(Apologies if this is the wrong board to post this on - it may not be related specifically to Defense+ but to CIS in general.)
I am running latest CIS (currently, version 10.0.1.6294) on 2 Windows PCs (one Windows 7 Pro and another Windows 10 Home). Both are having the same issue that did not used to happen on earlier CIS versions for same PCs. I use Proactive configuration with on-the-fly rule creation.
After working with USB Mass storage device (MyPassport drive), clicking on “Safely Remove Hardware and Eject Media” leads to error saying device is in use. This happens even after closing all programs. Comodo does not display any popups. It took me a long time to figure out this is even related to Comodo. I finally found that (Windows) Event Logs Viewer → Windows Logs → System shows that Comodo’s cmdagent.exe process is preventing this. Here are the 2 warning messages that are logged for each attempt to eject via various ways:
“The application \Device\HarddiskVolume2\Program Files\COMODO\COMODO Internet Security\cmdagent.exe with process id 1152 stopped the removal or ejection for the device USB\VID_1058&PID_07A8\575831…939.”
“The application System with process id 4 stopped the removal or ejection for the device USB\VID_1058&PID_07A8\57583131…939.”
I tried:
looking in CIS logs - nothing appears to be logged about this in Comodo own logs - I checked them all
disabling all CIS components (including Antivirus, Firewall, HIPS, AutoContainment, VirusScope) - issue continued to persist
shutting down Comodo (after disconnecting from internet) via right-click in its taskbar icon and clicking Exit - issue still continued to persist (cmdagent.exe is still a running background process)
killing cmdagent.exe - could not do it in any way via Task Manager or Process Explorer, so could not make it go away
Only thing that works fine is if I disable Comodo from starting up cmdagent.exe upon startup of computer and reboot but that’s too late since it requires a reboot.
Even during shutdown of computer, I can see the drive is working and shutdown eventually just cuts off the power. This led to my drive getting corrupted! I lost data as a result!!
Questions:
(1) Is this a known issue?
(2) Is there any workaround?
(3) Can I configure CIS to allow me to shutdown cmdagent.exe via Task Manager or Process Explorer or in some other way? I realize this opens up possibility of attacker doing so somehow but I need to have SOME workaround for this issue so I don’t corrupt my drive in future!
(4) Does the second Events Viewer warning message provide a clue? Maybe “System application” (whatever that is) is not configured right within CIS somehow? I tried to look for its HIPS Rules but only found a group called “System” under Windows System Applications which are “Treated As” the preset group of “Windows System Applications”. (Note: without cmdagent.exe running on the system after reboot, neither warning messages shows up and drive can be safely removed just fine.)
Yes when ever you open files on a usb drive, cmdagent starts to catalog these files in its database for file source tracking. What I do when I can’t use safely remove hardware, is use eject option on drive letter in my computer. Then you can safely remove the drive as windows shuts the drive off.
You can see which file(s) that cmdagent has an open handle of using process explorer view → show lower pane and lower pane view → handles. Note on Windows 10 you need to first use show details for all processes under the file menu. And sort by name column and look for usb drive letter in the path.
Thanks futuretech, I find there is no issue with USB sticks but the issue only occurs for Mass Storage external USB drives. For such a drive, I see no “Eject” option under Computer, when I right click on the drive icon corresponding to the USB drive. I do see such option for USB sticks, but not for the external drive.
Is there some (other) way to
(a) prevent Comodo from doing such cataloging for external drives
and
(b) once cataloging is running, stopping it (note: neither shutting down Comodo, nor disabling all its services from its UI help)
Do you have the AV installed? You can try adding the drive letter to the scan exclusions so the real-time av doesn’t try to scan files which would also trigger cmdagent. Also do you have VirusScope set to monitor all applications or only applications running in containment? I know you said you tried disabling all components but did you do that before or after plugging in the external drive?
Yes, AV is installed. I cannot add exception there because drive letter does not get added until after I insert the drive (but see below…)
I had disabled AV and VirusScope and rest of components after plugging in the external drive.
VirusScope checkbox to monitor only contained applications it NOT checked, so I assume it’s enabled for all. I don’t recall if I changed it. I may have unchecked it because it seemed more secure to check for suspect behavior everywhere. Do you recommend checking that box?
In general, I have auto-containment disabled because in the past comodo versions I had issues, where legitimate programs were trying to [auto-]update and auto-containment was making that impossible due to placing such update processes into a virtual environment instead of asking me whether to do so; and sometimes I am not even by the computer when such auto-updates happen. So, with auto-containment disabled, I might have figured viruscope would be only useful if it’s run for non-contained cases…
Based on your input, I tried following:
disconnect from internet
disable AV and VirusScope
plug in external drive
opened couple files on the drive
added external drive letter that now appeared to list of Exclusions for AV (not that it should matter with this approach)
attempted to eject - went through fine (note: still no “Eject” option under My Computer but regular eject icon in system tray worked)
unplug the drive
enable AV, VirusScope
connect to internet
I am hoping this is a workaround that will continue to work, so thank you! It’s still quite heavy handed. The exception folder path in AV stays after I unplug the drive. With that exception in place, I tried again with just VirusScope disabled (AV stayed on) and ejection also worked!
So, sounds like disabling AV after plugging in the drive is too late basically and file handles are never release then… ??
What’s the significance of VirusScope here? Are you thinking it might not be releasing file handles? (I am a little afraid to test this with VirusScope enabled if this causes further corruption to the drive)
Now, the issue I had described was intermittent. With these tests I just ran, I did not use my external drive for a long period of time. So, while I am hoping you came up with a good temporary workaround, time will have to tell if it’s working always.
It may be better just to wait awhile after using the external drive before attempting to remove it as that might be why you can safely remove the drive. When VirusScope is set to monitor all applications it allows you to use show activities under HIPS alerts and under active process task. The VirusScope recognizers are loaded within the cmdagnet process.
Unfortunately, waiting a while did not help me - I waited for hours before trying to shutdown the PC (which is what corrupted the drive even though it was just a standard Windows shutdown).
I did not quite get the benefit of “show activities” - is it same as ProcessExplorer / TaskManager?
If this is the only benefit, maybe I should only have VirusScope on “contained” apps. I was assuming VirusScope is looking for suspicious behavior of all programs when it’s not marked to only be for contained apps.
If I am not running any application myself, do you have some suspicions as to why VirusScope would want a handle on my external drive files?
If you think there is high likelihood VirusScope is involved, I will keep disabling it before plugging in external drive. But if you think it’s unlikely, I might try with VirusScope remaining to be turned on… I am just trying to avoid having another corruption but also want it to be easier to use external drives
I just read your post that you linked. In your case, does it happen for both, USB flash sticks AND USB external drives?
In my case, it appears to be a problem only for the USB external drives (like the 1TB or 2TB WesternDigital MyPassport ones). Never had the problem for the flash drives (and use those much more often than external drives)
Can you see if workaround from my earlier post (thanks to futuretech!) works for you? It seems to be working for me so far - I tried it on both computers.
E.g. disable CIS AntiVirus and VirusScope on both PCs prior to plugging in the drive (leave Firewall and HIPS on), add the drive letter to exclusion paths of AntiVirus before accessing any files. Then, open and close some files, use the drive, and finally, close every file usages and see if you can then eject it safely or not.
P.S. Yes, I did not expect to get corruption with PC shutdown, but that’s what happened. I saw the power go out while the drive was still “busy” (after hours of waiting with nothing going on on PC). Next time I plugged in the drive (on another PC) it detected that it was not shutdown properly and various index entries were ruined. About a 100 files were moved to found.000 folder that I cannot even access now and I don’t even know the full list of all those files that got lost
This problem is still alive for me.
There is one difference.
If external disk is already inserted in usb port when system boot then it’s impossible to eject
If is plugged in while system is on then it can be safely ejected.
Tried all workaround:
put disk offline, disable firewall, virusscope, antivirus, autocontainement
without luck.
