COMODO Internet Security 3.8.61948.459 BETA Bug Reports [CLOSED]

  1. Win 7 x64 b7000
  2. Avira Free Antivirus, Malwarebytes, Clamwin (On demand only)
  3. Attach screenshots to your posts to clarify the issue further

CIS beta 3.8 installed fine on my machine (win7 x64 b7000), using compatibility mode (vista) & w/ administrator options configured on the installer. The screen shot attachments will say it all:


http://i73.photobucket.com/albums/i204/the_prefect/th_cisb2A.jpg

Antivirus engine not initialized


http://i73.photobucket.com/albums/i204/the_prefect/th_cisb2B.jpg

Virus database signature after a very long update


http://i73.photobucket.com/albums/i204/the_prefect/th_cisb2C.jpg

Could not initialize scanning engine. Run diagnostics


http://i73.photobucket.com/albums/i204/the_prefect/th_cisb2D.jpg

Slight hang


http://i73.photobucket.com/albums/i204/the_prefect/th_cisb2E.jpg

No problems on installation or conflicts with other applications

Also tried it w/o UAC & unchecked the “detect shellcode injections” on image control execution settings & still no luck in updating & running the cavs engine. Uninstalled other security software & re-installed CIS beta 3.8, the result is still the same.

One thing more to add, this 3.8beta keeps on disconnecting my net connection, randomly. Troubleshot my NIC driver (Realtek; update & downgrade). Unchecked the power-saver options of this NIC hardware but to no avail. I also disabled the threatcast option but no go for me. Still causes random disconnection every now & then.

Reverted back to CIS beta 3.5.61373.458, now works flawlessly (including my imported rules for firewall & d+).

Gonna try it (CIS beta 3.8 ) on my vista x64 machine later on, to see if it does produce the same results.

add’l:

ran multiple reg cleaners & manually deleted comodo entries from install-uninstall procedure, using regedit.

Inspect.sys is CIS’ main packet inspection driver for the firewall. Things look OK without it, since inspecting packets is really all that it does. All the visible stuff doesn’t rely on inspect.sys directly. It’s also one of those components that just should not stop, ever (unless CIS is uninstalled).

I’m not sure about the timings… but, unfortunately, the Inspect referred to here is CIS’ inspect.sys & it is an active (primary) component of all recent versions of CIS, including the recent BETAs. You’re basically seeing what I have seen. Interestingly enough, I also had the same trouble with SAS initially myself, but I removed all of SAS & that did not seem to have any positive or negative impact on CIS. Not sure of the relevance of SAS at this point.

When it doesn’t run what does that mean with regards to protection? :o

I have the same thing logged for Inspect service as well and traced it back to both CIS beta 1 and 2 in Event viewer here on Vista. How can I determine that the driver is not working other than in Event viewer?

When for example I tell the client program to block traffic for a browser it will block traffic. Does that mean the Inspect service is running or not (or is this not a valid way of testing that the Inspect service runs or not?)

Obviously, this doesn’t happen in non-BETA’s & usually this is not a problem, since without inspect.sys running then nothing is going to happen anyway. AFAIK your Net connection will be non-operational in this situation. However, I’ve not tested either of these BETA’s in this specific situation.

Under Vista or XP, use the Device Manager & set the View to “Show hidden devices”. This should show a section called “Non-Plug and Play Drivers”. You should be able to find inspect.sys in there & find its current status (Properties).

Sort of answered above… with inspect.sys not actually running, although installed, everything is usually blocked.

I hope that helps.

Thanks for the precise answer.

I looked under Non Plug and Play drivers and only found the Comodo Internet Security Helper Driver that was up and running. No sign of Inspect or inspect.sys.

You also said “with inspect.sys not actually running, although installed, everything is usually blocked.”. Event viewer says it is not running so logically speaking I should not be able to connect to the internet or my local network; which I can.

Then it looks like we may have a bug here. It looks like it is running but Windows reports differently. Maybe there is an error in how it registers with Windows and therefore gets reported to not have started and not being shown under Non Plug and Play drivers.

Can one of the devs comment on this? Now I am curious…

Hi EricJH

I’ve already PM’ed Egemen about this. I know from Egemen’s posts that there is something new about CIS’ driver deployment under Vista, so it’s possible that we can’t see it in the same way. But, to confirm… the Device Manager is telling you that inspect.sys is not running & that everything else says all systems are functioning correctly. Is that correct? Also have you checked your Windows Event logs?

I have checked the event logs and it says: “The following boot-start or system-start driver(s) failed to load:
inspect”. The event id is 7026. The same thing also happens on Win 7 beta build 7000 (I know Win 7 is not considered yet in the process but since it is Vista +…)

Inspect or inspect.sys does not show up under Non Plug and Play devices. The only Comodo related driver that shows up under Non Plug and Play drivers is Comodo Internet Security Helper Driver.

Let me know if more information is needed.
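
The check discussed in the posts above (is the driver really stopped, or only reported that way?) can also be made outside Device Manager. This is an added example, not part of the original posts; it assumes Windows PowerShell 2.0 or later and the service name `inspect` as it appears in the quoted Event ID 7026 message.

```powershell
# Added example (not from the thread). 'inspect' is the driver service name
# taken from the Event ID 7026 message quoted above; adjust if yours differs.
$driverName = 'inspect'

# 1. Query the driver's service entry through WMI, independent of what
#    Device Manager chooses to display.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$driverName'"
if ($null -eq $drv) {
    Write-Output "No driver service named '$driverName' is registered."
} else {
    # State: Running/Stopped. StartMode: Boot, System, Auto, Manual, Disabled.
    $drv | Select-Object Name, State, StartMode, Status, PathName | Format-List
}

# 2. Work out when this boot started, so old events are not mistaken for new ones.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

# 3. Collect 'boot-start or system-start driver(s) failed to load' events
#    (ID 7026) from the System log that name the driver and belong to this boot.
$pattern = '\b' + [regex]::Escape($driverName) + '\b'
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7026 } `
                -MaxEvents 50 -ErrorAction SilentlyContinue |
            Where-Object { $_.TimeCreated -ge $boot -and $_.Message -match $pattern })

# 4. Compare the two views and report any disagreement.
if ($drv -and $drv.State -eq 'Running' -and $failed.Count -gt 0) {
    Write-Output "Mismatch: driver is running, yet a 7026 load failure was logged this boot."
} elseif ($drv -and $drv.State -ne 'Running') {
    Write-Output "Driver is registered but not running (State: $($drv.State))."
} elseif ($failed.Count -eq 0) {
    Write-Output "No 7026 load failure for '$driverName' since $boot."
}
$failed | Select-Object TimeCreated, Id, Message | Format-List
```

A "Mismatch" result corresponds to the situation described in the thread, where traffic is filtered normally while the event log reports a load failure.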

I have the same above in Vista SP1 64 bit. Will check Win7 later out of curiosity.
Also have CIS (D+ firewall and antivirus running), BOClean, Windows Defender and Safe Surf
Kevin

OK, rollback to CIS stable no more inspect.sys error. Probably it’s not launched at startup.

100% cpu from cfp when antivirus update !

AV Scanner does not log/report inaccessible files, like system files and/or password protected archives.
This way you can never be sure there is not something nasty preventing the scanner from accessing it.
I’d really like to see a list of inaccessible files after a manual scan.

  1. Vista, SP1, Enterprise, x32, Normal User, Fully Patched
  2. Windows Defender, VMWare 6.5.1 Workstation.
  3. See above
  4. N/A
  5. N/A
  6. N/A
  7. N/A

AV scan profile - Critical Areas, does not scan %UserProfile% - C:\Users\<loggedonuser> where it does scan %AllUsersProfile% - C:\ProgramData. I think %UserProfile% should also be scanned during Critical Areas.

  1. Vista, SP1, Enterprise, x32, Normal User, Fully Patched
  2. Windows Defender, VMWare 6.5.1 Workstation.
  3. See above
  4. N/A
  5. N/A
  6. N/A
  7. N/A

While being in Safe/Paranoid Mode putting *.dll on the Protected Files group will cause non remembering prompts for accessing .dll files, causing multiple duplicate entries on the policy !

Default install, Switch Internet Security to Safe Mode.
Untick “Trust the applications digitally signed by Trusted software vendors”.
Put *.dll on the My Protected Files group.

Make sure that Firefox has all policies set to “Ask”.
Now start Firefox, it will ask you for global hook on c:\windows\system32\wdmapi.dll [Remember]
Now it will ask for c:\windows\system32\cscui.dll [Remember]
Close Firefox.
Start Firefox it will ask again for c:\windows\system32\cscui.dll
Check the policy you will see 2 duplicate entries on it for Protected Files.

  1. Vista, SP1, Enterprise, x32, Normal User, Fully Patched
  2. Windows Defender, VMWare 6.5.1 Workstation.
  3. See above
  4. Yes, Change the : in the Path to ? and it will fix the problem, see also screenshot.
  5. N/A
  6. Done
  7. N/A

Ok, now I’ve uninstalled it, reinstalled it, rebooted every time it asked. I had DB 2, after an update it told me to restart. I did. Now I get the same errors as before and apparently it downgraded from DB 2 to 0.

Having db 0 tells us that it’s currently in the “update” process, did you by any chance import old config settings ?
Because this beta won’t go any higher than 2 at the moment, the reboot after av db update was for the 3.5.x line.

Are you behind a proxy server to access internet ?
Can you run a manual AV db update ?

Yes, I’ve imported my config from 3.5. No proxy. When I try an update I get “Antivirus engine not initialized”. I’ll try selecting one of the default configs, restart and see if that works. Fingers crossed.

That has caused the problem, the av db update url is different for this beta, please do not import old settings to prevent this. The beta has a new db layout and is therefore using a different download path.

… or if you need your Profile, you could modify it to use the correct location using RegEdit. The details are in the BETA 1 topic.

  1. Windows 7 beta Build 7000
  2. None
  3. Upload of file to Comodo
  4. Not tried
  5. N/A
  6. cfpsbmit.exe - Application Error. The exception unknown software exception (0x40000015) occurred in the application at location 0x00472fb5
  7. Please post any False Positive Reporting in the thread here
  8. Any other information you can think of

It’s vital to provide all this information, so the developers can quickly identify and fix bugs faster.

The alert for some app. is trying to access the keyboard is not always related to keyloggers. It is shown if any application is trying to receive user input data. Key loggers are doing so, but many other applications do it too (usually ones with text box).
So that’s the meaning of the alert - if you are sure the application is not keylogger you allow keyboard access, if not - you block it.