How to tell if CIS is crashing explorer.exe

So since installing 5.4 Antivirus and Defense+ and then disabling the antivirus I have been getting explorer.exe crashes. Mostly when opening folders in ‘My Computer’.

The first event generated for the explorer.exe crash is this:

Faulting application explorer.exe, version 6.0.2900.5512, faulting module cavshell.dll, version 5.4.57996.1354, fault address 0x000a9297.

then the following crashes (4 so far in about a couple of weeks):

Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version, fault address 0x03f89290.

So my question is how to tell if it’s Comodo or something else causing this particular crash?


oops: WinXP Home SP3 and Comodo screenshot

[attachment deleted by admin]

Its hard to say. You’re seeing these in the event viewer? Obviously something isn’t playing nicely with stuff in memory. It could be wacked Windows components, SFC /scannow might resolve that. It could be a horked CIS install. Or it could be misconfiguration of CIS.

I have the follwing D+ rules for explorer:

Allowed applications:

%PROGRAMFILES%\Comodo\COMODO Internet Security\cfp.exe
%PROGRAMFILES%\Internet Explorer\iexplore.exe
%PROGRAMFILES%\Common Files\Java\Java Update\jusched.exe

Interprocess Memory Accesses:

Windows / WinEvent Hooks:

Windows Messages:
%PROGRAMFILES%\COMODO\COMODO Internet Security\cfp.exe

Protected COM interface:

Protected registry keys:

*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Startup
*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*
*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*
HKUS*\Control Panel\Desktop\SCRNSAVE.EXE

Protected files / folders:


I don’t know how much of that is stock, or accumulated through using my system for a year concurrently with CIS. But for the most part, that should resolve most issues w/respect to normal useage of explorer. Any alerts that you get will be a result of your system and how you’re using it

Thanks for the reply. I did the SFC /scannow and it didn’t come up with anything. I checked most of those rules and they seem mostly the same plus more and I wouldn’t really want to mess with the rules anyways.

So my plan is as follows:

Uninstall CIS
Use the removal tool from the forums here
install CIS with the Antivirus and Defense+
Disable the Antivirus (I like having on demand scanning)

And see how that goes for the next couple of weeks. Any suggestions or does that look like a good way to reinstall? Thanks again!

Looks good. I’d suggest to export your config though. That way you don’t start from scratch after re-installation of CIS.

Dunno what the deal against CIS AV though. When enabled it runs real-time as either stateful or on-demand. The former checks active processes against the AV defs after AV defs have been updated; after any arbitrary process has been validated its no longer checked until the next AV update. On-demand scanning checks evrey process each time its launched.

AS FAR AS on-demand scanning, that’s available in the AV tab ‘run a scan’.

Oh for “on-demand” I meant have the antivirus disabled and then when I need to as in a usb stick, right click → scan.


I understand that you dont trust CIS AV component. As such you’d prefer to have another AV active (or at the very least to be able to call into play when needed).

As far as that goes, I’ve read very good kudos concerning Ad-Aware’s latest; the free version is spoda sport the same mean ‘Ferrari’ styled AV engine of the paid version. Everybody in the know is gung-ho 'bout it. LavaSoft acquired the engine and its as far as I understand is spoda be very good.

Because I’m beholden to a defraggler that depends upon last access date attribute for foles, I detest any sort of AV or malware scan whatsoever. I do have MalewareBytes installed but it does NOTHING (its there to scan and fix when necessary). I have Spybot installed w/no active protection. I enjoy its immunization feature. I use it as adjunct to Blocking Unwanted Connections with a Hosts File; Spybot adds its URL to the restricted zone.

IF you configure CIS to its abolute maximum protection afforded by its putative design, and implement its features in accordance to prim and proper security principles: you won’t need additional resource and conflict arising adjuncts.

It’s not that I don’t trust CIS AV, actually far from! I just don’t want ANY AV active. I use virustotal uploader and other scanners like MBAM and HitmanPro etc for the occasional checkup.

As for the Ad-Aware suggestion, might look at it for clients pc’s if it ends up being a decent final product.

Now all re-installed CIS and seems fine, will post a bug report if still getting the explorer.exe crash.


Just a quick last note.

I did notice that on this current install that under Defense+ Rules, explorer.exe is listed as “Windows System Application”

The last install it was listed as “Trusted Application”

It bothers me personally that both SVCHost and Explorer would live in ‘Windows System Application’

Take a look at the permissions that that pre-defined policy has. Yikes!

However, for default neophyte users that would be gutenuff. If you’re interested in hardening your system, I’d look into pulling both of those apps out of the ‘Windows System Application’ file-group. Obviously Explorer.exe is MUCH easier to deal w/than SVCHost. For the latter, review my SVCHost hardening how-to I posted. You need to set that up before you pull SVCHost out of the ‘Windows System Application’ file-group (or its HELLO CIS ALERT CITY!!! OMG!!!)

The point to hardening SVCHost is that it very plausible that a drive-by download can trick SVCHost into executing a file that has been aueepiririoualy downloaded into one of the temp folders. If that happens, all bets are off concerning your system’s integrity. In theory CIS should hinder your system being compromised in that fashion, but with the sophistication of today’s malware I’d not hold my breath in that regard; its just another avenue for some vector to insinuate a rootkit. Yikes!

A great defense against drive-by downloads is to block any executabel and archive file in the Content_IE folder. I have a file-group having all exe listed in the ‘executables’ file-group, and all file-types listed in WinRAR - each prefixed with the following path:

C:\Documents and Settings*\Local Settings\Temporary Internet Files\Content.IE5**.[file-extension]

Just put that file-grup in the D+ ‘blocked-files’ tab. Remember when you’re manually downloading files to remove that (or the download will chug to a halt and abort). For normal surfing, that file-group should always be in place. That will stop fake-AV from downloading setup.exe into the Content_IE folder. It doesn’t matter what you answer to the pop-up there, by the time you see the pop-up, setup.exe is already downloaded into Content_IE