blockedvolumes

I am running XPSP3 and Comodo Internet Security which is up to date. My drives are partitioned as dynamic volumes.

I have a number of files that are turning up locked similar to the following file:

Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\sysinternals\pskill.exe

A variant that also shows up is:

\?\Globalroot\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolumes\sysinternals\pskill.exe

I am trying to determine if some other system process has locked these files. I can quarantine them with Comodo; however, I cannot access them any other way.

I have searched the forums, Google and Bing and really can’t determine if this is a Windows problem or something that Comodo is doing.

I have a large number of files that are typically flagged by virus and malware programs, such as pwdump etc., that are zipped off in other directories and are also blocked in this format. I know where these are and have been playing with them for years with Microsoft virtual machine.

Is this something that Comodo is generating or is Comodo just reading a location and path and I should be looking for another issue?

Welcome to the forums. :)

Well, I can see that the files such as ‘pskill.exe’ that are being locked from Comodo are from Sysinternals. A quick Google search found this:

No, PsKill.exe is NOT a virus. And no Anti-Virus program reports it as Virus either, they do say it's potentially harmful, though. This is because PsKill from Sysinternals is used to silently "kill" processes. In Reatogo there are certain reasons for this and some other programs also make use of PsKill, too. So, PsKill has legitimate uses. The other side is that a hacker could for example use it to kill your antivirus and start his own copy of it instead ... that's why you are being warned.

My guess is that these Sysinternals files are locked for the exact reason stated above, so they cannot be used for malicious purposes. Because of this, the locked files won’t let any other program modify them, including Comodo, which is trying to scan them.

There’s really nothing you can do about this. You can try uploading the locked files individually to VirusTotal.

So is Comodo locking the files?

No, Sysinternals is locking their own files because they are protecting them from other programs trying to access them (i.e. Comodo).

But like I said, this is a guess. I might be wrong, but that’s what it looks like to me.

I just pulled sysinternals out of the list. I have other files like pwdump.exe that are locked and I can’t figure out how or who is placing the lock.

Does Comodo physically move a file when it quarantines it?

Only thing I could dig up pertaining to “pwdump.exe” is a “LanMan Password Grabber”. Do you have anything like that installed?

When I say the file is “locking itself” I mean that the files themselves (the files that are locked) have a lock on them so no other program can modify them. No program is putting the lock on them, they are simply locked because that’s the way the file is.

I’m not sure if Comodo actually “moves” the file when quarantining, but I know it does convert the file into a different format (that makes the file no longer dangerous) until you decide to delete it.

No, I do not have LanMan installed. However, I have pwdump.exe and samdump.dll in a directory along with other programs that are routinely flagged as malware. Even my hex editor is flagged as malware. I know where and what these programs are and have added them to Comodo’s exclusion list.

Something had to change the path or permissions of the file, whether it is XP or Comodo.
The problem is that some of the files have been changed to this “blockedvolume” path and I get an “Access Denied” error when trying to access them. It appears to be something Comodo is doing to the permissions for the files. Whatever program is doing it is also flagging the files that my MagicJack uses. The common denominator is that every file has been detected by Comodo in one fashion or another. I have my files for my phone, actual malware files that I know are malware, files for my cell phone, and most of the Sysinternals programs that now show up as “Access Denied” and have their drive paths changed to this Device\BlockedVolume. It seems to be a low-level file permission change that I can’t access in XP. I am trying to find out if Comodo does this type of file permission changing. I did not have this issue until I dumped McAfee and started running Comodo.

Hmm. I’ve never heard of this problem with using Comodo. On Google, it seems this might have to do with hard disk corruption. Have you tried running a full “chkdsk” on boot up and/or a “sfc /scannow” in the command prompt?