cmdagent.exe no longer in Task Manager

Hi,

Sorry if this is the wrong forum for this question.

I have Comodo Firewall and Defense+ (but not the Comodo AV) installed (vers. 4.1.150349.920). I noticed the other day that cmdagent.exe is listed in Task Manager - it always seemed to be there with vers. 3.x. Is this OK? cfp.exe is listed there, and FW and Def+ still pass CLT and CPILSuite tests, as well as Shield’s Up.

Thanks for any help.

I have noted this too. But, if you load Process Explorer, you will see it is still running.
You are still fully protected.

Thanks for the response, John. I see that I posted “is” listed in Task Manager, when I meant to type “isn’t”, but you got the gist.

Last week an Avira scan revealed a Trojan - it was quarantined, and multiple follow-up scans found nothing. I posted a HJT log at WhatTheTech and they found nothing, so I just wanted to make sure the missing cmdagent.exe wasn’t some result of that.

By the way, the two or three times I’ve noticed it missing, it has always re-appeared after a reboot.

I just got around to running Process Explorer and it actually doesn’t show cmdagent.exe present. cfp.exe is there, highlighted in purple.

I still pass the Shield’s Up all ports test, and Def+ gives alerts, so everything seems to be doing its job.

Is cmdagent.exe necessary for Comodo FW and Def+ to do their jobs, or is cfp.exe alone required?

btw, thanks for the reminder of Process Explorer - I had an older version which I’d never used. I installed the new version and will have to learn its uses.

I ran the test above and I did find CmdAgent listed. Yes, CmdAgent is required for CIS’ firewall and D+ to function properly. It is the workhorse of CIS.


Please run the diagnostics on the ‘more’ tab of the GUI if you see that cmdagent.exe is not running.
See if that turns up with something, it should detect if it’s no longer running.

Also can you please check Defense+ “View active process list” to see if it shows up there?

Hi John and Ronny,

cmdagent.exe wasn’t in the Defense+ “active process list”. I ran the Diagnostic, which found some problems with the installation. I clicked “Yes” to repair; diagnostic said the problems were fixed and suggested I reboot, which I did.

Upon reboot cmdagent.exe is back in the Task Manager list, but that has been the case other times I’ve noticed it missing and rebooted without any fix from the diagnostic.

I’ll wait and see if it pulls another vanishing act.

I’m surprised there wouldn’t be some sort of alert, either from Windows Security Center or Comodo, if cmdagent.exe’s disappearance meant the FW wasn’t functioning properly (unless cmdagent.exe itself is responsible for making those alerts).

Thanks for the responses, and I’d appreciate any other thoughts you may have on the matter.

Please check your Windows event logs for crashes of cmdagent or other cmdxxx files noted there.

Normally there are two reasons for disappearing: crashing because of AV issues, or malware attacking the process.

And I agree the GUI and security center should directly notify the user on loss of cmdagent.exe.
It’s been requested before but didn’t make it for some reason…

Hi,

First time I’ve used Event Viewer - took me a little while to find it.

Under “Applications” for yesterday there are a few “crypt32” errors, and from last week and a little earlier “ntbackup” and “Application Error” errors, but I see nothing for cmdagent or cmd*** related. I have to admit what I’m looking at is foreign to me, and therefore can be a bit unnerving - for instance under “Security” in Event Viewer there’s an “anonymous logon” at one point.

I’ve run some malware scans recently, including an ESET online scan yesterday, which have not shown any malware since Antivir caught a Trojan a couple weeks ago, so I’m hoping that’s not the issue.

Thanks again for help

Yeah, Event Viewer can be a bit overwhelming.
But don’t worry too much about it, just click through it and see if there are not too many Red warnings.

Also please try and see if GMER finds rootkit activity:
http://www.gmer.net/#files

The anonymous logon can be a lot of things, that’s too hard to determine without knowing the full alert.

I have GMER and run it occasionally, but again, it’s something I don’t quite know how to read. I’ve just always assumed that since nothing was highlighted it wasn’t detecting anything. Once again, nothing highlighted.

That anonymous entry was:
Success Audit - 7/3/2010 - 3:26:20 PM - Security - Logon/Logoff - 540 - Anonymous Logon - Compname

Not sure how many Red warnings would be a lot. There were three yesterday (that crypt32). Prior to that there had been three last Saturday (Jun. 26) preceded by a couple Yellow warnings related to Userenv and WinMgmt. I updated to SP3 about the time those happened, so they may be related to that.

Thanks again for the info and suggestions.

Just make sure you run the latest available version, and normally if it does a quick scan at start up it will pop a message box that “rootkit activity” has been detected, if not it just shows a few entries probably.

If you do a full scan it will also return with a message box.

One tip, save the results to a file and do that every time you run it so you can compare results later if in doubt if anything has changed…

Hi Ronny,

Yesterday I did delete the version of Gmer I had and downloaded the version from the link you supplied.

It never has given a pop-up indicating detection of rootkit activity.

So, I just brought the computer out of stand-by for the first time today and cmdagent.exe was missing from Task Manager and Process Exp. again. I ran the Diagnostics program again but didn’t reboot yet. I ran GRC’s LeakTest and the firewall caught it.

I had opened Firefox with no problem, but then closed it and, when trying to reopen it, Def+ alerted me that Firefox was trying to access dwwin.exe. First I blocked it, which caused an Application Error message. Then I tried Firefox again, got the same alert and allowed it, which brought up a Microsoft send or do not send and error report type window. After that Firefox opened up OK.

Not sure what’s going on with this. I may just keep it shut down for the holiday and look into it more tomorrow.

That doesn’t sound like normal operating mode :-
Something must be wrong, can you reproduce this every time it goes into standby?

dwwin = Doctor Watson for Windows, meaning that the process has crashed unexpectedly.
Please verify if this has caused new error messages in the Windows event log.

Hi Ronny,

I ran into some troubles just after my last message yesterday. There was a message that “avwsc.exe has encountered a problem and needs to close”. I assumed that would have something to do with Windows Sec. Center checking if my AV was up-to-date, but a Google search indicates it’s an actual Avira program - it just opened for a second now while I had Task Manager open - I think it checks to see if I’ve updated Avira recently.

After that I tried to open Firefox and had the dwwin.exe alert from Def+ again. Trying to open Firefox again led to "A breakpoint has been reached. 0x80000003 occurred in the application at location 0x300074a9." That made me nervous, so I shut down til this morning.

This morning I booted to safe mode, ran Avira, MBAM, SuperAntiSpyware - all found nothing. I decided to run Auslogics Defrag but it wouldn’t open, then dwwin.exe Application Error recurred, followed by the Exception Breakpoint.

I let things cool down, rebooted, Avira automatically ran a scan which detected nothing. The Red errors recorded in Event Viewer for yesterday all have “Application Error” as Source, Category is None for one, (100) for the others, with 1000 as Event, and User as N/A. The one this morning is the same, with “None” as Category.

I’ll see if I can recreate cmdagent.exe being gone after coming out of stand-by.

Does this look like a malware problem to you, or do you think it may be worthwhile to try a reinstallation of Comodo? Or maybe it’s something to do with my update to SP3 last week?

Thanks for the help and info.

btw WSC just let me know that Avira needs updating, so I’m glad to see that didn’t cause an error this time.

I had it in stand-by for about 45 minutes, and for five minutes that it’s been out of stand-by cmdagent.exe has remained present in Task Man.

Heat here is a killer today (no AC) so I’m putting it stand-by again for a while.

I’ve brought the pc out of stand-by three times today, and each time cmdagent has been present in Task Manager. Each time I’ve used the computer for 20-30 minutes before putting it back in stand-by, and cmdagent.exe hasn’t pulled its vanishing act.

Thanks for the updates adamf!

Out of standby this morning, first thing I checked was Task Manager and cmdagent.exe was missing again.

Event Log -System for that time has Source: Service Control Manager - Category: None - Event: 7034 - User: N/A.

That matches with when I noticed cmdagent.exe missing when coming out of standby on 7/4.

Not sure if that sheds light on anything.
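
The Event Viewer checks discussed in this thread (Service Control Manager event 7034 in the System log, "Application Error" event 1000 in the Application log) can be pulled into one timeline; this is an added example, not part of any post above and not Comodo's own tooling. It assumes Windows PowerShell with `Get-EventLog` available; the look-back window and the `cmd\w*` name pattern are illustrative parameters, and a 7034 message names the service rather than the executable, so unflagged 7034 rows still need to be read.

```powershell
# Added example: list unexpected service terminations (System log, event 7034)
# and application crashes (Application log, event 1000) in one timeline.
# Assumption: Windows PowerShell with Get-EventLog (not available in PowerShell 7).
param(
    [datetime]$After   = (Get-Date).AddDays(-14),  # look-back window (assumed value)
    [string]  $Pattern = 'cmd\w*'                  # flags cmdagent and other cmd* names
)

$queries = @(
    @{ LogName = 'System';      Source = 'Service Control Manager'; EventId = 7034 },
    @{ LogName = 'Application'; Source = 'Application Error';       EventId = 1000 }
)

$events = foreach ($q in $queries) {
    # -ErrorAction suppresses the "no matches found" error when a log has no hits.
    Get-EventLog -LogName $q.LogName -Source $q.Source -After $After `
                 -ErrorAction SilentlyContinue |
        # Compare EventID rather than InstanceId: InstanceId can carry severity bits.
        Where-Object { $_.EventID -eq $q.EventId } |
        Select-Object TimeGenerated,
            @{ n = 'Log';     e = { $q.LogName } },
            EventID,
            @{ n = 'Matches'; e = { $_.Message -match $Pattern } },
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# One chronological view makes it easy to line crashes up with standby/resume times.
$events | Sort-Object TimeGenerated | Format-Table -AutoSize -Wrap
```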

Can you post a screenshot of that message? Does it contain cmdagent.exe?