Alerts may be issued but not appear during boot/log-on - may cause freezes [298]

After updating to Comodo 5.xx I have an issue when I log in too fast into Windows Vista: I see my desktop but then quickly the whole desktop freezes and the taskbar becomes unresponsive. I waited very long, but nothing happens. When I press the shutdown button on my computer it takes action after a while and then usually I see a Comodo Defense+ warning quickly before the shutdown is completed. My assumption is that the window becomes somehow invisible and stops the logon process.
Notice: if I wait a long time at the user screen (before login) this does not happen. It seems at that point many drivers… are already loaded.


The bug/issue

  1. What you did:
    Turn on computer, when User screen appears log in (“quickly”) with name and PW as default user.

  2. What actually happened or you actually saw:
    I see the desktop but then the taskbar freezes and the whole computer becomes unresponsive.

  3. What you expected to happen or see:
    The logon continues and the applications to be loaded on startup are loaded.

  4. How you tried to fix it & what happened:
    I pressed the shutdown button of the computer. The computer shuts down and I see a Comodo window of Defense+ which might have caused the freeze as it was invisible. If I wait a long time before login this does not happen.

  5. Details (exact version) of any software involved with download link:
    Comodo Internet Security PREMIUM 5.0.163652.1142
    Signature DB version: 6315
    Windows Vista ULTIMATE, patch level as of today (all SP’s / patches applied)

  6. Any other information (eg your guess regarding the cause, with reasons):
    I am guessing it’s related to Comodo. This did not happen with version 4.xx and started after the update to 5.xx.

Files appended

  1. Screenshots illustrating the bug:
    (unable to do as the computer is frozen)

  2. Screenshots of related event logs or the active processes list:
    (unable to do as the computer is frozen)

  3. A CIS config report or file.
    (not being produced)

  4. Crash or freeze dump file:
    (not being produced)

Your set-up

  1. CIS version, AV database version & configuration used:
    Comodo Internet Security PREMIUM 5.0.163652.1142
    Signature DB version: 6315

  2. Whether you imported a configuration, if so from what version:
    Not really imported, but it got updated from 4.xx.

  3. Defense+ and Sandbox OR Firewall security level:
    Defense+: Safe mode
    Anti-Virus: Stateful
    Firewall: Safe mode
    Sandbox: Disabled

  4. OS version, service pack, no of bits, UAC setting, & account type:
    Windows Vista ULTIMATE, patch level as of today (all SP’s / patches applied)
    32 bits, UAC in default settings (active), default user (not admin nor power user).

  5. Other security and utility software running:
    TrueCrypt, Desktops (Sysinternals)

  6. Virtual machine used (Please do NOT use Virtual box):
    None.

I have experienced that too and you solve it by letting your computer be; after a time (takes less than 1 min) the sandbox will come up.

I hope this will help

Regards,
Valentin

Thank you for making a report in standard format.

If you wait, does it free up?

If you tick ‘disable defense plus permanently’ and reboot, you should be able to access CIS

Do you have “Block all unknown requests if the application is closed” ticked?

Please post a screenshot of your defense plus event logs, covering your last 2-3 boots, and state what date and time you disabled defense plus. They’ll contain retrospective information which we can use to diagnose the problem.

Please also post a screenshot of your windows application and system events logs, covering the last 2-3 reboots. You’ll find these in Control Panel ~ Administrative tools

Best wishes

Mouse

We would very much appreciate an answer to the above questions.

Mouse

Thanks for the reminder via PM - it seems I am not getting notified if someone answers.

Well for me the problem is solved meanwhile. I somehow managed from time to time to log in at the right moment so that I could tick the “remember” checkbox for the rules popping up. Meanwhile it works - so it seems I have allowed all queries at startup that lead to the effect.

I don’t believe this is related to my settings though, instead I think it’s a general problem: It seems Comodo shows windows in a stage during login where they appear on a desktop (the logon one?!) which is no longer visible. Thus the window isn’t, either. I think this could be solved by using a timer for messages during boot-up/logon that checks periodically if the window is really shown (there is an API function available). Alternatively or in addition it could be put top-most or the like.

However, here are some answers:

Do you have “Block all unknown requests if the application is closed” ticked?
No - in fact IMHO that’s not relevant because no application closes during logon.

Please post a screenshot of your defense plus event logs.
I’ve inspected the logs - there are not many relevant entries. Most entries present in the log are applications 100% launched after logon. I’ve attached the ones in the time frame where it happened that may be the reason (CIS_log.png).

Please also post a screenshot of your windows application and system events logs
Again: Not many relevant entries except I get a million “CAPI2” errors as I’ve attached. These are the only errors/warnings relevant to the time frame. The rest are success messages. Strangely I get these errors even today (see Admin_log.png).

HTH…

[attachment deleted by admin]

I’ll forward this. Maybe a dev will know a question to ask that will reveal the problem. I have had similar problems myself but only running Avast (for testing purposes), so probably unrelated. Your point about the alerts chimes with my experience of sandbox alerts being not always shown on reboot.

Best wishes

Mouse

Well for me the problem is solved meanwhile. I somehow managed from time to time to log in at the right moment so that I could tick the "remember" checkbox for the rules popping up. Meanwhile it works - so it seems I have allowed all queries at startup that lead to the effect.

Can you remember what the alerts were that you tried?

It must have been Defense+ because I have disabled the sandbox functionality. And it can only be caused by applications loaded during startup which are drivers, tools (like email checker), sound manager, Dell components (for whatever purpose these are), modem/network/wireless tools and (system/software) update checkers.

As I am a developer myself the sandbox feature is really major annoying if you run a lot of build scripts and so on… But that’s another story - I am happy with the ability to force running applications in the sandbox manually.

I seem to have the same issue on Windows XP Pro SP3, i.e. the Windows GUI freezes occasionally during Windows boot/log-on. The entry in Known issues in current version says “Alerts may be suppressed during boot causing freezes (Reports needed). No fix.” I don’t know if the freeze is caused by any invisible alerts, but here’s an additional report about one of my two freezes. I hope it helps.

The bug/issue

  1. What you did: Booted the computer. It’s configured to automatically log me into my account. Shortly after the session seemed ready to use, I clicked on the RefreshLock icon in the Quick Launch section of the task bar. (When the freeze occurred the other time, I hadn’t clicked on anything. The Comodo Firewall GUI was being displayed in the middle of the computer screen (it’s usually just in the System Tray), wouldn’t respond to mouse clicks, couldn’t be dismissed, and none of the rest of my startup utilities were running.)
  2. What actually happened or you actually saw: The icon retained its “pressed” appearance. Windows no longer responded to any mouse clicks.
  3. What you expected to happen or see: I expected Windows to respond to mouse clicks.
  4. How you tried to fix it & what happened: I tried to shut down Windows. Pressing the Windows key should have brought up the Start menu, but pressing the key had no effect. The Task Manager came up when I pressed Ctrl+Alt+Delete, but I was unable to shut down from there either. I rebooted the computer by pressing its reset button, booted into Safe Mode, disabled Defense+ with the Comodo Firewall GUI, and haven’t had a problem for over a day, so far.
  5. If it’s an application compatibility problem have you tried the application fixes here?: I can’t tell if it’s a compatibility problem.
  6. Details (exact version) of any application involved with download link:
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: I cannot get the problem to happen reliably. It’s only happened twice since I installed Comodo Firewall a couple of days ago.
  8. Any other information (eg your guess regarding the cause, with reasons):
  • Setting the Alert timeout to 999 seconds may exacerbate the problem. Perhaps the freeze would have gone away if I had waited seventeen minutes, but I doubt the setting itself caused the problem.
  • I have a clean PC. I put Firewall and Defense+ both in Training mode and used it somewhat for a day. At least a couple of my programs do automatic updates during the night and when the computer is otherwise unattended. Training mode ensured I wouldn’t miss any possible alerts. It looks like all the applications that were learned are listed in Computer Security Policy > Defense+ Rules. It lists no files which appear unfamiliar.

I then switched Firewall and Defense+ to Safe Mode. Windows froze up the next time I started it.

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: None. GUI is frozen.
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List: No entry added to event log.
  3. A CIS config report or file. CIS.cfgx.zip attached. I’m afraid I’ve made some changes to the config since the most recent freeze. I’ve disabled Defense+. It was in Safe Mode at the time of the freeze.
  4. Crash or freeze dump file: No dump. I was able to restart the computer by pressing its reset button.

Your set-up

  1. CIS version, AV database version & configuration used: Comodo Firewall version 5.0.163652.1142. AV not installed. (I use Avast5.) Configuration: Firewall Security
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have you tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): I changed Keep an alert on the screen for (seconds): from 120 to 999. (I would like alerts to be displayed until I dismiss them even if I’m away from the computer when they’re displayed, so I’ve set the time out to the maximum allowed.)
  5. Defense+, Sandbox, Firewall & AV security levels: D+ = Safe, Sandbox = Disabled, Firewall = Safe, AV = Not installed.
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows XP Pro SP3 - fully up-to-date, 32 bit, Admin account
    System is a ten year old dual CPU machine. CPU: two 600MHz PIII. RAM: 1GB. ATI Rage 128 video card.
  7. Other security and utility software installed:
    The following start up with Windows:
    Avast Free 5.0.677,
    WinPatrol 19.3.2010.2 - http://www.winpatrol.com
    Sandboxie 3.50 - http://www.sandboxie.com
    NetPerSec 1.1
    Mem Info 2.2 - http://www.carthagosoft.net
    Java Update Scheduler: jusched.exe
    Microsoft User Profile Hive Cleanup Service 1.6.30.0 - uphclean.exe
  8. Virtual machine used (Please do NOT use Virtual box): None

Additional comments:
I’ve permanently deactivated Defense+. I’m content to use just the Firewall for now, since that’s what I downloaded Comodo Firewall for in the first place, i.e. I want control over Internet connections. The inclusion of Defense+ was a nice surprise, but I don’t want to use it if it causes any problems while booting Windows.

[attachment deleted by admin]

I don’t know if these questions are relevant to my report, but I’ll try to answer them anyhow.

No.

Please post a screenshot of your defense plus event logs, covering your last 2-3 boots, and state what date and time you disabled defense plus. They'll contain retrospective information which we can use to diagnose the problem.

Attached DefensePlusEvents.png, which contains all the events since I installed Comodo Firewall.
Last five reboots occurred at:
12/14/2010 11:52:47 PM
12/15/2010 7:43:02 PM
12/16/2010 7:28:40 PM Boot, then freeze
12/16/2010 7:40:27 PM Boot into Safe Mode, deactivate Defense+
12/16/2010 7:43:37 PM Boot with Defense+ deactivated

Please also post a screenshot of your windows application and system events logs, covering the last 2-3 reboots.

Attached AppEvents.gif, SystemLog.gif.
System Event log notes:

  • The seven errors starting at 12/16/2010 7:40:57 PM were all because Windows was in safe mode.
  • The two DCOM errors each state
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service upnphost with arguments "" in order to run the server:
I've seen several of these, but only since I first installed Comodo Firewall. They all have the same description, i.e. reporting that the Universal Plug and Play Device Host service is disabled. None of these events occurred while the computer was booting. These events have persisted even after Defense+ was deactivated. I've had Universal Plug and Play disabled for years with no problems. Does Comodo Firewall require this service to be running? I can't find any documentation saying that it requires this service.

[attachment deleted by admin]

Welcome to the forum Alan Baxter :)

Thank you for the bug report.

Please note as you have disabled Defense+ the service is now not protected from shutdown.

Dennis

Thank you for the warm welcome, Dennis.

Not sure what you mean here. Are you referring to the firewall’s self defense feature which would prevent another app from shutting down cmdagent.exe? I hadn’t considered that, so thanks for mentioning it.

I currently use Sandboxie to protect my system while web browsing and evaluate new downloads. I’m pretty careful about what I download and practice safe hex in general. That approach has worked for years, but I find Comodo’s implementation of a cloud-based whitelist, detailed examination of the behavior of unknown programs, and built-in sandbox appealing. I’ll definitely try Defense+ in the future if Comodo is able to fix the freeze on boot problem.

Alan. On a possible side note. I recently bumped into a topic where Avast v5 and CIS interfered. It turned out that the constant memory access attempts of Avast made the CPU usage of cmdagent.exe go haywire. The Comodo files are protected against memory access.

The problem went away after the CIS folders were added to the Avast exclusions. If you ever feel like testing, can you try this?

I haven’t noticed any CPU problems. There are no Avast memory access entries in the D+ event log. I’ve never had a problem with either of those things either before or after I applied the following changes a couple of days ago.

Since my last post I decided to give D+ another try:

Is this problem now solved? Any updates appreciated.

Best wishes

Mouse

For the time being I didn’t see this issue anymore. Thanks.
(Sorry for the late reply btw…).

Thanks Morton, much appreciated.

Mouse