Defense+ vs Win XP

Hi,

I have installed CMD on my Win XP PC, and every time I launch a piece of software the System process takes 60% of the resources for minutes.
How do I optimize COMODO for Win XP?

Example of its activity with Procmon:
455,“19:21:11,0174513”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1989”,“SUCCESS”,“”
456,“19:21:11,0174638”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1990”,“SUCCESS”,“Desired Access: Read/Write, Delete”
458,“19:21:11,0174841”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1990\Flags”,“SUCCESS”,“Type: REG_DWORD, Length: 4, Data: 0”
459,“19:21:11,0174949”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1990\DeviceName”,“SUCCESS”,“Type: REG_SZ, Length: 68, Data: C:\WINDOWS\TEMP\0012028B-3B7BA992”
460,“19:21:11,0175070”,“System”,“4”,“CreateFile”,“C:”,“SUCCESS”,“Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
1699,“19:21:11,0440595”,“System”,“4”,“QueryNameInformationFile”,“C:”,“INVALID PARAMETER”,“”
1700,“19:21:11,0440782”,“System”,“4”,“CloseFile”,“C:”,“SUCCESS”,“”
1708,“19:21:11,0462044”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1990”,“SUCCESS”,“”
1709,“19:21:11,0462170”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1991”,“SUCCESS”,“Desired Access: Read/Write, Delete”
1710,“19:21:11,0462416”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1991\Flags”,“SUCCESS”,“Type: REG_DWORD, Length: 4, Data: 0”
1711,“19:21:11,0462541”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1991\DeviceName”,“SUCCESS”,“Type: REG_SZ, Length: 68, Data: C:\WINDOWS\TEMP\0012028B-EAC9367F”
1712,“19:21:11,0462677”,“System”,“4”,“CreateFile”,“C:”,“SUCCESS”,“Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
2330,“19:21:11,0589031”,“System”,“4”,“QueryNameInformationFile”,“C:”,“INVALID PARAMETER”,“”
2331,“19:21:11,0589244”,“System”,“4”,“CloseFile”,“C:”,“SUCCESS”,“”
2952,“19:21:11,0717939”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1991”,“SUCCESS”,“”
2953,“19:21:11,0718107”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1992”,“SUCCESS”,“Desired Access: Read/Write, Delete”
2954,“19:21:11,0718367”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1992\Flags”,“SUCCESS”,“Type: REG_DWORD, Length: 4, Data: 0”
2955,“19:21:11,0718506”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1992\DeviceName”,“SUCCESS”,“Type: REG_SZ, Length: 68, Data: C:\WINDOWS\TEMP\0012028C-5EDEC792”
2956,“19:21:11,0718689”,“System”,“4”,“CreateFile”,“C:”,“SUCCESS”,“Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
3598,“19:21:11,0844455”,“System”,“4”,“QueryNameInformationFile”,“C:”,“INVALID PARAMETER”,“”
3599,“19:21:11,0844713”,“System”,“4”,“CloseFile”,“C:”,“SUCCESS”,“”
3601,“19:21:11,0846128”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1992”,“SUCCESS”,“”
3602,“19:21:11,0846302”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1993”,“SUCCESS”,“Desired Access: Read/Write, Delete”
3603,“19:21:11,0846561”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1993\Flags”,“SUCCESS”,“Type: REG_DWORD, Length: 4, Data: 0”
3604,“19:21:11,0846704”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1993\DeviceName”,“SUCCESS”,“Type: REG_SZ, Length: 68, Data: C:\WINDOWS\TEMP\0012028C-61CCD494”
3605,“19:21:11,0846848”,“System”,“4”,“CreateFile”,“C:”,“SUCCESS”,“Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
4224,“19:21:11,0970337”,“System”,“4”,“QueryNameInformationFile”,“C:”,“INVALID PARAMETER”,“”
4225,“19:21:11,0970514”,“System”,“4”,“CloseFile”,“C:”,“SUCCESS”,“”
4844,“19:21:11,1095794”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1993”,“SUCCESS”,“”
4845,“19:21:11,1095960”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1994”,“SUCCESS”,“Desired Access: Read/Write, Delete”
4847,“19:21:11,1096235”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1994\Flags”,“SUCCESS”,“Type: REG_DWORD, Length: 4, Data: 0”
4848,“19:21:11,1096375”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1994\DeviceName”,“SUCCESS”,“Type: REG_SZ, Length: 68, Data: C:\WINDOWS\Temp\001202DE-F1C8C89B”
4849,“19:21:11,1096536”,“System”,“4”,“CreateFile”,“C:”,“SUCCESS”,“Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
5469,“19:21:11,1221141”,“System”,“4”,“QueryNameInformationFile”,“C:”,“INVALID PARAMETER”,“”
5470,“19:21:11,1221321”,“System”,“4”,“CloseFile”,“C:”,“SUCCESS”,“”
5477,“19:21:11,1222733”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1994”,“SUCCESS”,“”
5478,“19:21:11,1222856”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1995”,“SUCCESS”,“Desired Access: Read/Write, Delete”
5479,“19:21:11,1223061”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1995\Flags”,“SUCCESS”,“Type: REG_DWORD, Length: 4, Data: 0”
5480,“19:21:11,1223195”,“System”,“4”,“RegQueryValue”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1995\DeviceName”,“SUCCESS”,“Type: REG_SZ, Length: 68, Data: C:\WINDOWS\TEMP\00120316-574495E3”
5481,“19:21:11,1223335”,“System”,“4”,“CreateFile”,“C:”,“SUCCESS”,“Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
6102,“19:21:11,1348032”,“System”,“4”,“QueryNameInformationFile”,“C:”,“INVALID PARAMETER”,“”
6103,“19:21:11,1348215”,“System”,“4”,“CloseFile”,“C:”,“SUCCESS”,“”
6105,“19:21:11,1349263”,“System”,“4”,“RegCloseKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1995”,“SUCCESS”,“”
6106,“19:21:11,1349424”,“System”,“4”,“RegOpenKey”,“HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed\1996”,“SUCCESS”,“Desired Access: Read/Write, Delete”

Thx
Rmanal
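As an added example (not from the original post and not Comodo's own tooling), the script below reads a Procmon CSV export in the shape quoted above and measures what the System process is doing: how many distinct ...\Allowed\N entries it opens, how long each entry takes, whether the DeviceName values point at files under a TEMP directory, and which file-system call fails on every entry. The sample rows are copied from the posted excerpt and shortened; the "2000 entries" projection is an assumption taken from the entry numbers visible in the log (around 1990), not a figure the thread states. Times are parsed with the locale comma seen in the post ("19:21:11,0174638").

```python
import csv
import io
import re
from collections import Counter, OrderedDict

# Constructed sample in the shape of the Procmon CSV export quoted in the post
# (Sequence, Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# Rows are copied from the posted excerpt and shortened to the interesting ones.
KEY = r"HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\2\HIPS\Policy\93\Rules\2\Allowed"
SAMPLE_CSV = "\n".join([
    f'456,"19:21:11,0174638","System","4","RegOpenKey","{KEY}\\1990","SUCCESS","Desired Access: Read/Write, Delete"',
    f'459,"19:21:11,0174949","System","4","RegQueryValue","{KEY}\\1990\\DeviceName","SUCCESS","Type: REG_SZ, Length: 68, Data: C:\\WINDOWS\\TEMP\\0012028B-3B7BA992"',
    '460,"19:21:11,0175070","System","4","CreateFile","C:","SUCCESS","Desired Access: Generic Read, Disposition: Open"',
    '1699,"19:21:11,0440595","System","4","QueryNameInformationFile","C:","INVALID PARAMETER",""',
    f'1708,"19:21:11,0462044","System","4","RegCloseKey","{KEY}\\1990","SUCCESS",""',
    f'1709,"19:21:11,0462170","System","4","RegOpenKey","{KEY}\\1991","SUCCESS","Desired Access: Read/Write, Delete"',
    f'1711,"19:21:11,0462541","System","4","RegQueryValue","{KEY}\\1991\\DeviceName","SUCCESS","Type: REG_SZ, Length: 68, Data: C:\\WINDOWS\\TEMP\\0012028B-EAC9367F"',
    '1712,"19:21:11,0462677","System","4","CreateFile","C:","SUCCESS","Desired Access: Generic Read, Disposition: Open"',
    '2330,"19:21:11,0589031","System","4","QueryNameInformationFile","C:","INVALID PARAMETER",""',
    f'2952,"19:21:11,0717939","System","4","RegCloseKey","{KEY}\\1991","SUCCESS",""',
    f'2953,"19:21:11,0718107","System","4","RegOpenKey","{KEY}\\1992","SUCCESS","Desired Access: Read/Write, Delete"',
    f'2955,"19:21:11,0718506","System","4","RegQueryValue","{KEY}\\1992\\DeviceName","SUCCESS","Type: REG_SZ, Length: 68, Data: C:\\WINDOWS\\TEMP\\0012028C-5EDEC792"',
    '2956,"19:21:11,0718689","System","4","CreateFile","C:","SUCCESS","Desired Access: Generic Read, Disposition: Open"',
    '3598,"19:21:11,0844455","System","4","QueryNameInformationFile","C:","INVALID PARAMETER",""',
    f'3601,"19:21:11,0846128","System","4","RegCloseKey","{KEY}\\1992","SUCCESS",""',
    f'3602,"19:21:11,0846302","System","4","RegOpenKey","{KEY}\\1993","SUCCESS","Desired Access: Read/Write, Delete"',
])

# Matches the per-entry keys under the CmdAgent HIPS policy; group 1 is the entry
# number, group 2 the value name (Flags, DeviceName) when a value was queried.
RULE_RE = re.compile(r"\\Services\\CmdAgent\\CisConfigs\\.*\\Allowed\\(\d+)(?:\\(\w+))?$", re.IGNORECASE)


def parse_time(tod):
    """'19:21:11,0174638' -> seconds since midnight (comma or dot as decimal separator)."""
    parts = re.split(r"[,.]", tod, maxsplit=1)
    h, m, s = (int(x) for x in parts[0].split(":"))
    frac = int(parts[1]) / 10 ** len(parts[1]) if len(parts) > 1 and parts[1] else 0.0
    return h * 3600 + m * 60 + s + frac


def parse_procmon_csv(text):
    """Parse Procmon CSV rows into dicts; header and blank lines are skipped."""
    events = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 7 or not rec[0].isdigit():
            continue
        events.append({"seq": int(rec[0]), "t": parse_time(rec[1]), "proc": rec[2], "pid": rec[3],
                       "op": rec[4], "path": rec[5], "result": rec[6],
                       "detail": rec[7] if len(rec) > 7 else ""})
    return events


def summarize_rule_walk(events):
    """Measure the walk over ...\\Allowed\\N: entries opened, time per entry, TEMP-file
    targets in DeviceName, and the operations/failures that accompany each entry."""
    opened = OrderedDict()   # entry number -> time of its RegOpenKey (first seen)
    temp_targets, ops, failures = 0, Counter(), Counter()
    for e in events:
        m = RULE_RE.search(e["path"])
        if m:
            entry, value = int(m.group(1)), m.group(2)
            if e["op"] == "RegOpenKey":
                opened.setdefault(entry, e["t"])
            if e["op"] == "RegQueryValue" and value and value.lower() == "devicename":
                data = e["detail"].partition("Data: ")[2]
                if "\\temp\\" in data.lower():
                    temp_targets += 1
        ops[e["op"]] += 1
        if e["result"] != "SUCCESS":
            failures[(e["op"], e["result"])] += 1
    times = list(opened.values())
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {"entries": list(opened),
            "span_s": (times[-1] - times[0]) if len(times) > 1 else 0.0,
            "mean_gap_s": (sum(gaps) / len(gaps)) if gaps else 0.0,
            "temp_targets": temp_targets, "ops": ops, "failures": failures}


def analyze(text):
    return summarize_rule_walk(parse_procmon_csv(text))


def projected_walk_seconds(summary, n_entries):
    """Full-pass estimate if every entry costs the mean per-entry time seen in the capture."""
    return summary["mean_gap_s"] * n_entries


if __name__ == "__main__":
    s = analyze(SAMPLE_CSV)
    print(f"{len(s['entries'])} Allowed entries in {s['span_s'] * 1000:.1f} ms "
          f"(mean {s['mean_gap_s'] * 1000:.1f} ms/entry); {s['temp_targets']} DeviceName values in a TEMP dir")
    print("ops:", dict(s["ops"]), "failures:", dict(s["failures"]))
    print(f"projected for 2000 entries (assumed count): {projected_walk_seconds(s, 2000):.0f} s")
```

On the real export, pass the whole file to `analyze()` and compare `len(entries)` before and after a rule change: the posted log shows the System process doing a CreateFile/QueryNameInformationFile pair on the volume for each entry, so the per-entry cost multiplies with every extra Allowed entry, which is what makes the count, not the number of applications, the figure to watch.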

For performance I'd recommend unchecking HIPS, which does a 'soft disable': the behavior blocker then decides when to engage HIPS on programs, i.e. unrecognized ones, while trusted applications are passed through faster.

Where is this option, I did not find it?

I don’t understand what the recommendation is here? What is this option to soft disable HIPS? I’m only aware of D+ Security Level = disabled; other options = paranoid, safe, clean PC, training mode.

Are you running Windows XP 64-bit? If you are, the sandbox/Defense+ in CIS doesn't support XP 64-bit, so the options are not shown.

32-bit WinXP SP3

I’m running Win XP also: so where is this option, if existing?

I have another issue: when I'm using autorun to modify an entry in the "Run" registry key, I don't get any alert message from Comodo, even though the registry path is well defined in the registry keys to be controlled: is that normal?

Assuming you're referring to Sysinternals Autorun, then it is expected, because it's a trusted application.

OK thank you

And for the configuration, what is going wrong between Comodo and XP?

Do you have a lot of D+ rules? That could be causing this. You could test that by importing and activating a factory default configuration. They can be found in the installation folder of CIS. When importing you are asked to give it a name. Please make sure to use a name that is different from your active configuration. Name it something like "Proactive Configuration for test".

As always, make sure there are no leftovers of security programs you had installed in the past. A possible leftover can cause all sorts of "strange effects". Please run the clean-up tools for all security programs you had in the past. A list can be found at the Eset website: ESET Knowledgebase.

What do you mean by a lot of D+ rules? Do you have a number?
I have something like 30 programs with rules (mainly automatically created).

30 application rules for the Firewall is a respectable amount.

They should be sorted top to bottom in a first case scenario.

Remember, it evaluates all rules top-down, first-match.

Windows Operating System
[DNS]
%SYSROOT32%\SVCHoist.exe
[BOINC]

are my top 4

How many rules do you have?

Did you try the clean configuration? If the performance problem goes away with the clean configuration, then that is a likely indication that the problem is having a lot of rules. It has been a known issue with CIS for years that a lot of rules will create this type of performance issue. That is why CIS with default settings will not make rules but will apply default 'good enough' rules.

Thank you Eric,
I did not understand that you had answered me in the main post. I forgot this one...

What would be the best solution for me? (I have reinstalled, no change.)

We first need to know the following things to see if your problem is related to having a lot of rules. In what mode are you running HIPS (assuming you have it enabled) and Firewall?

Are you running Training Mode for the HIPS or Firewall? How many rules do you have in HIPS Rules and Application Rules?

Both HIPS and the firewall are running in Safe Mode.

In HIPS rules, I have something like 50 rules, at least 10 for Windows (csrss, svchost, explorer, spoolsv, etc.).

In firewall application rules, I have a bit fewer, like 40 rules.

Thx for your help

To see if the profile is causing the performance problems I want you to do a little test. What I want you to do is to import and activate a factory default configuration and see how CIS performs.

If the performance issue is gone, we know that your profile is causing the problem. It could mean two things. One is that the profile is damaged, causing the performance issue. The other reason could be the number of rules. To know if the number of rules is causing the issue, start making rules, but not all at once: let's say five at a time, and then see how the system performs for a couple of hours, etc.

First start with exporting your active configuration and saving it to a folder that is not part of the CIS installation folder.

Then import a factory default configuration. The configs can be found in the CIS installation folder. During importing you will be asked to give the config a name. Give it an appropriate name, e.g. CIS - My Clean Proactive Security. Then activate it and restart when required.

Now we’re set for testing.

Hi,

I have loaded the default configuration and my PC ran fine.
But when I redo the rules, same behaviour as before.

When you say redo, do you mean you made the rules again one by one (not importing the old configuration)? If that is the case, then we are looking at the well-known performance issue that comes with having lots of rules. Each time you change a rule, CIS will take minutes to reiterate. Not much we can do about it. :-\

I have drastically improved the situation by knowing it is due to the change of a rule, thanks for that.
I have then unchecked the option "create new rule for safe application" both in HIPS and in the firewall. Then, as a new rule is not systematically created, I don't see the CPU at 100% so often from Comodo reiterating its rule database.

Thanks for your support