I want to use D+ to protect a process from being terminated abnormally (for example by a virus), so I created a rule for this process and in “Protection settings” I enabled the “Processes’ Termination” option. However, in Windows Task Manager I can still kill the process manually. Why is this?
Plus: taskmgr.exe is trusted by default, so is a trusted program allowed to terminate another program even if its “Processes’ Termination” option is enabled?
This is very weird. I then tried to apply exactly the same rule to notepad.exe (and 3 other processes), and the protection works! It can’t be killed in Task Manager. I checked the path of MsMpEng.exe, no error. The protection just won’t work on MsMpEng.exe.
So I guess the reason may be that Comodo can’t hook into MsMpEng.exe (it’s the Microsoft antivirus engine process)?
I tried the protection rule on more processes, and it turns out that the Comodo D+ protection will not work if the user name of the process is “NT AUTHORITY/SYSTEM”.
OK, I found that for a “SYSTEM” process, when “Interprocess Memory Accesses” is also enabled, it can’t be terminated in Task Manager. This kind of solved the problem.
Then, another question: I set the “Access Rights” of “SYSTEM” processes all to “ask”, but it seemed that the rules didn’t work. D+ never asked. So, could I conclude that Comodo D+ is not able to restrict access rights of “SYSTEM” processes?
Settings: D+=clean PC mode, Firewall=safe mode, V5.3
I didn’t change default rules.
The processes tested are not included in “Windows System Applications” group.
Two example “SYSTEM” processes: MsMpEng.exe and SbieSvc.exe, the former is the anti-virus engine of MSE, and the latter is the service process of Sandboxie.
D+ never asked even though “ask” rules are applied.