cmdagent.exe undesirably modifies files and their last write time


I’m using only the firewall feature of Comodo Firewall I expect that a firewall never changes the last write time of any file on the file system (apart from it’s own files) because it is to control network traffic only. However, I stumbled over the problem that it does modify files, probably by writing alternate file streams.

The problem occured when extracting files from a zip file. After extraction, the last write time was not equal to the time in the archive. I was blaming the author of 7-zip for this problem, however, it turned out that 7-zip was correctly setting the last write time to the value store in the zip file.

After some research (see picture below) it turned out that Comodo firewall caused this problem because cmdagent.exe modifies the extracted files. I do not want this as it is not required for a firewall controlling network traffic only. Even if it was unavoidable, the last write time shuld be set back to what it was before. Otherwise, I have no chance to extract files with the correct last write time.

Go to the Advanced Settings > Security Settings > Defense+ > Sandbox > Auto-Sandbox > Deselect “Enable file source tracking” and then click OK.

As I disabled everything but the firewall, including disabling auto-sandboxing, I did not expect that a sandboxing setting still has any influence.

Anyway, this did the trick.

Thanks for the very quick and correct reply!

Maybe it should be made a bit clearer in the UI because if one (like me) looks at the “Auto-Sandbox” tab and “[ ] Auto-Sandbox” is disabled, he thinks everything on the Auto-Sandbox tab is considered irrelevant even if it’s not disabled explicitly.

EDIT: I still think the modification date shouldn’t be affected.

I agree that it’s very confusing and frankly illogical behavior, disabling the module should disable other parts of that module to be honest. There’s a wish to add the setting to the installation choices so that users becomes aware of it and may disable it before it causes any issues.

I agree, the modification date change is a side-effect of CIS modifying the ADS of files for file source tracking purposes (to make the auto-sandbox more “user friendly”. There is a wish for CIS to try to avoid changing the modification date and if they can’t do that then at least save the old date and then write it to the file again after CIS has added the ADS to it.