Recently (though I don’t know when it started), I noticed in COMODO Network Intrusion logs a series of blocked intrusions from processes which either don’t have any name/identifier, or they have a description in ideograms (Chinese?). Source and destination are always the same, 0.0.0.0, and COMODO claims that the “action taken” is “Asked” (see the attached image). However, I never got any dialogue pop-up for these processes. Furthermore, I can’t locate them by name anywhere else in COMODO, either in other logs, or in filtered lists or wherever.
I’ve checked the services and running programs on my system (Win 10 with the latest patches), and haven’t noticed anything unusual. Full system scan with both Avira Antivirus and Malwarebytes didn’t return a single issue, and I generally try to run my system as clean as possible.
Does anybody have any idea what these processes are, and how to access/remove them?
Thanks for getting back to us. The error message may be caused by administrative privileges. Can you try to run the tool with administrative rights?
Nope.
Well actually, I have tried out CAMEdit and XMLPad from sourceforge for some xml/xsd modelling I had to do … but other than those no.
Do you know where COMODO keeps its lists? Local file? Registry? sqlite? I bet I can extract those filenames and give them a proper encoding, reverse the encoding somehow.
Ideas? I mean I could try and run procmon on COMODO to figure it out, but I also figure that it won't let me, right off the bat.
You see that after the log date in Julian? That's supposed to be “PATH” … read as binary it comes up as 0000 02, but it's supposed to be “text” according to the DB layout.
Also, I presume that the Pid is the process id (that's the 2544456 number), while, with no evidence of anything, I have no process id higher than 23000 running right now… The source address is a mess too: “02000000000000000000000000000000” (blob).
I am not comfy about what's going on here; I'd much rather I hit a snag in COMODO or something :).
Now I've been decoding it from every known Chinese codepage in existence and come up short.
I have nothing for a BOM on ~e6b9++
It's not HTML encoded or anything like that…
I am drawing short here.
What's bugging me is that e6 b9 … ae has a maximum span of 90 characters (if you imagine them to be ASCII encoded in some fashion); what obfuscates it a little bit is that the trailing “.exe” in no way matches the pattern of the trailing byte stream.