I was disappointed to learn that COMODO Internet Security 6.0 activates and uses the NTFS Volume Change Journal functionality. One change journal is kept for each NTFS volume. This journal keeps a log of all changes to the directories and files on that volume.
I discovered the activation of the NTFS Change Journal functionality when I restored an image copy of my music files. I have a separate partition on my hard drive for my music files. With previous versions of CIS, I was able to restore the image copy of my music partition while working online in my primary partition, which contains the Windows operating system (I am on Windows XP SP3). However, when I restored the image copy of my music under CIS 6.0, my computer had to go “offline” to perform the restore. By “offline”, I mean the computer had to shut down and reboot into DOS to perform the restore. This “offline” process is the same process used when restoring my primary partition, the one containing the Windows operating system. Obviously, when restoring the primary partition, I know and expect that the restore process will be “offline”. However, when I restore a non-operating system partition, I assume and expect the restore will be performed “online”.
After seeing that the music partition restore was performed “offline”, I researched the issue and discovered that the NTFS change journal functionality was activated and used by COMODO Internet Security 6.0. I am very disappointed that COMODO now uses NTFS change journals.
=================================================================
If interested, you can query the NTFS change journal on a given volume via the following command:
fsutil usn queryjournal C:
In the example above, the change journal stored on the drive letter C is queried. There is a command to delete the change journal but CIS 6.0 will reactivate and create a new change journal when the computer is rebooted.