Shellcode warning when trying to run OA

[Michael Withstand 10]

A picture tells a thousand words

Can BI explain why their app is thought to be attempting buffer overflow attack?

[Gunter Severloh 4064]

What are you running that gives you that message?

[Michael Withstand 10]

What are you running that gives you that message?

As the pic states Combined operation: arma2oa.exe

With ACE2 add on and mando missile add on.

Not running the game with add-on would also result in the same warning.

The beta would not give the warning though

Detection is done by COMODO CIS(COMODO Internet Security)

[MJK-Ranger 0]

Topic: "tried to execute shellcode as a result of possible buffer overflow attack"

From Ronny at Comodo forum:

Hello Amy,

The new version of CIS 3.9.x (Still beta though) has a few fixes to prevent false alerts.

I can't tell from this info if yours is a false positive, but if you like you could try 3.9.x beta and see if the alert is gone.... i have to say you should probably only be using beta software if you feel confident.

You could if you have time, export your "old" 3.8 configuration, uninstall the 3.8, install the 3.9.x beta and see if the problem still exists or not, remove 3.9.x beta, install 3.8 latest and import your settings back so you are "back to where you started" only you know if the alert is still there in the latest version.

And from LostAmy that had the problem:

Hi Ronny,

i've downloaded and installed the Beta version and everything seems to be working fine.

thanks for your help!

It's a good idea to use google to search after error from applications ;)

[Michael Withstand 10]

I did google it but found nothing...well I didn't look past the first page or maybe I was googling the wrong keyword.

Any link to those?

Besides it's already version 4.0 now those quotes are irrelevant.

Edited August 20, 2010 by Michael Withstand

[MJK-Ranger 0]

I did google it but found nothing...well I didn't look past the first page or maybe I was googling the wrong keyword.

Any link to those?

Besides it's already version 4.0 now those quotes are irrelevant.

But try a newer version or latest beta from Comodo and see if you still run into same problem.

To me it's seems to be more like a Comodo bug or something.

Version 4.1 is the newest i think.

http://forums.comodo.com/help/tried-to-execute-shellcode-as-a-result-of-possible-buffer-overflow-attack-t35795.0.html

http://tinyurl.com/32t86e8 :D :)

Comodo Internet Security v.4.1 (free version)

Edited August 20, 2010 by MJK-Ranger

[Gunter Severloh 4064]

no i meant running as is it the game giving you this message or another progam, like an anitvirus or something.

[Michael Withstand 10]

But try a newer version or latest beta from Comodo and see if you still run into same problem.

To me it's seems to be more like a Comodo bug or something.

Version 4.1 is the newest i think.

http://forums.comodo.com/help/tried-to-execute-shellcode-as-a-result-of-possible-buffer-overflow-attack-t35795.0.html

http://tinyurl.com/32t86e8 :D :)

Already using latest version.

no i meant running as is it the game giving you this message or another progam, like an anitvirus or something.

It's a security app COMODO Internet Security. The warning comes out whenever trying to launch Combined operation.

launching beta version of Combined Operation would not result in the warning being shown.

[MJK-Ranger 0]

launching beta version of Combined Operation would not result in the warning being shown.

Interesting, hmm Are you running Steam Version of ArmA2/OA/CO?

You are not running the game in Sanboxie from Comodo?

I'm not familiar with Comodo products at all, but I can not remember having seen others in here with same issue.

Edited August 20, 2010 by MJK-Ranger

[Michael Withstand 10]

Interesting, hmm Are you running Steam Version of ArmA2/OA/CO?

You are not running the game in Sanboxie from Comodo?

I'm not familiar with Comodo products at all, but I can not remember having seen others in here with same issue.

No Im not using COMODO sandbox

It's OA retail(boxed) version merged with ArmA 2 retail version

[Gunter Severloh 4064]

what if you turn that program off and then try the game,

will it work then?

[Michael Withstand 10]

what if you turn that program off and then try the game,

will it work then?

Yes it would work I assume but according to COMODO Internet Security some hidden program would also be run that would enable some people to take over my machine :rolleyes:

Running the app when the security app is telling you it's potentially dangerous would make using the security app kind of pointless . . . . .

Edited August 20, 2010 by Michael Withstand

[Gunter Severloh 4064]

dont think they would if you dont have your remote services enabled, plus if you got a firewall on.

Are you in mp when you play or try too, or are you just in the game sp, and editor?

[Michael Withstand 10]

I play MP most of the time, firewall wouldn't help against this kind of attack I think.

Shellcode is taking advantage of vulnerabilities in app to take control of the target machine. It's very risky.

I hope some other people are also experiencing this as well and hopefully it's a false positive.

Running the game using admin right is stupid however. OA would make you to run it on admin rights when battleeye is used in game.:(

Now I can't even run the game. I may have to exclude the app from bufferoverflow detection

[Encrypted_God 10]

My 2.5 Cents: First you need to understand what a 'shellcode' is. Lots of information available but here's one for ya ---> LINK

Next, educate yourself on what a Buffer Overflow is. ---> LINK

Now, I'm more then positive that this is alarming for a lot of people. So it would behoove you to investigate it. However; Something else you have to take into consideration that most to all games need internet access whether you're in SP or MP.

With that said; Some AV's will erroneously report such behaviors in some games. Including applications as well. If you are positive that you don't have ANY virus's, malware, spyware and all that crap then maybe it's COMODO being to paranoid. But I suggest you scan your entire computer again using different programs of your choice.

Hm...what else ...Try a different one first. well I'm sure we'll all get this figured out but patience is key but we need to keep our cool and try not to go off the deep end about this...

EDIT:

Oh...I am in no way disrespecting the COMODO program and I have no reason to doubt it as I have never used it. However, you might want to think about getting a different AV if you have had this before (This issue). Or better yet, just try one from a reputable vendor. I personally use Kaspersky 2011 Internet Security

Edited August 20, 2010 by Encrypted_God

[Michael Withstand 10]

My 2.5 Cents: First you need to understand what a 'shellcode' is. Lots of information available but here's one for ya ---> LINK

Next, educate yourself on what a Buffer Overflow is. ---> LINK

Now, I'm more then positive that this is alarming for a lot of people. So it would behoove you to investigate it. However; Something else you have to take into consideration that most to all games need internet access whether you're in SP or MP.

With that said; Some AV's will erroneously report such behaviors in some games. Including applications as well. If you are positive that you don't have ANY virus's, malware, spyware and all that crap then maybe it's COMODO being to paranoid. But I suggest you scan your entire computer again using different programs of your choice.

Hm...what else ...well I'm sure we'll all get this figured out but patience is key but we need to keep our cool and try not to go off the deep end about this...

I understand that most games would need internet access and I have no objection to that and I play other games as well that need internet access and have no problem with shell code or buffer overflow attack.

I asked to know whether this is a false positive or a true positive.

Last time I scanned it was all clean. I'll scan everything again.

[Encrypted_God 10]

Understood sir. And believe me, I wasn't belittling you. I am here (like many others) for you if you need help. We'll get this figured out. Oh..I do have to ask this; Does your computer "act funny". I mean do you notice strange things that would indicate virus' or that other junk?

Reason why I ask is because within the last week My own rig has been acting funny. Long story short I was forced to Re-Format because sometimes it's better to start over from scratch then spend hours and hours trying to figure it all out. Plus...headaches

[Michael Withstand 10]

Umm no nothing funny at all. everything seems to be fine.

I didn't feel you were belittling me either.

I'm suspicious that the disc checking is what's causing this. The beta won't check for disc. the server exe won't either.

I think whatever causing it may have stemmed from the disc checking.

I hate having to have the disc in the tray. BI please give us no disc patch ASAP.

And if some hacker found exploit in arma2oa.exe and inserted some nasty shellcode injection especially because the exe is demanding to be run with admin rights then we would not be able to tell because of the disc checking also resulted in the same warning. Running game with admin rights is just STUPID.

---------- Post added at 10:27 AM ---------- Previous post was at 10:19 AM ----------

EDIT:

Oh...I am in no way disrespecting the COMODO program and I have no reason to doubt it as I have never used it. However, you might want to think about getting a different AV if you have had this before (This issue). Or better yet, just try one from a reputable vendor. I personally use Kaspersky 2011 Internet Security

Yea man COMODO is like the best firewall and internet security suite out there and it's free too. No kiddin. Official tests have concluded that COMODO security suite is the best one out there. I think it's you who may need to switch. :D

No kiddin. ;) Google it

http://www.matousec.com/projects/proactive-security-challenge/results.php

yea the test was on proactive security but the firewall and Anti virus are also very very good.

Edited August 20, 2010 by Michael Withstand

[Encrypted_God 10]

Yes!! there ya go!! Come to think of it, how about the SecuRom? Do you have to put the disk in every time? This is offtopic but I had to use the CD/DVD everytime I wanted to ArmA 2. Then a very good friend of mine (Gunter Severloh) told me that I only had to do it a few times. RE: SecuRom verifying the disk. Which I neglected to think about.

[Michael Withstand 10]

Yes!! there ya go!! Come to think of it, how about the SecuRom? Do you have to put the disk in every time? This is offtopic but I had to use the CD/DVD everytime I wanted to ArmA 2. Then a very good friend of mine (Gunter Severloh) told me that I only had to do it a few times. RE: SecuRom verifying the disk. Which I neglected to think about.

Hmm it was just a suspicion I wouldn't jump into conclusion because there's no way to verify that it's really the SECUROM since it could very well be a shellcode injection that's run at the same time Securom is checking for disc. And it's a bad programming if it is true. If the game wouldn't demand ADMIN rights in the first place I wouldn't be so worried.

Edited August 20, 2010 by Michael Withstand

[Encrypted_God 10]

Agreed. But SecuRom is notorious for that stuff

---------- Post added at 11:04 PM ---------- Previous post was at 10:53 PM ----------

I'm sorry but I need to go. I got to get some sleep.

I wish you good luck my friend . I'll check on this thread in the morning

Edited August 20, 2010 by Encrypted_God
Spell Check

[Gunter Severloh 4064]

Lol Jaeger, (encryptd God) Hes close Buddy of mine for many years and we game together reguarly.

anyways, have you ever been able to play the game without the disc?

Personally i had only installed Arma 2 when it first came out, and then had the disc

in once i think to play and then after that maybe the patch i never

had to use the disc again, so I can just click on the icon and Im in.

I use AVG and I dont get any interference, but this is a stumping issue you have,

as Jaeger would say we need to go through a process of elimination,

basically strip everything down to the bare bones and the test things out and

see what response we get.

I think in a way you should start over, lose the antivirus, and any protection

and what not, maybe uninstall reinstall the game, and just start over, play it,

patch it, play it and final patch it, and then if the game works, go from there,

the next response after the game should give you or at least narrow it down to

what is possibly causing the inability to play, off course you have an idea already

but we dont really know for sure what it may be.

Just a thought.

[Michael Withstand 10]

Well Encrypted God seems like a nice fellow :rolleyes:

I don't have any problem running the game just that my security apps is telling me of Shellcode injection. It was just matter of changing setting in the security app but still I'd like to know what was it about.

I'm still unable to accept that Battleeye requires the game to be run on admin rights which would make shellcode injection much more potent and would not surprise me that the game exe does have some exploits since it was probably never designed with customer security as priority. This is what concerns me: playing with admin rights and getting the shellcode injection warning at the same time and playing and hosting the game online :o

I need the have OA disc inserted except when playing BETA version

Edited August 20, 2010 by Michael Withstand

[Gunter Severloh 4064]

I'm still unable to accept that Battleeye requires the game to be run on admin rights

I have read about this admin thing so many times in the forums here yet

I have no idea what it is, does it have to do with windows 7? as I have windows xp.

warning at the same time and playing and hosting the game online

I can see that being a concern, especially when hosting, not sure if it

would work that where one person computer can pass a virus or

something to yours while your hosting the game, I'm sure Jaeger can touch on that.

[Michael Withstand 10]

I have read about this admin thing so many times in the forums here yet

I have no idea what it is, does it have to do with windows 7? as I have windows xp.

When you play online some servers are using battleye that checks for game hacks in order to prevent people playing from cheating their fellow gamers. This battleye now since OA requires that the game be played on admin rights otherwise that player will get kicked out of the server.

Anyway it seems that the warning is not really about real shellcode injection

http://forums.comodo.com/defense-sandbox-help-cis/operation-arrowheadgame-triggered-buffer-overflow-warning-t60703.0.html