Does CIS have self-protection?

Hi!

The question concerns the possibility of killing Comodo's processes. I have the latest version of CIS installed and the KillSwitch utility from the latest CCE. It is very simple to terminate both cfp.exe and cmdagent.exe, and CIS does not reload them. So, now we have no CIS, no protection, am I right?

Hey and warm welcome to comodo forums Alex! :slight_smile:

CIS has self-protection. Keep in mind that CIS is not the nanny of the user's decisions, so if you decide to delete some file from the CIS folder, CIS won’t stop you. BUT if malware tries to do the same as you do, it won’t succeed; it will fail.

Regards,
Valentin N

OK, I understand that termination using KillSwitch is a somewhat artificial task. But let’s imagine a piece of malware with a legitimate digital signature, so it is treated as a trusted app by Comodo, and CIS won’t stop such a termination. I mean that if there exists some possibility of such killing, Comodo should increase its protection. There are some other products that give KillSwitch no chance to terminate them. Well, it is only my apprehension, and you say CIS is strong enough just “out of the box”.

Thank you.

Which products? And are you sure they were not restarted (= new PID)? Are you sure that KillSwitch’s driver was loaded?

If an application successfully loads a well written kernel mode driver (such as the one KillSwitch/Process Hacker uses), it can terminate any process.

Trusted applications are not allowed to terminate cfp and cmdagent. There are exceptions though, as you can see in Protection settings.

Bitdefender:

http://s15.radikal.ru/i188/1103/fb/d185af66594b.jpg
http://s008.radikal.ru/i304/1103/08/db50dc10b099.jpg

This is from a discussion here: kadets.info, sorry, it is in Russian. You are right, there is e.g. Ikarus, which restarts a process that has just been killed.

Please do not use an old version of Process Hacker (like KillSwitch). Upgrade to the latest version and retest.

Well, I downloaded the latest Process Hacker 2.12, installed just Comodo Firewall with maximum proactive security, and tested again on XP SP3. Nothing changed.

First I terminated cmdagent.exe at TP1 (!!!), then cfp.exe was successfully terminated at TT2. I ran a search in Process Hacker and it shows no “comodo” in Handles or DLLs.

In addition, after terminating all Comodo processes I can’t start any program from a shortcut on the Desktop. A system reboot restores the normal behavior of Comodo and XP.

I meant with BitDefender… (Why would a newer version of PH remove the ability to terminate Comodo processes?)

BitDefender 2011, Win 7 32-bit, real

I cannot terminate cmdagent using killswitch at all.

  1. Why are you using an old version of Process Hacker?
  2. KProcessHacker (the driver) does not appear to be loaded. I have had some reports of AVs blocking KPH from loading.

EDIT: I just tested PH on Windows 7 64-bit, and it terminates BitDefender processes just fine.

Windows XP SP3 / Process Hacker 2.12 (KillSwitch gives the same results)

http://pixplace.ru/images/cisawa.png

http://pixplace.ru/images/cis2lml.png

The original topic has been discussed at length a few times before. You cannot protect against kernel-mode termination.
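Since a termination issued from kernel mode cannot be prevented by a user-mode agent, the defender's fallback is to detect it. The following is an added example, not from this thread or from Comodo or Process Hacker: it correlates driver-load and process-terminate events over constructed, simplified Sysmon-like JSON lines (the field names, the event numbers and the driver file name are assumptions) and alerts when a protected process dies and is not restarted.

```python
import json
import ntpath
from datetime import datetime, timedelta

# Image names of the security agent's own processes (the two the thread tries to kill).
PROTECTED = {"cfp.exe", "cmdagent.exe"}

# Constructed sample log in a simplified, Sysmon-like JSON-lines form (event 6 = driver
# loaded, 5 = process terminated, 1 = process created); field names are assumed.
SAMPLE_LOG = r"""
{"ts": "2011-03-10T12:00:01", "event": 6, "image": "C:\\tools\\kprocesshacker.sys"}
{"ts": "2011-03-10T12:00:05", "event": 5, "image": "C:\\Program Files\\COMODO\\cmdagent.exe"}
{"ts": "2011-03-10T12:00:07", "event": 5, "image": "C:\\Program Files\\COMODO\\cfp.exe"}
{"ts": "2011-03-10T12:00:09", "event": 1, "image": "C:\\Program Files\\COMODO\\cfp.exe"}
{"ts": "2011-03-10T12:05:00", "event": 1, "image": "C:\\Windows\\notepad.exe"}
"""

def parse_log(text):
    """Turn JSON lines into events with datetime stamps and lower-cased image base names."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["name"] = ntpath.basename(e["image"]).lower()
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_agent_kills(text, driver_window=timedelta(seconds=60),
                     restart_grace=timedelta(seconds=30)):
    """Alert when a protected process terminates and is not re-created within restart_grace;
    record any kernel driver loaded within driver_window before the kill."""
    events = parse_log(text)
    alerts, last_driver = [], None
    for e in events:
        if e["event"] == 6:
            last_driver = e
        elif e["event"] == 5 and e["name"] in PROTECTED:
            restarted = any(x["event"] == 1 and x["name"] == e["name"]
                            and e["ts"] < x["ts"] <= e["ts"] + restart_grace
                            for x in events)
            if restarted:
                continue  # the agent came back (e.g. a watchdog restarted it): no alert
            driver = None
            if last_driver and e["ts"] - last_driver["ts"] <= driver_window:
                driver = last_driver["name"]
            alerts.append({"ts": e["ts"].isoformat(), "process": e["name"],
                           "driver_loaded_before": driver})
    return alerts
```

On the sample, cfp.exe is restarted two seconds after its termination and produces no alert, while cmdagent.exe stays dead and is reported together with the driver loaded four seconds earlier.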

Win 7 64-bit, real, PH 2.12

KProcessHacker is not loaded. You must load it, as I already explained.

Please see my reports and pictures from military1 here. What operating system do you use? I suppose the results obtained strongly depend on which OS we are using: XP or Win 7, 32- or 64-bit.

Do you mean any protection software, not only Comodo? And again: is there a dependence on OS?


http://s010.radikal.ru/i313/1103/5e/0ef8d5b54964t.jpg

Have I resolved the driver loading, or again not?

Yes, in any software of any kind, in any OS (except for esoteric ones). Please read this:

https://forums.comodo.com/news-announcements-feedback-cis/mayday-mayday-this-is-not-a-joke-cis-processes-shutdown-t43832.0.html

You can clearly see “(Not available)” next to TP3 and TT3, which indicates the driver isn’t loaded or can’t be connected to.

Thank you for the explanation in that topic, very clear.