Bug Report (formatted): CIS generates huge log files every day.

CIS writes huge 20MB+ log files every day.


A. THE BUG/ISSUE:

  1. What you did: Nothing. Allowed CIS to update itself, I guess.
  2. What actually happened or you actually saw: Every day between 7am and 8am CIS generates so many “configuration changes” that it expands the log file past my 20MB limit and starts a new log. Almost all the “changes” revolve around two Windows files – c:\windows\system32\cidaemon.exe and c:\windows\pchealth\helpctr\binaries\helpsvc.exe. The log files created are so huge that when I open them and try to read through them the log reader software uses 100% of CPU and stalls for long periods.
  3. What you expected to happen or see: normal log files; a few entries every day… not the thousands of lines generated now.
  4. How you tried to fix it & what happened: I added those two files to CIS’s Defense/Executions Control Settings/Exclusions. But that did not help.
  5. If a software compatibility problem have you tried the compatibility fixes (link in format)?: N/A
  6. Details & exact version of any software (except CIS) involved (with download link unless malware): Windows XP Version 5.1 (Build 2600.xpsp_sp3_gdr.120821-1629:Service Pack 3).
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: just wait until next day. CIS does this every single day.
  8. Any other information (eg your guess regarding the cause, with reasons):
     This happened once before a long time ago… don’t remember which version of CIS. I had to uninstall completely and reinstall a new copy downloaded from the Comodo website.

B. FILES APPENDED. (Please zip unless screenshots).: 10_12_2012_07_54_32.zip

  9. Screenshots of the Defense plus Active Processes List (Required for all issues): defense running processes screenshot.jpg
  10. Screenshots illustrating the bug:
  11. Screenshots of related CIS event logs:
  12. A CIS config report or file: see files appended (#8B, above)
  13. Crash or freeze dump file:
  14. Screenshot of More~About page. Can be used instead of typed product and AV database version: comodo version number screenshot.jpg

C. YOUR SETUP: Windows XP Version 5.1 (Build 2600.xpsp_sp3_gdr.120821-1629:Service Pack 3). CPU: AMD Sempron 2800+; 2GB RAM

  1. CIS version, AV database version & configuration: CIS 5.12.256249.2599; AV database: 14506
  2. a) Have you updated (without uninstall) from a previous version of CIS:
     b) if so, have you tried a clean reinstall (without losing settings - if not please do)?: Sigh. I will try a whole new reinstall again. Seems crazy to need to do this.
  3. a) Have you imported a config from a previous version of CIS: No.
     b) if so, have you tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No.
  5. Defense+, Sandbox, Firewall & AV security levels: Defense+ = clean PC mode; Sandbox = enabled; Firewall = safe mode; AV security = stateful
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows XP (32 bit) Version 5.1 (Build 2600.xpsp_sp3_gdr.120821-1629:Service Pack 3).
  7. Other security and utility software currently installed: CCleaner (used rarely); Spybot S&D updated and run manually, approximately monthly.
  8. Other security software previously installed at any time since Windows was last installed: none
  9. Virtual machine used (Please do NOT use Virtual box): none.

[attachment deleted by admin]

I should have mentioned in the bug report that I noticed the excessive logging in the first place because I have CIS set to start a new log file and save to an old log files folder when the current one grows to 20+MB. Normally, that takes a very long time. So, I was shocked the other day when I looked in my old CIS logs folder to find dozens of 20+MB .sdb log files – essentially one for every day for the past several weeks. They are so big that when I open one of them cfplogvw.exe (the CIS log reader program) eats 100% of CPU activity for minutes at a time, during which the whole PC stops responding, making them impossible to read. I finally exported one to an HTML file, which let me see which files were the source of the multiple configuration changes. I think I’ll change the maximum log file size so CIS will start a new log file when the current one reaches a smaller, more manageable size. I’m thinking maybe 5 MB? Something that won’t cause cfplogvw.exe to freak out like that. Any advice you have re: an appropriate log file size is appreciated.

Anyway, I eventually figured out what was happening… CIS Defense+ “Computer Security Policy/Defense+ Rules” had about a dozen Windows system files listed under “Treat As: custom policy.” I edited the rules to include them as “Windows System files” and now CIS no longer logs zillions of configuration changes for them every day. These were all in the \Windows\System32 directory and included things like cidaemon.exe, mmc.exe, etc. and a few .cpl files like sysdm.cpl and desk.cpl.

I am not sure if the “treat as custom policy” thing was created by CIS itself during an upgrade or not. The huge log files thing started around the time that CIS version 5.10 auto-upgraded quite some time ago, but I didn’t try to figure out an exact correlation to that. It may well have been caused by one of the regular Windows XP updates (I try to keep my system fully patched and as up to date as XP can be), so it’s hard to tell at this point. Anyway, it was nice to figure out what was happening without having to suffer through a complete manual CIS uninstall/reinstall episode.

If there are windows\system32 files that should NOT be treated as “Windows System Files” I’d like to learn about which ones – please let me know. Thanks!

Anyway, maybe this will be helpful if anyone else has the same issue of CIS creating gigantic log files most every day.

Cheers,
Eddy.
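The triage Eddy describes above (export the oversized log to a readable form, then work out which executables and which hour of the day account for the flood of "configuration change" entries) is easy to script instead of reading a 20MB file by hand. The following is an added example, not code from the original post or from Comodo; it assumes a tab-separated export with the columns date/time, application, action and target, which is an assumed layout since the page does not show the real cfplogvw.exe export format, and it runs on a small constructed sample.

```python
import re
from collections import Counter

# Constructed sample of an exported Defense+ log. The column layout
# (timestamp, application, action, target) is an assumption for this
# example, not the real CIS export format. The first line is a header
# that the parser must skip.
SAMPLE_LOG = (
    "Date\tApplication\tAction\tTarget\n"
    "2012-10-12 07:31:02\tc:\\windows\\system32\\cidaemon.exe\tConfiguration change\tExecute\n"
    "2012-10-12 07:31:02\tc:\\windows\\system32\\cidaemon.exe\tConfiguration change\tExecute\n"
    "2012-10-12 07:31:03\tc:\\windows\\pchealth\\helpctr\\binaries\\helpsvc.exe\tConfiguration change\tExecute\n"
    "2012-10-12 07:31:03\tc:\\windows\\system32\\cidaemon.exe\tConfiguration change\tExecute\n"
    "2012-10-12 07:31:04\tc:\\windows\\pchealth\\helpctr\\binaries\\helpsvc.exe\tConfiguration change\tExecute\n"
    "2012-10-12 07:31:04\tc:\\windows\\system32\\cidaemon.exe\tConfiguration change\tExecute\n"
    "2012-10-12 07:31:05\tc:\\windows\\pchealth\\helpctr\\binaries\\helpsvc.exe\tConfiguration change\tExecute\n"
    "2012-10-12 12:10:44\tc:\\program files\\mozilla firefox\\firefox.exe\tConfiguration change\tExecute\n"
    "2012-10-12 14:05:19\tc:\\windows\\notepad.exe\tConfiguration change\tExecute\n"
)

# One event per line: "YYYY-MM-DD HH:MM:SS<TAB>app<TAB>action<TAB>target".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\t(?P<app>[^\t]+)\t(?P<action>[^\t]+)\t(?P<target>.*)$")


def parse_events(text):
    """Return a list of event dicts; lines that do not match (header, junk) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def noisiest_sources(events, top=3):
    """Applications producing the most events, most frequent first (paths lower-cased)."""
    counts = Counter(e["app"].lower() for e in events)
    return counts.most_common(top)


def concentration(events, top=2):
    """Fraction of all events contributed by the top-N applications (1.0 = everything)."""
    if not events:
        return 0.0
    top_total = sum(n for _, n in noisiest_sources(events, top))
    return top_total / len(events)


def events_by_hour(events):
    """Counter of events keyed by hour of day, to spot a daily burst like the 7am-8am one."""
    return Counter(int(e["ts"][11:13]) for e in events)


def report(text, top=3):
    """Human-readable summary of where the log volume is coming from."""
    events = parse_events(text)
    lines = [f"{len(events)} events parsed"]
    for app, n in noisiest_sources(events, top):
        lines.append(f"{n:6d}  {app}")
    share = concentration(events, 2)
    lines.append(f"top 2 sources account for {share:.0%} of events")
    busiest_hour, n = events_by_hour(events).most_common(1)[0]
    lines.append(f"busiest hour: {busiest_hour:02d}:00 ({n} events)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On a real export, feed the file contents to `report()` instead of `SAMPLE_LOG`; a source list dominated by two or three system executables inside a single hour, as in Eddy's case, points at a rule problem for those specific files rather than at a general logging fault, which is what narrows the fix to the per-application Defense+ rules rather than a reinstall.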

Thanks very much for a great bug report and the update. I will forward to resolved issues, where it will remain available for the life of CIS 5.x