
A malicious item has been detected!


Hello.

I've just bought a DL version of ToW2: Kursk and Caen bundle and guess what... My IS application has detected a malicious code contained within the eLicPatch.exe file. Now, I'm a bit worried for the setup application had administrative rights granted during the installation. I've managed to heal the file, but God only knows what has managed to slip into my system.

Any comments on that?


I'm fairly certain that is a 'false positive'. Your security software's 'heuristics' come into play with code that it can't identify and generically identify the eLicense executables as a virus/trojan due to their encryption (part of the eLicense functionality). I believe you should be fine and you can ignore the warning.

Another warning regarding the Comodo software. You may need to disable some of its functionality in order for eLicense to work. This has been the case with some of the free firewalls in the past and may be true of their other products. The feature in the firewall products was called 'Defender+' and that had to be deactivated. Even adding the game executable and the eLicense files as 'Trusted' did not allow eLicense and the games to work.


Thank you for your response... But I've never had any problems with Battlefront DL versions of ToW2 Afrika and Centauro. Have you guys been changing eLicensing software? I get this alert also when trying to launch Kursk1943.exe: .UnclassifiedMalware@1.

Kursk1943.exe has stopped working.

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	Kursk1943.exe
  Application Version:	0.0.0.0
  Application Timestamp:	4ca30eb4
  Fault Module Name:	Kursk1943.exe
  Fault Module Version:	0.0.0.0
  Fault Module Timestamp:	4ca30eb4
  Exception Code:	c0000005
  Exception Offset:	0000b1b6
  OS Version:	6.1.7600.2.0.0.256.48
  Locale ID:	1045
  Additional Information 1:	0a9e
  Additional Information 2:	0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:	0a9e
  Additional Information 4:	0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

Also options.exe worked only once, during the license code verification. Now Launching it doesn't bring any window on the screen. The options.exe process is running in the background but without any GUI.

Now, if you are certain it is a false positive malware identification, I will try to reinstall Kursk and slip it through the Defense+ module without healing the suspicious files.

Still, maybe I'll sandbox the Kursk installation just to be on the safe side.


Have you guys been changing eLicensing software?

No. What changes is your anti-virus/internet-security etc. software. It changes whenever you update definitions or change settings etc.

All the problems/crashes you are listing are caused by a system on your PC blocking the execution of parts it (erroneously) thinks are malicious (it assumes the worst because it cannot decode the encryption). Comodo seems to be one of the most intrusive systems in this regard. I would suggest submitting a support ticket at www.battlefront.com/helpdesk if you haven't done so already. Ian (Schrullenhaft from above) can perhaps try to help you there in more detail.

You could also contact Comodo as it's their software faulting here and tell them about this "false positive" (good companies will ask you to send them the flagged files etc. and will update their definitions).

Martin


Our experience with Comodo Firewall is that we had to turn off the 'Defense+' security feature in order for eLicense to work.

It's possible that you may need to make changes to your DEP (Data Execution Prevention) settings. Here's our Knowledgebase article on DEP.

Do you have any other security software beyond Comodo (anti-virus/anti-spyware/anti-malware/firewall/internet-security/other system utilities) ?


As an FYI, I've been using Comodo for years & have CMSF & ToW working fine.

It does flag files that behave in the way the eLicense does for obvious reasons but I think if you ensure you add all appropriate files to the white-list it all goes along OK. For me it does at least...:rolleyes::P

Check the 'files waiting for review' / 'pending files' & ensure you add the contents of the game dir to 'my own safe files'. You can browse for these on the HDD or in memory etc if you start the game up & set their permissions.

It is also possible to submit files to comodo directly so they can be flagged appropriately in their white-lists.


Good news! :)

Firstly, I would like to thank you guys for your feedback.

I've finally managed to launch ToW2 Kursk+Caen. You guys were right. It was Defense+ that blocked and crashed the executables. But the trick here was to completely disable the module via the Defense+->Defense+ Settings->Deactivate the Defense+ permanently (Requires a system restart). Simply setting the Defense+ Security Level to Disabled via right click menu on the tray icon was not sufficient.

As an FYI, I've been using Comodo for years & have CMSF & ToW working fine.

It does flag files that behave in the way the eLicense does for obvious reasons but I think if you ensure you add all appropriate files to the white-list it all goes along OK. For me it does at least...

I too have been using Comodo for years and this is the first time I have met with such a situation. What's more, I didn't have any issues with ToW2: Africa+Centauro eLicense (and I've been playing it with Defense+ fully enabled). Only ToW2: Kursk+Caen is giving me such odd problems. Putting the K+C executables on the white list does not help in any way.

Rebooting my system each time I want to play ToW2: Kursk+Caen is a bit troublesome, but I think I can live with it until Comodo puts it into whitelist.

By the way, did I mention how amazed I was when I finished playing the first Kursk battle? You guys are making great progress in making the ToW series one of the best tactical war games out there. Jolly good show!

ToW is getting better and better with every new version.


You probably know this but you may need to white-list more than just the obvious game .exes.

Out of curiosity I just did a quick count of .dlls, .bins & .exes in my white-list - over 40 - for Kursk with Caen.

I have D+ set to 'clean PC'.

Hopefully you will be able to track down which call is upsetting Comodo...I assume you have tried the active processes list for cross refs.

ToW is a very enjoyable game, lot of replayability in the series too.


Another possible approach/solution from Comodo-

Have you added BFC's Executables to Image Execution Control Exclusions?

As well as trusted applications?

(CIS > Defense+ > Defense+ Settings > Image Execution > Exclusions)

(CIS > Defense+ > Computer Security Policy )

Could be the answer as D+ doesn't properly flag the BFC eLicense activity as being blocked.


Another possible approach/solution from Comodo-

Could be the answer as D+ doesn't properly flag the BFC eLicense activity as being blocked.

It worked. It really worked! I've added three executables (Kursk1943.exe, options.exe and builder.exe) to the exclusion list of shellcode injection detection module and have flagged them as trusted applications in Defense+ Computer Security Policy. That seems to do the trick.

Thank you very much, Jcmil.

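Before adding files a HIPS/anti-virus has flagged to an exclusion or trusted list, it is worth recording each file's Authenticode signature status and SHA-256 hash, both to document why it was trusted and to have hashes ready for a false-positive submission to the vendor. The script below is an added example, not code from the thread, Battlefront or Comodo; it assumes PowerShell 4.0 or later (for Get-FileHash) and a placeholder install directory, and uses the executable names mentioned in the thread.

```powershell
# Added example: audit flagged executables before whitelisting them.
# Assumes PowerShell 4.0+ (Get-FileHash). $GameDir is a placeholder path.
$GameDir = 'C:\Games\ToW2_Kursk'   # placeholder: set to the real install directory
$Files   = 'Kursk1943.exe', 'options.exe', 'builder.exe', 'eLicPatch.exe'

function Get-WhitelistReport {
    param([string]$Dir, [string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Present = $false; Signature = 'n/a'; Signer = ''; SHA256 = '' }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $path   # Valid / NotSigned / HashMismatch / ...
        $hash = Get-FileHash -Path $path -Algorithm SHA256
        [pscustomobject]@{
            File      = $name
            Present   = $true
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = $hash.Hash
        }
    }
}

$report = Get-WhitelistReport -Dir $GameDir -Names $Files
$report | Format-Table -AutoSize

# Anything unsigned or with a signature that does not verify deserves a second look
# (publisher confirmation or a vendor false-positive check) before it is trusted permanently.
$report | Where-Object { $_.Present -and $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "$($_.File): signature status $($_.Signature) - verify before whitelisting" }

# Keep the hashes alongside the support ticket / vendor submission.
$report | Export-Csv -Path (Join-Path $GameDir 'whitelist-report.csv') -NoTypeInformation
```

Files whose signature status is anything other than Valid are the ones worth sending to the vendor, as several replies in the thread suggest, rather than silently excluding them.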
