smss.exe is present in the Computer Security Policy using the Windows System Applications Predefined Policy, which has Protection Settings > Interprocess Memory Accesses set to Inactive, so to my (mis?)understanding, it’s strange to see an Access Memory event for this module.
Nevertheless, I tried adding a separate rule for smss.exe, with Protection Settings > Interprocess Memory Accesses set to Active, and adding procexp64.exe as an exception, but this did not stop the events being logged. Adding a rule for procexp64.exe with Access Rights = Allowed for everything also did not help.
Yes, that’s what I was getting in previous versions of CIS, even on x64, but these were “fixable” by adding procexp.exe/procexp64.exe to the CIS Protection Settings. Unfortunately, I can’t do the same with smss.exe.
I cannot reproduce the problem. Is there anything “Special” you did, other than just running procexp64.exe as an Administrator, and the events starting to count?
You may try to solve it by adding exclusions via CIS > Defense+ > Computer Security Policy > Predefined Policy’s > Windows System Application > Edit > Customize > Protection Settings > Interprocess Memory Accesses > Modify > Add (Make sure Process Explorer is running) > Select both Procexp64 and procexp.exe so they are added to the list > Apply > Apply > Apply (until you reach the Main GUI window) > Close
Your post prompted me to try running Process Explorer as Administrator, and lo and behold, no events showing. So now I try running it NOT as Administrator, and again, no events showing. Think, think, think… Now I run it again using my usual method via a shortcut key (using PS HotLaunch), and we get the messages again. So now we have a clue.
I recently submitted a bug report (Truncated entries Computer Security Policy) which is also related to running things via the same launcher. Something is clearly getting in the way. I’ll have to try to find a way to configure this tomorrow. At least now I know I can run PE without cluttering my system with hundreds of events.
As to your suggestion with Protection Settings, I mentioned in my original post that I had more-or-less gone through that process, but it can’t really be done because the Interprocess Memory Accesses is not Active for the Windows Systems Application Predefined Policy.
Sorry, no x64 user here. But what you’re describing is exactly my problem: Comodo 5.4 blocks memory access attempts to cmdagent.exe from Process Explorer 32 (on Vista 32), although Process Explorer is in the list of trusted files and has been added to the Protection Setting for Interprocess Memory Accesses (as Jacob described). And in my case it does not matter if I run Process Explorer as administrator: it is getting blocked.
Do you have another clue how to keep Comodo from blocking it? Or should I leave it this way and just ignore the warnings? Could it produce a self made security leak if I give Process Explorer memory access rights? Thanks in advance!
Neither procexp.exe nor procexp64.exe have any Policy entries. They are merely in the Trusted Files list.
Running as Administrator makes no difference at all.
Please note that in my previous post I indicate that I discovered that the Events are logged only when I run PE via a launcher shortcut. No events showing if PE is run from Start Menu or Windows Explorer. I had repeated this several times (and I can show you hundreds of Events entries), so there was no question of the consistency of this behaviour.
BUT, BUT… when I started my laptop today, first thing I saw is that there were some new Windows Updates. I installed those, and guess what? No more Events, regardless of how I start PE.
Strange, but it is possible that the Windows Updates have something to do with this. In the absence of anything better, that’s what I’m going to assume. I’ll post updates if anything changes, but for now, all seems to be OK.
Firstly, I had no problems in making things work properly with respect to the problem you describe (i.e. memory access by PE to cmdagent). I got this to work on both 32-bit and 64-bit systems. However, I did at one time make an error in my changes, which caused me to be puzzled as to why I was still getting the Events. Although it wouldn’t be right for me to assume that just because I made an error, you did the same, nevertheless, please verify that you changed the CIS Protection Settings, not the Access Rights (which is what I did in my error).
Secondly, are you invoking PE via some shortcut? If so, please try running it from the Start menu or directly from Windows Explorer and let’s see if this makes any difference (it did for me, on x64, until today - see my previous post).
Sorry if this was a misunderstanding: I was referring to Eric’s answer above. He described the same memory access symptoms on a 32-bit system. Since our basic problems are/were the same (Defense+ Events in regard to PE-blocking), I hoped the solutions might be the same.
please verify that you changed the CIS Protection Settings, not the Access Rights (which is what I did in my error).
Yes, I tried changing the Protection Settings (Interprocess Memory Accesses), nothing more. PE has always been in the Trusted Files list (you mean this with Access Rights, do you?) and I did not touch it.
Secondly, are you invoking PE via some shortcut? If so, please try running it from the Start menu or directly from Windows Explorer and let's see if this makes any difference (it did for me, on x64, until today - see my previous post).
I tried all variants: direct execution of PE and via shortcut, without and with admin rights. In every case Comodo blocks the memory accessing attempts of PE and reports this every second.
I really don’t understand, since everything works fine on another machine (XP) with PE and Comodo. :-\
Strange, but it is possible that the Windows Updates have something to do with this.
Seems unlikely from my point of view, but I am no Comodo expert. Maybe rebooting (after some Comodo configuration changes) solved the problem. Could be the solution for me as well (I will try when getting home). Anyway, it is great that your issue solved itself, and thanks for your reaction!
Hey lounge7, your and bxf’s issues are slightly different. What you are seeing is Process Explorer trying to access cmdagent.exe in memory, which it won’t allow because it isn’t on the list of “Allowed Applications” for “Interprocess Memory Access”.
You need to add it as an exclusion under Defense+ → Computer Security Policy → Double left click the entry Comodo Internet Security → Customize → Protection Settings → Modify next to Interprocess Memory access → Add → Browse to process explorer executable and add to list → APPLY/OK to close all windows.
Check it’s there, then run again and you shouldn’t see it in the logs.
No misunderstanding, I knew what you were referring to. I decided to try to help simply because I had gone through this problem myself, and the indicated solution has worked for me on my x86 and x64 systems.
Yes, I do mean with Access Rights. And just to be sure, we are talking about Access Rights of the Comodo Internet Security entry in Computer Security Policy > Defense+ Rules. If I understand you correctly, that is what you have in fact changed. If this is not working for you, I have no other suggestions, I’m afraid.
Yes, that was my thought too, but I believe that I had already rebooted previously since making any configuration changes. Still, it is possible that the reboot fixed things. In fact, I am more and more getting the feeling that some changes are not immediately reflected in the lists. For example, if, while in the Events screen, I right-click on an entry and Add to Trusted Files, I may get the response that the item is already a Safe File, and yet it does not appear in the Trusted File list. There may be another explanation for this, I suppose.
That is expected behaviour in your case. What you are seeing is the self protection of CIS doing its job.
It depends on your preferences if you want to see it being logged or allow memory access to cmdagent.exe so you won’t see the D+ logs getting filled up.
To resolve the memory access problem:
Select Defense+ → Computer Security Policy.
Scroll down to Comodo Internet Security, select Edit → Protection Settings.
Interprocess memory Access (Active Yes) select Modify → Add → Now use Running Processes or Browse to point to the concerned file(s).
Then just “Apply” to each window as you exit.
Ah, oh, it works now! I am very sorry, Eric, that you had to post this solution again. Before writing here I read every post I could find in the forum on Process Explorer cases or similar issues, and I had already applied this solution, as posted by Jacob and many others of you. And it did not work!
The significant difference in my last try - and this hint might be useful for other users - was: within the “Customize Policy” window I have now applied the Interprocess Memory Access exclusion in the Protection Settings tab and not in the Access Rights tab!
Bfx had already tried to describe this critical difference to me, but I misunderstood this, since I did not see that there are these two tabs. Thank you Bfx, thank you Eric!
Tried this. Several times. The exceptions are all there. Still logging thousands of attempts by process explorer. About ready to uninstall this. Norton didn’t have this problem, and neither does any other antivirus system.
The issue is the file name.
Process Explorer creates an x64 version of itself and runs that when on an x64 system. Run the program, then while it is running do the above steps to stop the access memory logging.
CIS has to find the program to stop the logging.
When Process Explorer closes, the x64 copy is also removed from the drive.