Solving High CPU problems [v5]

[mouse1]

SIX STEPS TO SERENITY
The following assumes that you are running CIS 5.12. If not please update to 5.12 before trying the below, as a common problem with AV updates and cpu has been progressively resolved in later versions of CIS 5.x. (This FAQ is a simpler version of the original more diagnostically-based FAQ which can still be found here).

Try the following six steps, in order:

• Check Defense+, Firewall and AV logs and make trusted or exclude files generating log entries, including any D+ Unrecognised files if you are sure they are safe. To address log entries which cannot be addressed in this way see programs accessing CIS in memory, peer-to-peer firewall problems.
• Exclude any file that causes hi CPU when it starts, or is batch AV scanned, using Scanner settings ~ Exclusions if you are sure they are safe. To determine files causing batch (ie scheduled or manual) scan problems see here.
• Uninstall and re-install CIS completely using the process here and consider disabling Geekbuddy on re-install.
• Try the Low CPU Config here. If this solves the problem but you are not willing to accept the small reduction in security involved, then relax the changed settings one by one until you find the problematic setting. Then load say the proactive config & change just that setting.
• Uninstall any other security program you may have installed using standard uninstaller then rebooting then using forced uninstallers. If this resolves the problem and you want to retain the program try the recommended options here.
• Finally, there may be an application incompatibility that does not create log entries. Follow the FAQ for resolving application incompatibilities. Or you may just have too many programs running!

MORE SERIOUS MEASURES
If none of the above work you are left with more serious measures, like detailed technical investigation of application conflicts or switching off some AV functionality (safer than it seems if you are technically competent).




Please help us improve this FAQ by posting suggestions to the 'Help materials - Feedback topic' here.

This FAQ has been prepared by a volunteer moderator – with input from many other moderators (Thanks everyone, especially: Kail, HeffeD). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.

Updated: 31 January 2011, to reflect changes up to CIS version 5.9.xxx

[mouse1]

                                 APPLYING LOW CPU SETTINGS

EITHER: Apply settings using the config file
The config file is a proactive config file with all the low cpu changes listed in 'Settings to Change' below except the theme/skin change. To use it:

• Download the low cpu config file by clicking on here. Simply save it to the main CIS directory & unzip it. Then import and activate it using More ~ Manage Configurations.
• Go to More ~ Preferences ~ Appearance and set the Windows theme and reboot. Answer any network configuration dialogs

OR: Apply settings by hand

• Settings to change.
• Settings to ensure set to proactive defaults.

THEN:

• Check Defence+, Firewall and AV event logs after a few days. If files that you trust are being blocked, make them trusted or exclude them from monitoring. Then disable all logging under More ~ Preferences ~ Logging. (Logging can cause cpu problems & does not directly affect security). You may need to re-enable it if you have an application malfunction that could be caused by CIS or you need to research a security issue.
• If all is working well (including AV scans) after a day or so, try re-enabling Adaptive Mode in Defense Plus settings. It is preferable to have this enabled security-wise, but it does cause cpu or freezing problems on some XP systems (eg mine!).

About these settings - please read!
Low CPU settings inevitably have some impact on security but this has been kept to a minimum.

• The core of CIS (Defence Plus and firewall) is unchanged on 32 bit systems.
• The 64bit Advanced Protection Mode has been disabled as most systems with cpu problems are 32 bit. This should be re-enabled on 64 bit systems
• Real time and scheduled AV scans are downgraded a little as, contrary to popular belief, this area is less important for your security that D+ and the firewall and tends to cause the most cpu problems.
• The manual AV scan is left at normal strength so you can always used this to check your computer.

[attachment deleted by admin]

[mouse1]

                                SETTINGS TO CHANGE


MORE/PREFERENCES
General tab:
Enable Comodo Message Center: Disable (Default = Enabled).
Show traffic animation in tray: Disable (Default = Enabled).

Appearance tab:
Set to windows theme

Logging tab:. (Apply after a few days as described in instructions above)
Disable Antivirus logging: Consider Enabling (Default = Disabled).
Disable Firewall logging: Consider Enabling (Default = Disabled).
Disable Defense+ logging: Consider enabling (Default = Disabled).


AV SCANNER OPTIONS
Change where applicable on real-time and and scheduled tabs:
Scan archive files: Disabled (Default=Enabled).
Show scanning progress: Disabled (Default=Enabled).
Do not scan files larger than: 20 MB (Default=40MB)
Create a scheduled scan profile and task to scan any one file daily to ensure AV updates.
(Realtime tab only:) Automatically update AV database: Disable


FIREWALL
Network Security Policy:
Simplify and purge application rules and any other rules. If you have a lot and don't know why they are there, consider a re-install (see notes at top of post).
Reduce number of trusted and blocked files


DEFENCE PLUS
Trusted files:
Reduce or purge trusted files, make trusted unrecognised files

D+ rules:
Simplify and purge. If you have a lot and don't know why they are there, consider a re-install without importing settings (see notes at top of post).

D+ Settings, general tab:
Enhanced Protection mode: Disable (Default = Enabled).
Adaptive mode: Disable (Default = Enabled)

[mouse1]

  SETTINGS TO ENSURE SET TO PROACTIVE DEFAULTS


MORE/PREFERENCES
General tab:
Show balloon messages: Disable (Default = Disabled).
Logging tab:
If the log file's size exceeds (MB).  (Default = 20MB).
'Delete it and create a new file'. (Default = Enabled).


AV SCANNER OPTIONS
On real-time and manual and scheduled TABs:
Enable Cloud Scanning (Default = Disabled).
Submit unknown files for analysis (Default = Disabled).
Enable rootkit scanning (Default = Disabled).
Heuristics Scanning Level  (Default=Low)
Do not show AV alerts (Default=disabled)
Show notification messages (if logging disabled - see More above): Default=yes
(All tabs apart from real time). Automatically update AV database: Enable


FIREWALL
General tab:
Do not show pop ups (if logging disabled - see More above): Default=disabled

Advanced tab:
Enable IPv6 filtering (Default = Disabled)
Protect the ARP Cache (Default = Disabled).
Block Gratuitous ARP Frames (Default = Disabled).
Block Fragmented IP datagrams (Default = Disabled).
Monitor NDIS protocols other than TCP/IP (Default = Disabled).


DEFENCE PLUS
General tab:
Create rules for safe applications (Default = Disabled).
Do not show popup alerts (if logging disabled - see More above): Default=Disabled

Sandbox tab:
Show notifications for automatically sandboxed processes (if logging disabled - see More above): Default =yes

[mouse1]

Complete re-installation will resolve a lot of CPU problems as it removes the registry clutter or corruption that often causes them.

Please note: All personal CIS settings will be lost,

Uninstall

• Uninstall using the normal CIS uninstaller then reboot
• Uninstall CIS using the forced uninstaller tool and reboot
• Run the forced uninstaller tool a second time and reboot

All parts of CIS will now be removed.

Reinstall
Now re-install using default settings (do not import a personal config file) and consider seriously:

• not re-installing Geekbuddy, as it consumes significant RAM, and is of most value if you get infected which you hope to avoid
• consider not installing the AV module. Defence plus is strong enough to protect you if you are a) disciplined enough never to allow an alert unless you are sure it's safe, and b) expert enough that you will not block things too frequently for convenience as a result.

[mouse1]

Detailed investigation of a CPU problem caused by an application conflict

The following set of steps should enable you to work out the cause of an obscure and difficult to fix conflict between a program and CIS. But its not for the faint-hearted! Steps 1-3 are easier than the rest and may give you enough info to hazard a guess though.

• Download Process explorer from: here.
• Add the cpu history and i/o history column to the default Process Explorer display, stretch out these columns and watch for cmdagent peaks. Look for an I/O or cpu peak in an executable just before or at the same time as the cmdagent peak. Any reasonably strong correlation is a suspect.
• If you find a suspect you can look at the graphs in more detail by looking at them in the properties of cmdagent and the suspect file
• Now you have the information needed to use another sysinternals program, procmon to find out what the application and CIS are doing when the CPU is spiking. So download this from here.
• Set up a filter that shows just actions by the application file and cmdagent.exe or cfp.exe and each time the spike starts to happen in process explorer note the time in procmon.
• Look at the procmon log around the appropriate times, identifying similar events
• Now you know what is happening, you should be able to set CIS up to ignore it, if you know the application to be safe

Using this approach I found in a previous version of CIS that the fact that a router monitoring program (routerstats) was writing huge image files (graphs) with an unusual extension to the disk, and CIS AV was scanning them for some reason. Excluded this directory under AV exclusions, and all was well.

[mouse1]

Switch off real time AV
Consider switching off real time AV using the security level slider, or removing all scheduled scans. Also consider uninstalling and re-installing CIS completely using the process here without installing the AV module.

Defence plus and the firewall alone are strong enough to protect you if you are a) disciplined enough never to allow an alert unless you are sure it's safe, and b) expert enough that you will not block things too frequently for convenience as a result.