A.V. persistently disrupts simple bat/CScript operation

A. The bug/issue

  1. What you did:
    I ran a simple script which measures the time taken for multiple instances of a choice of 3 different operations.
    By default it runs 100 instances of mode “C” which uses CScript which A.V. conflicts with.
    Modes A and B seem to be free of conflict.
    The conflict is removed when I set Antivirus to DISABLED, and delays one operation by 3 or 4 seconds once every 5 seconds when set to Stateful or On Access
  2. What actually happened or you actually saw:
  298 187 C 17:08:49 : 17:08:49.55 - 17:08:46.57  = 6172955 - 6172657 = 2980 mSec 
   86 188 C 17:08:50 : 17:08:50.41 - 17:08:49.55  = 6173041 - 6172955 = 860 mSec 
   13 189 C 17:08:50 : 17:08:50.54 - 17:08:50.41  = 6173054 - 6173041 = 130 mSec 
   14 190 C 17:08:50 : 17:08:50.68 - 17:08:50.54  = 6173068 - 6173054 = 140 mSec 
   11 191 C 17:08:50 : 17:08:50.79 - 17:08:50.68  = 6173079 - 6173068 = 110 mSec 
   12 192 C 17:08:50 : 17:08:50.91 - 17:08:50.79  = 6173091 - 6173079 = 120 mSec 
   11 193 C 17:08:50 : 17:08:51.02 - 17:08:50.91  = 6173102 - 6173091 = 110 mSec 
   11 194 C 17:08:51 : 17:08:51.13 - 17:08:51.02  = 6173113 - 6173102 = 110 mSec 
  295 195 C 17:08:53 : 17:08:54.08 - 17:08:51.13  = 6173408 - 6173113 = 2950 mSec 
   87 196 C 17:08:54 : 17:08:54.95 - 17:08:54.08  = 6173495 - 6173408 = 870 mSec 
   14 197 C 17:08:55 : 17:08:55.09 - 17:08:54.95  = 6173509 - 6173495 = 140 mSec 
   14 198 C 17:08:55 : 17:08:55.23 - 17:08:55.09  = 6173523 - 6173509 = 140 mSec 
   11 199 C 17:08:55 : 17:08:55.34 - 17:08:55.23  = 6173534 - 6173523 = 110 mSec 
   13 200 C 17:08:55 : 17:08:55.47 - 17:08:55.34  = 6173547 - 6173534 = 130 mSec 

  3. What you expected to happen or see:
    At 17:08:55 I switched from stateful to disabled and all conflict ceased
     7 100 C 17:08:55 : 17:09:38.05 - 17:09:37.98  = 6177805 - 6177798 = 70 mSec 
    7 101 C 17:09:38 : 17:09:38.12 - 17:09:38.05  = 6177812 - 6177805 = 70 mSec 
    7 102 C 17:09:38 : 17:09:38.19 - 17:09:38.12  = 6177819 - 6177812 = 70 mSec 
    8 103 C 17:09:38 : 17:09:38.27 - 17:09:38.19  = 6177827 - 6177819 = 80 mSec 
    7 104 C 17:09:38 : 17:09:38.34 - 17:09:38.27  = 6177834 - 6177827 = 70 mSec 
    7 105 C 17:09:38 : 17:09:38.41 - 17:09:38.34  = 6177841 - 6177834 = 70 mSec 
    7 106 C 17:09:38 : 17:09:38.48 - 17:09:38.41  = 6177848 - 6177841 = 70 mSec 
    7 107 C 17:09:38 : 17:09:38.55 - 17:09:38.48  = 6177855 - 6177848 = 70 mSec 
    7 108 C 17:09:38 : 17:09:38.62 - 17:09:38.55  = 6177862 - 6177855 = 70 mSec 
    7 109 C 17:09:38 : 17:09:38.69 - 17:09:38.62  = 6177869 - 6177862 = 70 mSec 
    8 110 C 17:09:38 : 17:09:38.77 - 17:09:38.69  = 6177877 - 6177869 = 80 mSec 
    6 111 C 17:09:38 : 17:09:38.83 - 17:09:38.77  = 6177883 - 6177877 = 60 mSec 
    8 112 C 17:09:38 : 17:09:38.91 - 17:09:38.83  = 6177891 - 6177883 = 80 mSec 
    6 113 C 17:09:38 : 17:09:38.97 - 17:09:38.91  = 6177897 - 6177891 = 60 mSec 
    8 114 C 17:09:38 : 17:09:39.05 - 17:09:38.97  = 6177905 - 6177897 = 80 mSec 
  4. How you tried to fix it & what happened:
    I can only avoid it by disabling the AntiVirus.
    My testing has been with Defence+ at Safe (no apparent impact) and FireWall Disabled (so no virus comes in)
  5. If it's a software compatibility problem have you tried the compatibility fixes (link in format)?:
  6. Details & exact version of any software (except CIS) involved (with download link unless malware):
    Windows 7 Ultimate + SP1
  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
    The problem lasts for a few hours and then is gone for a few hours.
    I have not allowed a virus database update since 5th Nov but this problem continues to happen and then disappear
  8. Any other information (eg your guess regarding the cause, with reasons):
    Although the AntiVirus causes 20 off 3 or 4 second delays
    Windows Task Manager shows cmdagent.exe as only taking 1 second of CPU time.
    I noticed that cmdagent.exe added about 2 MBytes to its memory use during execution, and never released memory afterwards.
    I have no interest today in the time-stamp of the file that cscript is processing,
    but I have much more complex CScripts that I am interested in,
    and these suffer just as badly.
    This problem disrupted me earlier with CIS 5.3, and to get smooth operation I had to :-
    Disable A.V.
    Disable Defense+
    DISABLE Firewall (but for safety I unplugged the router first).
    I found with v. 5.3 that if the Firewall was set to Block All, then Comodo inserted a 5 second delay at 32 second intervals.
    Perhaps this will also appear in v.5.8 tomorrow >:-D

B. Files appended. (Please zip unless screenshots).

    T.BAT This can be double clicked under Windows, or launched from CMD.EXE.
    If no arguments are imposed it calls itself with default arguments thus “T 200 C”
    T.TXT This captures the timings of many operations.
    T.LOG This captures only the operations that exceed 400 mSec, and clearly shows one or two monstrous delays at approx 5 second intervals.
  1. Screenshots of the Defense plus Active Processes List (Required for all issues):
    Screenshot Attached.
    T.Bat near bottom and displayed whilst it runs.
    CScript just below and very fleeting appearances.
  2. Screenshots illustrating the bug:
    As pasted above and as held in attached files.
  3. Screenshots of related CIS event logs:
    AntiVirus - There are no items to show
    Firewall - last event on 20th October
    Defense+ D:\Test\T.bat Create Process C:\Windows\System32\cmd.exe 11/8/2011 9:44:13 PM
    Defense+ D:\Test\T.bat Create Process C:\Windows\System32\cscript.exe 11/8/2011 9:43:55 PM
    My Summary - nothing at all recorded from my testing today.
  4. A CIS config report or file.
  5. Crash or freeze dump file:
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version.

C. Your set-up

  1. CIS version, AV database version & configuration used:
    Product version 5.8.213334.2131
    Configuration - Internet Security
    Virus version 10676
    Sandbox Disabled
    Defense+ Safe
    AntiVirus Stateful

  2. a) Have you updated (without uninstall) from a previous version of CIS:
    Yes
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
    No

  3. a) Have you imported a config from a previous version of CIS:
    No
    b) if so, have you tried a standard config (without losing settings - if not please do)?:

  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
    No

  5. Defense+, Sandbox, Firewall & AV security levels: D+=Safe, Sandbox=Disabled , Firewall =Safe , AV = Stateful

  6. OS version, service pack, number of bits, UAC setting, & account type:
    Windows 7 Ultimate + SP1, 64 BITS, UAC OFF, Standard Administrator

  7. Other security and utility software currently installed:
    None

  8. Other security software previously installed at any time since Windows was last installed:
    None

  9. Virtual machine used (Please do NOT use Virtual box):
    None

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Moved to Verified.

Many thanks again

Dennis

Supplementary information :-

I recognise that CScript was extracting the time-stamp of a rapidly changing text file,
so created a variant of T.BAT which is attached as Ta.BAT.
This has a new test mode “D” with CScript simply running a 100 mSec SLEEP instead of looking at a time-stamp.

Very soon after a long power-down this evening no problem could be seen.
I launched Firefox and logged into my GMail account and still no problem.
Perhaps 5 minutes later I tried again and the problem was seen by both T.BAT and Ta.BAT.
To avoid confusion with the output files already posted I have given the outputs new names.
T.BAT has created T_.TXT and T_.LOG
Ta.BAT has created Ta_.TXT and Ta_.LOG

Ta_.LOG shows approx 1700 mSec pause at 4500 mSec intervals whilst executing a 1 line VBS file
and T_.LOG shows approx 3000 mSec pause at 4500 mSec intervals whilst executing a 3 line VBS file.
The logs show this at 20:50.xx and 21:24.xx this evening.
Whilst posting this I have just rerun both tests and get the same results at 22:30:xx

Regards
Alan

[attachment deleted by admin]

Excellent report thanks.

Just wondering what happens if t.bat is made a trusted file, or listed under AV exclusions. APL shows it running as unrecognised.

Still would not explain variations though

Best wishes

Mouse

Hi

Has anyone else tried my script to see if the problem is general or only specific to my Desktop?

I noticed yesterday that the problem was, as usual, absent for the first few minutes after start-up,
but then I launched Firefox and a bit later CIS gave a pop-up reminding me that the A.V. database was out of date.
I wondered if CIS had been too busy till then to check the database,
and whether it had also been too busy to worry about CScript till then.
I immediately launched the test and A.V. was conflicting once again.

This morning I logged on at 08:24 13/11/2011
No A.V. Conflict
Also no conflict at 08:26 and 08:27
Windows Notification Network icon showed no Internet for no reason
Launched Firefox and it worked and Network Icon saw its mistake and cancelled.

08:28
New notification - Solve PC Issues
Ran test and A.V. was in conflict.
Clicked on Solve PC Issues and as expected it was
“1 IMPORTANT MESSAGE”
“Update COMODO Anivirus (Important)”
“Open Action Centre”

This afternoon at 16:11 I did A.V. Update from 10676 to 10770.
Windows Action Centre no longer warned of A.V.
A.V. Conflict continued till after 16:31, but at 16:51 it was O.K.
but it has often conflicted for several hours and suddenly behaved itself so it could well strike at the next reboot.

I will try your suggestions of Trusted File and AV Exclusions,
but if that works I will be more confused than ever ???

My script suffers no conflicts in modes A and B when there is no use of CScript.
It only suffers conflict in C and D when CScript is used.
The strange thing is that although my script is always unknown,
Defense+ rates CScript as Trusted.

Regards
Alan

I shut down the PC for 2 Hours.

Same results on start-up with the latest bases.cav, i.e.
no A.V. conflict for the first 3 or 4 minutes,
but 5 minutes after log on the conflict resumed.

I then added Td.Bat and Td_SD.vbs to A.V. exclusions, and also to Defense+ Trusted Files.
The A.V. conflict continues just the same.

Td.Bat is my latest version.

Mode C still creates afresh the same 3 line VBS script each time it runs,
so C.I.S. is unlikely to trust what is brand new.
Mode C uses a 3 line CScript and suffers approx 3600 mSec duration conflicts

Mode D only creates a short 1 line Td_SD.vbs if that file is missing,
so whilst it remains it continues as trusted and excluded.
Mode D uses a 1 line CScript and suffers approx 1500 mSec duration conflicts

I suggest that C.I.S. needs to avoid conflict with mode D before considering mode C

Td.Bat will run Mode D by default if invoked without arguments.
By default there will be 101 periods of 150 mSec delay, numbers 100 through to 200.
When A.V. is conflicting then approx 3100 mSec from start the first conflict occurs,
and subsequent conflicts are at 4500 mSec intervals. Each conflict lasts about 1500 mSec.
Td.log captures each conflict which extends a nominal 150 mSec delay beyond 400 mSec.
Td.log extract :-

13/11/2011 20:21:58.36
  157 116 : D : 20:22:03.08 - 20:22:01.51  = 7332308 - 7332151  = 1570 mSec 
  155 132 : D : 20:22:07.62 - 20:22:06.07  = 7332762 - 7332607  = 1550 mSec 
  152 148 : D : 20:22:12.15 - 20:22:10.63  = 7333215 - 7333063  = 1520 mSec 
  151 164 : D : 20:22:16.68 - 20:22:15.17  = 7333668 - 7333517  = 1510 mSec 
  150 180 : D : 20:22:21.24 - 20:22:19.74  = 7334124 - 7333974  = 1500 mSec 
  148 196 : D : 20:22:25.77 - 20:22:24.29  = 7334577 - 7334429  = 1480 mSec 
 
13/11/2011 20:24:09.66
  161 115 : D : 20:24:14.40 - 20:24:12.79  = 7345440 - 7345279  = 1610 mSec 
  147 131 : D : 20:24:18.94 - 20:24:17.47  = 7345894 - 7345747  = 1470 mSec 
  147 147 : D : 20:24:23.48 - 20:24:22.01  = 7346348 - 7346201  = 1470 mSec 
  147 163 : D : 20:24:28.01 - 20:24:26.54  = 7346801 - 7346654  = 1470 mSec 
  146 179 : D : 20:24:32.56 - 20:24:31.10  = 7347256 - 7347110  = 1460 mSec 
  145 195 : D : 20:24:37.09 - 20:24:35.64  = 7347709 - 7347564  = 1450 mSec 
 
13/11/2011 20:26:50.17
  174 115 : D : 20:26:54.90 - 20:26:53.16  = 7361490 - 7361316  = 1740 mSec 
  151 131 : D : 20:26:59.44 - 20:26:57.93  = 7361944 - 7361793  = 1510 mSec 
  151 147 : D : 20:27:03.98 - 20:27:02.47  = 7362398 - 7362247  = 1510 mSec 
  150 163 : D : 20:27:08.52 - 20:27:07.02  = 7362852 - 7362702  = 1500 mSec 
  150 179 : D : 20:27:13.06 - 20:27:11.56  = 7363306 - 7363156  = 1500 mSec 
  150 195 : D : 20:27:17.60 - 20:27:16.10  = 7363760 - 7363610  = 1500 mSec 
 
13/11/2011 20:37:58.14
  176 115 : D : 20:38:02.87 - 20:38:01.11  = 7428287 - 7428111  = 1760 mSec 
  154 131 : D : 20:38:07.43 - 20:38:05.89  = 7428743 - 7428589  = 1540 mSec 
  152 147 : D : 20:38:11.97 - 20:38:10.45  = 7429197 - 7429045  = 1520 mSec 
  152 163 : D : 20:38:16.51 - 20:38:14.99  = 7429651 - 7429499  = 1520 mSec 
  152 179 : D : 20:38:21.05 - 20:38:19.53  = 7430105 - 7429953  = 1520 mSec 
  148 195 : D : 20:38:25.58 - 20:38:24.10  = 7430558 - 7430410  = 1480 mSec 

I am fresh out of ideas on what other tests to perform.
I attach my latest Td.bat plus its outputs Td.Txt and Td.Log,
and also the stable VBS script Td_SD.vbs

[attachment deleted by admin]
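An added example (not part of the original posts, and not the poster's or Comodo's code): a Python parser for timing rows in the layout of the Td.log extract above, which cross-checks each row against its centisecond counters and measures stall length and stall period. The sample rows are the first run of that extract; the function names are choices of this example, and the 400 mSec default follows the post's description of Td.log.

```python
import re
from collections import namedtuple
from statistics import median

DAY_CS = 24 * 60 * 60 * 100  # the counters are centiseconds since midnight
HEADER = re.compile(r"^\s*\d\d/\d\d/\d{4}\s+\d\d:\d\d:\d\d")  # starts a new run
# Accepts both row layouts in the thread: "298 187 C ..." and "157 116 : D : ..."
LINE = re.compile(
    r"^\s*\d+\s+(?P<iter>\d+)\s*:?\s*(?P<mode>[A-D])\b.*?"
    r"=\s*(?P<end>\d+)\s*-\s*(?P<start>\d+)\s*=\s*(?P<ms>\d+)\s*mSec"
)
Sample = namedtuple("Sample", "iteration mode start_cs end_cs ms")

# First run of the Td.log extract quoted in the post above.
SAMPLE = """\
13/11/2011 20:21:58.36
  157 116 : D : 20:22:03.08 - 20:22:01.51  = 7332308 - 7332151  = 1570 mSec
  155 132 : D : 20:22:07.62 - 20:22:06.07  = 7332762 - 7332607  = 1550 mSec
  152 148 : D : 20:22:12.15 - 20:22:10.63  = 7333215 - 7333063  = 1520 mSec
  151 164 : D : 20:22:16.68 - 20:22:15.17  = 7333668 - 7333517  = 1510 mSec
  150 180 : D : 20:22:21.24 - 20:22:19.74  = 7334124 - 7333974  = 1500 mSec
  148 196 : D : 20:22:25.77 - 20:22:24.29  = 7334577 - 7334429  = 1480 mSec
"""

def parse_runs(text):
    """Split a log into runs (one per date header), each a list of Sample rows."""
    runs, current = [], []
    for line in text.splitlines():
        if HEADER.match(line):
            if current:
                runs.append(current)
            current = []
            continue
        m = LINE.match(line)
        if not m:
            continue  # blank lines, run totals, "Press any key ..."
        s = Sample(int(m["iter"]), m["mode"], int(m["start"]), int(m["end"]), int(m["ms"]))
        # The logged duration must equal end - start; the modulo covers a midnight wrap.
        if ((s.end_cs - s.start_cs) % DAY_CS) * 10 != s.ms:
            raise ValueError(f"inconsistent timing row: {line.strip()}")
        current.append(s)
    if current:
        runs.append(current)
    return runs

def stall_profile(run, threshold_ms=400):
    """Summarise the rows of one run that exceed threshold_ms."""
    stalls = [s for s in run if s.ms > threshold_ms]
    pairs = list(zip(stalls, stalls[1:]))
    period = [((b.start_cs - a.start_cs) % DAY_CS) * 10 for a, b in pairs]
    return {
        "stalls": len(stalls),
        "median_stall_ms": median(s.ms for s in stalls) if stalls else None,
        "median_period_ms": median(period) if period else None,
        "median_iterations_between": median(b.iteration - a.iteration for a, b in pairs) if pairs else None,
    }

if __name__ == "__main__":
    print(stall_profile(parse_runs(SAMPLE)[0]))
```

Run over a full Td.Txt rather than the extract, the same profile also shows how many normal iterations sit between stalls, which makes runs taken with different A.V. settings directly comparable.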

Thanks Alan, puzzling indeed.

Mouse

Even after being shut down for the night,
a few minutes after start-up this morning the problem is exactly as before.

Can anyone else get similar results with my scripts, especially Td.Bat?

Regards
Alan

Update :-
After several prolonged shut-downs for meal breaks etc,
the A.V. Conflict still occurs for about one in every 15 iterations,
i.e. 6 or 7 stalls in each 101 step run,
but the problem clears after the second or third time of running the script in succession,
until I try perhaps 20 minutes later.

The weirdest thing is that I have copied my scripts from Primary HDD partition D:\ to Secondary HDD partition E:\,
and I see exactly the same initial problem that rapidly clears up,
EVEN THOUGH I have not excluded the E:\ script from A.V. nor Trusted it.

I have now cancelled the exclusion and the trust for D:\ and the problem is again quite continuous for both E:\ and D:\.

My intentions for this afternoon are to partition image C:\ and then see how much of 64 bit C.I.S. is tracked down by free 32 bit Revo-Uninstaller, follow up with the latest User un-install tool, and then try a clean install of C.I.S.
I am lazy and I did not want to work through the configuration settings,
but if that is what it takes to have CScript running free then so be it.

Regards
Alan

Update

I uninstalled C.I.S. and ran Jacob’s cleanup tool which hit access denied errors on 18 keys.
Not what I would call a clean uninstall, but good enough that the fresh installation of C.I.S. hit no problems,
other than the A.V. Tab was missing and I thought the download was only FireWall plus Defense+,
but the A.V. appeared immediately install was completed by a reboot.

Brand new installation of C.I.S. and the problem seemed to have gone for the last hour of the night.
Since then it appears and then disappears again just as it was before.

Comodo and CScript just do not play nice on my system.
I have just checked and a binary file comparator shows that CScript is identical in both System32 and SysWOW64.
CScript is file version 5.8.7600.16385 and modified 14 July 2009, 02:14:16.

I have copies of TD.bat on both Primary HDD D:\ and Secondary HDD E:\,
and if I run one and on completion run the other, they both have identical results,
e.g. no pauses for a run duration of 9 seconds, or alternatively,
3 second pauses every 4.5 seconds for a run duration of 28 seconds.

I have never yet seen any pause in Mode D unless Mode C is also liable to pause.
When Mode C is liable to pause there is a 50% chance that Mode D will also pause.
I do not understand the asymmetry.
N.B. The significant differences between Mode C and Mode D are :-
Mode C uses a newly created VBS script to examine the time stamp of Td.Bat, whilst
Mode D uses a frozen VBS script to have a little sleep.

Regards
Alan

Can you try to add the scripts to ‘Defense+, Image Execution, Exclusions’ and reboot, see if that makes a difference?

I only have to disable A.V. protection to avoid the problem,
but I do not know what interactions may lurk in the background between Defense+ and A.V. so I tried anyway.

I have specifically excluded all the files within E:\T
and refrained from excluding those within D:\Test\

There is no difference between the conflicts when using either set of files.

I have not tried this before, but today I also switched A.V. from Stateful to “On Access”,
and the conflicts have not been affected,
i.e. CScript will run 15 times in succession and obtain the file time stamp with only 110 mSec delay per run,
but the next run takes 2870 mSec


   10 176 : C 16:50:30 : 12:12:01.30 - 12:12:01.20  = 4392130 - 4392120  = 100 mSec
   11 177 : C 16:50:30 : 12:12:01.41 - 12:12:01.30  = 4392141 - 4392130  = 110 mSec
   11 178 : C 16:50:30 : 12:12:01.52 - 12:12:01.41  = 4392152 - 4392141  = 110 mSec
  287 179 : C 16:50:30 : 12:12:04.39 - 12:12:01.52  = 4392439 - 4392152  = 2870 mSec
   13 180 : C 16:50:30 : 12:12:04.52 - 12:12:04.39  = 4392452 - 4392439  = 130 mSec
   11 181 : C 16:50:30 : 12:12:04.63 - 12:12:04.52  = 4392463 - 4392452  = 110 mSec
   11 182 : C 16:50:30 : 12:12:04.74 - 12:12:04.63  = 4392474 - 4392463  = 110 mSec
   11 183 : C 16:50:30 : 12:12:04.85 - 12:12:04.74  = 4392485 - 4392474  = 110 mSec
   11 184 : C 16:50:30 : 12:12:04.96 - 12:12:04.85  = 4392496 - 4392485  = 110 mSec
   11 185 : C 16:50:30 : 12:12:05.07 - 12:12:04.96  = 4392507 - 4392496  = 110 mSec
   11 186 : C 16:50:30 : 12:12:05.18 - 12:12:05.07  = 4392518 - 4392507  = 110 mSec
   11 187 : C 16:50:30 : 12:12:05.29 - 12:12:05.18  = 4392529 - 4392518  = 110 mSec
   11 188 : C 16:50:30 : 12:12:05.40 - 12:12:05.29  = 4392540 - 4392529  = 110 mSec
   11 189 : C 16:50:30 : 12:12:05.51 - 12:12:05.40  = 4392551 - 4392540  = 110 mSec
   11 190 : C 16:50:30 : 12:12:05.62 - 12:12:05.51  = 4392562 - 4392551  = 110 mSec
   11 191 : C 16:50:30 : 12:12:05.73 - 12:12:05.62  = 4392573 - 4392562  = 110 mSec
   11 192 : C 16:50:30 : 12:12:05.84 - 12:12:05.73  = 4392584 - 4392573  = 110 mSec
   11 193 : C 16:50:30 : 12:12:05.95 - 12:12:05.84  = 4392595 - 4392584  = 110 mSec
   11 194 : C 16:50:30 : 12:12:06.06 - 12:12:05.95  = 4392606 - 4392595  = 110 mSec
  286 195 : C 16:50:30 : 12:12:08.92 - 12:12:06.06  = 4392892 - 4392606  = 2860 mSec
   14 196 : C 16:50:30 : 12:12:09.06 - 12:12:08.92  = 4392906 - 4392892  = 140 mSec
   11 197 : C 16:50:30 : 12:12:09.17 - 12:12:09.06  = 4392917 - 4392906  = 110 mSec
   11 198 : C 16:50:30 : 12:12:09.28 - 12:12:09.17  = 4392928 - 4392917  = 110 mSec
   11 199 : C 16:50:30 : 12:12:09.39 - 12:12:09.28  = 4392939 - 4392928  = 110 mSec
   11 200 : C 16:50:30 : 12:12:09.50 - 12:12:09.39  = 4392950 - 4392939  = 110 mSec
 18/11/2011 # : 12:12:09.50 - 12:11:41.64 =  4392950 - 4390164  = 27860 mSec
Press any key to continue . . .

Regards
Alan