able to kill cmdagent

sephiroot · January 6, 2009, 10:06pm

Hi,

Why i’m able to kill cmdagent process ? After doing this Diagnostics didnt report any problems… but CIS tray icon shows “disabled” an CIS was really disabled. It happens twice. Once itself ??? Second by me.

Win XP Pro SP3
CIS 3.5.57173.439
D+ Enabled Clean PC Mode
Firewall Enabled Safe Mode
etc

I’m not too good in english so i cannot provide any more details :-\

(R)

Kyle142 · January 6, 2009, 10:08pm

Hello, How did you kill cmdagent?

sephiroot · January 6, 2009, 10:12pm

By default i cannot do that.
Happens only twice.

Second time just selected cmdagent.exe and ‘Kill Process’ :))

Sysinternals Process Explorer

Kyle142 · January 6, 2009, 10:15pm

Hello, Perhaps Comodo did not install correctly. Could you please re-install and try again? Please post back your results.
Thank you for reporting this. (CNY)

sephiroot · January 23, 2009, 11:41am

its possible to kill by using Comodo Active Process Viewer
ieg. Terminat and Block

it wouldl be hard to intercept term sig msg from Active Process Viewer and use it to disable protection ?

who_te_fuc · January 23, 2009, 4:29pm

hm I did a run with Sysinternals Process Explorer downloaded at technet:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

I got a error “Access Denied”.
Your installation could be damaged as Kyle said.

What version of CIS/comodo are you running?
(misc > about)

I tried on a vista machine, so the setup is not similar.
If you use the latest version, then this could possible be a bug, since I belive CMDagent should not close so easily!

Lysias · January 23, 2009, 5:11pm

Using Process Explorer, I wasn’t able to kill cmdagent.exe (D+ logs inform that PE was trying to access the memory of cmdagent.exe).

BUT, using the Active Process List built into CIS I was able to terminate and block cmdagent.exe. Oops :o And CIS still showed that all systems were active and running. I removed cmdagent.exe from the block list and restarted it from the Services window.

Is this a bug or intentional? Or maybe I have some odd rule somewhere?

Win XP Home SP3
CIS 3.5.57173.439
D+ Enabled Safe Mode
Firewall Enabled Safe Mode

alaertsxan · January 23, 2009, 5:13pm

It’s intentional, but I don’t understand why you would like to kill CIS using CIS ???

Why can CIS kill cis and no other product can ? Because it won’t monitor the things it does itself, and it does monitor the others…

Xan

Lysias · January 23, 2009, 6:00pm

Yes, I see. I was just experimenting whether and how CIS can be killed. And also testing the methods suggested by the original poster.

alaertsxan · January 23, 2009, 6:28pm

Well, it seems that there are 2 ways to kill CIS.

using CIS itself
download Icesword, make it a trusted app on CIS and then you can kill it…

Xan

Ragwing · January 23, 2009, 8:07pm

You can kill CIS by using CIS, IceSword, Process Explorer. All the programs I named uses a driver (cmdagent.sys itself is a driver). Drivers have very high privileges, and can do pretty much anything without CIS offering any protection at all. Is CIS unable to defend itself? No, Defense+ can prevent damage from being done. You can either deny the program to load and/or create a driver. Or for extra protection, use a Limited User Account, and you won’t even have permission to load drivers.

dchernyakov · February 17, 2009, 1:35pm

Hello

In latest CIS 468 diagnostics can detect and fix cmdagent malfunction
What D+ mode were you when you killed cmdagent, was process termination monitoring enabled.