Is CFP loaded early in Windows startup to avoid a window of opportunity?

[Guest]

[VanguardLH]

Some firewalls have the option to disable the TCP stack until they are fully loaded.  This prevents any malware from phoning home while Windows is still loading and before you even get to login.  Malware, like VirtuMundo, will add entries to startup registry keys, like BootExecute or WinLogon events so they run before most security (anti-malware) software has had a chance to load.

I cannot find a boot-time protection option in Comodo's firewall (v3).  So does Comodo's firewall, by default and without choice, disable the Winsock by inserting its own handler which remains disabled until CFP is fully loaded and ready?  How early does CFP get loaded?  Is it before the programs listed in BootExecute and WinLogon event registry keys?

For example, BootExecute contains an entry to run autochk.exe which checks if the dirty bit is set on a hard disk and, if so, will run chkdsk to fix the file system errors.  Does CFP load even before autochk can run?  BootExecute can be used to start any program, including malware, so CFP needs to load before this or use some other trick, like inserting a handler in the Winsock stack that remains disabled until a signed trigger from CFP enables that handler.

[Vettetech]

Yes look at your task manager. Just cause its not in the systray yet doesnt mean its not loaded.

[sded]

The kernel process cmdagnt.exe service is launched early, after some of the essential Windows services, but before any applications. The GUI cfp.exe you see in the tray is actually launched later in the cycle, but is not necessary for protection.  You can see from the attached Process Explorer run that cmdagnt is launched before the applications, along with the Avast! antivirus software in this case, and then the applications that might need these services start being launched.  This is a Vista example, but you can download free Process Explorer and see what your system is doing. Just click the "start time" header and PE will sort it for you.

[VanguardLH]

I found how to add the Start Time column.  Seems peculiar that the logging doesn't show the time down to the millisecond.  Since cmdagent.exe is bundled under the services.exe process, that means cmdagent was started as an NT service.  That is too late.  That is long after any malware has executed that was specified in the BootExecute registry key.  services.exe is listed under the WinLogon event which can also be used to inject malware so those could run before the NT services get started. 

cmdagent is the Comodo helper service.  It is an NT service.  That is too late for its HIPS function to prevent malware from loading during WinLogon events or when added to the BootExecute in the registry.  Perhaps if CFP injects a handler in the Winsock stack that remains disabled until it fully loads to enable that handler so only then can network connections be allowed but I can't find any information to corrobate that technique.  That still doesn't change that CPF is loading too late for its HIPS to prevent malware from loading.  I figured that a train mode was needed during a reboot so CFP could record what all it noticed was loading during bootup and also during login and then I would not train anymore to get prompted thereafter if something new wanted to run during bootup.  But having a HIPS program that loads as an NT service means there are auto-load points during the bootup that CPF will never be able to control.  NT services load too late to detect some very nasty malware.

I just went through a discussion of someone having bootup programs because it was noticed there was an unknown entry in the BootExecute registry key.  It wasn't the VirtuMundo pest although that is how that pest operates.  No wonder so many of these security programs cannot eradicate or detect some pests because they load far before the security software can load.

--- Avast

According to what I've read, Avast has a boot-time protection option that you can enable.  When enabled, it adds an entry to the BootExecute registry key.  In your image of Process Explorer, Avast is loading before cmdagent but not by many seconds earlier.  The svchost processes that roll-up several NT services are shown loading before Avast.  Do you have the boot-time protection option enabled in Avast?  If so, did it add an entry to the BootExecute registry key?

Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Data item: BootExecute

[sded]

There is no configurable boot time protection option in CFP.  You can try going to http://forums.comodo.com/help_for_v3/how_do_i_raise_a_technical_support_request-t14907.0.html and asking Comodo about it.  As far as I can tell, there is no boot time protection option in the Avast! free version either.  You might ask at their forum.  The only thing under BootExecute is Autocheck.  So if you have already let the malware in, CFP doesn't help you, nor does Avast! at boot time.  Both take the philosophy of keeping the malware out in the first place.  You can also go to http://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog-b36.0/ and take up your concerns directly with Melih, the CEO of Comodo. 

[VanguardLH]

Done.  Submitted a ticket and started a new thread in the other forum.

[panic]

G;day,

There are also two kernel level drivers that provide boot protection (inspect.sys - Comodo firewall driver and cmdguadr.sys - Comodo sandbox driver). These two are your boot time protection. This can be verified by running GMER or similar.

Cheers,
Ewen :-)

[ggf31416]

VanguardLH, I suggest you to run LoadOrder http://technet.microsoft.com/en-us/sysinternals/bb897416.aspx

Also the Session Manager key is included in the protected registry keys.

[VanguardLH]

Over in the other thread at:

https://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog/comodo_firewall_loads_too_late_to_provide_boottime_protection-t20728.0.html

I'm told that CFP will load the inspect.sys and cmdguard.sys as kernel-mode drivers.  As I recall, drivers load before any startup or logon events.

[sded]

OK, I can find the sandbox driver, but not inspect.sys .  There is a cmdhlp.sys a bit later, then nothing else from Comodo until Cmdagent.exe.  So where am I missing the firewall driver?  So the questions of the day:  What do they do, since they are undocumented?  What are their capabilities between the time they load and the time cmdagent.exe loads?  Which one protects the registry keys and program execution?  Which one prevents TCP?  And what else do they do? 

[Tags:]