I recently updated Mozilla Thunderbird from version 22.214.171.124 up to 126.96.36.199.
After that update, a few weeks ago, Thunderbird doesn’t want to start. I did a lot of tests and in the end I found that HIPS blocked Thunderbird.
If I disable HIPS control, Thunderbird starts. If I turn HIPS control on, Thunderbird doesn’t start, and after that, the whole system starts to be unstable (some applications take long to respond).
In the HIPS list of authorized applications there is the entry for Thunderbird with “allow” but there is no way to run it.
If I add the executable of Thunderbird to the exception list, the program starts to run perfectly.
I’m very happy about Comodo products and I’m wondering why this happens, since on two other PCs (configured similarly) everything works perfectly. Other applications seem to run without any problem (IE7, Firefox, etc…).
Lastly, when I turn on the PC, I have HIPS disabled. I manually turn it on and it stays on for the whole session. When I restart the PC it is disabled again.
Thank you for your help
The info about the system is the following:
Build Version: 188.8.131.52
DataBase Version: 184.108.40.2066
AllowDB Version: 220.127.116.11
Program Updates Version: 18.104.22.168
Program Files Information
Operating System: Windows XP
Operating System Version: 05.01.2600
Service Pack: Service Pack 2
Internet Explorer Version: 7.0.5730.11
Central Processing Unit (CPU): Intel(R) Pentium(R) 4 CPU 3.20GHz
Total Memory: 2047MB
CFP will not have recognized your new Thunderbird installation as the updated version will have a different signature. I would have thought CAVS would have asked you about the new version the first time you opened it after installing. You may be better removing any current entries for Thunderbird in your allow/block list and then hopefully CAVS will ask you next time you run Thunderbird.
With regard to your HIPS being disabled on restart: did you click on ‘apply’ when you changed the setting to turn it on?
As you suggested, I supposed something like what you explained to me. So, I removed from CPF and CAVS everything about Thunderbird. In fact I’m not sure which of the two programs is the first to handle the program, but I guess CAVS, for this reason:
If I remove any item from all the lists about Thunderbird and I set HIPS ON, the program doesn’t run.
If I turn HIPS control off, CPF, after launching it, asks me to allow/deny the application for local loopback (127.0.0.1) and for the IP for reaching the DNS. I allow Thunderbird permanently in CPF, but then again, if I turn HIPS ON it doesn’t want to start because CAVS blocks it.
It’s quite complicated; I’m wondering which file keeps the table of allowed/blocked programs. Maybe the file is for some reason corrupted and this creates a problem.
I really don’t want to remove and reinstall CAVS and CPF, since I already did that twice with the same results: it works for a short time and afterwards there are problems again.
Just the last question… Could it be some update from Microsoft that’s removing some components from CAVS/CPF with their Malicious Software Removal packets? (:TNG)
Make sure HIPS is enabled on Medium setting (and the Apply button has been clicked so it is greyed out) & open the manage allow/block list section in CAVS settings, tick the box for all entries for Thunderbird and click remove.
Then close the manage allow/block list. Next time you try to open Thunderbird CAVS should ask you if you want to allow this - if you tick the box to remember and allow it then CAVS should remember to allow TB next time you open it.
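A simplified model of the point made in the two replies above (a rule recorded for the old build no longer matches after an update, and removing it brings back the prompt), as an added example that is not part of the thread and not Comodo's implementation. The `Allowlist` class, its SHA-256 pinning and the file contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest of the file's current contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class Allowlist:
    """Hypothetical allow/block list: one rule per path, pinned to a digest."""

    def __init__(self):
        self.rules = {}  # path -> (digest recorded when the rule was made, action)

    def remember(self, path, action):
        self.rules[str(path)] = (sha256_file(path), action)

    def remove(self, path):
        self.rules.pop(str(path), None)

    def decide(self, path):
        rule = self.rules.get(str(path))
        if rule is None:
            return "ask"            # unknown program: prompt the user
        digest, action = rule
        if digest != sha256_file(path):
            # The file changed after the rule was recorded. What a real
            # product does here (re-prompt, block, ignore) is product-specific;
            # this model only reports the mismatch.
            return "stale"
        return action


def simulate_update():
    """Walk one executable through install, allow, update and rule cleanup."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "thunderbird.exe"
        exe.write_bytes(b"constructed old build")   # constructed sample content
        rules = Allowlist()
        seen.append(rules.decide(exe))              # first launch
        rules.remember(exe, "allow")
        seen.append(rules.decide(exe))              # rule matches
        exe.write_bytes(b"constructed new build")   # the update replaces the file
        seen.append(rules.decide(exe))              # old rule no longer matches
        rules.remove(exe)                           # the cleanup step advised above
        seen.append(rules.decide(exe))              # prompt comes back
        rules.remember(exe, "allow")
        seen.append(rules.decide(exe))
    return seen
```
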
I did a lot of tests in the past few days and one of them was exactly that.
I removed TB from the list, and I was expecting a new request from CAVS to allow or block the .exe.
Not at all, CAVS doesn’t ask me for it. And the funny thing is that I tried to install a silly freeware and least popular program in order to prove the capability of HIPS to pop up a request for me, and as I expected it pops up the window. I tried to allow and to deny, and the program was running or not depending on what I set for it.
If I’m not wrong, there should be a list supplied by Comodo of known programs allowed to run on the machine.
Does anybody know where this list is? I would like to remove it and download a fresh one from Comodo. This is the last try; after this, all my ideas are over… :THNK
Besides, I thought about a hardware problem, so I tested the hardware several times (memories, CPU, motherboard, video adapter…) but all tests were OK.
Comodo’s safelist is encrypted away from prying eyes and manipulating malware… that way it remains a “safe” list. At any rate, I do not think that at present FF or TB are on it.
You can, however, re-profile your machine. Navigate to c:\program files\comodo\antivirus\ and run UPSDbMaker.exe. I believe the current profile will be stored at c:\documents & settings\all users\application data\comodo\comodo antivirus\safedb. Feel free to poke that with a sharp stick if you like…
Luckily I have Ghost images of my PC that I usually take from time to time.
I went back to July 31st, when there was a previous version of Mozilla TB, and of course before the latest (and massive) pack of updates from Microsoft.
Well, I reloaded the system, I disabled automatic updates from Microsoft in order to prevent any new update after 07/31, I updated CAVS and CPF and …
… the system works perfectly.
I upgraded from TB 22.214.171.124 up to 126.96.36.199 and, as I (and everybody) was expecting, CAVS asked me to allow or block the new version of TB. :BNC
I tried the PC all afternoon and it works like a razor blade.
The conclusion is that one (or more) MS upgrades collide in some way with some Comodo components or the whole system, and this hangs up somewhere.
Now I’m inspecting the updates from Microsoft which are responsible for this system malfunctioning, in order to understand exactly which one is the one.
I’ll install them one by one and I’ll log all the disk activity in order to dig into what’s happening.
I guess that this, let me call it, “incompatibility” of MS updates with Comodo AV could be interesting for Comodo. I’ll post my future discoveries about this problem as soon as I understand (with evidence on hand) the problem.
I feel relaxed now. At least I localized the problem.
I can live without MS updates, but not without Comodo antivirus! (L)
Tnx for that info, Andrea. I know that those updates seemed to completely rewrite some system files/processes in ways that cause countless continuing alerts from CFP; glad to know that they’ve been pinpointed for CAVS problems as well. (well, not glad per se, but just that you tracked it down).