int15.sys, in Acer's "Empowering Technology"

Hey guys. I’m a new Comodo IS user, and I have an issue that’s driving me nuts.

I have an Acer XP desktop, and it comes with their “Empowering Technology” application called “eRecovery” preinstalled. This seems to be a disk imaging and image-restore tool (it’s actually quite nice).

Problem: Whenever I login to Windows as the administrator, CIS puts the following file in my “waiting for your review” list:

C:\Acer\Empowering Technology\eRecovery\int15.sys

I keep doing a “Lookup” on this, which accesses the Internet and tells me the file is safe. I then move it into the “My Own Safe Files” list, where it stays. … but ONLY until I logout and then log back in as the adminstrator again.

At that point, int15.sys disappears out of the “My Own Safe Files” list, and reappears in my “waiting for your review” list.

This happens every single time I logon as adminstrator. CIS refuses to remember what I told it the last time about this file. It’s starting to drive me nuts. It doesn’t happen for limited user accounts, just adminstrator accounts.

My leading theory/guess is that eRecovery starts on administrator login, and at that point, actually CHANGES this file’s contents somehow (although the file’s size and timestamp don’t change). Comodo suddenly “un-trusting” the file at each login would make sense if it changes at each login. And, one time during an administrator login, I saw Defense+ pop up a notice saying it was learning that Monitor.exe (another eRecovery component) was CHANGING int15.sys, which strongly suggests my theory is right. It even automatically set up a rule saying that Monitor.exe can change int15.sys. But, int15.sys isn’t located in a “protected” folder anyway, so why would it have to set up such a rule at all?

I’m running CIS 3.8.65951.477 on Windows XP SP3, if that helps. Defense+ is in “Clean PC mode”, since this is a new PC I’m sure is clean.

I’ve only been using CIS a few days, and I love it, EXCEPT for this one, annoying problem. Can anyone help? How can I get CIS to stop flagging this file for my review at each admininstrator login? I realize executables shouldn’t change often, so CIS isn’t being unreasonable, but it’s driving me nuts. And are .SYS files even executables at all? I don’t know. Plus, I’m worried that if CIS is blocking this file from working while it’s waiting for my review, my eRecovery app may not work right.

Help, anyone? In Defense+'s “training mode” this doesn’t happen (the file never appears in the “waiting for your review” list), but I do NOT want to keep Defense+ in “training mode” since it offers very little protection going forward.

Thanks a lot for any help!

Hello if you can stand some more alerts then setting D+ to safe mode should solve your issue. :-TU :-TU

You could just leave it in “my pending files”. The only difference will be you will get a pop-up if it tries to do something monitored by defence+. If you say remember my answer it will only pop up once but most likely you will get no pop-ups at all. I have things like this and I just leave them. It has never caused me a problem.

You mention “I saw Defense+ pop up a notice saying it was learning that Monitor.exe (another eRecovery component) was CHANGING int15.sys,” Could it have been a message for accessing in memory?

Can you show us your D+ logs?