cmdagent.exe - high memory use - NOT the current A/V issue

Hi all,

First post from a Comodo beginner ( but a 20-year IT industry veteran )

Apologies if this issue has been discussed previously, but so much of the cmdagent-related discussion on the forum seems to be surrounding a CPU hogging issue with Comodo A/V updates that I’ve not managed to find anything related to any other aspect of cmdagent.exe resource hogging. So:

System:

XP, SP3
1GB RAM
3GHz CPU
Comodo Firewall - 3.12.111745.560 - No other Comodo products knowingly installed, especially A/V ;D

I ditched Zone Alarm a few months ago in favour of Comodo looking for something a little less temperamental. I still believe Comodo F/W fits the bill but for me it comes at a price.

Pre-Comodo, my PC would boot and load all selected apps in about 3-4 minutes. Slow for some maybe, but OK for me.

Now, with Comodo in the picture, power-on until the machine is settled and ready to use is always at least 21 minutes.

Monitoring startup using Task Manager I can see that cmdagent.exe is extremely memory-hungry.

Incidentally, in that 21 minutes, cmdagent.exe accumulates around 50 CPU seconds though is rarely above a few percentage points of CPU usage which for me doesn’t represent much of a problem.

However, memory use seems to be a big problem and moreover, the way it uses and then frees memory is truly odd.

Bearing in mind that I have 1GB RAM:

  • cmdagent.exe starts and memory use slowly ramps up to around 400MB
  • memory is then released and usage drops to about 20MB
  • usage ramps up again to about 360MB
  • memory is then released and usage drops to a few MB.
  • usage then ramps up again to an eye-watering 480MB in just a few seconds
  • finally, cmdagent.exe releases almost all memory and settles on about 2MB

Hard disk activity more or less ceases at this point, which I take to be the end of serious page file I/O.

My (fairly self-evident) questions are therefore:

  • what does cmdagent.exe get up to at startup and why does it take such a long time to do it ?
  • what’s that roller coaster memory usage all about ?
  • can I do anything about either of them ?

By the way, I read somewhere that disabling automatic update checking might reduce this problem, but it made no difference.

Many thanks for any enlightenment on offer.

With very best wishes,

Nick.

Hi Nick,

Welcome to the forums,

For starters there have been a few issues with “pre ZoneAlarm” users, ZA tends to not completely uninstall.
There could be hidden drivers left on the system. If you open Device Manager and allow it to show the “hidden devices” please check to see if there is any reference to ZA pieces.

Based on 2 things I have the suspicion that you have installed AV but set it to disabled. Do you have the AV button present on the GUI?

  • The memory swing is completely a match with AV pattern updates, the DB is about 105MB large, while updating it gets loaded completely in memory and re-written with the update so 210MB could fit, if there is another incremental this will repeat and 315 is there, next 420 and if it drops after that I’d say 3 incremental updates…

  • You refer to setting automatic updates to disabled

What you can do is completely “uninstall” the AV part of CIS: go to add/remove software and select Comodo Internet Security, try to uninstall and the Comodo install wizard will show up. In this wizard select Add/Remove and untick the AV box, now finish the rest and reboot after that’s finished.

This will remove the AV engine from the cmdagent.exe routines and now your problem should be gone.

Hi Ronny,

Thanks for the welcome and the useful advice:

  • ZA devices - nothing seems to have been left behind after de-install. I can see two Comodo entries in the non-Plug and Play Drivers category and hence I’m assuming that this is where ZA stuff would show up ( if present ).

  • AV button. I think the answer is no. When I right click on the system tray icon and open the main GUI I see four large icons in the top bar: Summary, Firewall, Defense+ and Miscellaneous. I assume the AV button would be there too. If not can you advise exactly where I might expect to see it?

  • Memory swing - beautifully described ! I don’t think I need look much further, but Add/Remove doesn’t think so … I did:

i) start > settings > control panel > add / remove programs
ii) highlight Comodo and click on change/remove
iii) select add/remove radio button and then click next
iv) the AV box is not ticked suggesting that AV is either not installed or, conceivably, that the install wobbled mid-way and is in some kind of undefined state. As I said before, I didn’t knowingly install AV so I can’t be sure either way.

I see that in my install folder, I do have the sub-folder with the bases.cav file that’s causing so much comment in other threads. Might this support my theory about a partially installed AV ??

I look forward to your thoughts.

Best wishes and thanks again,

Nick

I have seen a couple of reports in the past where the AV button did not show up because of using the 120 DPI setting of your Windows UI. Other question. Does the Summary Screen show a report space for the Virus Defence?

You can try the following driver clean up tutorial.

We are gonna take a look to see if some old drivers of your previously uninstalled security programs are still around. Go to Device Manager → View → show hidden devices → now look under Non Plug and Play drivers → when you see a driver that belongs to your previous security programs right-click → uninstall → reboot your computer.

When the problem persists make sure there are no auto starts from your previous security programs. Download Autoruns and run it.

This program finds about all auto starts in Windows. This tool can therefore seriously damage Windows when not handled properly. After starting go to Options and choose to hide Windows and Microsoft entries, to include empty locations and then push F5 to refresh.

Now check all entries to see if there are references to your previous security program. When you find them untick them. After unticking reboot your computer and see what happens.

Hi Eric,

Not much luck with those suggestions I’m afraid :frowning:

I re-sized my display and nothing appeared.

My Summary Screen has spaces for: System Status, Network Defense and Proactive Defense but alas nothing for Virus Defense.

No luck with the cleanup either - in my case it seems that ZA was removed properly leaving no trace.

Never seen the autoruns tools before. Downloaded, installed and ran it just fine.

Again nothing belonging to ZA.

I could completely remove and re-install Comodo, confirming in the process that the AV component was not selected for installation.

Do you think there is anywhere else to go before we consider this ?

Many thanks,

Nick

Hi Nick,

Can you please check to see what the properties of the bases.cav file are in
c:\program files\comodo\comodo internet security\scanners\bases.cav

file size, date created, changed etc… maybe dump a SHA1 hash of it to compare it tomorrow etc…
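
Added example, not part of the original thread: one way to record the properties asked for above (size, modification time, SHA-1) and compare them on a later day. The function names, the baseline JSON file and the sample file contents are constructed for illustration; no real Comodo file is read.

```python
import hashlib, json, os, tempfile

def snapshot(path, chunk=1 << 20):
    """Size, mtime and SHA-1 of a file, hashed in 1 MiB chunks so a
    ~100 MB signature database is never loaded into memory whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha1": digest.hexdigest()}

def save_baseline(path, baseline_file):
    """Store today's snapshot as JSON for a later comparison."""
    with open(baseline_file, "w") as fh:
        json.dump(snapshot(path), fh)

def changed_fields(path, baseline_file):
    """Names of the properties that differ from the stored baseline."""
    with open(baseline_file) as fh:
        old = json.load(fh)
    new = snapshot(path)
    return sorted(k for k in new if new[k] != old.get(k))

def demo():
    """Constructed stand-in for bases.cav, written to a temp directory."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "bases.cav")
    baseline = os.path.join(work, "baseline.json")
    with open(target, "wb") as fh:
        fh.write(b"A" * 4096)
    os.utime(target, (1000000000, 1000000000))
    save_baseline(target, baseline)
    untouched = changed_fields(target, baseline)
    # Same size, timestamp put back: only the hash shows the rewrite.
    with open(target, "wb") as fh:
        fh.write(b"B" * 4096)
    os.utime(target, (1000000000, 1000000000))
    rewritten = changed_fields(target, baseline)
    # An update that grows the file changes all three properties.
    with open(target, "ab") as fh:
        fh.write(b"C" * 1024)
    os.utime(target, (1000000600, 1000000600))
    updated = changed_fields(target, baseline)
    return untouched, rewritten, updated

if __name__ == "__main__":
    print(demo())
```
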

Hi Ronny,

Sorry for the slow response :-[

I first looked at bases.cav as a possible cause when first reading the many AV-specific threads.

Before I started my thread, I followed the advice buried somewhere recommending that a later version be deployed.

Right now, my scanners directory contains ( amongst others ), these two files:

E:\Program Files\Comodo\COMODO Internet Security\scanners>dir b*
Volume in drive E is appsvg
Volume Serial Number is 58F7-ED47

Directory of E:\Program Files\Comodo\COMODO Internet Security\scanners

20/06/2009 20:28 54,104,215 BAD_bases.cav
21/10/2009 19:52 106,857,646 bases.cav
2 File(s) 160,961,861 bytes
0 Dir(s) 16,584,990,720 bytes free

E:\Program Files\Comodo\COMODO Internet Security\scanners>

FYI I load all third party apps into a separate E: partition for manageability.

The 54MB one was the “original” one - apparently not updated since June 20 - and the 106MB is the one downloaded as a replacement in response to Comodo’s recommendations.

Replacing the one with the other did not improve the boot time hence starting my thread hoping for some answers.

However, and this is what I really don’t understand, why do I even have this file ( and the boot-time read / re-read activity ) when I don’t have AV installed.

As before, thanks for all the insight so far.

Regards,

Nick

Looks like something went wrong with the installation.
I would suggest an uninstall, check for leftovers and then reinstall with other active security software “suspended”… maybe it could have something to do with the installation on drive letter E: but I’m not sure about that.

Hi Ronny,

A complete de-install / tidy up / re-install seems to have made all the difference. ;D

Before starting I downloaded ( and then deployed ) CIS_Setup_3.12.111745.560_XP_Vista_x32.exe

During the install I checked the “Install Firewall” and then “Firewall with Optimum Proactive Defense”

A much smaller bases.cav was created in the scanners directory:

E:\Program Files\Comodo\COMODO Internet Security\scanners>dir b*
Volume in drive E is appsvg
Volume Serial Number is 58F7-ED47

Directory of E:\Program Files\Comodo\COMODO Internet Security\scanners

02/11/2009 18:36 4,654,501 bases.cav
1 File(s) 4,654,501 bytes
0 Dir(s) 16,764,805,120 bytes free

After a couple of reboots, this file has remained the same size, even with automatic update checking enabled.

Question: does this mean that bases.cav is always created at install time regardless of whether you’ve elected to install Comodo A/V ??

Further good news is that my overall boot time has dropped from 21 minutes to about seven - which is quite OK for me.

Using Task Manager, I can see that cmdagent.exe never gets above about 6 or 7 MB and its VM Size stays almost constant at about 13.8 MB.

This suggests to me that the installation now knows that A/V isn’t installed and hence it’s not checking for updates.

Thanks for sticking with my query - if I can offer any further insight based on my installation e.g. with my non-standard E: installation, please don’t hesitate to ask.

:comodorocks:

All the best,

Nick

Yes, this bases.cav is part of the installer and contains database version 1.0

Good to hear everything is nice and fine now :-TU