cmdmon.sys and inspect.sys cant be backed up?

Hi

I have just installed this latest beta 2.4.5.111.

I have this snapshot software: FirstdefenseISR. When creating a snapshot I get error in Firstdefense: cmdmon.sys and inspect.sys = access denied, meaning that they are not copied to the snapshot. When booting into that snapshot I notice that Comodo gets all messed up because those two files doesnt exist there.

Wont this create a problem with other backup software too?

see pic from FDISR log

[attachment deleted by admin]

What is your version of FirstdefenseISR?

I have the Leapfrog version 1.10 build 173.

But I´ve just learned that there is a way to walk around that problem: I disabled “Protect own registry keys and files from unauthorized modifications” in Comodo FW and then the two files got copied to the snapshot.

I can always disable the above mentioned rule before doing a snapshot. The only downside is that I can not use scheduled creating of snapshots.
I guess there are no way to tell Comodo to allow Firstdefense modify those files with this rule enabled?

I’ll give it a try (I’m testing the trial) and will report in a few minutes

Works fine on XP. No need to deactivate the protection on CF. :smiley:

Thanks for testing.
I have Windows XP PRO SP2 and all hotfixes too. Interesting result ???
I wonder why I have to disable the protection in Comodo in order to get those files into my snapshot…
I do not have any other software that could interfere with Firstdefense copying those files.

I will have to investigate further.

I used vss (Volume Shadow copy Service) for the backup.
Maybe you used RSS instead of VSS?

note from ISR
"By default, VSS is now used to copy the active snapshot instead of
RSS for Windows XP and later.

You can select which service using ISRSetup. In a Command Prompt:
cd $ISR$APP\Setup
ISRSetup -install -rss
(or -vss). A reboot will be required after selecting RSS."

I use VSS since I have not changed it after the install of FDISR. And I see in the processes that Volume Shadow Copy Service is started when I create/update a snapshot.
For the time being I have disabled the Firstdefense schedule and I will do manual snapshots with the CPF rule disabled only then.

I presume the protection of these two files is a new feature in this beta since I have not had this problem* with earlier versions of Comodo Firewall.

  • not a problem really, it is good that Comodo protects itself if that is a way for the bad guys to compromise Comodo Firewall. I can live with it :slight_smile:

that’s becuase CPF hooks the system api’s in order to prevent anything from deleting the registry keys and files for cpf when you have this protection option enabled.

a usefull feature I’d like to see added inside this framework (on a technical level) is reset and format protection.

:>

hmm… if I leave “Protect own registry keys and files from unauthorized modifications” checked and uncheck “Show the application window on system startup” instead, I can do a backup without problems ??? but not if I leave everything checked in “Miscellaneus”
One of those has to be unchecked in Comodo gui if I want those two files (cmdmon.sys and inspect.sys) to be copied to the snapshot.
very strange indeed.

Yes this is weird. System startup should not have any effects on this. Some backup programs may try to modify the files, like trying to move them etc. But when self defense is active, CPF should not allow so. Because the same thing can be achieved by a malware if we allow so.

Setting security to “Allow All” would also solve the problem.

Egemen