I am currently running Windows 7 Ultimate using Comodo security, and for some reason explorer.exe keeps on trying to terminate Comodo’s cfp.exe application. Although the Defense+ blocks the attempts, I was wondering if anyone here knew why this is happening, and if it could possibly be the result of an infection.
Many thanks.
By the way, I also noticed that the “X” icon in the corner that usually closes the application became greyed out after this happened. Correct me if I am wrong, but isn’t cfp.exe the actual IS interface itself? If so, then it actually might be possible that the system glitched when I tried to close that window, and Comodo might have thought it to be an intrusion attempt… that is, of course, just a hunch based on pure speculation.
No, I do not have any other security software installed.
And I have rebooted twice since it happened… so far it has not occurred again… however now it is telling me that osk.exe (I presume the built-in On-Screen Keyboard application I used for the PrntScrn key) tried to “access memory” from cfp.exe.
Interesting. cfp.exe’s default Process Termination exceptions for me appear to be different from yours.
Windows XP SP3
Comodo Firewall 5.0.163652.1142
Firewall Security config
I’ve done a full system scan with both Comodo on my Windows partition, and with Sophos on my Mac partition. Neither of them detected any problems, and since then I have received no further troubles with the Defense+. I suppose for now I can safely assume that this may not have been the result of an infection after all. Thanks for your help.
I do have one other question: What does it mean when the Defense+ blocks an application for attempting to “Create process, Block File”? I notice that this does seem to happen at some times, mostly when trying to install new software.
To create a process means to start/extract a process/executable (usually installers/archives do this type of action, even browsers once you are downloading an installer/exe/msi).
Create Process, Block File means you have received an alert to sandbox or allow to run with admin powers, or when you are extracting a file and Defense+ sees an executable and asks you if it’s OK… and Defense+ blocks the action until you have clicked allow or deny.
Simpler detail:
Create Process, Block File: You should receive this type of event when Defense+ alerts you that an installer or a file is trying to extract an executable and has blocked the extraction until you have answered the alert;
OR
Create Process, Block File: Can typically take place when an installer starts to extract and you receive a sandbox alert asking whether to allow it, sandbox it, or deny.
Hum, well the Defense+ listed this action as an intrusion attempt by explorer when I tried to install “Halo” onto my computer.
The log says that explorer.exe attempted to “Create process, block file” on setup.exe (The Halo installer), and this apparently was not liked by the D+.
If I’m not mistaken, this should be a sandbox alert, alerting you whether to sandbox it, run with admin privileges, or deny.
I got this alert when trying to install Halo as well.
Tip:
CIS > Defense+ > Defense+ Events > More
Here you can go through the events that happened with Defense+. If you highlight an event when it has Related Alert in blue on the right side, you can click and it will tell you when you received an alert for that specific event; then you can double-click the automatically highlighted alert and it will tell you more information about the alert.
By the way, I think I found a small glitch in the log viewer… whenever I highlight a Defense+ event that does not have the “Related Alert” text, and then try and double click on the area where that normally would be, I get an error saying “Internal error! The logs database is probably corrupted.” Diagnostics don’t reveal any problems, so it may simply be a bug.