Hiya,
Been having some problems with mIRC lately (disconnects due to high CPU usage), which made me decide to have a close look at CIS to see if it was Defense+. Anyway, to cut a long story short, this is what I found:
- Whenever I start a new program which is not listed in known/trusted/policy, cfp.exe goes up to 50% CPU (cfp usually never goes above 50% under any circumstances; don't know why, but that's another story, I think).
- If I make any configuration changes (to either Firewall or Defense+), cfp.exe goes to 50% when I hit OK. If I hit Cancel, CPU stays at normal levels.
- If a new alert pops up, cfp goes to 50% when I hit OK.
- Logs: lots of them. When I open them in the external viewer there is nothing at all in them. I have 234 log files at 25 MB each... I opened one with another text editor and I get this sort of thing:
"< F i l e U I D = " { 2 9 1 A 6 0 C 0 - B B F D - 4 E 7 8 - 9 9 9 2 - 2 7 F 4 5 3 2 D F F 8 8 } " F l a g s = " 0 " F i l e n a m e = " C : \ W i n d o w s \ P r e f e t c h \ H Y D R A D M . E X E - 7 9 5 7 C B D 4 . p f " D e v i c e N a m e = " C : \ W i n d o w s \ P r e f e t c h \ H Y D R A D M . E X E - 7 9 5 7 C B D 4 . p f " / >
< F i l e U I D = " { D B D 2 1 A C 5 - 3 2 E D - 4 7 C D - 9 8 7 A - F 5 4 9 8 E 8 D 4 5 2 B } " F l a g s = " 0 " F i l e n a m e = " C : \ W i n d o w s \ S e r v i c e P r o f i l e s \ L o c a l S e r v i c e \ A p p D a t a \ R o a m i n g \ P e e r N e t w o r k i n g \ b 8 a 2 9 f 6 3 5 f b 3 c b e c a 3 e b 9 c 6 7 b 8 6 6 8 9 1 5 5 4 b 9 e 6 2 0 . H o m e G r o u p C l a s s i f i e r \ d f 1 9 5 a b e e b c b 0 8 c b d 4 8 3 c 8 5 d 6 6 a d 3 2 2 9 \ g r o u p i n g \ e d b 0 0 0 0 9 . l o g " D e v i c e N a m e = " C : \ W i n d o w s \ S e r v i c e P r o f i l e s \ L o c a l S e r v i c e \ A p p D a t a \ R o a m i n g \ P e e r N e t w o r k i n g \ b 8 a 2 9 f 6 3 5 f b 3 c b e c a 3 e b 9 c 6 7 b 8 6 6 8 9 1 5 5 4 b 9 e 6 2 0 . H o m e G r o u p C l a s s i f i e r \ d f 1 9 5 a b e e b c b 0 8 c b d 4 8 3 c 8 5 d 6 6 a d 3 2 2 9 \ g r o u p i n g \ e d b 0 0 0 0 9 . l o g " / >
< F i l e U I D = " { 9 8 9 A 4 A B 4 - 7 B 0 8 - 4 2 A 1 - 8 D 9 A - 2 9 9 5 C A 8 6 8 F B C } " F l a g s = " 0 " F i l e n a m e = " C : \ W i n d o w s \ T E M P \ T M P 0 0 0 0 0 0 0 9 5 A 6 1 C 7 D 9 1 9 7 0 2 1 A C " D e v i c e N a m e = " C : \ W i n d o w s \ T E M P \ T M P 0 0 0 0 0 0 0 9 5 A 6 1 C 7 D 9 1 9 7 0 2 1 A C " / > "
Now, to me, this sort of stuff just shouldn't be in the log file...
I have switched to 1 MB logs to see if that will make a difference with the log viewer (but I don't really care about that; I'm more interested in why those files are being logged anyway...).
I have turned off Avast before replicating; it doesn't make a difference at all. So I would think that it's not to do with Avast.
Any thoughts on what's going on here?
Steve
Hi stevepaus,
Are you by any chance running Defense+ in paranoid mode?
How many applications do you have in your Defense+ policy?
CIS is known for this spike if you have a large policy.
Thanks for replying,
Using “safe” mode on both.
My Defense+ settings show probably 100+ entries (guessing).
So I decided to reinstall Comodo after trying the low-CPU configuration (which reduced CPU usage back to normal levels). I figured that maybe CIS had a few corruptions or something. Things certainly got better, and now it only takes about 10 secs to save the configuration. On the first day after the reinstall I ended up with about 5 x 5 MB log files, still too much, but I haven't seen any more since. The log viewer is now running smoothly when I open the configuration settings tab too.
When I open the 5 x 5 MB log files in another text editor program I get a lot of "windows\temp_avast_" in the file. It appears to refer to a temporary file that Avast creates... I can only assume the auto-learn in CIS safe mode is picking up these files after/during an antivirus scan or some such.
I still don't understand what the previous entries were in the old (25 MB) log files, but I suspect it has something to do with auto-learn and Avast scanning as above.
mIRC is still having occasional fits of 50% CPU. I reinstalled that too, but I have no idea what's going on there; it may be unrelated to the CIS issue above.
I will keep an eye on things and report back if I have further issues. It may just mean that I should do a full reinstall every 12 months to get rid of the buildup in the Defense+ settings.
Thanks for the assist,
Steve
Can you post a screenshot of the log viewer showing those avast entries?
Side-by-side screen captures as follows:
[attachment deleted by admin]
Can you please post them from the CIS Logviewer, because I can't see which module causes these entries and why based on these.
Sorry, no can do; as per my first post there are no entries listed at all in the CIS Logviewer under any of the tabs. I had to open an external text editor to get those screen saves.
I am attaching one of the logs for you.
Thanks,
Steve
[attachment deleted by admin]
It shows up here:
Can you check the Defense+ Security Policy setting for the Avastsvc.exe process?
If it's not there, can you check the Trusted Files list to see if it's in there?
[attachment deleted by admin]
It's strange how it shows up on yours but not in my CIS Logviewer. I'm so silly, I forgot to click "entire period"...
It takes a long time for Configuration Changes to display; I assume this is because of the size of the file. I also find it strange that there are only some 20+ entries, and yet when opened in another text editor it shows considerably more entries. The file is 5 MB, so clearly the CIS Logviewer does not show the whole story.
Anyway, I have c:\program files\avast software\*.* listed as an installer/updater.
I assumed this would be sufficient to avoid any problems with incompatibilities altogether. Should I change it?
Avast is already listed under Trusted Files as per attached.
Steve
[attachment deleted by admin]
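The post above notes that the Logviewer shows only 20-odd entries while an external editor shows far more, and the first post asks why prefetch and temp files are being logged at all. Here is an added Python example, not from this thread or from Comodo, that decodes such a log blob and counts its `<File .../>` records per directory so you can see which folder (Prefetch, an AV scanner's temp directory, etc.) is filling the file. It assumes the records are UTF-16 text (the one-space-between-characters look in the first post is what UTF-16 looks like in an 8-bit editor; that reading is my assumption), and the sample records, UIDs and paths are constructed.

```python
import re
from collections import Counter

# Constructed sample: a few CIS-style <File .../> records encoded as UTF-16
# with a BOM. Read as 8-bit text, every character is followed by a NUL byte,
# which editors show as a space. UIDs and paths are made up for the example.
SAMPLE_LOG = (
    '<File UID="{00000000-0000-4000-8000-000000000001}" Flags="0" '
    'Filename="C:\\Windows\\Prefetch\\EXAMPLE.EXE-12345678.pf" '
    'DeviceName="C:\\Windows\\Prefetch\\EXAMPLE.EXE-12345678.pf" />\n'
    '<File UID="{00000000-0000-4000-8000-000000000002}" Flags="0" '
    'Filename="C:\\Windows\\TEMP\\_avast_\\unp1.tmp" '
    'DeviceName="C:\\Windows\\TEMP\\_avast_\\unp1.tmp" />\n'
    '<File UID="{00000000-0000-4000-8000-000000000003}" Flags="0" '
    'Filename="C:\\Windows\\TEMP\\_avast_\\unp2.tmp" '
    'DeviceName="C:\\Windows\\TEMP\\_avast_\\unp2.tmp" />\n'
    '<File UID="{00000000-0000-4000-8000-000000000004}" Flags="0" '
    'Filename="C:\\Windows\\TEMP\\TMP000000095A61C7D91970" '
    'DeviceName="C:\\Windows\\TEMP\\TMP000000095A61C7D91970" />\n'
).encode("utf-16")

# One record = UID, Flags and Filename attributes; DeviceName is ignored here.
FILE_RE = re.compile(
    r'<File\s+UID="([^"]*)"\s+Flags="([^"]*)"\s+Filename="([^"]*)"', re.I)


def decode_log(raw: bytes) -> str:
    """Decode a log blob: BOM-marked UTF-16 first, then BOM-less UTF-16-LE
    (detected by a NUL in every second byte), otherwise UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def parse_entries(raw: bytes) -> list:
    """Return every <File .../> record as a dict, however many there are."""
    return [{"uid": m.group(1), "flags": m.group(2), "filename": m.group(3)}
            for m in FILE_RE.finditer(decode_log(raw))]


def summarize_by_dir(raw: bytes, depth: int = 3) -> Counter:
    """Count records by their first `depth` path components, so a folder that
    dominates the log (e.g. a scanner's temp directory) stands out."""
    counts = Counter()
    for entry in parse_entries(raw):
        parts = entry["filename"].split("\\")
        counts["\\".join(parts[:depth])] += 1
    return counts


if __name__ == "__main__":
    print(len(parse_entries(SAMPLE_LOG)), "records")
    for folder, n in summarize_by_dir(SAMPLE_LOG, depth=4).most_common():
        print(n, folder)
```

To run it on a real file, replace SAMPLE_LOG with `open(path, "rb").read()`; the record count is what to compare against what the Logviewer displays.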
Try adding this one with the full name/path please, and remove the one from Trusted Files and re-add it again.
There might be an issue when it’s updated that this one isn’t recognized because the file’s hash has changed over updates.