100% CPU load when (parallel) installing I/O intensive apps (3.0.25.378, x32)

Additional software info:

  • Windows Vista Ultimate SP1
  • BitDefender 2008

I have installed CFP and I am very happy with it in daily use. BUT I have one serious (reproducible) problem especially when I am installing new applications:

At that point (especially when I have more than one installation in parallel) my computer freezes for several seconds. Then a CFP warning message comes up (of different type) which I allow and just after a short time the computer freezes again until the next CFP warning message. This way an installation takes a long time.

Using SysInternals ProcMon I monitored what’s happening. It’s definitely the CFP.exe process that sucks up the CPU. In addition this process makes an awful lot of requests to the registry (reading policies and rules…)

As I am a developer myself I would recommend a more clever algorithm when accessing the rules from the registry. For example: Build a hash across all rules and only re-read the rules when the hash has changed. Otherwise buffering them in memory should be the choice. Once you add another rule (to the registry), calculate a new hash and update it in the registry.

What’s really bad: I do not even have the chance to disable CFP during such a period. A right click in the tray is simply ignored (it probably gets lost due to the high load / opening of the warning dialogs). Updating FF3 from 3.0.0 to 3.0.1 took me ~15 minutes now. :(
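As an added illustration of the hash-check scheme proposed above (example code, not from the post or from Comodo; the registry is a constructed in-memory stand-in and all names are hypothetical), the cache below re-reads the full rule set only when the stored hash differs from the one it last saw:

```python
import hashlib
import json


def rules_hash(rules):
    # Canonical serialisation so the same rule set always hashes identically.
    blob = json.dumps(rules, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


class FakeRegistryStore:
    """Constructed stand-in for a registry key holding HIPS rules.
    Every value read is counted so the caching effect is measurable."""

    def __init__(self, rules):
        self.values = {"Rules": dict(rules), "RulesHash": rules_hash(rules)}
        self.reads = 0

    def read(self, name):
        self.reads += 1
        return self.values[name]

    def write(self, name, value):
        self.values[name] = value


def naive_lookup(store):
    """The pattern the post complains about: re-read every rule on every lookup."""
    return dict(store.read("Rules"))


class RuleCache:
    """Keeps the rules in memory; reloads them only when the stored hash changes."""

    def __init__(self, store):
        self.store = store
        self.cached_hash = None
        self.rules = {}
        self.full_reloads = 0

    def get_rules(self):
        current = self.store.read("RulesHash")  # one cheap read per lookup
        if current != self.cached_hash:         # first use, or rules changed
            self.rules = dict(self.store.read("Rules"))
            self.cached_hash = current
            self.full_reloads += 1
        return self.rules

    def add_rule(self, app, action):
        rules = dict(self.store.read("Rules"))
        rules[app] = action
        self.store.write("Rules", rules)
        self.store.write("RulesHash", rules_hash(rules))  # new hash invalidates caches
```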

You’re supposed to use install mode when installing anything. Hope this helps. Also, do not post bugs unless you have read all the important topics. Whenever I install something I open up Comodo and click “switch to install mode”. Works like a charm.

https://forums.comodo.com/help_for_v3/games_application_installation_comodo_firewall_pro_3-t24179.0.html

Also read the help file system. Here is a quote.

Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create ‘Allow’ rules for any executables - although you still have the option to treat an application as ‘Trusted’ at the Defense+ alert. Choosing this option will generate the most Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules for these activities. For non-certified, unknown applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in ‘Clean PC Mode’, then ‘Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.

Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called ‘Child Processes’. In ‘Paranoid’, ‘Safe’ and ‘Clean PC’ modes, Defense+ would raise an alert every time these child processes attempted to execute because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage ‘Installation Mode’ - which will temporarily bestow these child processes with the same access rights as the parent process - so allowing the installation to proceed without the usual alerts.

If you are installing a new, unknown application, Defense+ will alert you with a pop-up notification and, as you want to allow this application to continue installing, you should select ‘Treat this application as an Installer or Updater’ at the Defense+ alert. You will subsequently see the following:

Updating Firefox via the internal updater found under the Help tab in Firefox took me all of 5 secs.

I am aware of that feature. However - sometimes (I did not yet find a way to reproduce) when I am installing / updating stuff this option is not available.

So… if you are saying this is the way to go, I can live with it. However: I still find it weird that during an installation CFP would take so much CPU power due to HIPS (my Defense+ setting is “Safe mode” meanwhile, after a learning phase of ~2 months).

I mean: After all, there is room for improvement, right? Especially the registry usage as I mentioned is (IMHO) not the best you could do.

The option to switch to install mode is always available. If I download something, then before I install what I downloaded I open up Comodo and click “Switch To Install Mode”.

Ah - this option you mean (didn’t realise this exists 88)). Ok… I got that part wrong. I thought you meant the choice “treat as installer” in the combobox of a warning window.

If you have a program that updates daily you need to make that program an updater under D+. Such as your av updater or Logitech’s updater.

To install an app you need both “treat as installer” and Switch CFP to installation mode.

D+ policies in the “treat as” menu are context sensitive; anyway, you’ll surely find an option to treat as installer/updater as soon as you get an alert that is different from “run an executable”.

PS: please add a URL to download a few installers that trigger this issue when not run simultaneously.

ok… my last try - then I will honestly shut up.

I really believe the HIPS as it is now is not the best you can do. I’ll give you another example which has the same cause IMHO: I am using the ProcMon utility of SysInternals very often. This causes the same 100% CPU load as installers do if you do not switch to installation mode. Hence it really makes no sense to me to switch to an “installation mode” whenever I use such tools, simply because that is not an installation at all. You can try it yourself: just use this tool in combination with an I/O intensive application.

Just to clarify: The Comodo firewall is GREAT. I don’t want to blame here in any way. But such strange conditions are no good for your product. I really would like to know what causes this high CPU load. I know of other firewalls (like Sunbelt/Kerio) which have HIPS too, but this runs way faster and does not require a special “mode”. Now don’t worry - I switched from Sunbelt to Comodo for enough reasons and I won’t go back. So I am not saying “product XXX is better”.

But really: From a technical point of view: What happens with CFP in such cases? Registry access could be a reason but I doubt that’s the major cause meanwhile. But what is it?

With regards, Morten.

Install mode is for installing. If you want to use SysInternals tools then make each tool trusted under D+, which is what I do. Why don’t you try using D+ in training mode for a bit.

I’m not a developer, but I guess the purpose of the bugreport board is to define scenarios that can either be confirmed or await other members’ cooperation in order to fill the missing gaps.

Since this is a performance issue and system specs and installed software are different, I guess there are too many gaps to draw a conclusion.

I guess the relevant thing to be objectively evaluated is the difference in performance (overhead).

What is your CPU type and speed?
What is your free memory + cache memory?
What CFP modes do you use during those tests?
What CFP policies for the tested applications?
Are there any related entries in CFP Logs?
How much difference (Seconds,CPU load, etc.) is there with CFP D+ disabled mode?
How much difference is there with CFP D+ permanently Deactivated?
Can you provide a URL to download a few installers that trigger this issue when not run simultaneously and without procmon?
Can you post a gmermlware scan log and a list of running processes?

About procmon: what happens if you disable all the monitoring functions?
Did you leave BitDefender 2008 realtime scanning enabled during those tests?
Can you disable and uninstall BitDefender 2008 to test the performance hit?
What I/O intensive application do you use to carry these tests?

With this information anyone who reads this topic could try to test this in a reproducible way.