Comodo Firewall - Lsass - Preferred - Disk activity

I noticed that after installing Comodo Firewall on Windows 10 Home version 22H2, the process monitor constantly shows disk activity:
lsass.exe create/close file c:\windows\system32\Protect\S-1-5-18\Preferred

It doesn’t read anything from the file, just opens and closes it, but it does so at a rate of 4 attempts per second, continuously.
I have checked this on two different devices that have Comodo Firewall installed and the problem is identical.
Is this how it’s supposed to be?

Hi wertyg,

Thank you for reporting.
May I know your CFW version? Please also make sure you do not have any other security software other than CFW.
Also install all the Windows security patches and check.
Kindly let us know your feedback.

Thanks
C.O.M.O.D.O RT

I don’t have any other security programs. I tested it on 3 devices, same problem:

  1. Laptop Win10 home 21h2 / CFW 12.2.2.8012
  2. Desktop Win10 home 22h2 / CFW 12.2.2.8012
  3. VirtualBox Win10 home 22h2 freshly installed / CFW 12.2.2.8012 and 12.2.4.8032

I downloaded an older version, CFW 11.0.0.6710, and it turned out that the problem does not occur there.

Hi

Thank you for providing the requested information.
Are you running both CFW and CIS Pro? If so, kindly refer to the link below to download and install only the CIS version and check.

FYI: Running both CFW and CIS Pro might cause compatibility issues.

Thanks
C.O.M.O.D.O RT

No, no, of course I don’t use both versions at the same time ;) I meant that I also tested another version of CFW (by uninstalling the previous one).

I also downloaded the version from the link you provided me, and it behaves the same way.
As I mentioned earlier, the older version CFW 11.0.0.6710 does not cause such behavior with lsass. I tested the older version on two different devices with a different Windows build. I don’t know how confident the developers are that the newer version does not behave in the way I described, but maybe it would be worth checking?

If nothing helps I will probably stay with the older version; that’s a solution for now.

P.S.
When I installed Comodo Antivirus from the link (cav_installer.exe, the version without firewall) and killed one cmdagent.exe + cis.exe process, there was one attempt less per second by lsass to create/close the file Preferred.

Hi wertyg,

Thank you for providing the requested information.
We are trying to reproduce the issue at our end. Unfortunately, we were not able to reproduce it.
So could you please provide us with the steps to reproduce the issue, along with a screenshot? Then we will check, report this to the team, and update you.

Thanks
C.O.M.O.D.O RT

The problem occurs immediately after installing Comodo Firewall, so there are no special conditions here, but since it only happens in my environment, it’s interesting. Perhaps there’s something I’m not noticing. In Sysinternals Process Monitor it looks like this:
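
Added example, not part of the thread and not Comodo or Sysinternals code: one way to turn a Process Monitor CSV export into a per-second count of lsass.exe opens of the Preferred file, so the rate reported above can be compared across CFW versions. The column names follow Process Monitor's default CSV layout; the sample rows, PIDs and temp path are constructed, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

PROCESS = "lsass.exe"
PATH = r"c:\windows\system32\protect\s-1-5-18\preferred"  # path as reported in the thread
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"'

def constructed_sample():
    """Constructed rows (PIDs, times, temp path invented): 4 open/close pairs per second."""
    rows = [HEADER]
    pref = r"C:\Windows\System32\Protect\S-1-5-18\Preferred"
    for sec in ("10:15:01", "10:15:02"):
        for i in range(4):
            for op in ("CreateFile", "CloseFile"):
                rows.append(f'"{sec}.{i * 250:03d}0000 AM","lsass.exe","712","{op}","{pref}","SUCCESS",""')
    rows.append(r'"10:15:02.9000000 AM","cmdagent.exe","1480","CreateFile","C:\Windows\Temp\x.tmp","SUCCESS",""')
    return "\n".join(rows)

def second_bucket(time_of_day):
    """Drop the fractional part so events group per wall-clock second."""
    m = re.match(r"\s*(\d{1,2}:\d{2}:\d{2})(?:[.,]\d+)?\s*(AM|PM)?", time_of_day, re.I)
    return f"{m.group(1)} {m.group(2) or ''}".strip() if m else None

def opens_per_second(csv_text, process=PROCESS, path=PATH):
    """Count CreateFile events by `process` on `path` for each second of the capture."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if (row.get("Process Name") or "").lower() != process:
            continue
        if row.get("Operation") != "CreateFile" or (row.get("Path") or "").lower() != path:
            continue
        bucket = second_bucket(row.get("Time of Day") or "")
        if bucket:
            counts[bucket] += 1
    return counts

def summarize(counts):
    """Peak and mean are taken over seconds that had at least one matching open."""
    total = sum(counts.values())
    return {"seconds": len(counts), "total": total, "peak": max(counts.values(), default=0),
            "mean": total / len(counts) if counts else 0.0}

if __name__ == "__main__":
    per_second = opens_per_second(constructed_sample())
    print(summarize(per_second))
```

For a real capture, pass the text of the exported CSV file to `opens_per_second` instead of the constructed sample.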

Hi wertyg,

Thank you for providing the requested information.
Let me check and update you.

Thanks
C.O.M.O.D.O RT

Hey Comodo team, in respect to this, I’ve been researching this for 3 months and its persistence is insane. It mods reg files, hasn’t been able to be detected by any cleaners including VirusTotal, but the call to items in the individual files is heavy. It’s very similar to the old malware calc.exe, with portions that are DLL hijacking, leading to remote access as well as DNS redirecting capabilities.

Hi wertyg,

Thank you for reporting.
We have checked and couldn’t reproduce that lsass.exe create/close activity.
However, we will bring this to the team’s notice and update you.

Thanks
C.O.M.O.D.O RT

Sorry… updates are very important!
Check the hardware HD, it may be corrupted…