blocked intrusion problems

Hello, everyone

I am running Comodo Firewall version 7 on a Windows 7 PC.
Windows & Comodo software are up-to-date.

I am having a problem of my own doing. I made an attempt to run
debug.exe from a command prompt & received an alert from Comodo.

I replied with “Block & Terminate” which I assumed would give me
another opportunity in the future to “Allow” running of debug.exe.

Now, when I try to run debug.exe I get an “access denied” message
which I have not been able to eliminate. The message is contained
in the command prompt window & appears to be coming from Windows,
not Comodo. A Windows elevated command prompt doesn’t help.

Comodo sees this as a “Blocked Intrusion.” The log file shows the
following:
Application - C:\Windows\System32\cmd.exe
Flags - Create Process
Target - C:\Windows\System32\ntvdm.exe

There is also a “Related Alert” from the original attempt at debug.exe.
Description - cmd.exe is trying to execute ntvdm.exe
Answer - Deny
Flags - Remember

I have added cmd.exe, debug.exe & ntvdm.exe as “Trusted Files”
and added HIPS rules for them, to no avail. Any suggestions on how to
Un-remember my answer so that I can “Allow” debug.exe to run?

Note that other command prompt directives dir, fc, etc., etc. as well
as various batch files work fine - as they had previously.

Thanks in advance for your help.

Did you check Blocked Files list?

EricJH:

Sadly, the “Blocked Files List” is empty.

Thanks for taking the time to lend a “newbie” a helping hand.

JohnJW

Can you show a screenshot of Active HIPS rules?

Had a similar problem and found the answer here: I had my file as a custom ruleset instead of a ruleset. Hope you get sorted, OP.

Put up the screenshot of Active Hips rules at Advanced Settings > Security Settings > Defense+ Settings > Active HIPS Rules

Thanks EricJH


The HIPS Rules thought occurred to me also. I originally had “Custom ruleset” for debug.exe & ntvdm.exe but have since changed them over to “Allowed Application.” The “Custom Ruleset” for cmd.exe came from Comodo (as mentioned, I have successfully been using other batch files, various command line entries, etc., so I’m assuming it is of the correct format).

Here are screenshots of HIPS Rules & the Custom Ruleset for cmd.exe

As an additional experiment, I temporarily turned off the Firewall & the Sandbox. Still receive the “access denied” message (the message appears inside of the command prompt window, which is why I think this is a Windows7 message.) Has Comodo made a change to the Registry? Just a thought on my part.

Thanks again.
JohnJW


Have you tried “Allowed Application” with ruleset ticked, instead of custom ruleset? Disabling the sandbox allowed my program to run and that was how I tracked it down, but you have tried that.

Someone who knows more than me will be able to help you more. Good luck

I am afraid you are looking in the wrong place. When you check the logs you need to check the first mentioned item, i.e. Application - C:\Windows\System32\cmd.exe

In cmd.exe, under “Run an executable”, there should be a blocked application, debug.exe.

It is best when using custom rulesets to avoid having the box ticked remember my answer.

Dennis

Dennis2:

Are you suggesting getting rid of the “Custom ruleset” for cmd.exe?

If so, should it be replaced with “Allowed Application” or “Windows System Application?”

I’ve also attached the first & subsequent pages of the “Custom ruleset” for cmd.exe currently in effect, which I failed to properly do on my previous reply.

Thanks,
JohnJW


No, you do not have to do that.

In your first screenshot it shows a blocked application with a 1 on the right for “Run an executable”.

Just click Modify, then “Blocked Files and Folders”, then remove the blocked application.

Make sure you click OK on all open screens so that the change is saved.

Dennis

Dennis2:

Good catch. Everything back to normal again after deleting ntvdm.exe from the “Blocked Files/Folders” list.

Many thanks for your time and expertise.

JohnJW