CFP scanning msctf.dll under XP

Watching my processes with procmon.exe, I noticed that Comodo was continuously scanning msctf.dll.

http://img1.imagilive.com/affiche/0410/cfp.jpg.htm

Strange, isn’t it? I’m under XP SP3 with the up-to-date CIS AV/D+/FW on Proactive Security.

I didn’t notice that under Vista… only XP :o

Any idea?

Today is June 24th, 2010

I have this behavior also, using the latest Comodo Firewall (and only the firewall). 4.1.150349.920

This is from Procmon (sysinternals.com) log:

2:00:22.2410143 PM 0.0000114 cfp.exe 1556 QueryOpen C:\WINDOWS\system32\msctf.dll SUCCESS CreationTime: 8/4/2004 8:00:00 AM, LastAccessTime: 6/24/2010 2:00:08 PM, LastWriteTime: 2/26/2008 7:59:50 AM, ChangeTime: 7/6/2009 11:41:33 AM, AllocationSize: 294,912, EndOfFile: 294,912, FileAttributes: ANCI n/a
2:00:22.2413216 PM 0.0000150 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened n/a
2:00:22.2414808 PM 0.0000053 cfp.exe 1556 QueryStandardInformationFile C:\WINDOWS\system32\msctf.dll SUCCESS AllocationSize: 294,912, EndOfFile: 294,912, NumberOfLinks: 1, DeletePending: False, Directory: False n/a
2:00:22.2416543 PM 0.0000095 cfp.exe 1556 CloseFile C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.2419350 PM 0.0000157 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened n/a
2:00:22.2420943 PM 0.0001363 cfp.exe 1556 CreateFileMapping C:\WINDOWS\system32\msctf.dll ACCESS DENIED SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE n/a
2:00:22.2423804 PM 0.0000097 cfp.exe 1556 CloseFile C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.2426438 PM 0.0000101 cfp.exe 1556 QueryOpen C:\WINDOWS\system32\msctf.dll SUCCESS CreationTime: 8/4/2004 8:00:00 AM, LastAccessTime: 6/24/2010 2:00:22 PM, LastWriteTime: 2/26/2008 7:59:50 AM, ChangeTime: 7/6/2009 11:41:33 AM, AllocationSize: 294,912, EndOfFile: 294,912, FileAttributes: ANCI n/a
2:00:22.2429343 PM 0.0000148 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened n/a
2:00:22.2430877 PM 0.0000056 cfp.exe 1556 QueryStandardInformationFile C:\WINDOWS\system32\msctf.dll SUCCESS AllocationSize: 294,912, EndOfFile: 294,912, NumberOfLinks: 1, DeletePending: False, Directory: False n/a
2:00:22.2432464 PM 0.0000092 cfp.exe 1556 CloseFile C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.2434978 PM 0.0000145 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened n/a
2:00:22.2436691 PM 0.0001846 cfp.exe 1556 CreateFileMapping C:\WINDOWS\system32\msctf.dll ACCESS DENIED SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE n/a
2:00:22.2440261 PM 0.0000101 cfp.exe 1556 CloseFile C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.5505005 PM 0.0000101 cfp.exe 1556 QueryOpen C:\WINDOWS\system32\msctf.dll SUCCESS CreationTime: 8/4/2004 8:00:00 AM, LastAccessTime: 6/24/2010 2:00:22 PM, LastWriteTime: 2/26/2008 7:59:50 AM, ChangeTime: 7/6/2009 11:41:33 AM, AllocationSize: 294,912, EndOfFile: 294,912, FileAttributes: ANCI n/a
2:00:22.5507494 PM 0.0000134 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened n/a
2:00:22.5508922 PM 0.0000053 cfp.exe 1556 QueryStandardInformationFile C:\WINDOWS\system32\msctf.dll SUCCESS AllocationSize: 294,912, EndOfFile: 294,912, NumberOfLinks: 1, DeletePending: False, Directory: False n/a
2:00:22.5510428 PM 0.0000089 cfp.exe 1556 CloseFile C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.5512752 PM 0.0000142 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened n/a
2:00:22.5514409 PM 0.0001246 cfp.exe 1556 CreateFileMapping C:\WINDOWS\system32\msctf.dll ACCESS DENIED SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE n/a

I have tried several Defense+ configuration changes with no joy.

  • Alan Weiner -
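
A small parser for Procmon lines in the pasted layout above, added here as an example (it is not from either poster or from Comodo). It groups events by process, PID and path and counts non-SUCCESS results, so the repeated open and CreateFileMapping ACCESS DENIED cycle shows up as numbers. The sample lines are constructed in the layout of the log above with the detail column trimmed; `parse` and `summarize` are hypothetical names, and paths containing spaces are not handled.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: same layout as the pasted Procmon text, detail column trimmed.
SAMPLE = r"""
2:00:22.2410143 PM 0.0000114 cfp.exe 1556 QueryOpen C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.2413216 PM 0.0000150 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Generic Read n/a
2:00:22.2419350 PM 0.0000157 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Execute/Traverse n/a
2:00:22.2420943 PM 0.0001363 cfp.exe 1556 CreateFileMapping C:\WINDOWS\system32\msctf.dll ACCESS DENIED SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE n/a
2:00:22.2423804 PM 0.0000097 cfp.exe 1556 CloseFile C:\WINDOWS\system32\msctf.dll SUCCESS n/a
2:00:22.5512752 PM 0.0000142 cfp.exe 1556 CreateFile C:\WINDOWS\system32\msctf.dll SUCCESS Desired Access: Execute/Traverse n/a
2:00:22.5514409 PM 0.0001246 cfp.exe 1556 CreateFileMapping C:\WINDOWS\system32\msctf.dll ACCESS DENIED SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE n/a
"""

# time, duration, process, pid, operation, path, then an upper-case result
# such as SUCCESS or ACCESS DENIED; whatever follows is the detail column.
LINE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<ampm>[AP]M) (?P<dur>[\d.]+) "
    r"(?P<proc>\S+) (?P<pid>\d+) (?P<op>\S+) (?P<path>[A-Za-z]:\\\S+) "
    r"(?P<result>[A-Z]+(?: [A-Z]+)*)(?= |$)"
)

def parse(text):
    """Yield (seconds_since_midnight, proc, pid, op, path, result) per line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        # Procmon prints 7 fractional digits, more than %f accepts, so add them by hand.
        t = datetime.strptime(f"{m['time']} {m['ampm']}", "%I:%M:%S %p")
        secs = t.hour * 3600 + t.minute * 60 + t.second + float("0." + m["frac"])
        yield secs, m["proc"], int(m["pid"]), m["op"], m["path"].lower(), m["result"]

def summarize(text):
    """Per (process, pid, path): operation counts, failures, and time span."""
    groups = defaultdict(list)
    for secs, proc, pid, op, path, result in parse(text):
        groups[(proc, pid, path)].append((secs, op, result))
    report = {}
    for key, events in groups.items():
        times = [e[0] for e in events]
        report[key] = {
            "ops": Counter(op for _, op, _ in events),
            "failures": Counter((op, r) for _, op, r in events if r != "SUCCESS"),
            "span_s": round(max(times) - min(times), 4),
        }
    return report
```

A high CreateFile count over a short span, with the same failure repeating, is the pattern both posts describe.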