Multiple cmdguard.sys SDT Hooks detected by Rootkit Detector on 1 of 2 PCs

I have C.I.S. ver 3.8 (free) installed and fully up to date on 2 different home PCs, each running Win XP home (SP-3 and all critical updates installed). Neither PC is exhibiting abnormal behavior.

USEC Radix Rootkit Detector ver. 1.0.0.6 reports multiple SDT hooks related to cmdguard.sys on one of the PCs (no other potential anomalies detected), but the other PC gets an entirely clean bill of health.

I’ve seen the 2008 forum entry (on the now closed CIS forum) indicating that cmdguard.sys is a benign component of C.I.S., but I’m concerned that those hooks are detected on one but not the other PC.

Should I ignore these hook detections or have Radix “heal” the problem by reassigning the addresses?

P.S. I have absolutely no idea what an SDT hook is.

[attachment deleted by admin]

Hi, imanewuser

Please upload to the forum the cmdguard.sys from the PC on which the hooks were detected.

Thanks

As requested, I’m attaching the cmdguard.sys files that I find on my PC where multiple SDT hooks were detected. I’ve renamed both of them with a .txt suffix. To restore them, replace the .txt with the original .sys suffix.

The copy located in windows\system32\drivers has its file name spelled in all lower case letters. However, the copy located in Program Files\COMODO\COMODO Internet Security\Repair is named cmdGuard.sys.

Both files have the same Description, File Version, File Creation Date and Size in the pop-up balloon that opens when I hover the mouse over each file in the results of my computer search window.

[attachment deleted by admin]

Hi, imanewuser

We are going to have a look at it and will get back to you after investigation.

Thanks

Hi, imanewuser

It is normal that an SDT hook by cmdguard.sys is detected, but the file you uploaded has been modified; it is not the original one. If that is the case, as we can’t guess the reason, we suggest you reinstall your CIS.

Thanks

Hi Hailong.■■■■,

Thanks for the information. I will re-install CIS. However, before I do, I have a few questions:

  1. Which of the 2 files I attached was modified: cmdGuard.sys or cmdguard.sys? Could I solve the problem by just deleting the modified version and copying the unmodified version into the directory that contained the modified one?

  2. If I export my current configuration, delete my CIS installation, re-install CIS, and import that configuration file, might that configuration file re-corrupt the cmdguard.sys file?

Hi imanewuser,

Hi Hailong.■■■■,

Thanks for the information. I will re-install CIS. However, before I do, I have a few questions:

  1. Which of the 2 files I attached was modified: cmdGuard.sys or cmdguard.sys? Could I solve the problem by just deleting the modified version and copying the unmodified version into the directory that contained the modified one?

  2. If I export my current configuration, delete my CIS installation, re-install CIS, and import that configuration file, might that configuration file re-corrupt the cmdguard.sys file?

It seems that when you uploaded these files as .txt, their contents got changed, maybe because they were uploaded as a text stream (being .txt files) even though the data is not text.

In general, all binaries from Comodo are signed. If, upon right-clicking, you see that the file is signed by COMODO, please ignore the warning from USEC Radix Rootkit Detector.

Thanks
-umesh
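A scripted form of the check Umesh describes, combined with a byte-level comparison of the two copies the thread mentions, added here as an example; it is not part of the thread and not Comodo's or Radix's code. It assumes the two paths named earlier in the thread (the drivers folder copy and the Repair folder copy) and a PowerShell with Get-AuthenticodeSignature available; hashing is done through .NET directly so it does not depend on Get-FileHash.

```powershell
# Added example: verify the two cmdguard.sys copies from the thread.
# Paths are the ones mentioned in the thread (assumption: default CIS install location).
$paths = @(
    (Join-Path $env:SystemRoot 'System32\drivers\cmdguard.sys'),
    (Join-Path $env:ProgramFiles 'COMODO\COMODO Internet Security\Repair\cmdGuard.sys')
)

# SHA-256 of a file via .NET, so this also works on PowerShell versions without Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# Inspect one driver copy: Authenticode status, signer, size and hash.
# Status 'Valid' plus a COMODO signer is what the thread says to look for;
# 'HashMismatch' would mean the bytes no longer match what was signed.
function Test-DriverCopy([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Status = 'Missing'; Signer = $null; Size = $null; Sha256 = $null; LooksOk = $false }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $item   = Get-Item -LiteralPath $Path
    $ok     = ($sig.Status -eq 'Valid') -and ($signer -match 'COMODO')
    return [pscustomobject]@{
        Path    = $Path
        Present = $true
        Status  = $sig.Status
        Signer  = $signer
        Size    = $item.Length
        Sha256  = Get-Sha256Hex $Path
        LooksOk = $ok
    }
}

$results = foreach ($p in $paths) { Test-DriverCopy $p }
$results | Format-List Path, Status, Signer, Size, Sha256, LooksOk

# The thread notes both copies share description, version, date and size;
# a matching SHA-256 confirms they are byte-identical, which the balloon tooltip cannot tell you.
$present = @($results | Where-Object { $_.Present })
if ($present.Count -eq 2) {
    if ($present[0].Sha256 -eq $present[1].Sha256) {
        Write-Output 'Both copies are byte-identical.'
    } else {
        Write-Output 'Copies differ: compare Status/Signer above before trusting either one.'
    }
}
```

A file that was changed after signing shows Status 'HashMismatch' rather than 'Valid', which is the situation the earlier reply suspected for the uploaded .txt copies; an untouched file renamed to .txt would still verify, since Authenticode covers the bytes, not the name.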

Thank you Umesh.

Both versions of cmdguard.sys on my PC are digitally signed by COMODO and have the same date stamp. Thanks for the reassurance. (I’m glad I waited a few days before going through the bother of uninstalling and reinstalling CIS.)

I’ve informed Radix of their false positive alarm and they’ve already modified the program to correct this.