closing big files with HIPS enabled slows down PC [M1541]

Can you reproduce the problem & if so how reliably?:
yes, about every time
started a few weeks ago
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: open big file i.e. mount on truecrypt/start virtual machine
2: do something short
3: close file (dismount container/suspend virtual machine)
One or two sentences explaining what actually happened:
cmdagent starts reading the whole file after a few seconds causing heavy IO (100% in perfmon). This takes more than 10 minutes on my PC so mostly I will kill it. In perfmon the System process with PID 4 is shown as culprit but Procmon shows cmdagent reading the whole file.
It also prevents me from ejecting external drives when the file is on it.
One or two sentences explaining what you expected to happen:
When I set HIPS to disabled I don't observe this behavior. HDD IO stops after a few seconds.
If a software compatibility problem have you tried the advice to make programs work with CIS?:

Any software except CIS/OS involved? If so - name, & exact version:
i.e. truecrypt 7.1a
Any other information, eg your guess at the cause, how you tried to fix it etc:
virus scan/file change scan?

B. YOUR SETUP
Exact CIS version & configuration:
CIS Version 8.2.0.4591
Comodo Internet security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Auto-Sandbox is disabled and Sandbox-feature is not used.
Antivirus: happens with Stateful and Off
Firewall: Safe Mode
Virusscope: happens with on and off
HIPS Clean PC mode
Have you made any other changes to the default config? (egs here.):
Monitoring settings all checked
Popup verbose
alert timeout 30
heuristic cmd analysis
shellcode injection
everything else in HIPS settings off

Have you updated (without uninstall) from CIS 5, 6 or 7?:
don't think so
Have you imported a config from a previous version of CIS:
don't think so
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 64 bit
UAC on
Admin
physical/laptop
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
uninstalled preinstalled McAfee before installing Comodo

[attachment deleted by admin]

Hi user1345,

Please attach, if possible :

  1. a diagnostics report
    main interface window > question mark (?) > support > diagnostics
  2. a full dump of ‘cmdagent.exe’ by utilizing KillSwitch while experiencing the issue
    note: it’s recommended to attach multiple dumps

Thank you.

It seems that I exceeded the maximum file size limit. Posting failed. Uncompressed 185MB, compressed 36MB per dump.
Here is my original message:
dump of cmdagent
Steps for creation:
mount I:\tc.tc in truecrypt
dismount in truecrypt
wait for hdd IO going 100% in perfmon
wait a few seconds
create first full dump
wait a minute
create second full dump
remove cable for external harddisk to force stopping reading file
reattach
mount in truecrypt
dismount
wait for hdd IO going 100% in perfmon
wait a few seconds
create third full dump

I will atm only attach dump 1 because the dumps are so big and my upload so slow

split file, remove last 7z (file type restriction) and open all together in 7z

[attachment deleted by admin]

split 3/4

[attachment deleted by admin]

split 2/4

[attachment deleted by admin]

split 1/4 last part

[attachment deleted by admin]

Finally finished.
I hope those files help, if you need more I can upload but it will take some time.

Hi user1345,

Thank you very much for the report. We will investigate and get back to you asap.

Kind Regards
Buket

I disabled HIPS the whole day now and since about an hour I am experiencing the issue also with HIPS disabled.
All I did in the meantime was surfing with FF, playing videos with VLC, playing LoL, running virtual machines, using truecrypt container.
Only thing I changed in CIS: disabling HIPS.
Now, a few minutes later it behaves like described in my first post again.
Edit: This time it might also have been because I did big changes to the files.

Hello,

Thank you for the information. We will investigate it.

Kind Regards
Buket

Even though Comodo is already looking into this, I'm still going to log this in the tracker.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time, availability, and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Thanks again

Should be fixed with version <10.0.0.5144>.

Thank you.