Explorer.exe tries to terminate cfp.exe

Hey Comodo,

I am currently running Windows 7 Ultimate using Comodo security, and for some reason explorer.exe keeps on trying to terminate Comodo’s cfp.exe application. Although the Defense+ blocks the attempts, I was wondering if anyone here knew why this is happening, and if it could possibly be the result of an infection.
Many thanks.

Hello Shadow;

Can you post a screenshot of your Defense+ alerts to verify your statement?
CIS > Defense+ > View Defense+ Events

Jake

Certainly

http://img337.imageshack.us/img337/2213/93050773.png

By the way, I also noticed that the “X” icon in the corner that usually closes the application became greyed out after this happened. Correct me if I am wrong, but isn’t cfp.exe the actual IS interface itself? If so, then it actually might be possible that the system glitched when I tried to close that window, and Comodo might have thought it to be an intrusion attempt… that is, of course, just a hunch based on pure speculation.

“cfp.exe the actual IS interface itself?”
Yes, it’s the GUI of CIS.

Do you have any other security software installed?

Also, does this happen constantly or only at shutdown/start up etc.?

Jake

No, I do not have any other security software installed.
And I have rebooted twice since it happened… so far it has not occurred again… however now it is telling me that osk.exe (I presume the built-in On-Screen Keyboard application I used for the PrntScrn key) tried to “access memory” from cfp.exe.

Sorry for the hour wait for a reply.

If you restart once more, what happens then?

Jake

If it is of any use to you, Jacob, here is a screenshot of the one and only alert you should have for explorer.exe/cfp.exe in Paranoid mode.

Dennis

[attachment deleted by admin]

Thanks for the feedback :)

My question would be: why would explorer want to terminate cfp.exe? Unless, of course, it’s shutting down etc.?

I understand your post, but the user is in safe mode? So you would regularly get this type of event happening, correct?

Jake

Screenshot of allowed Terminations.

Anything out of the usual on my computer, I would say infected.

Unless he has changed/modified explorer.exe in any way, this should not be happening.

At risk, yes, I would say.

Dennis

Edit: The only application on Shutdown would be a Windows System Application not recently removed this preset group so cannot remember which.

[attachment deleted by admin]

That’s the reason why I requested for him to restart: to see if the events will keep continuing to show, to confirm that it is an infection :)

Jake

Interesting. cfp.exe’s default Process Termination exceptions for me appear to be different from yours.
Windows XP SP3
Comodo Firewall 5.0.163652.1142
Firewall Security config

[attachment deleted by admin]

I haven’t gotten the notices anymore even after I have rebooted a few times more.

Here’s a hijack this log, if it might help:

Edit: transferred your hijackthis log to a text file attached

[attachment deleted by admin]

Your log seems fine.
Please do a complete scan and make sure your AV is up to date.
Also, post a result here.

Jake

I’ve done a full system scan with both Comodo on my Windows partition, and with Sophos on my Mac partition. Neither of them detected any problems, and since then I have received no further troubles with the Defense+. I suppose for now I can safely assume that this may not have been the result of an infection after all. Thanks for your help.

That is correct, and you’re welcome -Shadow-!

Anything else I can help you with?

Jake

I do have one other question: What does it mean when the Defense+ blocks an application for attempting to “Create process, Block File”? I notice that this does seem to happen at some times, mostly when trying to install new software.

To create a process means to start/extract a process/executable (usually installers/archives do this type of action, even browsers once you are downloading an installer/exe/msi).

“Create Process, Block File” means you have received an alert to sandbox or allow to run with admin powers, or when you are extracting a file and Defense+ sees an executable and asks you if it’s OK… and Defense+ blocks the action until you have clicked allow or deny.

Simpler detail:
Create Process, Block File: You should receive this type of event when Defense+ alerts you that an installer or a file is trying to extract an executable and has blocked the extraction until you have answered the alert;
OR
Create Process, Block File: Can typically take place when an installer starts to extract and you receive a sandbox alert whether to allow it or sandbox it or deny.

Jake

Hum, well the Defense+ listed this action as an intrusion attempt by explorer when I tried to install “Halo” onto my computer.

The log says that explorer.exe attempted to “Create process, block file” on setup.exe (The Halo installer), and this apparently was not liked by the D+.

If I’m not mistaken, this should be a sandbox alert, alerting you whether to sandbox it, run with admin privileges or deny.

I got this alert when trying to install Halo as well.

Tip:
CIS > Defense+ > Defense+ Events > More

Here you can go through the events that happened with Defense+. If you highlight an event when it has Related Alert in blue on the right side, you can click and it will tell you when you received an alert for that specific event; and then you can double click the automatically highlighted alert and it will tell you more information about the alert.

Jake

Ah, interesting. Thanks for that.

By the way, I think I found a small glitch in the log viewer… whenever I highlight a Defense+ event that does not have the “Related Alert” text, and then try and double click on the area where that normally would be, I get an error saying “Internal error! The logs database is probably corrupted.” Diagnostics don’t reveal any problems, so it may simply be a bug.