Greetings all. It has been many years since I posted a question so go easy on me if its the wrong forum.
I seem to have some strange issues with comodo premium. I ran comodo diagnostics and it thinks everything is fine. Product version reports : 5.9.221665.2197 - virus database : 11441 .
I was previously running 5.8.xxx and I was having a hell of a time with the defense+ working properly. It was constantly showing dialogue boxes about applications being sandboxed but would never remember or honor when I clicked the "don't isolate" option, and also these were applications that were explicitly marked as safe. I tried everything, even uninstalling, formatting, putting a fresh version of win7 64bit on with nothing but drivers and browsers. After several hours I ran into the same issue again with 5.8.xxx. It was sandboxing every application that was launched regardless of its safe status or if I hit the "don't isolate again" option.
So I decided to move on to 5.9.221665.2197 with a clean install win7 64bit.
So far it works much faster than the previous version but I still randomly run into the duality problem. If I log into a user account too fast, CIS will report that every executable launched from that profile is unkown and being sandboxed. Examples - SynTPEnh.exe, dllhost.exe, consent.exe, and atieclxx.exe.
When I go into the log file and click on "add to trusted files" it says the files are already trusted, which doesn't explain why it was sandboxed. This is very similar to the problem I was having with the earlier version. It only seems to happen if I log into the user account right when the laptop is booted. If I wait awhile (for the disk activity to stop) then try to log in the user account it doesn't sandbox any of the items except atieclxx.exe, which always triggers a sandbox alert no matter what I do.
This behavior occurs even after a clean install, plain vanilla MS verified windows 7 64bit install cd.
I have three question.
One : Is there a way to turn on detailed logging (or debugging logging)? I need to see what is going on underneath and the logging system has been designed for extreme simplicity, not troubleshooting. If I could see a path logic, like why a file was determined to need to be sand-boxed, it could help me pinpoint the issue much faster, and I would respect the devs a lot more for providing some more transparency.
Two: Is there a way to turn on PID reporting in the firewall/defense logging sections?!?! It drives me bonkers that the logging mechanism only reports the .EXE file responsible for the communication attempt rather than the process hiding behind the .EXE. To go into more detail as to my need for such a feature, my firewall logs are full of EXE files trying to contact akamai servers but I have no way to pinpoint the code or service that is hammering the firewall to get out. I know any generic service or executable that is signed properly can use the underlying com system, which essentially lets it hide behind svchost.exe in the logs, in practice this makes it near impossible to track which spawn is the culprit. So in my humble opinion it is absolutely necessary to track the PID on firewall logging, otherwise its just a big guessing game.
Three: Why does code running in the sandbox disappear from the task list and comodo? Yet the task that is invisible to comodo (meaning it does not show up at all in comodos task list service) is visible in the windows task manager? It requires a complete restart to get comodo CIS to see the executable code again, otherwise for the current session it fails to see the executable and it fails to sandbox it properly until the system is restarted again. When this problem occurs, the problematic executable fills up the firewall log with requests to communicate to the internet via the SYSTEM service, which gets blocked. Nothing I can do short of rebooting the system will fix the problem, as terminating the executable and running it again just repeats the problem of it not being seen by comodo and not being sandboxed.
I would appreciate any help or pointers. I usually debug this stuff on my own but this one has me confused. It is almost like there are two OS's running in parallel on this system, and one occasionally gets out of sync with the other. I know it sounds strange, but I still can't figure out why processes just vanish out of Comodo's running task lists and then appear to be running as SYSTEM.
And this is the 4th clean install of Win7, with reformat, new boot sector, etc.
Virus scan reports all clear. Normally I would blame it on a bad windows install, but seeing as I have reinstalled several times now, I can't blame it on a configuration problem.
Anyway, uh, help? Suggestions? Is this a bug that needs to be filed or is this a known issue?