Cannot move file from "My Pending Files" to "My Own Safe Files"

Product: CFP 3.0.13.268 (downloaded and installed today)

Before starting the CFP3 install, I uninstalled v2.4, deleted the remnant files and folders, and cleaned up the registry. I then install CFP3 with the following selections:

  • “Advanced Firewall with Defense+” selected.
  • Yes to certified apps.
  • Defense+ custom settings: advanced level
  • No e-mail address provided.
  • Restart the computer. Here was the first glitch with Windows shutdown delayed several minutes longer than normal. The bootup seemed okay, though.

I have Microsoft’s User Profile Hive Cleanup Utility (UPHCLEAN) installed; see http://preview.tinyurl.com/6g8nd. Apparently Comodo doesn’t yet know about the uphcleanhlp.sys file so it listed it in the My Pending Files list. Since I know what it is for, I selected the file (checked its checkbox) and tried to use the Move button to move this file to the My Safe Files list. No joy. What I get is a popup from CFP3 saying:

Can’t add C:\Windows\system32\drivers\uphcleanhlp.sys to safe files (looks like it’s already in that list)

Wrong! The My Safe Files list is completely empty. So I am not allowed to move files from the My Pending Files list that I know are good using the Move button provided there to get them under the My Safe Files list. (rolls eyes in in disgust)

Also, I have tried submitting this pending file to Comodo but I cannot tell if it ever got submitted. After clicking the Submit button, a popup appears in the lower right corner of the screen saying the file is being submitted but closes so fast that I cannot see whether or not the submission was successful. I also never get a chance to add commentary to the submission, like specifying what the file is for and who is its author. I was going to try the manual submission via the Submit Suspicious Files feature but now the uphcleanhlp.sys file is no longer listed under its path as though CFP3 is hiding the file. While I was trying to manually add the file in the My Safe Files list, CFP3 crashed and its GUI window disappeared. I looked in Event Viewer but found no events listed at the time that CFP3 crashed. I had to manually reload CFP3. It’s bad enough that malware could kill the firewall without the firewall itself doing a self-destruct.

UPHCLEANHLP.SYS is used for completely terminate the user session when a user logs off. I cannot find this file (to submit it or add manually to the My Safe Files list). Is CFP3 hiding it? The actual file that gets ran for this service is uphclean.exe. Maybe uphclean.exe creates uphcleanhlp.sys when the user logs off (or after they have finishing logging off tothen do the registry release). Under the Computer Security Policy list (which would better be named the Application Rules list), the uphclean.exe file is already listed. If I look at the NT service (services.msc applet), yep, it loads uphclean.exe to start that service.

Perhaps this uphcleanhlp.sys file doesn’t exist until the user logs off. That means that I can never browse to it to add it to the My Safe Files list. CFP3 won’t let me manually specify it but only lets me browse to it (which means that I won’t find it since it doesn’t exist yet) probably because CFP3 wants to save a hash for an existing file so it can use the hash later to ensure that version of the file is the one being checked from the safe file list. There are other utilities that generate their executables on-the-fly, like SysInternals’ Rootkit Revealer (which has to generate a random filename for its executable to circumvent rootkits that were hiding this program’s file so you couldn’t execute it). I don’t know if uphclean.exe is generating the uphcleanhlp.sys file. I only know that CFP3 stuck this file in the My Pending Files list and that I cannot find it on the drive under any path (and I use Agent Ransack, the free version of File Locator, to get around deficiencies in the file search in Windows XP).

I can (and have) removed this file from the My Pending Files list but I suspect CFP3 will trigger on it again and re-add it to the My Pending Files list the next time that I logoff. Because of the need to use these on-the-fly programs (to avoid malware from hiding them or for other reasons deemed necessary by the program’s author), CFP3 should be calculating the hash for the memory copy of the program and save that value with the item it adds to the My Pending Files list. Then the user could move it to their My Safe Files list because a hash has already been calculated for it. CFP3 already calculates the hash to then compare against its own pre-defined safe list so obviously that computation time is already expended when the file gets loaded.

Obviously a file that doesn’t exist until the caller program generates it cannot be submitted to Comodo because it doesn’t yet exist to select it. Games are like this, too. Many times for copy protection schemes I have seen the called program create a new file which then gets executed as the child process.

I’ve found that as well, but for me its the driver for process explorer. I get the exact same message, and when I check in “my safe files”, it’s not present.

Based on my other posts regarding defects in CFP3, some of which are critical, I’ll be reverting back to CPF 2.4. If I want more IPS (instrusion protection system) protection, I’ll put System Safety Monitor or Antihook back on my host. CPF3 crashes too often, hangs up explorer.exe (i.e., the desktop), doesn’t obey the rules, and other problems. Like their anti-virus product, CPF3 should have been labelled a beta release (and, based on the problems being reported here, perhaps an alpha release). This new version is severely marring the respectability of this product.

The newest version 3.0.14.276 suffers from the uphcleanhlp.sys problem also. The file cannot be sent to Commodo because it is not existent on the system. It seems as it is recreated with boot up or restart of the machine and then it gets deleted somehow. The CPF sees it when it’s created, registers it in the “My Pending Files” and then…

Any ideas anyone?

My solution because none was available for version 3 was to revert to version 2.4 of Comodo’s firewall. Since that time, I’ve changed to a different firewall but am waiting until the beta version of Online Armor gets released and will go with that firewall.

Latest version is 3.0.14.276

Regards,
Mike

I would expect that a paradigm change in handling program files that are created on-the-fly and saving a hash value for them (rather than doing that by using a browser to point at an existing file) would require a minor version change, like going 3.0 to 3.1. I doubt a hundredth change in version x.0.13 to x.0.14 is going to include that functionality. Comodo needs to capture the process’ source file at the time it ■■■■■■■ about it, not after the process is gone and so might also the file for it.