Defense+ is saying a Trusted Application is suspicious

Good morning,

I am running Win XP Home, SP#3 with IE7 and utilizing CFP v3.0.25.378.

Since I installed CFP a few days ago I notice that on the Summary page it says Defense + has blocked 1 or 2 suspicious entries.

The entries are always related to SuperAntispyware (v4.21.1004) trying to access memory. I have set this program as ‘trusted’ everywhere I can think of but Defense + still lists it as a suspicious program.

I have my Firewall Security level set at ‘Safe Mode’ and my Defense + at ‘Clean PC Mode’.

Is this suspicious detection normal or is there a way I can stop CFP from saying SuperAntispyware is suspicious?

Thanks and regards,

2harts4ever

Hello, Could you run Defense+ in Safe mode for a little while and see if you get the same results?

Morning Kyle,

I have to do some running in a few minutes which will take most of the day.

I will give it a try when I get back.

To make sure I understand you, do you mean I should reboot and go into ‘Safe Mode’ and see how Defense + reacts then?

Any certain amount of time I should stay in ‘Safe Mode’?

Thanks and regards,

2harts4ever

Hello. Sorry, I mean put Defense+ in safe mode.

Comodo → Defense+ → Advanced → Defense+ Settings → Move the slider to safe mode

Hi Kyle,

My planned activities for the day were cancelled so as you can see I am back to the hunt for a solution.

Defense + has been in safe mode for about an hour and it still is blocking and labeling SuperAntispyware as suspicious trying to ‘access memory’.

None of my other spyware programs are being labeled as suspicious; that is why I wonder why SuperAntispyware is being singled out.

Thanks and regards,

2harts4ever

I will download Super Anti Spyware and try it out. Are you using the Pro version or free?

Hi Kyle,

Pro version.

Thanks and regards,

2harts4ever

I see, it’s accessing the memory. It’s not causing any problems, is it? Those same things appear in my logs and it still works fine.

Hi Kyle,

Yes, it is trying to access the memory.

But, I am having no problems.

Would it be okay to put Defense + setting back to ‘Clean PC Mode’?

Thanks and regards,

2harts4ever

What’s happening is that Super Anti Spyware is trying to scan Comodo, and Comodo says… NO! :stuck_out_tongue:
If you want Super Anti Spyware to stop scanning Comodo you should put Comodo into Super Anti Spyware’s exclusion list. As for the modes… I personally think that it should be on safe mode for every computer.
From my point of view I see clean mode as everything pre-existing on your computer is safe - But what happens if the malware is dormant until the next reboot? It would be considered safe.

I’ll give you a quick run down about the modes.

FIREWALL:
Block All Mode: The firewall blocks all traffic in and out of your computer regardless of any user-defined configuration and rules. The firewall will not attempt to learn the behavior of any applications and will not automatically create traffic rules for any applications. Choosing this option will effectively prevent your computer from accessing any networks, including the internet.

Defense+
Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create ‘Allow’ rules for any executables - although you still have the option to treat an application as ‘Trusted’ at the Defense+ alert. Choosing this option will generate the most amount of Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules for these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in ‘Clean PC Mode’ then ‘Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.

Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called ‘Child Processes’. In ‘Paranoid’, ‘Safe’ and ‘Clean PC’ modes, Defense+ would raise an alert every time these child processes attempted to execute because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage ‘Installation Mode’ - which will temporarily bestow these child processes with the same access rights as the parent process - so allowing the installation to proceed without the usual alerts.

Training Mode: The firewall will monitor and learn the activity of any and all executables and create automatic ‘Allow’ rules until the security level is adjusted. You will not receive any Defense+ alerts in ‘Training Mode’. If you choose the ‘Training Mode’ setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.

Tip: This mode can be used as the “Gaming Mode”. It is handy to use this setting temporarily when you are running an (unknown but trusted) application or Games for the first time. This will suppress all Defense+ alerts while the firewall learns the components of the application that need to run on your machine and automatically create ‘Allow’ rules for them. Afterwards, you can switch back to ‘Safe Mode’.

Disabled: Disables Defense+ protection. All executables and applications are allowed to run irrespective of your configuration settings. Comodo strongly advise against this setting unless you are confident that you have an alternative intrusion defense system installed on your computer.

I hope I have been able to help you :slight_smile: There is a timezone difference from me to you, so I have to go to sleep now - if you need to know something else you’ll have to wait for another user or for me to wake up. (:WAV)

Hi Kyle,

I have tried putting the Comodo Folder (C:\Program Files\COMODO\Firewall) in SuperAntispyware’s Scanning exclusions list but SAS still tries to access Comodo’s ‘cfpconfg.exe’ and ‘cfpupdat.exe’ files and as a result Comodo still considers it suspicious in Defense +.

I am probably missing some small setting in one of the two programs but I have taken up enough of your time so I guess I will learn to live with it.

I have decided to keep both the Firewall and Defense+ settings on ‘Safe Mode’. What you say makes sense.

If you ever get bored and think of a reason Comodo thinks SAS is suspicious send it my way.

UPDATE:

Hi again Kyle,

After I originally posted the above response I did some serious searching and came up with the fix I was looking for.

It is reply #6 by ‘Matty_R’ at this link: https://forums.comodo.com/empty-t27415.0.html

It worked like a charm! (:CLP)

I appreciate all your valuable input and patience in helping me get to the bottom of this situation.

You will most likely see my name on this forum a few more times …lol

Thanks and regards,

2harts4ever

You’re very much welcome :slight_smile:

EDIT:: I even posted on that thread! And I still didn’t get it. lol

Hi Kyle,

“I even posted on that thread! And I still didn’t get it. lol”

No problem … the end result is what is important. :SMLR

Time for me to call it a night and get some shut-eye too.

Thanks and regards,

2harts4ever