Event log Warning Event id 4 for filtermanager caused by CFRMD [V6][M267]

[ol]- I see error messages in system log, which are start from the words “File System Filter ‘CFRMD’ … failed to attach to volume ‘\Device\Harddisk0\DR0’…”. These messages concern all existing volumes

  • Can U reproduce the problem & if so how reliably?:
    This problem appears constantly
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    a: It appears at each start of system
  • If not obvious, what U expected to happen:
    Visible problems are absent
  • If a software compatibility problem have U tried the conflict FAQ?:
    Avast! Antivirus Free is installed, but as I know, it is compatible with Comodo Firewall
  • Any software except CIS/OS involved? If so - name, & exact version:
    There are not any problems with other software
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    I tried to fix it by increase of size of pagefile.sys without results (I thought that it was an OS problem)
    Also, this only appeared after updating CF on November 21.

If Geekbuddy is installed the errors appear. However, after Geekbuddy is uninstalled there are no errors…

[ol]- Exact CIS version & configuration:
Comodo Firewall 6.3.302093.2976

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Firewall: safe mode, HIPS: safe mode, Autosandbox: disabled
  • Have U made any other changes to the default config? (egs here.):
  • Have U updated (without uninstall) from a CIS 5?:
    Yes, I have
    [li]if so, have U tried a a clean reinstall - if not please do?:
    The problem also reproduced after full uninstall and reinstall of current version
    [/li]- Have U imported a config from a previous version of CIS:
    A config was automatically imported from a previous version of CIS during update
    [li]if so, have U tried a standard config - if not please do:
    A standard config was set up after pure reinstall
    [/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 Home Advanced SP1 64-bit (Russian), UAC by default (disabled?), account with administrative rights (single user), V.Machine is not used
  • Other security/s’box software a) currently installed b) installed since OS:
    a= Avast! Antivirus Free 2014.9.0.2006 b=None

Screenshots of the error messages are attached.

[attachment deleted by admin]

Thank you for putting this in the required format. I have now moved this back to the main bug reporting section for processing. However, there are a few more things which must be done before this can be forwarded to the devs.

Can you please also list all anti-malware software which used to be installed on that computer, but has been removed?

Also, did you make any changes to the way the OS is configured? For example, you mentioned that you tried to change the size of pagefile.sys.

In addition, please attach a list of the running processes to your post. You can create this by using Comodo KillSwitch and saving the current view. Also, attach the diagnostics report.

Let me know if you have any questions.

Thank you.

  1. McAfee Security Scan Plus is installed, but it is inactive. If I remember it correctly, it come together with the last version of Avast! Antivirus.
    Any other anti-malware software was not installed on this OS.
  2. All settings of OS were made long before the problem appeared. I changed size of pagefile today (when I thought that source of problem is incorrect setting of system).

Are those files you need?

[attachment deleted by admin]

Please remove it and ensure that the problem continues. This will rule out one possibility.

Thank you. In that case we should be able to rule these out.

However, when did the error message start appearing? Was anything changed, or updated, just before that?

Thank you. However, I still need the diagnostic report. This is created by running the diagnostics, which can be found by clicking on the question mark icon in the CIS window.

Thank you.

  1. McAfee Security Scan Plus is uninstalled, but the problem not gone.
  2. I have updated CF evening November 20. Morning November 21, first error messages appeared. No other settings nor installations were made that night, as I remember.
    (Meanwhile, version numbers in properties of distributive, in reference of program and in header of report are different.)

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time, availability, and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.


Dear Chiron,

Recently I have seen a new message concerning FilterManager. In English, it must be such:
“File System Filter ‘CFRMD’ (Version 6.1, ‎2012‎-‎07‎-‎17T09:05:37.000000000Z) failed to attach to volume ‘\Device\HarddiskVolumeShadowCopy7’. The filter returned a non-standard final status of 0xc01c0016. This filter and/or its supporting applications should handle this condition. If this condition persists, contact the vendor”.

Here is XML log:

  • 4 0 3 0 0 0x8000000000000000 220506 System User-PC
  • 0xc01c0016 6 1 5 CFRMD 2012-07-17T09:05:37.000000000Z 33 \Device\HarddiskVolumeShadowCopy7

Then I checked a state of ShadowCopy service. It was enabled, and start mode was manual.
I changed it for automatic and rebooted my PC.
Messages concerning CFRMD disappeared.
Moreover, they not more appear even after I returned the start mode of ShadowCory service to manual.
I write this in hope that it can help somebody else.

Best regards

Update 2

Such approach works only if GeekBuddy is uninstalled.

I have restored my system twice using full backup.
First time, I removed GeekBuddy and then changed the start mode of ShadowCopy, and messages about CFRMD dissapeared.

Second time, I have initially changed the start mode of ShadowCopy, and I had not a positive result.
But after uninstall of GeekBuddy I obtained the required effect.

Thank you. I updated the first post with a briefer summary of your findings. Hopefully this will be helpful for the devs.


Update 3
It is appeared that start mode of ShadowCopy does not concern this issue (it was my mistake: after the first restoration I didn’t done reboot between uninstallation of GeekBuddy and setup of the ShadowCopy service).
Only uninstallation of GeekBuddy is needed.

Thank you for clarifying this. I updated the first post.

So for GeekBuddy, do you mean that if it is installed you do not see any errors. However, after it is uninstalled the errors start to appear. Is this correct or do I have this backwards?


Yes, it’s correct.
By the way, I haven’t intended to install GeekBuddy (as well as Privdog), but I didn’t pay the due attention to details of setup.
These options are not clearly evident at the install screen, and I missed this hidden option.
When I restored my system at the third time using the same backup, I only uninstalled GeekBuddy, and that was sufficient.

Thank you.

Excuse me, I do not understand your question correctly.
Really, if GeekBudy is installed, I see event messages about CFRMD in the system log.
If GeekBudy is NOT installed (as it was in my system, when I had Comodo Firewall version 5), such messages are absent.

Sorry for the confusion. I’ve now updated the first post. Please look it over and ensure that I haven’t made another mistake.

Thank you.

If Geekbuddy is installed the errors appear. However, after Geekbuddy is uninstalled there are no errors.

Yes, that is just I want to say.

Can you please check and see if this is fixed with the newest version (7.0.313494.4115)? Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Thank you.

PM sent.

oul2009 has informed me via PM that this is fixed for CIS version 7.0.313494.4115. I have therefore closed this entry in the tracker and will move this report to Resolved.

Thank you.