Cmdagent.exe consumes 100% CPU for 30 seconds in 5-minute cycles

BUG REPORT IS 10 POSTS DOWN IN THIS THREAD IE HERE. (MOD EDIT)

ORIGINAL FIRST POST:

Hello,

cmdagent.exe consumes 100% CPU for 30 seconds in 5-minute cycles (see attached picture). I have tracked it for a few hours. The attached picture is just a fraction of the data, but it is repetitive.

What could be the 5 minute frequency? I would like to know so that I can switch it off. It is negatively impacting the battery performance of my device.


By the way, I am using the latest version of COMODO Internet Security Premium (5.9.219863.2196) with Antivirus disabled. Firewall, Defense+ and Sandbox are enabled.

Kind regards,
Anton

[attachment deleted by admin]

It’s likely the program updater.

Try going to More → Preferences and disabling Automatically check for program updates to see if that makes a difference.

Thanks for your reply HeffeD. That seemed the most obvious to me too, but it does not help. Even disabling the Sandbox and Defense+ does NOT help, I can tell now.

I will have to investigate this in more detail. Check what resources cmdagent tries to access.

Do you have the antivirus installed? You said it's disabled; I'm assuming it's installed but just disabled?

Yes, the antivirus was installed, but in disabled state in my previous posts.

Now I have removed the Antivirus from the CIS and it seems that the frequency of 5 minutes is still there, although the 100% CPU-usage duration is shortened from ~30 to ~5 seconds. See attached picture.

[attachment deleted by admin]

Ok, cuz usually if the antivirus is not installed, Defense+ and the firewall are very light on the system. Are you running any other antivirus? Can you attach the firewall and Defense+ logs?

I had disabled all COMODO logging. I just enabled them.

About the antivirus. I have explicitly unchecked the Antivirus option prior to installation. After the required reboot I noticed, that strangely enough also the antivirus was installed.

With antivirus uninstalled, the CPU-spikes seem to have reduced to only 3 seconds in duration and the spikes don’t hit 100% anymore. For now that is acceptable.

I remain curious what is that 5 minute cycle in cmdagent.exe when the automatic update feature is disabled, antivirus uninstalled, sandbox and defense+ features temporarily disabled?

I found out what causes this activity for my installation.

Since it happens every 5 minutes, it wasn’t hard to set up some monitoring with Procmon. What I noticed was a large number of files were opened and a lot of registry entries opened. I compiled a list of each file that was scanned and noticed that it was a direct copy of the list of files in Defense+'s “unrecognized file(s) observed” list.

Each file was opened and closed maybe 8 times each, in those sometimes just basic file information was read, sometimes it would read 10-250 bytes in a small number of operations. Presumably it was reading digital signature information. I presume this because it would also open a great number of reg keys around “HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed” and “HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed”.

So I had maybe 500 files in the unrecognized list. Every five minutes it would lock a core at 100% for ~20 seconds. I cleared the list and in the next five minutes, I no longer saw any similar behavior.

I’ve just tried this and it seems at the moment that it has reduced a freezing problem I was having.

We’d be very grateful if you would do a bug report on this in Standard Format

If you do I’ll move it straight to the bug reports section.

Many thanks and best wishes

Mouse

Assuming you were requesting this from me… I guess I can write it up into a different format but that one linked sort of makes the assumption that the user does something immediate and the program responds to it. In this case, the program does things behind the scenes if certain conditions are met during a schedule beyond the user.

Anyways… should I just post it as a reply here? I can describe COMODO’s activities in much greater detail, but it’s their program, so I don’t know how useful that is. Would ProcMon (http://technet.microsoft.com/en-us/sysinternals/bb896645) logs be of interest to them or should I just summarize what I determine from them?

Thanks, if you would, that would be very useful. Re what you do to make it happen, you could say ‘Over a period of time allowed 500+ files to be added to unrecognised files’.

The procmon logs would be useful. Please also add a screenshot of your active process list.

TOPIC TITLE
Every five minutes, cmdagent.exe consumes 100% of a core for 10-30s


A. THE BUG/ISSUE:

  1. What you did: Set Defense+ to “Clean PC Mode” to allow files to appear in the “Unrecognized Files” listing.
  2. What actually happened or you actually saw: Every five minutes by period, cmdagent.exe would use 100% of a core for approximately 20 seconds.
  3. What you expected to happen or see: Negligible CPU usage when idle.
  4. How you tried to fix it & what happened: Clearing the “Unrecognized Files” listing will cease this activity.
  5. If a software compatibility problem have you tried the compatibility fixes (link in format)?:
  6. Details & exact version of any software (except CIS) involved (with download link unless malware):
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: Any activity that populates the “Unrecognized Files” listing with several hundred entries. More files will increase the CPU time used every 5 minutes. COMODO’s AV component must be installed for this to be as noticeable, enabled or not. Without AV installed, it still occurs every 5 minutes, but much less CPU time is used.
  8. Any other information (eg your guess regarding the cause, with reasons): According to ProcMon, every five minutes cmdagent will read through “C:\Program Files\COMODO\COMODO Internet Security\database\pending.n”, which is presumably the “Unrecognized Files” list. It will then systematically open/close each file in the list ~8 times, reading attributes like creation dates or file size and usually <512 bytes of the file in ~3 separate operations.

Some but not all files scanned from the list will prompt a secondary operation where cmdagent will open a great number of registry keys around “HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed” and “HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed”. Possibly only files with digital signatures prompt this secondary behavior, I have not checked.

B. FILES APPENDED. (Please zip unless screenshots).:

  1. Screenshots of the Defense plus Active Processes List (Required for all issues): Attachment 1
  2. Screenshots illustrating the bug: Attachment 3
  3. Screenshots of related CIS event logs:
  4. A CIS config report or file:
  5. Crash or freeze dump file:
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version:
    -. Process Monitor *.pml log of cmdagent.exe’s activity for one occurrence: Attachment 2

C. YOUR SETUP:

  1. CIS version, AV database version & configuration: CIS 5.8.213334.2131 | AV 11154
  2. a) Have you updated (without uninstall) from a previous version of CIS: Only minor revision updates through the self-updater.
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): AV is disabled, cloud based scanning is off, sandbox is disabled.
  5. Defense+, Sandbox, Firewall & AV security levels: D+, Clean PC Mode; Sandbox, disabled; Firewall, Custom Policy; AV, disabled.
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 7 x64 SP1 (v6.1.7601), UAC disabled, admin type user.
  7. Other security and utility software currently installed: No security suites, some Sysinternals monitoring utilities.
  8. Other security software previously installed at any time since Windows was last installed: None
  9. Virtual machine used (Please do NOT use Virtual box): COMODO is running on the host OS.

[attachment deleted by admin]

[attachment deleted by admin]
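
The Procmon analysis described in the "I found out what causes this activity" post and in item A.8 of the bug report, as an added example that is not part of the original thread or of COMODO's code: it groups cmdagent.exe's file opens from a Process Monitor CSV export into bursts, measures the interval between bursts, and lists the files reopened in every burst. The sample rows are constructed, and the 12-hour "Time of Day" format is an assumption about the export locale.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta

def parse_tod(s):
    # Procmon writes 7 fractional digits; strptime's %f accepts at most 6.
    clock, _, ampm = s.partition(" ")
    hms, _, frac = clock.partition(".")
    base = datetime.strptime(f"{hms} {ampm}", "%I:%M:%S %p")
    return base + timedelta(seconds=float("0." + (frac or "0")))

def find_bursts(csv_text, process="cmdagent.exe", gap_s=60, min_events=8):
    """Group one process's CreateFile events into bursts split by > gap_s of quiet."""
    events = sorted(
        (parse_tod(r["Time of Day"]), r["Path"].lower())
        for r in csv.DictReader(io.StringIO(csv_text))
        if r["Process Name"].lower() == process and r["Operation"] == "CreateFile")
    bursts, last = [], None
    for t, path in events:
        if last is None or (t - last).total_seconds() > gap_s:
            bursts.append({"start": t, "paths": Counter()})
        bursts[-1]["paths"][path] += 1
        last = t
    # Drop isolated accesses so only sustained scans remain.
    return [b for b in bursts if sum(b["paths"].values()) >= min_events]

def periods(bursts):
    """Seconds between consecutive burst starts; a steady 300 is the 5-minute cycle."""
    return [round((b["start"] - a["start"]).total_seconds())
            for a, b in zip(bursts, bursts[1:])]

def recurring_paths(bursts):
    """Paths reopened in every burst: candidates for the list being rescanned."""
    if not bursts:
        return []
    common = set(bursts[0]["paths"])
    for b in bursts[1:]:
        common &= set(b["paths"])
    return sorted(common)

def sample_csv():
    # Constructed sample, not data from the thread's deleted attachments.
    row = '"10:{:02d}:{:02d}.0000000 AM","{}","1234","CreateFile","{}","SUCCESS",""'
    files = [r"C:\Temp\setup_a.exe", r"C:\Temp\tool_b.dll"]
    out = ['"Time of Day","Process Name","PID","Operation","Path","Result","Detail"']
    for minute in (0, 5, 10):  # three scans, each opening both files 8 times
        out += [row.format(minute, i, "cmdagent.exe", files[i % 2]) for i in range(16)]
    out.append(row.format(2, 30, "cmdagent.exe", r"C:\Temp\once.tmp"))  # isolated access
    out.append(row.format(5, 1, "explorer.exe", r"C:\Temp\other.txt"))  # other process
    return "\n".join(out)
```

Comparing the output of `recurring_paths` with the entries in the “Unrecognized Files” list is the check the poster did by hand; a capture that crosses midnight needs the date added to the timestamps first.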

Thanks very much really appreciate it. Will check through tomorrow, if that’s OK

Forwarded meanwhile.

Best wishes

Mike

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Nothing new and apparently not fixed even after a year.

https://forums.comodo.com/format-verified-issue-reports-cis/cmdagentexe-high-cpu-usage-vista-x64-windows-7-x64-t73375.0.html

Ya. I still have the same issue still. 100% cpu usage. I uninstalled and installed something else.