Files are being downloaded but Comodo says no connections.

I installed Comodo Firewall a couple of days ago, and pretty much everything has been fine, up until a couple of minutes ago. I set Avira updating and although it is downloading the files perfectly well, nothing is appearing on the Active Connections window.

In fact, it is now doing the same for this forum as I type. I’m loading various forum pages, but nothing is appearing in the active connections and the summary screen says “0 outbound connection(s)” and “0 inbound connection(s)”.

It seems that all connections are bypassing the firewall. I haven’t changed any settings prior to this.

Why is this happening?

Hello;

What version of CIS do you have installed?

Jake

Maybe it is just the Active Connections window not reporting properly.

Please check with Task Manager that cmdagent.exe is running (you need to have “View Processes from other users” enabled in Task Manager for that).

You can alternatively check network activity with Process Hacker for example.

I’m using version 5.0.163652.1142 - I’ve only just downloaded and installed Comodo for the first time.

It has now done it again today with another 4 programs. None of these programs have any rules defined for them. Obviously these programs aren’t too much of a worry, because I’m running them and I can see that they are downloading files, but if it was something malicious, it would hardly be likely to announce itself.

The two Comodo processes I have running are cfp.exe and cmdagent.exe, should there be anything else?

In default settings all safe files get a standard rule. That is done to keep the rules list small. Big rule lists make saving of a new rule slow. Unknown files will be automatically sandboxed. That will contain malware. When an unknown program wants to access the web you will be alerted.

The two Comodo processes I have running are cfp.exe and cmdagent.exe, should there be anything else?
That's good. Can you run Diagnostics and see what that reports?

Does Active Connections (under Firewall) show any activity? Do you have other security programs running in the background? Try disabling them and see if that helps or not. Did you recently switch from another firewall? Try running a removal tool for that firewall to make sure there are no left overs from your previous firewall.

It is set to “Custom Policy” because I didn’t want my firewall software to be allowing anything it wants to access whatever it wants. To my mind, that’s not a firewall. When you say a “standard rule”, where can I see this? As I said, there are no rules for these programs under “Network Security Policy” as far as I can see. Also, this isn’t simply a case of a program being allowed access to the internet, the program is bypassing Comodo. Comodo has no idea that this connection and transmission of data is happening.

Unknown files will be automatically sandboxed. That will contain malware. When an unknown program wants to access the web you will be alerted.
This is of course, only true as long as D+ is always running and all unknown files are always run in the sandbox and everyone agrees on the same definition of "malicious". For any number of reasons, this isn't always the case. It could also be argued that this is a separate issue from the firewall.
Can you run Diagnostics and see what that reports?
No problems.
Does Active Connections (under Firewall) show any activity?
This seems to be an intermittent problem, sometimes everything seems fine, other times it's not. When the problem last occurred, there was nothing apart from "System" (that isn't a file) listening on a certain port.
Do you have other security programs running in the background? Try disabling them and see if that helps or not.
Obviously, I have Avira, but if I disable the guard and then try to update, Comodo still fails to detect it.
Did you recently switch from another firewall? Try running a removal tool for that firewall to make sure there are no left overs from your previous firewall.
Yes. I have thoroughly uninstalled the previous firewall. I uninstalled in Safe Mode, the uninstallation completed without a hitch. I then followed the recommendations for search and removal of particular (potential leftover) files and registry entries, as well as a manual search and removal of all file and registry entries relating to the company name, program name and filename of the old firewall. Installation of Comodo completed without issue.

The default rule is Outgoing only without logging.

As I said, there are no rules for these programs under “Network Security Policy” as far as I can see. Also, this isn’t simply a case of a program being allowed access to the internet, the program is bypassing Comodo. Comodo has no idea that this connection and transmission of data is happening.
Did you enable “Create rules for safe applications”? When it was not enabled can you let us know if that changed things or not?

This is of course, only true as long as D+ is always running and all unknown files are always run in the sandbox and everyone agrees on the same definition of "malicious". For any number of reasons, this isn't always the case. It could also be argued that this is a separate issue from the firewall.
I mentioned the sandbox on a side note.
No problems.
This seems to be an intermittent problem, sometimes everything seems fine, other times it's not. When the problem last occurred, there was nothing apart from "System" (that isn't a file) listening on a certain port.
Intermittent. Always tricky to nail down.....
Obviously, I have Avira, but if I disable the guard and then try to update, Comodo still fails to detect it.
Yes. I have thoroughly uninstalled the previous firewall. I uninstalled in Safe Mode, the uninstallation completed without a hitch. I then followed the recommendations for search and removal of particular (potential leftover) files and registry entries, as well as a manual search and removal of all file and registry entries relating to the company name, program name and filename of the old firewall. Installation of Comodo completed without issue.
That's thorough. Consider running a clean up tool of the manufacturer just to be totally sure there is nothing left.

Do you mean this will be set for the applications under Network Security Policy>Application Rules? There are a handful of applications there which I have created rules for, but nothing for any of the problem apps.

Did you enable "Create rules for safe applications"? When it was not enabled can you let us know if that changed things or not?
This has never been enabled.
I mentioned the sandbox on a side note.
OK, fair enough.
Intermittent. Always tricky to nail down.....
Yes, for example, Avira updater has just run once and Comodo has detected it and requested permission to access the internet. Then again a couple of hours later and it updated without Comodo noticing. I could understand if it was still allowing access based on my previous answer, but the updater didn't show up in Active Connections.
That's thorough. Consider running a clean up tool of the manufacturer just to be totally sure there is nothing left.
Absolutely. Unfortunately, there isn't one. What kind of leftovers could be causing this? Also, if this was the problem, surely it would be a problem with Comodo because there should be no way to bypass a firewall either through accidental corruption or malicious action.

Thank you for trying to help.

On a side note. With v5.3 there is no All Applications rule for the Firewall when using the Internet Security configuration. There used to be somewhere down the line. There is an All Applications rule in D+ in the Internet Security configuration though.

This has never been enabled.
Please enable it.
Yes, for example, Avira updater has just run once and Comodo has detected it and requested permission to access the internet. Then again a couple of hours later and it updated without Comodo noticing. I could understand if it was still allowing access based on my previous answer, but the updater didn't show up in Active Connections.
Absolutely. Unfortunately, there isn't one. What kind of leftovers could be causing this? Also, if this was the problem, surely it would be a problem with Comodo because there should be no way to bypass a firewall either through accidental corruption or malicious action.
Read the following tutorial I made and see if that brings any solace to your situation.

We are gonna take a look to see if some old drivers of your previously uninstalled security programs are still around. First run "set devmgr_show_nonpresent_devices=1" without the quotes from the command prompt. Then go to Device Manager → View → show hidden devices → now look under Non Plug and Play drivers → when you see a driver that belongs to your previous security programs click right → uninstall → reboot your computer. You need to Google the drivers’ names to see what programs they belong to. You don’t want to uninstall Microsoft/Windows related drivers of course; even some Microsoft drivers may show up as non active, please don’t uninstall them. It is best to make a system restore point before this of course.

When the problem persists make sure there are no auto starts from your previous security programs. Download Autoruns and run it.

This program finds about all auto starts in Windows. This tool can therefore seriously damage Windows when not handled properly. After starting push Escape and go to Options and choose to hide Windows and Microsoft entries, to include empty locations and then push F5 to refresh.

Now check all entries to see if there are references to your previous security program. When you find them untick them. After unticking reboot your computer and see what happens.

Thank you for trying to help.

I can’t find this, could you direct me? Although, D+ is currently disabled.

Please enable it.
I don't want this enabled, but I have done temporarily for troubleshooting purposes. Presumably, now all programs will be allowed through the firewall (unless they are "unknown")?
Read the following tutorial I made and see if that brings any solace to your situation.

We are gonna take a look to see if some old drivers of your previously uninstalled security programs are still around. First run "set devmgr_show_nonpresent_devices=1" without the quotes from the command prompt. Then go to Device Manager → View → show hidden devices → now look under Non Plug and Play drivers → when you see a driver that belongs to your previous security programs click right → uninstall → reboot your computer. You need to Google the drivers’ names to see what programs they belong to. You don’t want to uninstall Microsoft/Windows related drivers of course; even some Microsoft drivers may show up as non active, please don’t uninstall them. It is best to make a system restore point before this of course.

When the problem persists make sure there are no auto starts from your previous security programs. Download Autoruns and run it.

This program finds about all auto starts in Windows. This tool can therefore seriously damage Windows when not handled properly. After starting push Escape and go to Options and choose to hide Windows and Microsoft entries, to include empty locations and then push F5 to refresh.

Now check all entries to see if there are references to your previous security program. When you find them untick them. After unticking reboot your computer and see what happens.

I have already done this and I’m pretty sure there is nothing left. To research and identify everything listed under Non-Plug and Play Drivers will undoubtedly take a few days, so I’ll consider it and maybe look into it if I have time.

Thank you.

P.S: More programs have now done the same. It seems that the majority of programs are bypassing the firewall.

I was rereading this topic and my eye fell on this observation you made.

Can you see if this sequence of events results in CIS showing no more connections?

Eric, I’m not sure what you mean by that.

However, I have once again updated Avira with the same result. Comodo had no idea it was happening, but since then, it hasn’t stopped other active connections from showing. The couple of programs that are detected are still showing Active Connections.

Also, does anyone know of a list of the Non-Plug and Play Drivers anywhere? I know that there are numerous lists on the web identifying thousands of startup programs - is there anything like that for Non-Plug and Play Drivers? That way, at least I could rule out the obvious ones in one fell swoop and only have to research the more obscure entries.

Thank you.

What I meant was that maybe a sequence of events results in CIS no longer showing the active connections.

Can you see if the following sequence will trigger the problem:

  • confirm that traffic is shown in Active Connections
  • alert for program X trying to access the web
  • web access is granted and not remembered
  • now check Active Connections again

Can you test this with the Avira updater for starters? When it turns out things happen like this with Avira updater can you try a couple of your day to day programs, like your browser or email client, to see if they trigger the same behaviour?

OK, I’ve done what you said as best I could:

  • Active Connections is showing traffic for web browser.
  • Update Avira, no alert for the updater, but it does download and update. However, avnotify.exe did request internet access.
  • Granted avnotify access, but not remembered.
  • Checking Active Connections showed neither updater, nor avnotify. Loading another webpage confirmed browser making new connections and downloading data.

Updater hasn’t been detected accessing the net for a few days now, so I don’t have a screenshot or anything, but I’m pretty sure Comodo said it was an unknown file. Avnotify, on the other hand, was recognised as “safe”. If that’s the case, it seems that Comodo is alerting for a “safe” program, but letting an “unknown” and therefore, potentially “unsafe” application bypass it. If updater is ever detected again, I’ll make sure to check if it is seen as “safe” or “unknown” (I don’t know if it’s relevant).

Never mind, I’ve given up. I don’t have any more time for trying to fix this, I need a working firewall.

EricJH, these “removal” and “clean up” tools that you suggested were a good idea when uninstalling a firewall, could you point me in the direction of Comodo’s?

Thank you.

We have this unofficial clean up tool.

Hmm, so although you expected other software firewall vendors to offer removal tools, Comodo doesn’t? I presume there is no official removal tool? If not I suppose I will have to use this unofficial one, which doesn’t fill me with confidence, considering it’s messing with the registry. I have a couple more questions about it, but I will keep them to the dedicated thread (unless you would like me to post them here).

Also, is there an official procedure for complete uninstallation of CIS? I found a post, but that was for version 3 (two major versions below what I have installed) and I think that was also unofficial.

Thank you.

There is no official tool. You could try the tips in Upgrading to the Newest Version of CIS - what to do if you have difficulties.

If you want to do it manually:

Start with exporting your configuration to a folder that is not part of the Comodo folder under Program Files. This way you can restore your configuration after the reinstall.

Uninstall CIS and reboot. Then run Comodo System Cleaner to get rid of registry keys.

Then delete the Comodo folders under Program Files, Program Files\Common Files and C:\Documents and Settings\All Users\Application Data\.
For Vista/Win7:
\Users\%username%\appdata\local, \Users\%username%\appdata\roaming\ and \Users\%username%\appdata\local\virtual store

To remove the so-called Legacy Keys, which are otherwise hard to remove, open Device Manager from the command prompt using the following two commands:
set devmgr_show_nonpresent_devices=1
start devmgmt.msc

Then set Device Manager to show hidden devices under menu option View. Then see if there are Comodo Internet Security related drivers left in non Plug and Play drivers. If so select the driver → click right → uninstall. Do this for all present drivers. Do a reboot when it has been requested…

Now delete the following:
C:\boot.ini.comodofirewall (this file may not exist).
WARNING: Do not mistakenly remove the original “boot.ini”.
C:\WINDOWS\system32\drivers\cmdGuard.sys
C:\WINDOWS\system32\drivers\cmdhlp.sys
C:\WINDOWS\system32\drivers\inspect.sys
C:\WINDOWS\system32\drivers\cmderd.sys
C:\WINDOWS\system32\guard32.dll
C:\WINDOWS\system32\drivers\sfi.dat (this file belongs to stateful inspection of the AV )

a. HKEY_CURRENT_USER\Software\ComodoGroup\CFP and HKEY_CURRENT_USER\Software\ComodoGroup\Comodo Internet Security
b. HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\CDI\1 *
*(If you have other Comodo products installed, delete only the values
for CFP)
c. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdAgent
d. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdGuard
e. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdHlp
f. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Inspect
fi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmderd
g. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdAgent
h. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdGuard
i. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdHlp
j. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Inspect
ji. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmderd
k. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdAgent
l. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdGuard
m. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdHlp
n. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Inspect
ni. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmderd
o. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdAgent
p. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdGuard
q. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdHlp
r. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Inspect
ri. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmderd
s. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro
t. HKEY_USERS\S-1-5-21-1202660629-746137067-2145843811-1003\Software\ComodoGroup\CFP
u. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDAGENT *
v. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDGUARD *
w. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDHLP *
x. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INSPECT *
xi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDERD *
y. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDAGENT *
z. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDGUARD *
aa. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDHLP *
bb. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_INSPECT *
bbi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDERD *
cc. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDAGENT *
dd. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDGUARD *
ee. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDHLP *
ff. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INSPECT *
ffi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDERD *
gg. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDAGENT *
hh. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD *
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP *
jj. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT *
jji. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDERD
kk. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x32
ll. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x64
mm. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFPLog
nn. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CPFFileSubmission
oo. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro

Sometimes it happens that you can’t connect to the internet after uninstalling, using the unofficial clean up tool or trying a manual deinstallation. Then the Inspect driver is still present and needs to be uninstalled.

How to uninstall the CIS firewall driver when it stays present? Look up the properties of the network connection, select the Comodo Firewall driver and uninstall it. See the attached image.

Now reboot back into Windows and CIS should be gone and you should be able to install it again.
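Before deleting anything by hand, it helps to know which of the remnants listed above are actually still present. The following PowerShell script is an added example, not the thread's own material or a Comodo tool: it checks every control set for the service keys and LEGACY_ enum keys named in the list, the user and machine software keys, the driver and support files, and whether any of those drivers is still loaded. It only reports; it removes nothing. The service and file names are taken from the post above; the exact location of the boot.ini.comodofirewall file and the guard32.dll name are assumed from that list.

```powershell
# Audit-only: report CIS remnants named in the manual uninstall list above; delete nothing.
# Service/driver names from the registry list: cmdAgent, cmdGuard, cmdHlp, Inspect, cmderd.
$services = @('cmdAgent', 'cmdGuard', 'cmdHlp', 'Inspect', 'cmderd')

# Driver and support files from the list (paths assumed relative to the current SystemRoot).
$files = @(
    "$env:SystemRoot\system32\drivers\cmdGuard.sys",
    "$env:SystemRoot\system32\drivers\cmdhlp.sys",
    "$env:SystemRoot\system32\drivers\inspect.sys",
    "$env:SystemRoot\system32\drivers\cmderd.sys",
    "$env:SystemRoot\system32\guard32.dll",
    "$env:SystemRoot\system32\drivers\sfi.dat",
    "$env:SystemDrive\boot.ini.comodofirewall"
)

$findings = @()

# Check every ControlSet00N plus CurrentControlSet, as the list does.
$controlSets = @(Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName })
$controlSets += 'CurrentControlSet'

foreach ($cs in $controlSets) {
    foreach ($svc in $services) {
        $svcKey    = "HKLM:\SYSTEM\$cs\Services\$svc"
        $legacyKey = "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_$($svc.ToUpper())"
        foreach ($key in @($svcKey, $legacyKey)) {
            if (Test-Path -LiteralPath $key) {
                $findings += [pscustomobject]@{ Kind = 'RegistryKey'; Path = $key }
            }
        }
    }
}

# User and machine software keys named in the list.
$softwareKeys = @(
    'HKCU:\Software\ComodoGroup\CFP',
    'HKCU:\Software\ComodoGroup\Comodo Internet Security',
    'HKLM:\SOFTWARE\ComodoGroup\CDI\1'
)
foreach ($key in $softwareKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Kind = 'RegistryKey'; Path = $key }
    }
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Kind = 'File'; Path = $f }
    }
}

# A kernel driver that is still loaded matters more than a stray file on disk.
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $services -contains $_.Name -and $_.State -eq 'Running' }
foreach ($d in $loaded) {
    $findings += [pscustomobject]@{ Kind = 'RunningDriver'; Path = "$($d.Name) ($($d.PathName))" }
}

if ($findings.Count -eq 0) { 'No CIS remnants from the list were found.' }
else { $findings | Sort-Object Kind, Path | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the SYSTEM hive and the drivers folder are readable; a RunningDriver finding after an uninstall is the case the post's Device Manager step is meant to clear.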

Thank you for the help.

I’m not sure about that. I’ve never really trusted registry “cleaners”. Also, considering Comodo can’t seem to make a clean-up tool for their own software, it seems unlikely that they can make one for every other piece of software ever made. Is there an option to see what it is going to do, before it does it, then choose to proceed or cancel?

Sometimes it happens that you can't connect to the internet after uninstalling, using the unofficial clean up tool (http://forums.Comodo.com/install_setup_configuration_help/cleanup_tool_for_Comodo_internet_security-t36499.0.html;msg259617#msg259617) or trying a manual deinstallation. Then the Inspect driver is still present and needs to be uninstalled.

How to uninstall the CIS firewall driver when it stays present? Look up the properties of the network connection, select the Comodo Firewall driver and uninstall it. See the attached image.


Reading your description and looking at the image, I realise that Comodo has never installed anything into any of my connections. Maybe that was the problem…

I am not nearly as well versed in computer matters as you guys, but why can’t you just run a system restore back to before you installed Comodo?

You obviously have a bad install.

Please forgive my noob take on this. :stuck_out_tongue: