Are there any proactive defenses that protect CIS Premium from being disabled


I had my sisters computer in the other room not protected with any antivrus and since it was XP SP2 it got infected with conficker C,D or E (and cis is now running a full scan with 20 viruses detected so far).

Anyway, I realized I needed to install an antivirus on it since it was obviously a virus disabling DNS queries to antivirus websites. So I install CIS Firewall by mistake, but it works after restart and Defense+ detects RPC calls by the worm and later the dll hook… so CIS firewall wasn’t disabled by Conficker…

So, I had to uninstall the firewall to install CIS Premium and he he, conficker easily disables it with it’s 1 second check so there is no way for a non experienced user to run that antivirus.

I got sick from all that so I this time I carefully read the definition that Defense+ detected on my other computer when I entered in my flash USB so I downloaded kaspersky’s removal tool for conficker.

It cleaned up my sisters computer and found no infections on the computer I am writing now (the flash is cleaned as well).

So, my question is, are there any proactive defenses for CIS that prevent shutdown of it’s core systems? And also core systems during startup?

The disable seems to be partial since only cfp.exe is magled while cmdagent.exe is running in the background (I’m guessing that’s comodo). Defense+ stil failed to find conficker so it was probably blasted…

Also, WTF is it with a IT security firm sending unencrypted passwords through email when a person registers on their forum? I understand that less then 1 second is not enough for defense+ to start so I wasn’t mad about that but how am I supposed to take you seriously now?


If cmdagent.exe is running then CIS is protecting you. Cmdagent.exe is the process doing the actual protective work. Cfp.exe is only the client program that helps the user to set up CIS; there is no security problem when it is not running for some reason.

It is odd that cfp.exe got disabled and not cmdagent.exe. Cmdagent.exe protects its self and cfp.exe.

a scan result coming out as “clean” after an infection
does not mean that the computer is clean again. first of all if the antivirus was installed later, which tried to clean.

a downloader trojan, who allready can change dns and disable security software, is the main user of your computer, with all the downloaded other things.

learn for the future. and really think about it: can you trust the computer now?

just as example: a downloader trojan is the ideal way to inject “zero day malware”. like a “backup” for possible cleanings. in this state you are even more in danger than before. because you THINK it is clean now after desinfection.
sometimes a reinstall of the operation system can save you from further trouble.

Let me rephrase the question then. Let’s imply that cmdagent.exe was not disabled. Lets imply that defense++ is supposed to protect the antivirus itself (it is).

Why is cfp.exe not considered a critical part of an antivirus?

My trouble is not that the AV was disabled (no matter how little), my trouble is that conficker did it. One of the most well known viruses, that even I was aware of, with definitions for that particular kind going back to 2009, that probably had 100 times more resources devoted to it with comodo devs that a random virus and it stil managed to disable even a small part of comodo premium.

Clock, no worries, it was mopped up by a specialist tool for that particular job, then scanned with comodo premium that removed most of it’s remaining non active parts… It’s clean enough… it it appears again, defense + will stop it… it’s capable of detecting it. Though it think the flash variant is A while it’s probably B or higher up. It stil detects it though…

I disregarded your part regarding zero day exploits by omision. You are right, they are possible. I don’t care about that, it’s not an important computer. Zero day will disable even my own laptop, if defense+ can’t stop it.

It’s probably already on both computers… nothing I can worry about except reinstall once it happens.

I appreciate your warning, but I can’t be bothered, I am to busy :slight_smile:

I am not sure why the AV was disabled with cmdagent.exe running.

Zero days may be stopped, but not all, by the buffer overflow detection.

This just goes to reinforce my opinion that installing an AV/AM onto a known “pre-infected” system isn’t the best course of action.If the user is running with admin privileges then the malware is able to do pretty much anything and any subsequent Anti-Virus installation could very well be compromised.

There’s a good reason for the likes of Kaspersky producing specific removal tools for the worst malware families,the same reason tools like Mbam and Combofix flourish;that is they require a very specific removal procedure.It’s just not efficient to include dozens of such algorhythms into the installation process in order to check in advance for infections that might or might not exist.That’s assuming that the malware can even be simply “removed” as quite a few can’t without replacing system files or drivers that’ve been modified.

Security software should be installed immediately after the OS,preferably before venturing online,any deviation from this greatly increases the chances of at least partial failure.