Can't open/view- Intrusion Attempts, Firewall Events, or Active Applications

When looking at the Summary screen and clicking on the “Number” of Blocked Intrusion Attempts, the usual pop-up window does not appear… at least not in the normal way. It looks like it tries to pop up, but before I can even glimpse it, it disappears.

Same situation when in the Firewall\Common Tasks screen… clicking on View Firewall Events yields only the slightest flicker of a window attempting to open, then it disappears.

While confirming that all other links/buttons function properly, I discovered when I click on the “Number” of Active Applications Running in Memory, it responds just like to other two described above.

Interestingly, when using Alt-Tab to move between open windows, I can see CIS shield icons titled “Active Process List” and “Firewall Events”, but selecting them does nothing.

Logging is not disabled. Size is set to 2mb.
CIS version: 3.13.126709.581
OS: XP Pro sp3 32-bit

Recently updated: .Net Framework 3.5
-I’m unsure if it’s related but using Spybot S&D’s System Internals to check for registry inconsistencies revealed some missing common .dll files for .Net Framework 1.x? (see attached file)

Subsequent to discovering the problems the following were updated:

-.Net Framework 3.5 sp1 update (did not resolve missing common .dll files)
-Video card: BIOS, Drivers, and Software
-JAVA

Any help is greatly welcomed. Thank you.

Update:
Restoring the missing Framework files did not help.
Scans with NOD32, SuperAntiSpyware, and Spybot S&D revealed no problems.
Although the CIS shield icon(s) may visible in the Alt-Tab window, they are not on the task bar.

[attachment deleted by admin]

Are there other things you changed recently? Did you install programs that could change how Windows looks like Windows Blinds or Tweak UI?

Thanks for the reply. I hope you’ve moved this issue to a more appropriate location. I mean I hope it is a setup/configuration issue and not the result of some external influence tampering with Comodo to make monitoring their activity more difficult. Heh, sound paranoid? :wink: But when you consider I only discovered the problem after blocking an unsolicited IP which tried to make a connection to this PC, and that a whois search of that IP revealed a very dubious source, I have to wonder. I know the screens in question were working not that long ago. Anyhow…

No, no Windows Blinds running or any other Windows dressing software. No changes recently, other than the .net framework 3.5 which was required to properly run some music software, Helium Music Manager- Network. Other than that, this setup has remained unchanged for months. I did run CCleaner recently (after the intrusion attempt), I suppose I might have allowed it to “fix” something it shouldn’t have… if you could tell me what might effect those specific screens and not all the others, it might give me a starting point.

I can view the inbound/outbound connections screen fine. I can actually look at the firewall log going through the Defense+ blocked\more…\Firewall logs path. So those screens pop up fine.

I’ve always had TweakUI installed, no changes have been made to it since the original setup of XP. To help analyze what was going on I just installed the TweakUI (PowerToys) app, TaskSwitch (an alternate to the typical alt-tab). This was done only after discovering the problem. What exactly within TweakUI might you have concerns about?

The fact that the firewall blocked the intrusion shows that it does its job. You could follow What to do if you’re infected - eXPerience Rev.3 just to see if more scanners bring up something Spybot and NOD missed

The reason I asked about TweakUI and Windows Blinds as it is known that sometimes changes made to the UI with them may interfere with the Comodo UI. I never used these tools so I cannot further comment on it.

The only thin I can think of right now is to erase a filter in the Firewall when applying one.

Do the D+ logs show any blocking activity for CIS it’s self?

Despite believing this system clean and just for kicks, I ran the suggested software… MalwareBytes reported no problems, HiJackthis nothing abnormal. 15hrs later nothing but a variety of over rated false positives from a-squared :-TD (This PC isn’t slow, a-squared is. The shocking amount of false positives render this software near useless, imo.)

I don’t understand the meaning of this sentence, “The only thin I can think of right now is to erase a filter in the Firewall when applying one.”

The D+ logs show some blocking activity:

acrobatinfo.exe Action: access com interface Target: \RPC control\spoolss
mpcstar.exe (media player) Action: access com interface Target: shell.explorer.2
newspro.exe (news reader) Action: access memory Target: c:\Windows\system32\ctfmon.exe

I have to admit I am curious about these, are they anything I need to be concerned about?

The D+ alerts are not alarming and not relevant for your problem.

I don't understand the meaning of this sentence, "The only thin I can think of right now is to erase a filter in the Firewall when applying one."
I wanted to know if erasing the filters in the advanced log screen might help.

It looks like you are using a pop up blocker.;D

I asked the other mods to take a look as well.

A pop-up blocker would actually prevent a pop-up from initiating, not just allow it to run invisibly in the background, right? Anyhow, I am using no pop-up blockers other than any which may be on by default within NOD32, Firefox, and Comodo. Other than Firefox, I couldn’t locate anything related to pop-up prevention. I have very few processes running at boot. I guess I’m lucky because I get 0 pop-ups both in Windows or Firefox unless I initiate the action by clicking on something and they are nearly always intended/expected.

I went through every setting within NOD32 and temporarily disabled the only filter I thought remotely related, a JAVA filter (but it was within the Web Access area). After a reboot, the problem remains unresolved.

In Comodo, I went to Manage my Config and activated the default configuration (as opposed to my backed-up/imported one). Then removed any policies in Defense+\Advanced\Computer Security Policy which related to any suspect process, particularly those specific to Windows & JAVA (other than the default (grayed-out)). Rebooted, the problem remains unresolved.

I did notice another screen that doesn’t come up, not sure how I missed it before, but like the other links/buttons mentioned previously, the “My Port Sets” fails to remain visible when selected. In fact, when it is clicked, I can no longer do anything within Comodo until I hit the Return key. I assume when the My Port Sets screen pops up it must require immediate interaction before proceeding.

Anyway, no luck so far. I guess it is safe to assume it isn’t to clear what calls are made when clicking the problematic buttons/links mentioned? I mean they must call upon/require something similar to each other yet different from all the rest of the option screens right? I have not set up any special policies or anything… what about Services? Are there any specific services these particular screens might call upon/require? I do have some services turned off which others might keep on. But I guess this might not explain why the screens appear to be running and even interactive to a minimal degree (in the case of the Port Sets screen), yet not visible.
:THNK
Forgive my shooting in the dark, I know I’m showing my ignorance… but I guess I wouldn’t be bringing the problem to this forum if I wasn’t somewhat ignorant of the variables right?

Thanks for continuing to try and help with this issue.

I am at a loss as well at the moment. The only thing I can think of is to see what happens when you enable the disabled services.

I highly doubt it’s caused by disabled Services. Here’s my list of running services without any problems. The only service I found that CIS needs during an (un)installation is DCOM Server Process Launcher, but that’s another issue.

Did you already run the CIS Diagnostics to see if either the log viewer (cfplogvw.exe) or its driver (cfplogvw.dll) might be missing/corrupted?

I hope you’ll continue to ponder the problem, Eric. I’ll continue checking in now and then to see if you’ve had anymore thoughts.

Thanks for weighing in, Soya. Yes, I ran the diagnostic, everything is fine, supposedly. Is your process list just a partial, meant only to show what you have disabled? I ask because I’d expect to see several common XP services which are not on your list. Is your OS XP Pro?

I agree it is doubtful services could be the cause but I went through them again just to confirmed our suspicions.
It also occurred to me perhaps scripting had gotten turned off in Internet Options… I realize IO having an effect on Comodo was a long shot but I remember IO settings having an effect on Outlook and Outlook Express and other Internet capable software, so I thought I’d check it just to be sure. Scripting was not disabled. Everything was normal for the default IO security level.

I guess without someone helping who is familiar with CIS code, so that we might know what it is about these screens that sets them apart from the still functioning screens, we may not get the issue resolved.

I just wish I could access the the Intrusion Attempts through some other path. It disturbs me not being able to check that log. At first, I thought I was looking at them when I accessed the Firewall Logs via the path discussed earlier, but the numbers don’t add up. So, if Intrusion Attempts are not logged in Firewall Events, I know of no way to view them.
:-
I am considering reverting to an older version of CIS or maybe even CFP.

My list was meant to show you that even with that minimal number of services running, that CIS can run without problems, and that you don’t have to play the process of elimination to find out ;). (I’ve done a fair bit of system tweaking killing in my time like with nLite, so it’s not a surprised that you see some Services missing ;D) We share the same OS: XP Pro SP3 32-Bit :).

Have you tried opening C:\Program Files\COMODO\COMODO Internet Security\cfplogvw.exe ? What about a clean reinstall yet (without first importing your config)?

I took a closer look at the Intrusion Attempts and the Firewall Log Viewer via the aforementioned path, Defense+ blocked\more…\Firewall logs, which is the same as running the cfplogvw executable directly. At first look they seemed to be counting/logging separate events because the number of entries didn’t match up. After clearing the FW log and continually monitoring the two thereafter, I was able to determine that they are indeed the same.
I guess since I have alternate ways to view the more critical affected screens, I’m far less concerned about this issue. It would be nice if I could find an alternate way to access the My Ports Sets option screen, but I can live without it.
Despite not finding a resolution, I want to express my appreciation for the efforts. My thanks to both of you.

timogin