Defense+ unrecognized files error

For the past 2 weeks in the Summary View window, Defense+ shows 3 unrecognized files.
When I open the unrecognized files window it is empty.
Even after Defense+ alerts for new unrecognized files in the summary, it will display these new files (today it showed a Secunia PSI dll) in the unrecognized files window and allow me to choose my actions like adding it to trusted files etc.
Then the Summary view will again show 3 unrecognized files while the folder is empty.
I don’t see any performance problems, all is running perfect, as it has for the past year.
Debug did not help, changing Firewall and Defense+ settings did not help. Defense+ and Firewall events windows did not indicate any unresolved issues.
My setup:
Comodo Firewall with Defense+, with Sandbox disabled. Version 5.4.
Microsoft Security Essentials.
Windows XP SP3 pro

I’d appreciate any help and suggestions.

Thank you,

Do you see the files listed in trusted files? Did you ever submit the files to Comodo?

Thank you for asking.
No I did not submit any files to Comodo.
Since those phantom files are not visible in the unrecognized files window, I can’t do anything.
All the options on the right edge of the empty unrecognized files window respond with;
“Please select file(s) before continuing” popup
Only the “Purge” button responds with a “All entries are valid” popup.
The little “all” box in the top left corner does not let me insert a check.
Today when the number of unrecognized files changed to 4 and the window showed the Secunia PSI dll, I intentionally chose the “all” option, hoping this would change the number in the Summary window to 0. No luck - it changed back to 3.
Initially I just assumed that this error on the Summary window would resolve itself after a restart or update. It’s about two weeks ago since that event occurred and there have not been any updates between then and now.

I have a very long list of trusted files and I have no idea what the files were (are) which I probably moved to the Trusted folder on that day when the count 3 remained in the Summary window.
I’m sure it was after some update of a very common program like Java, Firefox, Foxit Reader or Silverlight etc.
Since the Trusted files window does not show dates, I can’t even guess as to what program update it might have been. Although I’m quite sure it was not an exotic program - I would have noticed that.

I’m guessing you’ve rebooted since the problem occurred? What are your D+ settings (general & execution control)? Do you have cloud scanning enabled? Do you see any entries listed in ‘View Active Process List’ that are not ‘trusted’?

My suspicion is that this may be a glitch related to you having sandboxing disabled. Furthermore, if cloud scanning isn’t enabled, your database of local safe files will never get updated. Try this: move all your trusted files to unrecognized. Those files that are in the local safe file list will automatically move back to trusted by themselves. Those that remain unrecognized should be looked up (the ones that check out will move to trusted automatically). The remainder should be submitted to Comodo. Once submitted to Comodo you could move them to trusted files. Comodo servers will eventually update your local safe file listing a short while later. Once your local safe file listing gets updated from the Comodo servers, the unrecognized indication will go away.

Thank you again for your time and effort!

Yes, rebooted numerous times.
D+ settings:
Clean PC, Enable adaptive mode under low system resources = checked
Execution control: Enabled, all boxes checked, “partially limited”.
So, yes cloud based scanning checked in the execution control window.
Sandbox settings: Disabled (for the past 6 months) all boxes checked.
Monitoring settings: all checked.
All Active Processes are trusted.

Steps I tried without resolving the issue:
Completely disabled Defense+ - restarted.
Enabled Defense+ - restarted.
Changed Defense+ to all different settings Training to Paranoid.
Enabled and disabled the Sandbox.

This morning I followed all your great suggestions - moving trusted files to unrecognized files…
After all was done - still the same number 3 in the Unrecognized files count in the Summary window :frowning:
The Submitted files window changed from;
only one, an AVG update file from October 2010 - No, I don’t have AVG installed now, I switched to MSE back then because AVG was conflicting with CSI.
To: now showing a list of about 20 entries.

I attached a jpg of the current submitted files list. (I’m not sure how you can access and see it - I’m a newbie to the forum experience)

This morning, I looked through the Defense+ Events list and looked into all the events for the relevant time frame (last 4 weeks).
Most of the flags are: “Scanned Online and Found Safe”
Some are “Access Memory”
Most of them were already safe files but some allowed me to “Add to Trusted Files”. Now after going back over that Events list some of the ones I “Added to Trusted Files” still let me again choose “Add to Trusted Files” without giving me the popup stating that it is already a safe file?!
Attached jpg with list of Defense+ Events for the time frame in which that snafu appeared.
Thank you again for your support.

Update about the persistent Defense+ unrecognized files count in the summary view.
After last week’s Java update, the number of files still showing without showing in the unrecognized files window changed from 3 to 1!!! :slight_smile:
Making progress…
I had a vague suspicion that the original occurrence of that mystery happened after a Java update.
Since my CIS setup is functioning perfectly otherwise, I’ll just leave it as it is and hope for another “self correction”.
Nevertheless, I’d still greatly appreciate any information, input and suggestions to understand and resolve this and to avoid a re-occurrence in the future.

Mathias

Are ya runnin’ CIS AV? You say you used to use AVG, are you sure it was completely uninstalled? Check to see if the folder exists as shown in the very first entry of ‘submitted files’, if it does, and you’re not using AVG then search the threads for the recommended cleaning util. It’s been posted several times in response to sandboxing issues.

Those C:\Windows\assembly folders are part of the .Net framework, where the common .net “assemblies” (to use MS’ terms) are stored; it’s parcel to the GAC, i.e., Global Assemblies Cache. I have no idea why any of that would need to be in ‘trusted files’. Based on the date, it would appear that’s at the time a major security patch was released by MS related to .NET. After the update a MS app called MSCORSVW runs and invokes NGEN which pre-compiles the assemblies.

I’d ‘remove’ all of those C:\Windows\assemblies files from the ‘trusted files’ list.

That leaves 4 entries: two are related to your Macrium Reflect imaging software, one appears to be a skin for your Thunderbird eMail app (???) that would seem to depend upon Java technology (I’m wondering if that may be a skin or theme), and finally Secunia PSI.

After ensuring that AVG has been completely removed - CCleaner is a decent cleanup util to use - then ‘purge’ the ‘trusted files’ list. It could be the unrecognized file is a mirage; it no longer exists on your system. After purging the ‘trusted files’ list, take a screenshot of them; you may need to take two if there are more than fit on one screen if ‘trusted files’ is in full-screen mode. Then move the entire gamut again to ‘unrecognized files’ and see what happens. All the truly safe files should move back to ‘trusted files’ automatically. On my system there is no corresponding entry in ‘View D+ events’ listing. The ones that stick would seem to be the truly problem childs.

If you’ve already submitted those files, then moving them to trusted will abrogate CIS’ sandboxing response to unrecognized files. However, until the Comodo servers return a verdict on those files: they inherently are unrecognized. You could leave them in ‘unrecognized files’ and depending on sandboxing settings there may be issues pertaining to operation of the app(s) at issue. IF sandboxing is disabled, then it doesn’t matter where the files live, right?

Thank you again for your efforts and suggestions:

– Still same result - One mysterious unrecognized file left :frowning: But no big deal to me at this point.

I had uninstalled AVG in Nov 2010 using a special AVG removal tool plus RevoUninstaller and CCleaner. Then I installed Microsoft Security Essentials.
That combo has worked to perfection with very low system drain.
That Application data folder for AVG, which is shown in the image of my submitted files, does not even exist on my system anymore - I’m sure it got deleted in Nov 2010.
This unrecognized files issue only occurred over the past ~4 weeks.

I followed all your above mentioned suggestions.
I did remove those ‘C:\Windows\assembly’ files from the trusted list.
I did uninstall the Thunderbird theme (Walnut) which was a left over from an older version.

After purging and then moving my trusted files into the unrecognized folder and then waiting for CIS to repopulate the trusted files list, a long list of Java and some Silverlight files etc stayed in unrecognized files!

After a while, CIS popped up telling me that all the remaining files had already been submitted before.

CIS gave me one false malicious file designation for a Macrium Reflect PE builder entry, which about a year ago, I had scanned with several virus scanners and VirusTotal, and which I then submitted to CIS.
Back then, I had received a CIS response confirming that indeed it was a false positive.
Why did it now show up again…? ???

After looking through all of the left over unrecognized files and not seeing any suspicious files, I moved them all to trusted files.

Thank you again :slight_smile:

  • I have at this point spent far too much time fiddling with this issue and I’ll leave it in peace, since there is no recognized and understood solution to it, and my system and setup are working to perfection otherwise.

I just encountered this issue just a while ago and probably figured it out. In the Comodo program files folder, there is a folder called ‘Database’ that contains a bunch of .h files, you need to delete the pending.h file there. First you need to temporarily disable D+, and unload the cmdagent.exe process using Task Manager, and then delete the file. You might need to restart your computer to get cmdagent.exe running again.

Hope this helps. :slight_smile: :-TU

Thank you!
I did as you suggested and my as of late two “phantom” unrecognized files are gone.
I just hope that my deleting those two “pending.h” files from the database folder does not interfere with any important functions for CIS.
So far everything looks perfect. :slight_smile:

Thanks again,
Pema

koimaxx’s suggestion worked like a charm. I had 6 ghost files floating around and I tried everything. Glad I found this post. ;D