Defense/Trusted Files takes a lot of time to render the list and display popup

Hi,

Defense/Trusted Files takes a lot of time to render the list and display the popup on my Windows XP SP3 system. During this time the process goes into a non-responding state (as also corroborated by Task Manager).

However the display for other sections like Defense/Unrecognized Files or the Firewall/Network Security Policy or Defense/Computer Security Policy is way faster.

S/w :
CIS 5.4.189822.1355 (AV Disabled)
Avast 6.0.1125 AV Only
No running background security service hooks / process from any other s/w.

I figured this is in all probability because of the Avast emulation engine (SF.bin) using Process Explorer, but the query is: is there some handle / process file existence / additional checking which happens for Defense/Trusted Files (60 entries) as compared to Defense/Unrecognized Files (10 entries) which causes this?

Regards

P.s. Apologies please could a mod move this topic under Help - CIS → Defense+ / Sandbox Help - CIS

I’ve got that happening - sometimes 30 - 40s before anything happens; occasionally over a minute. Sandbox is not enabled (it’s far worse if it is).

Cheers giraffe,

Odd take but a good test case, definitely worth trying. Did the same by disabling the Sandbox; unfortunately it made response time only worse.

Probably something inherent to the display population for the list.

Regards

Do you have a long list in Trusted Files? Try purging it and see if there are duplicates that can be removed.

Hi EricJH,

No it only has 65 items, purged and no duplicates.

I’ve seen posts here where users mention they have 240+ not sure how it behaves for them, would be good to know.

Regards

There have been problems with Avast AV and CIS where the memory access attempts by Avast upset the self protection of CIS and had cmdagent.exe use lots of CPU cycles. What happens when you add the CIS installation folders to the exclusions of Avast?

I am running Avast 6 on WIN 7 x64 plus Comodo with Defense+ set to safe mode and sandboxing set to limited. No exclusions for Avast 6. Avast 6 settings set to max. on everything. Sandboxing is set off in Avast. My Defense+ alerts are almost instantaneous. Have had zip conflicts between Avast 6 and latest 5 ver. of Comodo.

This might be due to hardware limitations perhaps? I have an AMD quad core 945 Phenom II processor, 8 gigs of RAM, and an nVidia GTS450 graphics card w/ a gig of DDR3 memory.

Hi EricJH,

Tried that premise out too including excluding %INSTALL_FOLDER% and %APP_DATA%, then both. No luck, marginal improvement but that could be perception.

Any suggestions on s/w I could use to debug process intricacies?

@DonZ -
Sandbox feature in Avast is disabled.
Indeed h/w is always a factor but one generally gets to know the feel of his/her system and can gauge performance :) In comparison to the other lists this one’s bad.

Regards

Have you tried to disable Avast via its toolbar icon and see if your Defense+ popup speeds increase? At least that will tell you if Avast is the issue?

@DonZ -
That will definitely work and it does very quickly, but it’s not a valid integration case. It’s like what EricJH requested, to turn my CIS Sandbox off so that hook will not affect, but that means my Sandbox is off, which is not something I would want.

I did mention at the start I figured this is in all probability because of the Avast emulation engine (SF.bin), but the query is: is there some handle / process file existence / additional checking which happens for Defense/Trusted Files (60 entries) as compared to Defense/Unrecognized Files (10 entries) which causes this?

That’s what we need to identify and feed back to the devs / community.

For instance, in other cases CIS could probably be only picking up entries from the registry and cross verifying them against the MFT, but in the case of Defense/Trusted Files it’s also calculating the hash and checking it against the list of vendors. This of course would mean a file handle is being spawned and hence scans the file signature against its Db, causing the slowdown. But the question again is what is different when CIS populates Defense/Trusted Files as opposed to other lists.

Regards

You mentioned SF.bin. See if these rules by Ragwing are of help for you here.

BTW - I have currently 216 files in my trusted list. No impact on Defense+ speed to date.

I’ve tried Ragwing’s post didn’t improve things by much.

@EricJH After trying suggestion to exclude CIS paths in Avast have noticed a new positive trend, the 1st time display of the list and dialog is still slow but subsequent views of the same are instantaneous - probably memory caching.

This FAQ here describes general approaches to ensuring security programs don’t interfere. Following its suggestions may help resolve the problem by solving a difficulty you don’t know about.

Best wishes

Mouse

mouse1 mate,

Acknowledged, and yes, I should have done the exclusions prior to the topic start, sorry about that. But what I was and am trying to isolate is what portion of the overlap is occurring and why it’s only affecting the display of Trusted Files as opposed to the display of other sections.

Please note am not trying to establish a point or … just trying to do my best to identify what is the region of overlap to specifically identify what’s different in the case of trusted files then feed back.

I’ll try to see if I can manage something using what I know and post back if I do identify something.

At the end, thanks @EricJH & @DonZ and @mouse1 for your assists on this post.