Defense+: SYSTEM application always wants to do something

win7 x86. Avira antivirus, Comodo Firewall

I’ve been called, since one application (nested one - one exe calls another) cannot start.

It seemed that Comodo was very slow. An attempt to add a rule for those applications froze it and the computer.

So I opened it and cleaned non-existing files from the firewall, Defense+ and unknown files lists. There were a lot, including some on removable drive paths - mostly temporary installers/updaters.
It went okay and faster, yet now it seems it deleted something predefined.

I shut down Windows and a popup came saying SYSTEM tries to write into c:\windows\logs\shutdown…
I do something unrelated and a popup came saying SYSTEM tries to write into c:\windows\logs\httpsrv…

I mark “remember my choice” and click yes, but soon this comes again, probably log files are with timestamps in names…

I cannot mark this ‘application’ as trusted or Windows Core - the only option is “installer/updater” which it is not.
Funny thing, the checkbox “upload to COMODO” is active and I checked it - wonder what ■■■ uploaded…

But still - it seems like a bug, and a very annoying one.

Are you running Defense+ in Paranoid Mode? Please set it to Safe Mode and see if the alerts go away.

Can you show a screenshot of the Defense + Rules?

Installer/Updater is a very powerful policy and could be used for Windows system functions when for whatever reason the Windows System Application is not present.

Modes are - Firewall: Safe and Defense: Clean PC

Installer/Updater seems to me too powerful a policy to apply to everything without selecting.
In the end, it is always the OS that copies/runs all the programs, and marking Windows components as Installers might end with any program being installed w/o user prompt.

The System process should be under the Windows System Applications group in D+/Computer Security Policy and this group, by default, has the Windows System Application policy. If, for some reason, System is not under this group, you should still be able to assign the Windows System Application policy, which is the most appropriate policy for this process.


oh, my…

Not only is there no such group - there are no predefined policies at all.
Guess Comodo somehow damaged its database, during clean-up, or during upgrade, or just when it froze with 100% CPU usage.

I wonder if I’d be able to repair it without uninstalling and losing all the rules.
The old installer, the one in Control Panel, can’t do repairs. Maybe a fresh installer would…

Not sure you’re going to be able to save your rules, but if these items are missing, it may be worth sacrificing a little time to make sure everything is right.

The first thing I’d do is make a backup of your current configuration. Go to:

CIS/More/Manage My Configurations

Select the ‘Active’ configuration and then select export. Choose a location you’ll remember and give the file a name you can associate with what it is.

Now you’ve done that, you can import a clean configuration by selecting Import and then navigating to:

C:\Program Files\COMODO\COMODO Internet Security

And selecting the configuration file you wish to use. I’d suggest Proactive.cfgx. Once imported make sure it’s activated.

The aforementioned process should set things back to defaults, so you will have to go through the rule creation process again. The alternative is to reinstall.

too late…

The new installer also did not recover the things but just installed all over.

Okay, a couple of weeks in Learning Mode might make most of the things.

I wonder if it will come to the same one day again…

Probably for the best, even though it’s a bit of a pain. Just one thing: it’s really not advisable to keep the system in training mode for more than a few days, at most. Also, please be certain that your PC is clean of all malware before using this mode.

The problem is that in two days you do not use much software.

There is a kind you use every day, true,
but there is a kind you only use from time to time…

That is a tradeoff, of course :)

That’s true but I would not sacrifice security over this kind of convenience. I would suggest to switch to Clean PC or rather Safe Mode after two days. That is more secure.

Clean PC mode has a similar level of convenience while keeping you protected; that is all on the assumption you did not catch malware in the two days of Training Mode.