System is trying to modify ...

[Guest]

[cska133]

I wanted to go to bed and switch the PC when in the middle of the sutting dowm Difense+ popped upsomething about that system is traying to modufy/creat folder... then PC went off.
I was curious and suspicious and started PC again. Then Defense+ popped up again (see screenshots).
I didnt take any action in Comodo.
Since then my Wifi is crashing every minute (it looses connectivity) after it connets again

whats is going on???


PC: the last popup System2 is coming every 10min

[aim4it]

I had a similar problem, getting a protect file popup for shutdown.etl even when I had automatically create rules of safe applications checked.  I manually had to edit the auto generated rule and gave it access to the entire LogFile/* directory.

[cska133]

yes exactly, when I shotdown Comodo pops up  something about shutdown.etl. Then it pops up every 10min that system is trying to modify the conteds of C:\Windows

I dont know why all this popups are coming suddenlly, nothing has changed yesterday

I manually had to edit the auto generated rule and gave it access to the entire LogFile/* directory.

How you did this?

PS: I tried to repair Comodo via Control Panel, but the option for repair is greyed out and not active Is this normal?

[aim4it]

I'll check my defense+ rules when I get home, at my university at the moment.

[cska133]

the popup is coming every 10min.
Dont know to allow or to block? If I create rule where should I find this rule for editing or removing it later?

[clockwork]

In defense +, computer security settings.

But wait.
If you control the allready existing list, you may notice the entry "system" under "windows system applications" as a predefined rule. This rule would allow the real system "file" to modify folders and so on. You should not get that question!

Thats why i would say: Click on the file name on top in the question window that you get all ten minutes, to verify where the file is located.
And until this situation is cleared up, its very suspicious that you get a question about a system "file", which would have been covered by an existing rule for the original allready!

[aim4it]

If you run Defense+ in paranoid mode you will get this popup, even with automatically create rules for trusted applications checked.  My guess is the shutdown action changes the state of CIS and rules cannot be created during the shutdown process, hence this popup occurs and the rule can't be automatically learned.

Although I never got the popup for \System, just for a few .etl files windows tries to update with during the shutdown event.

[cska133]

I run Defense+ in Safe mode.

Thats why i would say: Click on the file name on top in the question window that you get all ten minutes, to verify where the file is located.

I know that. Look on the 3rd screenshot in my first post. When I clicked on System there I thing it came the properties windows pointing to C:\Windows. I am not sure, have to look again when I am home later. On the second icon on the popup I can not click.

It is strange because as I alredy asked in http://forums.comodo.com/install-setup-configuration-help-cis/how-can-i-repair-cis-t82802.0.html my Repair option is greayed out and can not be repaired

[clockwork]

As you use safe mode, you should not get a question about the REAL system "file".
Can you verify that you have the predefined rule section for windows applications in the defense+ list? There are greyed things listed, like system, %windir%\system32\svchost.exe, ....

[BoredNow]

Take a look at this...

http://serverfault.com/questions/237637/what-is-stored-in-windir-system32-logfiles-wmi-rtbackup

if anyone would like to 'translate' this into simple english that would be nice.

Also, take a look a my thread from last Oct.

https://forums.comodo.com/defense-sandbox-help-cis/system-could-not-be-recognized-t78016.0.html;msg557902#msg557902

[Radaghast]

Take a look at this...

http://serverfault.com/questions/237637/what-is-stored-in-windir-system32-logfiles-wmi-rtbackup

if anyone would like to 'translate' this into simple english that would be nice.

I think he's just trying to illustrate the mechanism behind data collection for etl files, which are a standard part of the OS performance and reliability ecosystem. I think the reason D+ has a problem with these, sometimes, is when a a trace file is created with a new name, but that would need further investigation...

[cska133]

Can you verify that you have the predefined rule section for windows applications in the defense+ list? There are greyed things listed, like system, %windir%\system32\svchost.exe

where exactly do I have to look, could you please explain (maybe with Screenshot better)

thanks

[clockwork]

Defense+ rules list
There are your games, programs ect listed with notification about what kind of rules they got (custom, trusted, blocked).
Scroll down until you see the entry tree "windows system applications". Its a collapseable tree entry. It contains:
system
%windir%\system32\svchost.exe
%windir%\system32\services.exe
%windir%\system32\smss.exe
and so on

Do you have it?

The predefined policy "windows system applications" which these entries under the same name tree in the defense+ list have, allows to modify, allows everything apart from starting other files without question under safe mode.
Thats why i have doubts, that your question is about the real system "file", when you have that tree in the defense+ rule list (default).

[BoredNow]

Sorry to jump in here but since I have been getting the same "System can not be recognized" warning.

Please take a look at these screen shots...I no longer have any Predefined Policies since the latest
update...(5.10)

[mouse1]

Sorry to jump in here but since I have been getting the same "System can not be recognized" warning.

Please take a look at these screen shots...I no longer have any Predefined Policies since the latest
update...(5.10)

Does anyone else with this problem have no predefined policies?

If so its probably some form of update problem.

I'd suggest a bare metal re-installation as per Chiron's FAQ: Most effective way to re-install.

Best wishes

Mouse

[Tags:]