I noticed that after installing Comodo Firewall on Windows 10 Home version 22H2, the process monitor constantly shows disk activity:
lsass.exe create/close file c:\windows\system32\Protect\S-1-5-18\Preferred
It doesn’t read anything from the file, just opens and closes it, but it does so at a rate of 4 attempts per second, continuously.
I have checked this on two different devices that have Comodo Firewall installed and the problem is identical.
Is this how it’s supposed to be?
Thank you for reporting.
May I know your CFW version? Please also make sure you do not have any security software other than CFW.
Also install all the Windows security patches and check.
Kindly let us know your feedback.
No, no, of course I don’t use both versions at the same time ;) I meant that I also tested another version of CFW (by uninstalling the previous one).
I also downloaded the version from the link you provided me, and it behaves the same way.
As I mentioned earlier, the older version CFW 188.8.131.5210 does not cause such behavior with lsass. I tested the older version on two different devices with a different Windows build. I don’t know how confident the developers are that the newer version does not behave in the way I described, but maybe it would be worth checking?
If nothing helps, I will probably stay with the older version; that’s a solution for now.
When I installed Comodo Antivirus from the link (cav_installer.exe, the version without firewall) and killed one cmdagent.exe + cis.exe process, there was one attempt less per second by lsass to create/close the file Preferred.
Thank you for providing the requested information.
We are trying to reproduce the issue at our end. Unfortunately, we weren’t able to reproduce it.
So could you please provide us with steps to reproduce the issue, along with a screenshot, so that we can check, report this to the team, and update you?
The problem occurs immediately after installing Comodo Firewall, so there are no special conditions here, but since it only happens in my environment, it’s interesting. Perhaps there’s something I’m not noticing. In Sysinternals Process Monitor it looks like this:
Hey Comodo team, with respect to this, I’ve been researching this for 3 months and its persistence is insane. It mods reg files, hasn’t been able to be detected by any cleaners including VirusTotal, but the call to items in the individual files is heavy. It’s very similar to the old malware calc.exe, with portions that are .DLL hijacking, leading to remote access as well as DNS redirecting capabilities.