Daemon-Tools Lite v4.30.0
Windows XP Pro SP-3
Comodo Firewall Pro v3.0.25.378 (Defense+ HIPS enabled)
I installed a game (FEAR Gold). When I go to run the game, Comodo will alert that the game is attempting several suspicious actions. One was to modify a file with dinput8.dll. That's Microsoft's DirectX support library that gets injected in a program's files to add DX support, so I allow that change by the game. Some other alerts were about the game trying to install some global hooks. I haven't made up my mind what to do about those attempted actions; so far, I've blocked them. The one I'm concerned about is the game wants to modify sptd.sys. I'm no expert at this copy-protection paranoia so please bear with me as some of my conclusions based on a couple of hours of browsing and reading could be inaccurate.
sptd.sys, although it is described as SCSI Pass-Through Driver, doesn't really seem to be its intended purpose but rather to behave in rootkit-like fashion to operate at kernel-mode level to hide or deny access to some registry keys and perhaps to some files. One of the HIPS alerts from Comodo is that the game is trying to modify sptd.sys. Obviously this is not a file that is part of the game so the game is trying to modify files that don't belong to it. So far, I've chosen to block that attempt to modify sptd.sys but I'm not sure that I have to. If DT is protecting itself, perhaps it provides a bogus target for this file so it can appear to get modified but not really happen. I don't know if DT protects the sptd.sys file. I certainly can't look inside using a hex editor (I get denied access).
From what I've read, it looks like the game uses some version of SecureROM. I'm not keen on the game's startup trying to modify any file that isn't part of the game itself, like sptd.sys that DT uses. However, if it is just a bogus target that DT will replace if it gets modified or DT prevents modification of its files then I could see what happens if I allow Comodo to let the game modify sptd.sys.
While allowing some actions by the game start to occur, like direct screen access, direct keyboard control, and injecting dinput8.dll into its files, I have blocked the global hooking and modification of sptd.sys. The result is that the game starts, plays its intro screens and movie, and then the game hangs at a black screen and hangs the host so I have to hit the Reset button to restart Windows. So I'm blocking more actions than the game can tolerate.
Understand that I am NOT trying to play the game from a DT virtual drive. I don't mind putting the game's DVD into the drive and let it check for its protection. My question is about the game wanting to modify DT's files and if I should permit the game to [try to] make those changes.