tamdam
Mar 21 2007, 11:40 AM
Hi,
I've only recently discovered what a HIPS is, and according to Gizmo, DW was by far the best. So I've decided to give it a try. I tried DW 1.7 but it kept blue-screening on me, so I've decided to try this beta, because other HIPS, such as SSM, were a nightmare, 4 popups to shut down the computer!
Anyway I installed DW 2 beta 4 on my desktop and rebooted, but I'm confronted by this:



I have kept a copy of the appcompat text file. Has anyone experienced this? Any suggestions?
~tamdam
Hunter
Mar 21 2007, 12:01 PM
Ilya Rabinovich
Mar 21 2007, 12:07 PM
Hm, I believe these are problems with the skin engine. To make sure of it, find DRWatson's log files and send them to me zipped. Mail to support [at] softsphere [dot] com
tamdam
Mar 21 2007, 12:09 PM
QUOTE (Hunter @ Mar 21 2007, 11:01 PM)

Yes, my XP2 was updated last month through Windows Update. I wasn't running any programs or anything, in fact just restarted from installing beta 4, and that came up. I tried restarting but I get the same error all the time.
tamdam
Mar 21 2007, 12:12 PM
QUOTE (Ilya Rabinovich @ Mar 21 2007, 11:07 PM)

Hm, I believe these are problems with the skin engine. To make sure of it, find DRWatson's log files and send them to me zipped. Mail to support [at] softsphere [dot] com
Hi,
Thanks, I will do that.
Hunter
Mar 21 2007, 01:10 PM
QUOTE (tamdam @ Mar 21 2007, 08:09 AM)

Yes, my XP2 was updated last month through Windows Update. I wasn't running any programs or anything, in fact just restarted from installing beta 4, and that came up. I tried restarting but I get the same error all the time.
Excellent..that means you have all the updates that are protecting for buffer overflows and we have a baseline understanding of your system..many overflows are harmless and Ilya will get it all sorted out for you.
http://www.nta-monitor.com/posts/2003/07/ntdll.html
I do not suggest you do this..but I remember other programs that had problems in the past that I know were also harmless..like Clipmate and this is what they asked people to do for a while:
Quote:
Access violation ... in module 'ntdll.dll'
If the crash occurs right after launching the program, and you've got XP SP2, then it may be "Data Execution Prevention" (DEP). Turn off DEP in the XP control panel:
System | properties | advanced | Data Execution Prevention.
If you've got it set for "all programs", then add ClipMate to the exception list.
We're looking into the cause, and will try sort out this compatibility issue.
But do not try that..and thanks for your help and info.
tamdam
Mar 21 2007, 08:44 PM
QUOTE (Hunter @ Mar 22 2007, 12:10 AM)

QUOTE (tamdam @ Mar 21 2007, 08:09 AM)

Yes, my XP2 was updated last month through Windows Update. I wasn't running any programs or anything, in fact just restarted from installing beta 4, and that came up. I tried restarting but I get the same error all the time.
Excellent..that means you have all the updates that are protecting for buffer overflows and we have a baseline understanding of your system..many overflows are harmless and Ilya will get it all sorted out for you.
http://www.nta-monitor.com/posts/2003/07/ntdll.html
I do not suggest you do this..but I remember other programs that had problems in the past that I know were also harmless..like Clipmate and this is what they asked people to do for a while:
Quote:
Access violation ... in module 'ntdll.dll'
If the crash occurs right after launching the program, and you've got XP SP2, then it may be "Data Execution Prevention" (DEP). Turn off DEP in the XP control panel:
System | properties | advanced | Data Execution Prevention.
If you've got it set for "all programs", then add ClipMate to the exception list.
We're looking into the cause, and will try sort out this compatibility issue.
But do not try that..and thanks for your help and info.

Hi Hunter,
I emailed the drwatson log as Ilya suggested and it is a skin issue, nothing to do with DEP.
tamdam
Hunter
Mar 21 2007, 09:45 PM
Cool..skins have been known to cause buffer overflows... as well as NTDLL.DLL Access Violation due to a skin overlay on a development box.
winamp had a skin problem last year
http://forums.winamp.com/showthread.php?threadid=251940
and they are not uncommon...
http://archives.neohapsis.com/archives/ful...04-10/1044.html
http://groups.google.com/group/mailing.uni...dc299db318943aa
http://secunia.com/advisories/23360/
ntdll.dll is utilized by many different components in the Windows operating system. ntdll.dll is a module that contains NT system functions.
And of course the reason for DEP is to prevent them..
Buffer overflows are prevented by fully enabled Hardware DEP on CPUs that support it and in Software.
In Windows® XP SP2, Data Execution Prevention(DEP) is a new Memory Protection Technology implemented to mitigate the buffer overflow exploit in which a virus or other attack tool has injected executable code into a process and then attempted to execute the injected code. DEP is enforced in both hardware and software. Hardware DEP relies on hardware CPU to mark memory with an attribute that indicates that code should not be executed from that memory. Software DEP adds a set of data execution prevention checks to forbid the code execution in heap and buffer segment.
http://www.wenpoint.com/securityinfo/quicktips/qt060601.php
tamdam
Mar 22 2007, 04:15 AM
Well I've uninstalled DW beta 4 on my desktop, seems like the skin bug affects notification windows too.
I've installed the beta4 on my laptop and it's running very smoothly, my first reboot after install had "driver not loaded" and "defense out of work" messages, but I uninstalled then reinstalled and now it's working great.
It's definitely better than v1.7, I especially like "defense exclusions". However, just a minor bug -> Windows Media Player is considered "untrusted". When I try to minimise I'd like it to do that taskbar thing, but DW prevents it and I'm not sure how to "exclude" it. In the event log it comes up as
"Attemps to post message 400 into the window of the process C:\WINDOWS\explorer.exe." -- as event type "Shatter"
->btw note the typo "Attemps" Ilya :)
I was hoping it'd appear in "defense exclusions" but that appears only to cover files and folders not processes.
btw I'm still kind of new to HIPS and DW so if I'm missing something really obvious then silly me :)
tamdam
Mar 22 2007, 04:21 AM
btw I should've added, the WMP taskbar thing I'm talking about:
Ilya Rabinovich
Mar 22 2007, 11:47 AM
OK, fixed. Will be published with Beta 5. There are just a few things left, but they are highly important and complicated (as undocumented).
tamdam
Mar 23 2007, 06:40 AM
Thanks for that Ilya.
After a day with my laptop I'd just like to report a few things about beta4. Again I'm kinda new to DW and HIPS so this is kinda from a new user's point of view.
1) Generally running smoothly, programs load with no or little lag. Very nice.
2) I'm not sure if this is default behaviour, but on my desktop the tray icon would turn from white to red if an untrusted program were to do anything that only a "trusted" program can do, but then after a couple seconds it would turn back to white. However, on my laptop, it stays red, and only turns white when I go to the main window and click "events log".
3) Ilya, you should add to the main interface that when running an update the program has to be running as "trusted". I know the website and help file might say it, but putting it on the main interface makes it more prominent. For example, when I was updating firefox extensions and restarted firefox (all the time as untrusted) and the extension was "to be updated on restart" - running it as trusted fixed this.
4) In relation to the above, I'm not sure if this is possible at all, but have a "on-the-fly" untrusted-trusted change. Like, when firefox asks "would you like to update to 2.0.3" my normal instinct is to say yes, but because firefox normally runs as untrusted the update should fail. As it stands I'd need to say "no" to the update, restart firefox as trusted and "check for updates". I know you probably have a time frame so maybe it can be implemented in a future release
5) the context menu "run as trusted" and "run as untrusted" doesn't work for me, I'm not sure if that's one of the things you're still working on.
6) in the "events log" it'd be nice if, when I click on the "time" tab it switches to most recent at the top. I hate scrolling down to see what happened most recently :)
I think for a beta this is very stable and good, and better than the 1.7 final! So I'm looking forward to the final release. Thanks Ilya for making a decent HIPS that doesn't make me go crazy with popups :)
tamdam
Mar 23 2007, 10:54 AM
QUOTE (tamdam @ Mar 23 2007, 05:40 PM)

5) the context menu "run as trusted" and "run as untrusted" doesn't work for me, I'm not sure if that's one of the things you're still working on.
actually after noticing something I can say it does work, but:

there are 2 context menu items for DW on QUICK LAUNCH icons - the top one (number '2') works for everything. Number '1' only works for the others, not "run as trusted". But in WINDOWS EXPLORER, when I right-click on a file, there's only ONE(1) context menu, not 2. When I click an icon on the DESKTOP or START MENU there are also 2 context menus.
Ilya Rabinovich
Mar 23 2007, 10:50 PM
1. OK, I'll add "run software updaters as trusted" to the first dialog's sheet text.
2. There will be "re-open as trusted" menu item within Beta 5. This will allow you to re-run your browser with the same URL as trusted. I need to mention that I can't do on the fly untrusted to trusted movement due to security reasons.
3. Context menu doubling- already fixed, but not published yet. I may send you .reg file that will fix this issue.
4. "Events log"- OK, will do.
tamdam
Mar 23 2007, 11:28 PM
Thanks Ilya.
btw just for anyone who's interested, if you use firefox you'll notice when you run it as untrusted and try to "save password" (I think it gives you "remember" as the option) it won't work. I added
\Documents and Settings\YOURUSERNAME\Application Data\Mozilla\Firefox\Profiles\YOURPROFILE\signons2.txt
in the "Defense Excludes". Initially I thought I needed to run Firefox as trusted to save these passwords (or remove them) but in fact you only have to add that file as an exclusion. However, I'm not sure whether this is safe or not.
Ilya, maybe if it's safe, it can be added automatically as a Defense Exclusion, just like DW does for Firefox cookies, bookmarks etc. :)
Ilya Rabinovich
Mar 24 2007, 01:46 PM
signons2.txt is already covered, but not published yet.