public inbox for cygwin@cygwin.com
* BitDefender again
@ 2009-08-26  0:10 Michael Kairys
  2009-08-26  1:36 ` Christopher Faylor
  0 siblings, 1 reply; 11+ messages in thread
From: Michael Kairys @ 2009-08-26  0:10 UTC (permalink / raw)
  To: cygwin

BitDefender AntiVirus 2009 and Cygwin got along fine, but when I upgraded to 
2010 all my Cygwin-based apps started crashing. If I turn off their "Active 
Virus Control" the problem goes away.

They offer this advice:

=====================================
There is an incompatibility between cygwin and BitDefender AVC (Behavioral 
Scanner).

I'm going to get a little bit technical here in order to explain in detail 
what is happening :

Unfortunately, cygwin1.dll has a hardcoded image loading base (0x61000000) 
which conflicts with one of the BitDefender AVC plugins injected into 
processes for monitoring their behaviour. Since, to offer maximum 
protection, the BitDefender AVC dlls are among the first to be loaded in the 
address space of any process, and well before cygwin1.dll, the cygwin1.dll 
cannot load at its desired image base, thus generating crashes. In a general 
purpose DLL written for Windows, this is not a problem, since such dll can 
work being loaded at any imagebase. But this is not the case for cygwin, 
which insists on loading at the fixed address, and if not, generating 
crashes.

Now, how to fix :

1. Temporarily disable AVC (BitDefender->Antivirus->Advanced Settings, uncheck 
AVC).
2. Make sure all cygwin applications are closed.
3. Open a cmd line and enter the following :
cd c:\cygwin\bin
copy cygwin1.dll cygwin_orig.dll
copy cygwin1.dll cygwin_tmp.dll
rebase -b 0x35000000 cygwin_tmp.dll
copy cygwin_tmp.dll cygwin1.dll
4. Reenable AVC (BitDefender->Antivirus->Advanced Settings, check AVC)

Try now to run cygwin.

By doing the above, we remapped cygwin1.dll to another imagebase 
(0x35000000). If it still does not work, please try remapping at various 
imagebases (such as 0x30000000 or 0x40000000 or 0x25000000 etc) until you 
find one that works.
=======================================

I have a very limited understanding here, enough to run rebaseall (which 
I've done) and that's about it. Can someone please interpret the above for 
me and tell me if there's anything I can do besides shop for a new AV vendor 
(again :)



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
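
The collision described in the vendor advice quoted above can be checked from the PE headers alone; the following is an added example, not part of any message in this thread. It reads each DLL's preferred ImageBase and SizeOfImage and tests whether the two preferred ranges overlap, which is the case where the Windows loader has to relocate whichever module is mapped second. The sizes and the injected module's base are constructed values (the thread does not give them); only 0x61000000 and 0x35000000 come from the page.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B   # optional-header magic values

def preferred_range(pe_bytes):
    """Return (ImageBase, ImageBase + SizeOfImage) from a PE file's headers."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20       # skip the signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe_bytes, opt)
    if magic == PE32:
        (base,) = struct.unpack_from("<I", pe_bytes, opt + 28)
    elif magic == PE32_PLUS:
        (base,) = struct.unpack_from("<Q", pe_bytes, opt + 24)
    else:
        raise ValueError("unknown optional-header magic")
    (size,) = struct.unpack_from("<I", pe_bytes, opt + 56)
    return base, base + size

def collides(a, b):
    """True if two half-open address ranges overlap."""
    return a[0] < b[1] and b[0] < a[1]

def fake_pe32(image_base, size_of_image):
    """Constructed minimal PE32 header; only the fields read above are set."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, PE32)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)

def sample_ranges():
    """Constructed stand-ins: cygwin1.dll, an injected DLL, rebased cygwin1.dll."""
    cygwin = preferred_range(fake_pe32(0x61000000, 0x300000))    # base from the page
    injected = preferred_range(fake_pe32(0x61100000, 0x80000))   # hypothetical base
    rebased = preferred_range(fake_pe32(0x35000000, 0x300000))   # after rebase -b
    return cygwin, injected, rebased

if __name__ == "__main__":
    cyg, inj, reb = sample_ranges()
    print("original collides:", collides(cyg, inj))
    print("rebased collides: ", collides(reb, inj))
```

To check real files, pass the bytes of each DLL (for example `open(path, "rb").read()`) to `preferred_range` instead of the constructed headers.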


* Re: BitDefender again
  2009-08-26  0:10 BitDefender again Michael Kairys
@ 2009-08-26  1:36 ` Christopher Faylor
  2009-08-26 11:37   ` Dave Korn
  0 siblings, 1 reply; 11+ messages in thread
From: Christopher Faylor @ 2009-08-26  1:36 UTC (permalink / raw)
  To: cygwin

On Tue, Aug 25, 2009 at 08:09:52PM -0400, Michael Kairys wrote:
>BitDefender AntiVirus 2009 and Cygwin got along fine, but when I upgraded to 
>2010 all my Cygwin-based apps started crashing. If I turn off their "Active 
>Virus Control" the problem goes away.
>
>They offer this advice:
>
>=====================================
>There is an incompatibility between cygwin and BitDefender AVC (Behavioral 
>Scanner).
>
>I'm going to get a little bit technical here in order to explain in detail 
>what is happening :
>
>Unfortunately, cygwin1.dll has a hardcoded image loading base (0x61000000) 
>which conflicts with one of the BitDefender AVC plugins injected into 
>processes for monitoring their behaviour.

This sounds fishy to me.  Cygwin does prefer to load at 0x61000000 but,
to the best of my knowledge, there is only one thing in Cygwin that
really cares about this and it is not crucial to the operation of the
DLL.

cgf


* Re: BitDefender again
  2009-08-26  1:36 ` Christopher Faylor
@ 2009-08-26 11:37   ` Dave Korn
  2009-08-26 13:19     ` Michael Kairys
  0 siblings, 1 reply; 11+ messages in thread
From: Dave Korn @ 2009-08-26 11:37 UTC (permalink / raw)
  To: cygwin

Christopher Faylor wrote:
> On Tue, Aug 25, 2009 at 08:09:52PM -0400, Michael Kairys wrote:
>> BitDefender AntiVirus 2009 and Cygwin got along fine, but when I upgraded to 
>> 2010 all my Cygwin-based apps started crashing. If I turn off their "Active 
>> Virus Control" the problem goes away.
>>
>> They offer this advice:
>>
>> =====================================
>> There is an incompatibility between cygwin and BitDefender AVC (Behavioral 
>> Scanner).
>>
>> I'm going to get a little bit technical here in order to explain in detail 
>> what is happening :
>>
>> Unfortunately, cygwin1.dll has a hardcoded image loading base (0x61000000) 
>> which conflicts with one of the BitDefender AVC plugins injected into 
>> processes for monitoring their behaviour.
> 
> This sounds fishy to me.  Cygwin does prefer to load at 0x61000000 but,
> to the best of my knowledge, there is only one thing in Cygwin that
> really cares about this and it is not crucial to the operation of the
> DLL.

  Also, the suggestion to use a base address in the 0x35000000 area (or indeed
any of the others they mentioned) is going to horribly frag your heap and bork
your maximum allocatable memory limit, isn't it?

  Wonder if it wouldn't work just as well to rebase /their/ DLL?

    cheers,
      DaveK



* Re: BitDefender again
  2009-08-26 11:37   ` Dave Korn
@ 2009-08-26 13:19     ` Michael Kairys
  2009-08-26 15:29       ` Wilfried
  2009-08-29  2:08       ` Joe Smith
  0 siblings, 2 replies; 11+ messages in thread
From: Michael Kairys @ 2009-08-26 13:19 UTC (permalink / raw)
  To: cygwin

Thanks for the replies...

> the suggestion to use a base address in the 0x35000000 area (or indeed
> any of the others they mentioned) is going to horribly frag your heap and 
> bork
> your maximum allocatable memory limit, isn't it?

I don't know. How would I tell?

>  Wonder if it wouldn't work just as well to rebase /their/ DLL?

I don't know. Sounds scary given the liberties an AV program seems to take 
with the operating system... Should I try? How would I?

That aside, it sounds like my options are:

(1)  Try what they said and see what happens
(2)  Run with their "active virus scan" turned off
(3)  Change to another AV product (any suggestions? :)




* Re: BitDefender again
  2009-08-26 13:19     ` Michael Kairys
@ 2009-08-26 15:29       ` Wilfried
  2009-08-27 13:19         ` Michael Kairys
  2009-08-29  2:08       ` Joe Smith
  1 sibling, 1 reply; 11+ messages in thread
From: Wilfried @ 2009-08-26 15:29 UTC (permalink / raw)
  To: cygwin

"Michael Kairys" <kairys@comcast.net> wrote:

> Thanks for the replies...
> 
> > the suggestion to use a base address in the 0x35000000 area (or indeed
> > any of the others they mentioned) is going to horribly frag your heap and 
> > bork
> > your maximum allocatable memory limit, isn't it?
> 
> I don't know. How would I tell?
> 
> >  Wonder if it wouldn't work just as well to rebase /their/ DLL?
> 
> I don't know. Sounds scary given the liberties an AV program seems to take 
> with the operating system... Should I try? How would I?
> 
> That aside, it sounds like my options are:
> 
> (1)  Try what they said and see what happens
> (2)  Run with their "active virus scan" turned off
> (3)  Change to another AV product (any suggestions? :)

(3) http://www.f-prot.com 
Works flawlessly with cygwin and any other software we have, on 
- a tower PC with XP Pro SP3 (Pentium 4)
- a laptop with Vista home premium SP1 (core 2 duo) however with UAC
disabled
- and two other laptops
I can even leave the scanning engine running while installing other
software. Never had conflicts with it. Tech Support is very responsive.
Disadvantage: F-Prot slows down startup of a few programs (most
significant: Opera browser). Slowdown is much less on Vista. F-Prot are
working on it and already had some success.


--
Wilfried Hennings



* Re: BitDefender again
  2009-08-26 15:29       ` Wilfried
@ 2009-08-27 13:19         ` Michael Kairys
  2009-08-28 15:05           ` Wilfried
  0 siblings, 1 reply; 11+ messages in thread
From: Michael Kairys @ 2009-08-27 13:19 UTC (permalink / raw)
  To: cygwin

> (3) http://www.f-prot.com

Thanks for the suggestion... Seems some reviews give them low marks on 
detection rates:
http://www.virusbtn.com/vb100/RAP/RAP-quadrant-Feb-Aug09.jpg
http://www.virus-centre.com/

... and some low marks on features (19 out of 20):
http://anti-virus-software-review.toptenreviews.com/index2.html

... but I hear that you are happy with them...

I would in truth prefer to continue with BD at least until the subscription 
I paid for expires... 




* Re: BitDefender again
  2009-08-27 13:19         ` Michael Kairys
@ 2009-08-28 15:05           ` Wilfried
  0 siblings, 0 replies; 11+ messages in thread
From: Wilfried @ 2009-08-28 15:05 UTC (permalink / raw)
  To: cygwin

"Michael Kairys" <kairys@comcast.net> wrote:

> > (3) http://www.f-prot.com
> 
> Thanks for the suggestion... Seems some reviews give them low marks on 
> detection rates:
> http://www.virusbtn.com/vb100/RAP/RAP-quadrant-Feb-Aug09.jpg
> http://www.virus-centre.com/
> 
> ... and some low marks on features (19 out of 20):
> http://anti-virus-software-review.toptenreviews.com/index2.html

Very interesting, thank you! 
I can well live with the limited features, but if the low detection rate
comes true it would indeed worry me.

I also had a look into
http://www.av-comparatives.org/
but unfortunately they did not test f-prot.
 
Regards

--
Wilfried Hennings



* Re: BitDefender again
  2009-08-26 13:19     ` Michael Kairys
  2009-08-26 15:29       ` Wilfried
@ 2009-08-29  2:08       ` Joe Smith
  2009-09-01 13:28         ` Michael Kairys
  1 sibling, 1 reply; 11+ messages in thread
From: Joe Smith @ 2009-08-29  2:08 UTC (permalink / raw)
  To: cygwin


"Michael Kairys" <kairys@comcast.net> wrote in message 
news:h73co7$tt1$1@ger.gmane.org...
> Thanks for the replies...
>
>> the suggestion to use a base address in the 0x35000000 area (or indeed
>> any of the others they mentioned) is going to horribly frag your heap and 
>> bork
>> your maximum allocatable memory limit, isn't it?
>
> I don't know. How would I tell?
>
>>  Wonder if it wouldn't work just as well to rebase /their/ DLL?
>
> I don't know. Sounds scary given the liberties an AV program seems to take 
> with the operating system... Should I try? How would I?

If you can figure out which DLL they are injecting, you can do exactly what 
they tell you to do, except using their DLL instead of the cygwin DLL.

Or you can go the easy route, and follow the instructions they have provided 
to rebase cygwin.dll. The person who wrote the message you quoted is 
obviously familiar with Cygwin, since he has you use Cygwin's rebase utility. 
This indicates to me that he has actually tried the solution he mentions, 
and it has fixed the problem for him. 




* Re: BitDefender again
  2009-08-29  2:08       ` Joe Smith
@ 2009-09-01 13:28         ` Michael Kairys
  2009-09-03 19:32           ` Michael Kairys
  0 siblings, 1 reply; 11+ messages in thread
From: Michael Kairys @ 2009-09-01 13:28 UTC (permalink / raw)
  To: cygwin

> Or you can go the easy route, and follow the instructions they have 
> provided to rebase cygwin.dll.

I shall try their instructions and report back. (There must be other 
BitDefender users similarly inconvenienced by version 2010 :) 




* Re: BitDefender again
  2009-09-01 13:28         ` Michael Kairys
@ 2009-09-03 19:32           ` Michael Kairys
  2009-09-10 12:04             ` Michael Kairys
  0 siblings, 1 reply; 11+ messages in thread
From: Michael Kairys @ 2009-09-03 19:32 UTC (permalink / raw)
  To: cygwin


"Michael Kairys" <kairys@comcast.net> wrote in message 
news:h7j7ha$474$1@ger.gmane.org...
>> Or you can go the easy route, and follow the instructions they have 
>> provided to rebase cygwin.dll.
>
> I shall try their instructions and report back. (There must be other 
> BitDefender users similarly inconvenienced by version 2010 :)

rebase -b 0x35000000 seems to have worked.

But can anyone say more about Dave Korn's comment that it could "horribly 
frag your heap and bork
your maximum allocatable memory limit"? Can I test this somehow? 




* Re: BitDefender again
  2009-09-03 19:32           ` Michael Kairys
@ 2009-09-10 12:04             ` Michael Kairys
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Kairys @ 2009-09-10 12:04 UTC (permalink / raw)
  To: cygwin

> But can anyone say more about Dave Korn's comment that it could "horribly 
> frag your heap and bork
> your maximum allocatable memory limit"? Can I test this somehow?

Guess I'll just go with it then... :)

In the interim I've tried out a few other "leading" AV products: Avira, 
Nod32, and Kaspersky, and I must say BitDefender is still my first choice. 
My criteria are pretty simplistic though: score well in at least two 
independent tests and otherwise be as invisible and unobtrusive as possible. 


