Need to make a firewall rule for Lexmark

I just discovered that my new Lexmark all in one starts up on it’s own and phones home once a month. I need to make a rule to block it but don’t know how.

I couldn’t find the executable that does this anywhere until I started sifting through the registry. It’s LX_CATS.exe.

Here is pertinent info on Lexmark’s Spyware:

In order to remove Lexmark’s spyware from your system, delete the file (probably in your c:program directory) called “lx_cats.exe”, and also search for and remove a file called “lx_cats.ini” (and, for that matter, any other file including the term “lx_cats”).”

I’m a bit leery about deleting things from the registry so I figure I can just make a rule to stop it.

A million years ago when I was using AtGuard, rules were easy to make … I can’t seem to figure out how to do it with Comodo.

If someone could direct me to a step by step help section I’d appreciate it.



Hi Xeolyte,

If you want to prevent LX_CATS.exe to run and do a single move in your computer go to Defense+ > Computer Security Policy > Blocked files and add it there.

If you just want to prevent it from phoning home go to Firewall > Network Security Policy > Applications Rules > add > select > browse to LX_CATS.exe and then check “use a predefined policy” > Blocked Application

Don’t forget to click on ok or apply in each window after making the rule.

Thanks for the reply … the thing is, LX_CATS.exe only shows up in the registry … I imagine on the date it is scheduled to phone home it then goes into processes - otherwise it’s not showing up so I can’t give Comodo a path.

I’m sorry, but reading the above in your post, I understood that you could in fact find it in the C:\Program Files directory.

Sorry, I should have made myself more clear … so I’m guessing there is no way to direct comodo to a registry entry with an executable in it. I was hoping that I could tell comodo to block LX_CATS.exe when it tried to phone home but the firewall apparently needs to know where it’s coming from.

I’ve started a log of when the printer turns on by itself … at the moment I’m only connecting it to the computer when I need to use it (gotta love USB front ports) and blocking internet access as well. I’ve also made all obvious logs about usage as read only so they can’t be written to.

I’ll ultimately need to figure out a way to block this as I bought it for the Fax part as well. Hopefully I start to notice a pattern with the log in a few months.

Thanks again for your reply … at least I know how to make a rule now.


If you go to the Folder Options in Control Panel > view > advanced settings and check “Show hidden files, folders and drives”, maybe you will finally see the file in your drive C:.

On the other hand, if you have found the file in the registry, are you sure the path is not mentioned there?

On reflection, if the file is connecting without triggering a reaction from CIS, it must be in the trusted files list of Defense+. You could check and if the file is there, move it to the blocked files

Checking trusted files was one of the first things I did … the thing is, I just happened to be sitting next to the printer the two times it came on by itself and immediately turned it back off so I’m thinking it may not have had a chance to phone home and trigger the firewall and that’s why I can’t find any trace of it in the firewall logs … the 2nd time it happened, today, I did a quick search about lexmark turning on by itself thinking it was a bug and that’s how I discovered the spyware thing.

I have all hidden files supposedly showing … know that there are some really REALLY hidden files you can’t see so I even checked both lexmark folders via DOSBOX - now there was a trip down memory lane - and couldn’t find any lx_cat.* files - exe’s or ini’s.

To what folder are the registry keys pointing to? Are they part of the Legacy keys?

The words cat and .ini seem to indicate drivers. Can you open Process Hacker and look under the Services tab. You will find all driver and services there. See if you can locate the Lexmark driver and stop it from starting; select the entry and right click.