Hi CPU consumption by cmdagent when running browsers

[Guest]

[Stuntman Mike]

Hi Stuntman

You active process list will help to see what permissions files are running with. Lack of permissions can cause CPU issues.

I am afraid the links you posted don't work on my computer.

Best wishes

Mouse

there you go

[mouse1]

Well something is causing files in a temporary directory to run and access CIS in memory, probably your browsers. Unfortunately your screenshots are very blurred and do not show full paths so I'm not clear what is running in many cases, though one program is TCP optimiser.

Also you are running at least one suspicious file - see your active process list.

So things are beginning to look a little bit worrying. Could you please post clearer and more complete screenshots, showing all the contents of all columns and several days worth of logs. You can append .jpg files direct to posts.

Meanwhile I would also 1) quarantine the suspicious file, unless sure it is safe 2) run a full scan of your computer on max scanning settings and quarantine anything that is detected 3) make sure your CIS security levels are at least as strong as those set by the proactive security configuration (if you think they are not just activate this config). Then post your AV logs if anything is detected.

I'll split this off from this trace as its a bit lost

Best wishes

Mouse

[mouse1]

Also, if you are technically knowledgeable you could try running CCE as explained in this post here.

Please note that CCE can itself cause problems so please don't do this without further guidance unless you understand what you are doing.

[Stuntman Mike]

Well something is causing files in a temporary directory to run and access CIS in memory, probably your browsers. Unfortunately your screenshots are very blurred and do not show full paths so I'm not clear what is running in many cases, though one program is TCP optimiser.

Also you are running at least one suspicious file - see your active process list.

So things are beginning to look a little bit worrying. Could you please post clearer and more complete screenshots, showing all the contents of all columns and several days worth of logs. You can append .jpg files direct to posts.

Meanwhile I would also 1) quarantine the suspicious file, unless sure it is safe 2) run a full scan of your computer on max scanning settings and quarantine anything that is detected 3) make sure your CIS security levels are at least as strong as those set by the proactive security configuration (if you think they are not just activate this config). Then post your AV logs if anything is detected.

I'll split this off from this trace as its a bit lost

Best wishes

Mouse

sry for blurry pic its 1280x1024.. suspious file i use is program for fast switching between speakers and my usb headset so i dont need to go in control panel.. the tcpoptimizer i used to optimize my connection for broadband thats all i have done full scan of my computer with quick sound switcher in startup and it has found nothing..

[algorian]

Just add chrome.exe to exeptions list.

Comodo AV -> Scanner Settings -> Exclusion -> Add -> Running Processes -> Chrome.exe

[mouse1]

Just add chrome.exe to exeptions list.

Comodo AV -> Scanner Settings -> Exclusion -> Add -> Running Processes -> Chrome.exe

Good thought, might help, but I am unsure whether this will affect whether CIS scans browser add-ons. D+ should still give some protection though. Anyone know?

You can always try some of the other solutions in this faq, too.

Solving high CPU problems.

To really diagnose what is happening we'd need to know more about your system and settings, you could for example answer some of the the bug report questions to give us this:

(I think you have answered 2 already, so just leave this out). It would also be good to know processor speed and RAM,

1. CIS version, AV database version & configuration used:
2. a) Have you updated (without uninstall) from from a previous version of CIS:
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
3. a) Have you imported a config from a previous version of CIS:
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
4. Have you made any other major changes to the default config? (eg ticked 'block all unknown requests', other egs here.):
5. Defense+,  Sandbox,  Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV = 
6. OS version, service pack, number of bits, UAC setting, & account type:
7. Other security and utility software currently installed:
8. Other security software previously installed at any time since Windows was last installed:
9. Virtual machine used (Please do NOT use Virtual box):

[Stuntman Mike]

Good thought, might help, but I am unsure whether this will affect whether CIS scans browser add-ons. D+ should still give some protection though. Anyone know?

You can always try some of the other solutions in this faq, too.

Solving high CPU problems.

To really diagnose what is happening we'd need to know more about your system and settings, you could for example answer some of the the bug report questions to give us this:

(I think you have answered 2 already, so just leave this out). It would also be good to know processor speed and RAM,

1. CIS version, AV database version & configuration used:
2. a) Have you updated (without uninstall) from from a previous version of CIS:
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
3. a) Have you imported a config from a previous version of CIS:
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
4. Have you made any other major changes to the default config? (eg ticked 'block all unknown requests', other egs here.):
5. Defense+,  Sandbox,  Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =  
6. OS version, service pack, number of bits, UAC setting, & account type:
7. Other security and utility software currently installed:
8. Other security software previously installed at any time since Windows was last installed:
9. Virtual machine used (Please do NOT use Virtual box):

2. a) Yes
   b) Yes
3. a) no
4. no
5. defense=safe mode (exclusions(dkservice.exe,chrome.exe)), sandbox=off, AV/firewall=safe mode
6. windows xp sp3
7.auslogics boostspeed
8. no clean windows xp install
9. nope..

AMD FX 4000+ 2.41 ghz 2 GB RAM, and dont bother anymore its just old computer

[mouse1]

OK there are a few problems you can sort here:

• Programs accessing cmdagent in memory. If you go through your D+ logs you should be able to find quite a few of these. If and only if you know they are safe you can allow them to access CS in memory as described here.
• You seem to be running quite a lot of installers without allowing them the privs they need to install software properly. Check whether they are safe, and if so allow the unlimited access the installers normally request. If they don't request this maybe you have switched off 'automatically detect installers', probably when you switched the sandbox off. If you have you need to apply the installer/updater policy to such installers in the Computer Security Policy D+ rules. Otherwise program installations may be incomplete. Possibly you have some incomplete browser installations.
• You may be be installing or running software direct from browsers, without saving the files first. This is undesirable security-wise, and may lead to high browser CPU when the installers are blocked from doing their stuff
• You are running quite a lot of files that are not immediately recognized by CIS as safe, so you need to check unrecognized files regularly and make those you trust, trusted files
• Adding your suspicious file to AV exclusions and adding it to the D+ trusted files list should prevent CIS from re-scanning it constantly

You might find that CIS works better for you if you revert to more default settings. Running with the sandbox switched off demands quite a lot of thought and quite a lot of knowledge about CIS, and software more generally.

Are you sure your Firewall logs show nothing? With your setup, I'd expect something in there....

Best wishes

Mouse

[Stuntman Mike]

OK there are a few problems you can sort here:

• Programs accessing cmdagent in memory. If you go through your D+ logs you should be able to find quite a few of these. If and only if you know they are safe you can allow them to access CS in memory as described here.
• You seem to be running quite a lot of installers without allowing them the privs they need to install software properly. Check whether they are safe, and if so allow the unlimited access the installers normally request. If they don't request this maybe you have switched off 'automatically detect installers', probably when you switched the sandbox off. If you have you need to apply the installer/updater policy to such installers in the Computer Security Policy D+ rules. Otherwise program installations may be incomplete. Possibly you have some incomplete browser installations.
• You may be be installing or running software direct from browsers, without saving the files first. This is undesirable security-wise, and may lead to high browser CPU when the installers are blocked from doing their stuff
• You are running quite a lot of files that are not immediately recognized by CIS as safe, so you need to check unrecognized files regularly and make those you trust, trusted files
• Adding your suspicious file to AV exclusions and adding it to the D+ trusted files list should prevent CIS from re-scanning it constantly

You might find that CIS works better for you if you revert to more default settings. Running with the sandbox switched off demands quite a lot of thought and quite a lot of knowledge about CIS, and software more generally.

Are you sure your Firewall logs show nothing? With your setup, I'd expect something in there....

Best wishes

Mouse

thanks for help.. problem is i'm behind a nat of router and since i got router i had never any entries even though its on safe mode.. can you explain bolded part i use all predefined policies of comodo where u see i dont use correct one?
also problem is i don't have any unrecognized files in logs

ty again for help..

[mouse1]

You are running installers, eg Flash player, and these are asking for extended permissions, thus generating log entries, eg 'access Com interface'.

You might be allowing these, or they may be being blocked silently. Even if you are allowing the ones in the logs there may be others which are being silently blocked (CIS very occasionally does this), or in which the installer times out before you allow them.

This is all probably happening because you have disabled the sandbox, and therefore automatic installer detection.

If you apply the installer updater policy to installation files before you run them this will not happen. You do this in the computer security policy ~ D+ rules, making sure you place the rule above any all applications rule.

(The other points i make are maybe more important than this one, though it may be relevant).

Best wishes

Mouse

[Stuntman Mike]

You are running installers, eg Flash player, and these are asking for extended permissions, thus generating log entries, eg 'access Com interface'.

You might be allowing these, or they may be being blocked silently. Even if you are allowing the ones in the logs there may be others which are being silently blocked (CIS very occasionally does this), or in which the installer times out before you allow them.

This is all probably happening because you have disabled the sandbox, and therefore automatic installer detection.

If you apply the installer updater policy to installation files before you run them this will not happen. You do this in the computer security policy ~ D+ rules, making sure you place the rule above any all applications rule.

(The other points i make are maybe more important than this one, though it may be relevant).

Best wishes

Mouse

but it asks me when unknown installer starts installing isnt that the same thing?

[mouse1]

but it asks me when unknown installer starts installing isnt that the same thing?

If it is giving you a unlimited access alert, and you are allowing it that's fine. Some of your installatiosn are generating log entries that should not be generated if you had allowed an unlimited access alert - eg Flash installation.

You may find it helpful to read the 'guide to the sandbox' - see my signature for a link.

A thought from another trace is that the situation may improve if you clear the browser caches. Not sure why this should help cmdagent, but worth trying none-the-less.

Guess probably best now to leave you to try out all the things we have discussed.. then feed back.

Hope one of them helps

Best wishes

Mouse
Best wishes

Mouse

[Stuntman Mike]

just to tell you after enabling sandbox, it automatically fixed cmdagent lol thats strange

[mouse1]

just to tell you after enabling sandbox, it automatically fixed cmdagent lol thats strange

Thanks for the feedback. Interesting.

Possibly the sandbox alerts/notifications lead you to grant some files the permissions they needed? Or maybe the sandbox suppressed attempts to access cmdagent in memory.

Best wishes

Mouse

[Stuntman Mike]

Thanks for the feedback. Interesting.

Possibly the sandbox alerts/notifications lead you to grant some files the permissions they needed? Or maybe the sandbox suppressed attempts to access cmdagent in memory.

Best wishes

Mouse

yes, seriously its strange before it was cmdagent on 60%-100% cpu usage and now its at most 40% and very rarely.. i think that u are right that sandbox supressed to access cmagent in memory..
tyvm for help and suggestions.. never thought that sandbox on off is a problem..

[Tags:]