Access Memory actions being blocked

I’m new to firewalls and HIPS and so far Defense+ is a mystery to me. I’m seeing several events a day being blocked by Defense+ (Safe Mode). Most of the blocks have a target of cmdagent.exe and once cfp.exe (I realize these are heavily protected Comodo processes). For example, the following apps are being blocked on Memory Accesses:

Unlocker.exe – a known safe app that looks for handles on objects like files and folders.

drwtsn32.exe – Dr. Watson system app.

filemon.exe – a file access monitor

firefox.exe – browser running an ActiveX creating a list of running processes (see my other post at https://forums.comodo.com/defense_help/superantispyware_whats_running-t31283.0.html)

Are the memory access blockings normal?
Do you just live with them popping up in the logs?

–Larry

Running v 3.5.57173.439

Hey Larry.
Once you understand Defense+ it is an extremely powerful security tool and easy to use :) Stick with it for a little while longer and then decide ;)

What you do in this case is… Comodo → Defense+ → Advanced → My security policy → Edit Comodo Internet Security

Click protection settings → ‘Modify’ interprocess memory → Add the apps there that were popping up in the logs.

I mean, I don’t think you have to do this unless it’s causing a problem. Every now and then I will get the same things with other apps… But I just ignore them.

https://forums.comodo.com/defense_guides-b144.0/
^ Look here to get a bit more familiar with Defense+

Kyle,
Thanks for the help. I added unlocker.exe as you suggested but it didn’t help. A couple days ago I enabled the balloons to see what they would tell me. It was interesting – when I had unlocker check a file the Comodo balloons went on for a long time telling me that it was learning about unlocker accessing the memory of xxxx. It appears to me that unlocker takes a look at all the running programs/tasks looking for handles (I guess). But Comodo still gets tweaked and logs a blocked suspicious action. I’ll just ignore them.

By the way, I took a look at the tutorials you gave a reference to. They are fine but they tell you HOW to do something but not WHY. It’s the WHY that’s hard to grasp. Usually once you know that you should do something then doing it is not overly difficult.

On that subject, it’s not clear to me WHY I would add unlocker where you asked me to add it. What is the Comodo Internet Security policy and how does it differ from the policies for each app listed in the “All Applications” section? I’ve noticed that now I have Unlocker in both places – the All Applications and the Comodo Internet Security sections. I have no idea if that is good or bad.

I have to admit that so far a firewall is the most mysterious thing I have ever run into and I was an operating system developer for over 38 years! Maybe things will be less foggy over time – I’ve been reading a lot of the Comodo help recently.

–Larry

If you look at the Defense+ policy for CIS programs (a group of programs near the top of the Computer Security Policy page) - you will find that the programs in that group have protection for Interprocess Memory Accesses. This is found by clicking on the entry and then clicking the Edit button on the right of the window. On the Application System Activity Control dialog (I think they could have managed a shorter name for that dialog) - Click on the “Protection Settings” link. The reason that they are protected is simple - they aren’t much use if malware just shuts them down or otherwise interferes with them. The addition of a program to the Modify list is a way to make it an exception to the list of programs (all programs in this case) that are not allowed to access those processes in memory.