Too Easy Termination of cfp.exe and cmdagent.exe

[Guest]

[deepcut]

I have Defense+ disabled, Firewall and Antivirus enabled.
I am able to terminate both cmdagent.exe and cfp.exe from Windows Task Manager.

To me this seems a serious flaw in the security of CIS.
If I had seperate firewall and antivirus applications, I would fully expect them to protect themselves from termination.
Otherwise, any malware that infects the system simply needs to terminate them to render the system completely vulnerable.

I understand that enabling Defense+ causes CIS to be protected in this manner.
But what about anyone who wants to use a seperate HIPS solution, or to use CIS as a standalone firewall or antivirus.

I mentioned this in a previous post for one of the release candidates.

I hope this will be taken seriously, and perhaps some of the regulars can reply to confirm/agree or whatever.

[Guillermo391]

This is only the GUI you are termiating.
Firewall and AV keep functioning. Firewall blocks all unknown comunnications, and Defense Plus all unknown hooks of programs.
You are still protected.
Just restart in safe mode, and kill whichever malware caused it,.

[John Buchanan]

CFP.exe is just the GUI.  If it is terminated, the software still protects as default deny (you just won't see it).

Deepcut, may I ask how is Defense+ supposed to protect itself if it is disabled?

The AV will notify you if any virus it detects tries to run or is about to be accessed.
The firewall will notify you about all incoming and outgoing connections.

If you are using a separate HIPS program, shouldn't it be monitoring your system for unintentional/undesired application shutdowns?

Please note, even with Defense+ enabled, if you the user wishes to shut down this or any software, Defense+ will allow this.  If another software tries this same however, you will be notified and asked to confirm or block the attempt.

Just my opinion here, but I don't see this as a flaw in design.

[deepcut]

It would be nice if you read what I wrote before replying.

CFP.exe is just the GUI.  If it is terminated, the software still protects as default deny (you just won't see it).

This is only the GUI you are termiating.

I know that cfp.exe is the GUI, but cmdagent.exe is the main service that provides the actual protection and I can terminate that just as easily.
And even though cfp.exe is the GUI, the only way I should be able to terminate it is from CIS itself.

The firewall will notify you about all incoming and outgoing connections.

If malware is able to simply terminate the firewall, it cannot notify anything.

[John Buchanan]

I read yours, you failed to read mine. 

[Toggie]

deepcut, perhaps you would care to submit details regarding how you 'terminated' the two processes in question.

When ever I try to terminate either of the processes (logged on as Administrator) I get an access denied message...

[BigMike]

deepcut, perhaps you would care to submit details regarding how you 'terminated' the two processes in question.

When ever I try to terminate either of the processes (logged on as Administrator) I get an access denied message...

He already wrote, that he disabled Defense+ completely. If you do that, you won't get an access denied message, since it's Defense+ that takes care of what happens on your machine and protects important processes like cmdagent.exe and cfp.exe.

But I support John Buchanan's opinion. If you install CIS, just CFP or CAV you'll in any case end up with an enabled Defense+ that will protect the components and itself.
If you decide to change the recommended/predefined settings (or even use another HIPS), you should know what you're doing and what the consequences are - and set up your system according your wishes.

[Agent420]

I used sysinternals, Autoruns to stop cmdagent. The trouble with doing that is that the Anti-virus will not scan when cmdagent is stopped. BUT, with it stopped, it will no scan the computer. On the flip side, I have my computer back without having to wait for that POS cmdagent to finish whatever it is doing beside wearing out my disks.

[EricJH]

I used sysinternals, Autoruns to stop cmdagent. The trouble with doing that is that the Anti-virus will not scan when cmdagent is stopped. BUT, with it stopped, it will no scan the computer. On the flip side, I have my computer back without having to wait for that POS cmdagent to finish whatever it is doing beside wearing out my disks.

With Autoruns you disable the start up of cmdagent. That is not what is being discussed here.

[John Buchanan]

Again, you are manually terminating the process.  CIS can't prevent this.  Again, if another program made the attempt (a malicious program), you would be notified before it was permitted to proceed with this action.
(This assumes Defense+ is not disabled).

[kail]

I'd just like to say: Whilst you may well be able to terminate cmdagent.exe (the service), you'd still need to tackle CIS's drivers (the business end) to actually circumvent it in anyway. And even if by some miracle you managed this.. I strongly suspect you would need to reboot to return the TCP stack back to a workable state. In fact, given CIS's hooks you may not have the choice. In any event, it will only end tears.

[adioz86]

Easy thing.

When you disable Defense+, and do not have another HIPS, it would be easy to terminate both process.

Other Firewall and Antivirus solutions works a little bit like an HIPS, but just for their own applications. I think this is the selfprotection of these FW and AV solutions you mean. They try to prevent everything from terminating their process.

In Comodo this selfprotection is integrated in Defense+. You haven't the choices to not install it. It will always be installed. So this is the selfprotection part of CIS. This selfprotection works, when you have Training Mode or higher level of D+, 'cause then it cares about the rules. In disabled mode every action is applied, and no rule will be triggered.

By disabling this, there wouldn't be a opportunity that CIS can protect its self.

So if you use another HIPS, it should be able to protect Comodo Firewall and AV from being terminated.

[fragglerockboy]

I am also able to terminate both cfp.exe and cmdagent.exe of CIS from the task manager without any problem whether as a regular user or as an administrator. I have Defense+ set to safe mode, with all options checked under Defense+ monitor settings. I see from the last post that self protection is integrated into Defense+ , however I am curious as to why I'm able to terminate them if they are protected. When someone else may be using my pc under any login, then I don't want them to be able to disable any of it.  For years I always used Norton, which was too paranoid/ too many false positives at times, but a feature I truely to this day like: Tamper Protection.   With Tamper Protection enable in Norton you were unable to kill/terminate any of the running processes whether intentionally or accidentally even with trying multiple methods to close them. You couldn't terminate them unless you went into the Norton control panel option, unchecked tamper protection, then restarted your pc.   Is there any way for CIS to integrate tamper protection like Norton?

[Dennis2]

Welcome to the forum fragglerockboy

Whilst you do not have Defence+ disabled you should not be able to kill cmdagent screenshot.

Possible problems with install leftover drivers etc.

Dennis

[Tags:]