Hello velurrel,
Already reported to the CIS dev team and they are checking into it.
Have a nice day!
Dharshu,
Is that added to bugs and will it be fixed soon?
CFW.TN,
Did you manage to patch CIS to disable OCSP checks?
A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
yes. 100% reliable.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1. download and install Windows 10
2. download Firefox installer (“Firefox Setup 80.0.1.exe” or ANY digitally signed program, such as Putty.exe, VLC player installer, FileZilla Client installer, etc), don’t install it
3. download and install CIS (“cispremium_only_installer.exe”)
4. click Fix it, CIS will reboot the system.
5. disconnect your main router in the LAN from the Internet
6. set system time +4 days from current date
7. reboot
8. start Firefox installer
instead of 6-7 you may just run the command from the command line:
powershell -command "Set-Date -Date (Get-Date).AddDays(4)" & ipconfig /flushdns
One or two sentences explaining what actually happened:
there is a 30(!) second delay before the Firefox installer (or ANY digitally signed program) actually starts - this is the main problem.
What happens on a deep level and why the delay appears: CIS tries to verify each digitally signed .exe certificate via OCSP.
For example, for Firefox Browser, CIS (cmdagent.exe) tries to connect to ocsp.digicert.com and check the certificate,
however the LAN is disconnected from the Internet and CIS cannot resolve ocsp.digicert.com,
CIS tries it several times, then fails and starts the Firefox installer .exe.
If you run the Firefox .exe a second time, there will be no delay, because CIS will not try to resolve ocsp.digicert.com again, but it will try it in a couple of days; that’s why for the next test you have to add 4 days to the system time or run the PowerShell command that I provided above.
One or two sentences explaining what you expected to happen:
Firefox (or any digitally signed exe) should start without delay
How I see the fix: CIS should have an option to disable .exe checking via OCSP. For no-internet LANs it’s vital.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Any software except CIS/OS involved? If so - name, & exact version:
any digitally signed .exe/.msi
Any other information, eg your guess at the cause, how you tried to fix it etc:
no
B. YOUR SETUP
Exact CIS version & configuration:
Comodo Firewall 12.2.2.7036, default configuration
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
all default
Have you made any other changes to the default config? (egs here.):
no
Have you updated (without uninstall) from CIS 5, 6 or 7?:
no
if so, have you tried a clean reinstall - if not please do?:
yes
Have you imported a config from a previous version of CIS:
no
if so, have you tried a standard config - if not please do:
yes
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Clean: Windows 10 x64 [Version 10.0.19041.450]
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
no.
Not a bug. Any form of blocking CIS by the user from doing its function is a user problem; what you are asking for is a wish request, which there already is.
I am not blocking CIS.
no applications are blocked.
CIS tries to resolve hostname on the LAN that is not connected to the Internet.
I configure Comodo Firewall with a default-deny outgoing policy for everything, including Comodo itself. I leave ALL other features completely disabled: HIPS, File Rating, VirusScope, Website Filtering etc.
However, even with these features completely disabled, Comodo still tries to do some kind of cloud lookup on most executables I run. When it does that, the executable I launched does not start until Comodo gives up. This can be seen with TCPView together with Wireshark. Right after launching some executables (BleachBit, for one example, but happens with most executables), cmdagent.exe makes requests to ocsp.comodoca.com and crl.sectigo.com and is blocked (by itself, due to my firewall rules). It keeps trying for about 15 seconds and only then the executable starts.
With the ethernet cable disconnected, this does not happen.
It also lists every executable I run under the File Rating → File List section. But all options under File Rating Settings are disabled, as I already mentioned.
I’ve used Comodo for many years and many versions and always had this issue. This behavior pretty much forces the user to allow Comodo through so that it can do these lookups despite being configured not to.
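As an added example (not part of any post in this thread, and not Comodo's code): a PowerShell script that reads the OCSP responder and CRL distribution point URLs from a signed file's certificates, the kind of hosts named in the posts above (ocsp.digicert.com, ocsp.comodoca.com, crl.sectigo.com), and times a DNS lookup for each. The script name, parameter and output columns are this example's own; it inspects only the certificates embedded in the file and does not show what CIS itself queries.

```powershell
# Added example, not from the thread. Hypothetical file name: Get-RevocationHosts.ps1
param([Parameter(Mandatory)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
# Signer certificate and, when present, the timestamping certificate.
$certs = @($sig.SignerCertificate, $sig.TimeStamperCertificate) | Where-Object { $_ }
if (-not $certs) { throw "No Authenticode certificate found in $Path" }

$found = foreach ($cert in $certs) {
    foreach ($ext in $cert.Extensions) {
        # Multi-line text form of the extension. The 'URL=' prefix is how Windows
        # prints these entries; treat that layout as an assumption of this example.
        $text = $ext.Format($true)
        switch ($ext.Oid.Value) {
            '1.3.6.1.5.5.7.1.1' {   # Authority Information Access
                # Keep only entries whose access method is OCSP (1.3.6.1.5.5.7.48.1).
                [regex]::Matches($text, '(?s)1\.3\.6\.1\.5\.5\.7\.48\.1\).*?URL=(\S+)') |
                    ForEach-Object { [pscustomobject]@{ Kind = 'OCSP'; Url = $_.Groups[1].Value } }
            }
            '2.5.29.31' {           # CRL Distribution Points
                [regex]::Matches($text, 'URL=(\S+)') |
                    ForEach-Object { [pscustomobject]@{ Kind = 'CRL'; Url = $_.Groups[1].Value } }
            }
        }
    }
}

# One DNS lookup per distinct URL, timed, so slow or failing hosts stand out.
$found | Sort-Object Url -Unique | ForEach-Object {
    $item = $_
    $uri  = $null
    if (-not [uri]::TryCreate($item.Url, [System.UriKind]::Absolute, [ref]$uri)) { return }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try   { [void][System.Net.Dns]::GetHostAddresses($uri.Host); $resolves = $true }
    catch { $resolves = $false }
    $sw.Stop()
    [pscustomobject]@{
        Kind       = $item.Kind
        HostName   = $uri.Host
        Resolves   = $resolves
        DnsSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    }
}
```

On a network without Internet access, the hosts listed with Resolves = False are the ones a revocation check for that file would be waiting on.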
Hi everybody,
I am using CIS for over 10 years now and never had any problem. A couple of days ago I installed CIS .7062 on several computers and all of them show the same problem. All apps start with a delay of about 5 to 10 seconds. For example Steam, Origin, VLC Player, Acronis True Image.
I have no idea why this is. I went back to CIS 10 and/or 11 and this problem never appeared.
Any ideas what could cause this behavior? I read about it by another user that file ranking could be the problem. I marked all my files as trustworthy, but nothing changed.
Appreciate every help.
Thank you.
CIS-Fan
Hi CIS-Fan,
Were these apps running in a container/sandbox? You may check it by running the app without closing it, then go to CIS Advanced View; in there you can see the number of contained apps.
Is your computer doing some scheduled task or activity? Windows maintenance, etc… or scanning files?
Try to run the apps when your computer is idle.
Other than that, I think it is a compatibility issue with some software. Do you have any other security software installed?
Hi Arceus,
thank you for your comment. I use Firewall and HIPS only. I do not use sandbox/containment, also no scheduled tasks and also no other security software is installed. Software being used and installed is Office 365, Acronis True Image, Winrar, Steam, Origin and LAV Filters. I also use portable apps.
But what I found out is, that after deactivating CIS Firewall apps start immediately as they did with CIS version 10 and 11. As soon as I activate the CIS firewall, it takes approximately 10 seconds until apps start.
It seems that a Comodo .exe file tries to connect to the internet when starting an app and that is what is causing the delay.
I was able to reproduce this behaviour on 5 different computers.
Why is that so?
Yes, you should not block it. The thing is, when CIS detects that you have internet connectivity, it will try to connect and wait for a response or a timeout before it gives up, and might try again a number of times before giving up totally and allowing the application to run.
You might try disabling Cloud Lookup.
What do you mean by writing “you should not block it”? I never had this behaviour with the versions 10 and 11 of CIS, using the same individual configuration.
Cloud Lookup is disabled. So why is internet connectivity required when I start an app? Are there any release notes I can look up?
I was thinking that you had a configuration that blocks the CIS executable; if not, then something might be blocking it.
Internet Connectivity is not required, if you don’t have internet connectivity it will not try or attempt to connect.
For a test:
Thank you @Arceus.
I meant that the CIS executables are blocked in the firewall. That was always the case in my configuration.
Regarding your questions:
So why is internet connectivity all of a sudden required for the CIS executables when I start an app? Even though Cloud Lookup is disabled?
I have never ever had this behaviour by CIS.
Would someone of the Comodo team put a light on this matter, please?
Hi CIS-Fan,
I have the exact same issues as you are having. I can reproduce this over and over. Went back to Comodo 10 version.
In my testing, when I disable cloud lookup it didn’t attempt to connect to the internet (no delay).
I can reproduce the problem only once, when I’m connected to the internet and when I change the date 5 days in advance, but there is no problem at all when the network adapters are all disconnected.
A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
See above
One or two sentences explaining what actually happened:
See above
One or two sentences explaining what you expected to happen:
I expect:
If a software compatibility problem have you tried the advice to make programs work with CIS?:
N.A.
Any software except CIS/OS involved? If so - name, & exact version:
any software!
Any other information, eg your guess at the cause, how you tried to fix it etc:
I tried to fix it by uninstalling COMODO - my software started blazingly fast. Installed COMODO again, same issue =(
B. YOUR SETUP
Exact CIS version & configuration:
COMODO free firewall only (no antivirus) – using only the firewall (no HIPS, file rating, safe browsing, etc.) – version 12.2.2.7062
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Firewall only – custom ruleset – generally I am a network expert and know what I am doing there
Have you made any other changes to the default config? (egs here.):
What are “other changes”?
Have you updated (without uninstall) from CIS 5, 6 or 7?:
yes
if so, have you tried a clean reinstall - if not please do?:
yes
Have you imported a config from a previous version of CIS:
No, today I did a completely new config
if so, have you tried a standard config - if not please do:
N.A.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 20H2 b19042.630
UAC: Never notify
Account type: local administrator user
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
Nothing
Intentionally blocking CIS from doing what it needs to do to work correctly is not a bug and you can’t disable file rating as it is fully integrated with all the components. You are only disabling cloud lookup but you also have vendor rating which even that can’t be fully disabled as Microsoft and Comodo signed applications are always trusted.
“Ultimately COMODO should NOT try to call home on every (unknown) app start if I have disabled file rating etc.”
Not calling home; it is certificate revocation checking of the digital signature that is attached to the application.
“COMODO should not even create a huuuuge list of observed application AT ALL, if I have disabled file rating etc.”
Again, it is fully integrated and will always perform file tracking whether you have cloud lookup enabled or not.
Btw Windows does this checking as well, it is only now that Comodo does this on its own instead of relying on Windows to do it.
Also use the search as this has been covered many times already.
This is a very unpleasant effect. And Comodo is the culprit - delaying apps from loading for ~10 seconds. This is not normal.
What if someone uses Comodo in a closed network?