Definitions help + PC freezes at log-on, as CIS icon appears in tray.

Not much luck with any version 5 Defense. Version 4, ok. … PC eventually freezes at every log-on, within 10 sec of CIS icon appearing in tray. (Though, within that 10 sec, I can change CIS settings.) … My settings, below.

Temp fix: Think some safe file(s) were not getting all rights they needed. Eg. c:\windows\system32\imapi.exe needs to create/modify protected tmp file at log-on. Adding imapi.exe to my Computer Security Policy list works for a while. … I tried to just add it to my Trusted Files list, but could not; CIS warned me that it was already considered safe. (Adding other safe files, no problem. strange)

Little longer-term fix: Enable “create rules for safe apps”. Still, this does not always work. And I’d rather not do that. I don’t want anything to customize policies for firefox (limited), firefox plugin-container (limited), iexplorer (isolated).


Anyways, appreciate any help with any of the following questions.

Computer Security Policy list
If I’m in Safe Mode with “create rules for safe applications” enabled, and focusing on safe files that have been executed (I see them in my active process list).
Qu. Why does CIS automatically add some of these files, but not all, to the Computer Security policy list? Eg. bcmwltry.exe

Trusted Files list
Again, regarding safe files that have been executed.
Qu. Why does CIS automatically add some of these files, but not all, to the Trusted Files list?
Qu. Why can I manually add some of these files, but not all? Eg. bcmwltry.exe, imapi.exe.

Trusted Vendors list, Safe Files list, Trusted Files list
Qu. What policy do each of these 3 lists adopt? “Installer/Updater”, “Trusted Applications”, some unlisted policy?

“Safe” vs “Trusted” file
Qu. Not always the same thing?


My Comodo Defense Settings

  • Safe Mode (“create rules for safe apps” disabled, ideally)
  • Execution Control: enabled
    • Treat unrecognized files as Partially Limited
    • Do heuristic command-line analysis for certain applications.
    • Detect shellcode injections
  • Sandbox: disabled
  • Monitoring Settings: all enabled

Very few apps installed on my PC

  • CCleaner, Winpatrol, Firefox, Foxit Reader, MS Office 2003, VLC, Reaper, Java, NetBeans
  • Only CCleaner & Winpatrol launch at startup

Thx, WinXP (security updates are current)

Also, it can take a couple of PC reboots for a setting change to take effect.

If I toggle from disabling → enabling “create rules for safe applications” & then shut-down my PC, sometimes I need to reboot twice for everything to work fine again. (ie. On the 1st reboot, the PC freezes. On the 2nd reboot, everything is ok.)

But … I can avoid the 2nd PC reboot if, instead of shutting down my PC after the setting change, I just log out & immediately log back in to the same user account. Now I can shut down my PC with no problems on the next reboot.

… anyways, just some feedback.

Try disabling WinPatrol to see if that helps. WinPatrol also has HIPS like features. Having two tools of a similar kind can be a recipe for problems.

Temp fix: Think some safe file(s) were not getting all rights they needed. Eg. c:\windows\system32\imapi.exe needs to create/modify protected tmp file at log-on. Adding imapi.exe to my Computer Security Policy list works for a while. … I tried to just add it to my Trusted Files list, but could not; CIS warned me that it was already considered safe. (Adding other safe files, no problem. strange)

Little longer-term fix: Enable “create rules for safe apps”. Still, this does not always work. And I’d rather not do that. I don’t want anything to customize policies for firefox (limited), firefox plugin-container (limited), iexplorer (isolated).

“Create rules for safe apps” does not change existing policies that you made for applications. Make sure that the rules you made are placed somewhere above the All Applications rule.

---------- ---------- ---------- ---------- ---------- ---------- ----------


Computer Security Policy list
If I’m in Safe Mode with “create rules for safe applications” enabled, and focusing on safe files that have been executed (I see them in my active process list).
Qu. Why does CIS automatically add some of these files, but not all, to the Computer Security policy list? Eg. bcmwltry.exe

I am not sure why it is but it could be that those file start with Windows or early in the boot process.

Trusted Files list
Again, regarding safe files that have been executed.
Qu. Why does CIS automatically add some of these files, but not all, to the Trusted Files list?

With v5.4, digitally signed files that are in the Trusted Software Vendors list will end up in the Trusted Files list because verification of signatures takes more time than looking up a file in Trusted Files. Quoting egemen (post 149, topic 267625): “It is for optimization and faster operations guys. Embedded certificate verification takes too much time and once verification is done, the file is added to the trusted list for faster lookup in the future. It can handle millions of files with no problems.”

Qu. Why can I manually add some of these files, but not all? Eg. bcmwltry.exe, imapi.exe.

I don't know.

Trusted Vendors list, Safe Files list, Trusted Files list
Qu. What policy do each of these 3 lists adopt? "Installer/Updater", "Trusted Applications", some unlisted policy?

“Safe” vs “Trusted” file
Qu. Not always the same thing?

Trusted files and applications - are these different? [v5]

---------- ---------- ---------- ---------- ---------- ---------- ----------

Can you post the D+ logs of around the time the freeze happens? Do the Windows logs in Event Viewer tell us anything?

imapi.exe makes a new temporary file at each boot, hence the alerts. If you want to avoid them, go to Computer Security > Defense+ Rules > imapi.exe > right click > Edit > Protected Files/Folders > Exclusions > Allowed Files/Folders and add: C:\WINDOWS\TEMP*.TMP. The asterisk (*) is used as a wildcard character and matches any sequence of characters.

What OS is this? WIN XP?

I am running WIN 7 x64 Comodo ver 5.x.x.1355 . I have Defense+ Proactive configured. I don’t see any specific Defense+ rules for imapi.exe?

Imapi.exe is used for CD reading, burning, etc. Might be part of the whole ASPI thing. I don’t know of any reason why Defense+ would have a specific rule for this. Nor do I know of any reason imapi.exe would be creating a temp file at boot time?

As the OP said in his 1st post, he is running Win XP. I too run XP SP3 on 2 PCs and I can tell you for sure that imapi.exe creates a new tmp file at each boot. The only way to prevent it is to disable the related service if you don’t use the native burning tool of Windows.

I just booted into my XP SP3 installation. Went into Task Manager and checked to see what is running - no imapi.exe running. Started SIW and checked my autorun entries - no imapi.exe entry.

I would say if imapi.exe is running at boot time, something is causing it to run. I use Nero 6 on this XP install. I do know Roxio does weird stuff. Or it may very well be malware that is known to infect imapi.exe.

This is probably the problem.

Check your IMAPI CD-ROM service and ensure that startup is set to Manual, which is the XP default. If it is set to Automatic, of course it will start at boot time.

No need to see malware everywhere. My PCs are clean; imapi.exe has created a tmp file at startup since the very first day of the OS install.

Even with the IMAPI CD-Burning COM Service set to Manual (which, by the way, is its default setting), the tmp file is created on startup. The only way to get rid of it is to disable the service. Confirmation here: IMAPI CD-Burning COM Service - imapi.exe - Program Information
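The two posts above disagree on whether imapi.exe should be running after boot when its service is on Manual. The following is an added example, not code from the thread, that collects the three facts being argued about on one XP box: the service start mode, whether imapi.exe is currently running, and which .TMP files in %WINDIR%\TEMP were created since the last boot. It assumes PowerShell 2.0 is installed on the XP machine and that the service's internal name is ImapiService (the display name is "IMAPI CD-Burning COM Service"); adjust $svcName if your system differs.

```powershell
# Added example (not from the thread): check IMAPI service start mode, whether
# imapi.exe is running, and which %WINDIR%\TEMP\*.TMP files appeared since boot.
# Assumption: the XP service name is 'ImapiService'; change if yours differs.
$svcName = 'ImapiService'

# Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service on PS 2.0 does not.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
if ($svc -eq $null) {
    Write-Host "Service $svcName not found on this machine."
} else {
    Write-Host ("Service {0}: StartMode={1} State={2}" -f $svc.Name, $svc.StartMode, $svc.State)
    if ($svc.StartMode -eq 'Auto') {
        # Manual is the XP default; Auto would explain imapi.exe appearing at every boot.
        Write-Host "StartMode is Auto (XP default is Manual). To restore the default:"
        Write-Host "  Set-Service -Name $svcName -StartupType Manual"
    }
}

# Is imapi.exe running right now? -Name takes the image name without '.exe'.
$procs = @(Get-Process -Name imapi -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Host "imapi.exe is not running."
} else {
    foreach ($p in $procs) {
        # StartTime may be inaccessible without admin rights; fall back to blank.
        $started = $null
        try { $started = $p.StartTime } catch { }
        Write-Host ("imapi.exe running: PID {0}, started {1}, path {2}" -f $p.Id, $started, $p.Path)
    }
}

# .TMP files in %WINDIR%\TEMP created after the last boot, which is where the
# thread says the file guarded by Defense+ is written.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)
Write-Host "Last boot: $boot"
Get-ChildItem -Path (Join-Path $env:WINDIR 'TEMP') -Filter '*.TMP' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $boot } |
    Sort-Object CreationTime |
    Format-Table Name, CreationTime, Length -AutoSize
```

Run it from an admin account shortly after logging on (before CIS has been reconfigured) so the snapshot reflects the state at the time the freeze is reported; a .TMP created after the boot time with imapi.exe present supports the "it always happens" post, while an Auto start mode points at the service configuration instead.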

Thanks, everyone, for the feedback. I will try the suggestions & get back by end of week. …

Regarding: imapi.exe. I don’t think this file is the issue.

  • I tried setting ALL apps (including imapi.exe) to Installer/Updater
    (Except for the CIS default list items, firefox (limited), & iexplorer (isolated).)
  • PC still froze at user log-on.

Also, CIS ver 4 (not 5) was able to identify/add a couple more files to the Computer Security Policy list: (As mentioned, my problems with Defense started with ver 5.)

  • C:\program files\dell\nicconfigsvc\nicconfigsvc.exe
  • C:\windows\system32\pctspk.exe

In CIS 5:

  • Both are considered safe. (Had to do an “Unrecognized Files / Lookup” for nicconfigsvc.exe.)
  • Both show up in my Active Process List.
  • Neither shows up in my Computer Security Policy list.
  • nicconfigsvc.exe also does not show up in my Trusted Files list.
  • But pctspk.exe does show up in my Trusted Files list.

Other curiosities: bcmwltry.exe, wltray.exe, wltrysvc.exe

  • They are all safe files.
  • All show up in my Active Process List.
  • All show up in my Computer Security Policy List.
  • But, none show up in my Trusted Files List.
    (I tried to manually add them, unsuccessfully. Similarly, imapi.exe. … Other safe files, no problem.)

I should say my initial goal was basically to try what the manual suggests … Don’t unnecessarily bloat the Computer Security Policy list. Initially, my Computer Security Policy list only contained:

  • CIS default list items.
  • firefox (Limited App policy)
  • firefox plugin-container (Limited App policy)
  • iexplorer (Isolated App policy)
    (also, “create rules for safe apps” is disabled)

Yesterday afternoon I tried a couple of suggestions that seemed to resolve the freezing on user log-on. BUT, this morning my laptop froze 3 times on one of my two user accounts; an admin account.

  • I scanned my computer yesterday; many scans before, too. No problems. (Comodo AV)

  • Also, the track pad has never frozen, but you can’t select anything.

  • And, if the freeze happens, it’s “usually” when CIS is last icon to load in tray.

  • Anyways, that seems to be the general pattern. I make some CIS setting changes, things work for a while, then not so much.

  • Currently, things are working. Though, I didn’t make any changes since the freeze.

This morning’s Defense Log Viewer list, below.

  • I blocked drive Q. It’s just a data archive.
  • Q never had any user accounts nor any installed apps. And, CIS 4 was fine with Q blocked.
  • Log Viewer, Alerts Displayed tab is empty.
  • Log Viewer, Tasks Launched tab is empty.
  • Some defense events repeat a few times, but are related to accessing Q:.

  Application                              | Flags                 | Target
  -----------------------------------------|-----------------------|------------------------------
  C:\WINDOWS\system32\wbem\wmiprvse.exe    | Block File            | Q:
  C:\WINDOWS\system32\explorer.exe         | Block File            | Q:
  P:\ … firefox.exe                        | DNS/RPC Client Access | \RPC Control\DNSResolver
  P:\ … firefox.exe                        | Access COM Interface  | \RPC Control\spoolss
  P:\ … CCleaner.exe                       | Block File            | Q:
  P:\ … COMODO…\cfplogvw.exe               | Block File            | Q:\

… Next PC freeze, I’ll unblock Q & see what happens.


Just to let you know what seemed to work, yesterday. It was the combination of suggestions:

  • Uninstall WinPatrol.
  • Move the new files in the Computer Security Policy list to the top, above the CIS default items.

Also, I was able to leave “create rules for safe apps” disabled.
And, I was able to clear out most of my Computer Security Policy list, leaving only:

  • C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (Custom Policy)
  • iexplorer (Limited App)
  • firefox (Limited App)
  • CIS default items.

Regarding: atiptaxx.exe:

  • I received an alert for this file. (Nothing new, it has always triggered an alert.)
  • atiptaxx.exe tries to execute C:\Program Files\ATI Technologies\ATI Control Panel\atiprbxx.exe.
  • atiprbxx.exe is a safe file, though you need to do an Unrecognized Files / Lookup to determine that.
  • CIS customizes the policy to allow execution of atiprbxx.exe, all other “access names” are set to Allow, except protected keys & folders are set to Ask.

… I’ll try repopulating the Computer Security Policy list & moving all new items to the top of the list. If that doesn’t work, I’ll just go back to CIS 4, & try 5 again, later.

Thx

I researched this imapi.exe running at startup issue a bit more.

Every reference I found stated that if its related CD-ROM service is set to Manual for the startup mode and imapi.exe is running after startup, the startup activity is malware related.

Most of the confusion on imapi comes from the fact that it has a related driver named imapi.sys that starts automatically at boot time.

Thanks, DonZ. Perhaps CIS AV wasn’t able to pick it up for some reason. … I will look further into that & other attempts later in the week.

If you're sure you're malware free, then set D+ to Training Mode, reboot, and set it back to Safe Mode. That could possibly solve the boot issue.

Ok, took forever to figure this out but, I’m fairly certain the freezing I experience at login is simply due to adding a root directory to Defense’s block files list; adding folders is fine, just not a root directory. (… No, I didn’t block my system or program files.)

The problem is repeatable on a plain PC config.

  • WinXP Pro SP3
  • No drivers (from Dell CD)
  • No programs; other than CIS 5.5
  • CIS proactive security config + my edits
  • Internet never accessed
  • 2 accounts: Admin user & Limited user

HD has 5 partitions: C, D, E, F, G

  • C is system
  • D is program files
  • E is my documents
  • F & G simply store archive data; currently empty, but formatted.

If I include root drive F, or root drive G, in the block files list, my PC will eventually freeze at login. For some reason, login freezing occurs earlier with F. Also, freezing occurs earlier if I log in/off between user accounts. Once I remove the drive from the block files list, no more freezing. It’s repeatable.

*** Just note, if you test this, it can take a handful of log-ins/log-offs and start-ups/shut-downs before login freezing occurs. Let the tray icons finish loading, too. … Try it on your XP system; Vista or 7, for that matter, out of curiosity.


Note: My CIS config was proactive + “my edits”. Not sure if I tested it with just the proactive default config. But proactive default config was just tested with same result on my current PC config: which includes Dell supplied drivers, XP security updates, CCleaner, & Firefox.

Can you see if checking the file system integrity for drives F and G brings a change or not?

Is that a chkdsk? If so, everything is ok on F & G. … If it helps, it’s an IDE HD, System Restore is disabled, & HD indexing is disabled.

That is chkdsk /f indeed. We can exclude file system integrity as a possible cause then.

Next weekend I’ll give it a try on a 2nd HD, different manufacturer.