2 running processes of cavse.exe and HIPS problem

I have just uninstalled CAV v1.1 and installed v2.0. I used the uninstaller mentioned in these forums to remove v1.1.

I have a couple of issues that I need help with.

Issue 1:
I now have two instances of cavse.exe running under processes in Windows Task Manager. One using 18,556K and the other 18,560k. While I’m not great on computers this does not seem correct. If it is supposed to run two … great… if not, how do I stop one from starting and how do I determine which one needs to start?

Issue 2:
I have had to shut down the HIPS part of the program. I use an all purpose program called PowerPro to start other applications through a menu system as well as reminders, startup programs, etc. Whenever I enable HIPS and try to start a program such as Opera, IE or any other program for that matter through the user created menu HIPS throws up a warning with the “Allow” - “Deny” choices and completely freezes the computer. An hour glass shows on the cursor when placed over the popup from HIPS but I can not select either allow or deny. I can not shut down the computer under this condition except to hit the power button. Any advice on how to get HIPS to allow PowerPro would be greatly appreciated. I think I understand why HIPS stops PowerPro and asks as it is an application starting another application. I did have to allow each startup of Opera and IE6 as well as most of my other Internet Apps to connect through Comodo Firewall Pro.

Any help would be appreciated,
Stan
OS: XP Home SP2 - all updates installed except IE7

I found the answer to issue 1. It seems 2 cavse.exe is normal.

https://forums.comodo.com/index.php/topic,6013.msg44699.html#msg44699

Still have the problem with HIPS. I tried again and waited over an hour and my computer stayed locked. Tried ending task on PowerPro and CAV but had to use the power off. On startup XP ran chkdsk, all was ok then powered up. I did place the PowerPro folder in the exclude from HIPS application control list but it didn’t make any difference.

It may be worth uninstalling powerpro, removing any entries for it in CAVS and then re-installing it whilst CAVS and HIPS is running.


Hi Stanr,
Yes, two instances of CAVse.exe is normal.
Can you please add the PowerPro installed directory as user-marked safe files for HIPS and check again?
To do that, select
Settings->HIPS application control->General->Manage Allow/Block List->Manage. You will get the allow/block manager dialog.
Then select “show user marked safe files” and click on the “Mark Safe…” button to select the PowerPro installed directory.

regards
Kishor

Hi Kishor,

Thanks for the reply.

I checked the “Manage/Allow” list however PowerPro is not listed as I can’t get by the “Allow/Block” dialog popup when HIPS is running without the computer freezing. Let me more clearly identify the “Freeze”. It is more like CAV Hips is freezing not the entire computer. I can open the main XP menu and get to the Shut Down selection however the computer then goes through a series of programs not responding and clicking the “shut down now” does not work and I end up using the power switch.

If I understand correctly the popup dialog is the only way to get the program on the list. Is there any way of manually entering it? I did put the PowerPro folder on the “exclude from HIPS control” list but it didn’t make any difference. Perhaps I need to enter each program folder that PowerPro uses to get by this. That would be just about every program I use.

Perhaps I am not clearly identifying what PowerPro does. Here is the home page:
http://powerpro.webeddie.com/
This will give you a more clear overview of PowerPro functions should you wish to explore it.

I have a few programs on the HIPS Allow/Block list including CAV, cmain.exe. It just will not process PowerPro.exe or its configuration exe.

Stan

Sounds to me like PowerPro is acting like a form of application control that is similar to a HIPS program in that it controls startup of various programs. Having checked the website and searched around a bit it seems likely that PowerPro and CAVS HIPS are not going to be compatible - it is like trying to run two HIPS programs at once?


Hi Anderow,

Thanks for the reply and your time in looking into my problem.

PowerPro does control the startup of applications along with many other functions that I rely on in the daily use of my computer. So I guess HIPS will have to remain off as I have used PowerPro for many years. I am not that computer savvy to understand the ramifications of not using HIPS.

I had to give permission in each instance of an application that I started with PP that wanted to connect to the Internet through CFP. I have read that v3.0 of CFP will have a HIPS control as well. I hope it will have an option to disable it as CAV does.

Thanks again,
Stan

I suspect it will have that option. If it does not initially have this I am sure forum members will use weight of numbers to persuade Comodo to add it.


I certainly hope there is a HIPS on/off option in v3 otherwise I will be out of luck.

It seems that HIPS would not be compatible with any program launcher other than the OS quick launch menus. Then again I’m not sure what I’m talking about.

Is there any more information on HIPS that can better explain what it’s doing? (I’ve read the help files)

Is it possible to have PowerPro added to the Comodo “Safe List” and how is the “Safe List” updated on my computer? Or would it not work even if on the “Safe List”?

Thanks for your patience in dealing with my lack of knowledge on this.

Stan

It may be worth you submitting a support Ticket at:

I suppose it is possible the Comodo team may be able to sort this problem out for future releases.


By submitting the powerpro executable to Comodo for analysis, it will go thru a process for inclusion to the safelist in the future.

In addition to the method Kishor gave, you can also completely exclude powerpro in HIPS. Go to Settings/HIPS/General/What Items to exclude from HIPS application control. Click on New. Then flick the folder icon button to browse to powerpro’s program file. You can either include the whole file (using the “subfolders” checkbox) or just the executable (which would be more secure).

As far as the ramifications of turning HIPS off… HIPS is the “Prevention” aspect of the application. Its purpose is to give the user an opportunity to stop an application (or .exe, .dll, etc - depending on the level you select) from running. This means that when malware would try to run, you get to stop it. This happens before your AV gets a chance to detect it, meaning that you don’t get infected and then have to remove it - you never get infected in the first place. And yes, with CFP v3, you will have the option to turn off HIPS, just as in CAVS. You will also have a much larger safelist, due in part to users submitting files like powerpro to Comodo.

LM

‘By submitting the powerpro executable to Comodo for analysis, it will go thru a process for inclusion to the safelist in the future.’

There are still files that I submitted five months ago that are not on safelist - even BOclean files are not on it.

‘In addition to the method Kishor gave, you can also completely exclude powerpro in HIPS. Go to Settings/HIPS/General/What Items to exclude from HIPS application control. Click on New. Then flick the folder icon button to browse to powerpro’s program file. You can either include the whole file (using the “subfolders” checkbox) or just the executable (which would be more secure).’

Stanr has said that he has already tried this and it does not work.


The safelist databases that are currently used by CFP and CAVS do not contain the full safelist database Comodo has. The fully functioning database (which has over 300,000 files, compared to 11,000 in the databases being used) will be first added in CFP v.3. It will then be added to CAVS. There are over 3,000 files being added to this database on a daily basis thanks to users submitting files.

Mike

That is great Mike and I look forward to CPF3. However, users like Stanr are having problems now and I am sure would rather not wait too long to be able to use the great HIPS feature of CAVS. As he has said, he has added the PowerPro folder to exclusion list and PowerPro still does not work with CAVS. Surely he should submit a support ticket so that Comodo can look into getting CAVS HIPS to work with programs such as PowerPro - this may not be a case of exclusion list problems but of some kind of clash between the applications.


I’m sorry for the delay in responding to the recent posts regarding the problems I’m having with HIPS. I work 14 hour days and needed some time to think about all that has been said plus the energy to look in to what was going on in depth. This is my first day off and have been at it since 5:00 am.

I’m happy to say that I have resolved my problems with HIPS and PowerPro.

With the explanation from Little Mac on what HIPS is doing as well as posts from Mike, Androw and Kishork, no specific order of appreciation, I came to the conclusion that in fact there was not a problem with HIPS, CAV or any of the programs on my computer. The problem seemed to be that a program not on the safe list, PowerPro, was trying to start another program not on the safe list. This froze both the PowerPro, the program it was trying to start and CAV/HIPS.

What I did is go back to the beginning and remove all programs from my start list, including PowerPro. Turned on HIPS and started each one from the XP menu. As each program started I gave it permission through HIPS. This led me to start every program on my computer and add them to HIPS as it requested. I was quite surprised at the programs that HIPS passed without objection, perhaps they were already on the safe list. I was also surprised at those not on the list like win32k.sys.

I agree that if a list of 300,00 files already exists it should be released now not later. I would have a lot more hair than I do now. Please don’t misunderstand, I appreciate all that Comodo is doing with the free programs and keeping us safe from the bad guys. However if the list is that large and the list released with the program is only 11,000 some form of warning should be given on the install. Maybe there is and I just missed it.

In any event I’m sure I missed a few and am still looking over all my installed programs so that I don’t have the lock up, shut down, restart situation again.

One more question, when submitting the programs I have marked as safe does CAVS send the file or just the name of the file? I am on the world’s worst dialup connection of about 11 to 24 kbps and to send all these complete files will take forever.

Thanks for all your information and help. This is a great forum and you folks are very kind to put in your time helping those of us that are wandering around in the darkness of little knowledge and frustration. Perhaps in time I will be able to return the favor to someone less knowledgeable than I. However, they will really have to be at the bottom of the knowledge base.

Thanks again,
Stan

Great news Stan, I am glad you sorted your problem. Very logical the way you went about it I must say, I should have thought of that (hindsight ha ha).

Let’s hope we get access to the full database soon…

That’s a lotta work, Stan; I’m glad it paid off for you. Yes, when you submit the file, it sends the whole thing. That way Comodo can do their analysis. You can uncheck items from the list, so that in effect you only send one at a time. Still a pain, but it might hurt a little less…

My apologies if you had already tried the Exclusion list; it looked to me as if you had only tried the Manage Allow/Block List, which is different. Some users reported issues with using the Excluder anyway, but looks like today’s update should have fixed that issue.

There is an option under the HIPS/Advanced tab, to verify a file thru the Comodo Safelist Server, if it’s not found as safe. I think (although I don’t know for fact) that this will update your list when you encounter a new file; I don’t know if that update would be from the Mega-safelist, or the Mini-safelist. :wink:

LM

Yes it was a lot of button clicking but in the end at least I have the protection which was the objective and what hair I didn’t tear out the first few days remains.

I’m afraid the work isn’t done yet. I’ve found that even if a program has been placed on the allow list it will again require approval if the command parameters are different than the first allow. For example I use Directory Opus as my file manager, allowing dopus.exe was fine as in C:\Program Files\GPSoftware\Directory Opus\dopus.exe. However, if you add the command parameter C: as in C:\Program Files\GPSoftware\Directory Opus\dopus.exe C:
HIPS requires you to again allow it. Kind of a pain as you can add any directory as a command parameter and each will require an allow from HIPS. I think I’ve found a workaround but not sure yet.

As to submitting files to be examined for the big list. Some of these files are 7 to 10 MB or larger and I have 57 already. That’s about a month’s worth of connect time at 1.0kbps upload & if I could keep this awful dialup thing connected for that long. I will plug away at them, at least the lesser known ones like PowerPro Hosts Toggle and a few others. The rest I will have to rely on being used and submitted by someone else that has a higher connection speed or until I get the satellite internet up and running, which may be a while. I can’t be the only person using Winrar, Jet Audio, HighJackThis and the like.

Too bad I can’t send them a CD or at least know which ones have already been sent.

Be well,
Stan

You can lower the security level of HIPS from Medium to Low; perhaps that will reduce the activity some. Then again, it may not. It may be a pain, but technically that shows the protection it offers; the program is (ever so slightly) different because of the different parameter. The option would be to use the Excluder rather than the Allow manager, and exclude the entire file folder in which the application resides.

By all means, only focus on those out of the ordinary programs. I’m pretty sure I’ve sent winrar myself, and I’m sure others have. That & HJT are not that unusual.

LM
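
Added example, not part of the thread and not Comodo's code: a small Python model of the trade-off discussed in the last two posts, comparing an allow decision remembered per full command line, per executable, or per folder. How CAVS actually keys its rules is not documented here, so the three key functions are assumptions, the launch list is constructed, and `unknown.exe` is a hypothetical file.

```python
import ntpath

def norm(path):
    # Windows paths are case-insensitive; normalise case and separators.
    return ntpath.normcase(ntpath.normpath(path))

# Three assumed rule granularities, from strictest to loosest.
def key_cmdline(image, args):
    return (norm(image), args.strip())      # executable plus its parameters

def key_image(image, args):
    return norm(image)                      # executable only

def key_folder(image, args):
    return norm(ntpath.dirname(image))      # whole folder, as with an exclusion

def count_prompts(launches, key_fn):
    """Count prompts when each one is answered Allow and remembered under key_fn."""
    allowed, prompts = set(), 0
    for image, args in launches:
        key = key_fn(image, args)
        if key not in allowed:
            prompts += 1
            allowed.add(key)
    return prompts

def covered(launch, key_fn, trusted_launch):
    """True if a rule created for trusted_launch would also let launch run."""
    return key_fn(*launch) == key_fn(*trusted_launch)

DOPUS = r"C:\Program Files\GPSoftware\Directory Opus\dopus.exe"
# Constructed launch history: same program, different parameters and path case.
LAUNCHES = [(DOPUS, ""), (DOPUS, "C:"), (DOPUS, "D:"),
            (DOPUS, "C:"), (DOPUS.upper(), "")]
# Hypothetical unknown executable sitting in the same folder.
UNKNOWN = (ntpath.join(ntpath.dirname(DOPUS), "unknown.exe"), "")

if __name__ == "__main__":
    for name, fn in [("command line", key_cmdline),
                     ("executable", key_image),
                     ("folder", key_folder)]:
        print(f"{name:12} prompts={count_prompts(LAUNCHES, fn)} "
              f"unknown.exe covered={covered(UNKNOWN, fn, (DOPUS, ''))}")
```

The per-executable key removes the repeated prompts without extending trust to other files; the folder key removes them too but also covers anything else placed in that folder, which is why excluding just the executable was described earlier in the thread as more secure.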