odd behavior in the active connections window

Can anyone explain the happenings in the picture attached? My WTF-O-Meter is off the charts at the moment… might just be some sort of GUI update problem.

Firefox was completely closed according to Task Manager (also, when closing my viewable window, it exited normally and disappeared from Task Manager normally); I can only find one instance in a full drive search.

One of the foreign “active” Firefox processes seems to be volume1/program files/mozilla/firefox.exe (partially cut off in the UI for Active Connections), which screams some sort of hidden jobby.

My total connection up-time stood at 1 day 10 hours, so the amount transferred seems wishful (I'm in rural England, so the best down speed is 3-3.5 meg when the wind is right ;D, average 1.5 after AOL's port throttling :cry:).

Also, the source and destination IPs are unknown to me, not mine internally or externally. Is there anything special about IPs starting with a 0??

My head hurts; any help appreciated. :a0

[attachment deleted by admin]

Hi FFS, welcome to the forums.

The data displayed looks like it is shifted or possibly even corrupted (which amounts to the same thing really). Something is indeed very wrong here & your wtf-o-meter is serving you well. Tell us some more about your set-up; OS (bit flavour), CIS version, other security apps, etc… Thanks.

Also please check the Process List (part of Defense+), the data is managed & displayed in a similar manner, it might also be impacted.

edit: poor wording & even worse grammar.

Shifted? Is that covered in an FAQ? :stuck_out_tongue:
WinXP SP3 32-bit. I think I'm a version back on the CIS (it's the freebie, manually updated at the start of the session; I just ran a check for updates from the Misc menu and found what seems to be an overhaul update, returning error 112: unable to copy file dosmz.cav, twice in a row; will try again after a reboot, as I've been cleaning and uninstalling a few small bits). No other security apps running, but I use Spybot S&D (which just returned a clean scan for all spyware types) and SpywareBlaster.
I have Defence+ set to inactive; it eats CPU (does Defence+ suffer from a first-run slowdown normally?) on a wardog of a computer, a K8T800 3200+ with a measly 512 RAM (plenty of tweaking and lots of love). Treating it to 2 gigs o' Kingston soon, so will try Defence+ eventually. Can features be used even with it set off??

Not currently, it usually needs to be frequently asked to reach an actual FAQ. :wink:

I’ve not seen this error before either… double-check your Windows Event logs to ensure there is nothing nasty being logged.

I don’t know, I’ve never tried it. Although, there is no reason I can think of to block the Process List function because Defense+ is disabled (but, still installed). I recommend trying it.

CIS with D+ active runs quite well on one of my sister’s old machines. I’m not sure how fast the processor is, but it only has 384MB of RAM and that is the max the mobo will hold, so I’m not thinking it’s a powerhouse CPU. Some users though have reported heavy CPU usage with even very quick processors, so it’s possible you just have an unlucky system configuration.

Parts of D+ still work. Nowt new in the process list, same as Task Manager, just grouped under parent processes; handy tool, that, for tracing future beasties.
Think it may just be corrupted data; I'm constantly opening new windows and tabs and closing old ones without “resting” Firefox, BBC iPlayer and lots of browsing in between… can see where it may get confused with all the data flying about. :smiley:

Me ISP would be kicking me door down if I'd really sucked up 30-odd million gigs in a weekend. The IPs struck me as odd though: no ports specified and all in the 0 range. Are these just normal IPs like any other, or are they a different class, like a loopback function or summit??? ** The UI still hasn't removed these; it usually refreshes when progs go dead.

Nothing interesting in Event Viewer, just a constant DCOM error from the Nero indexing service (bloated piece of excrement) that I just can't seem to find a fix for. But nothing for you to worry about. !ot!
System is running smoothly enough.

Are there any log files or bits ya want in case this goes pandemic?? Before I reboot?

It is possible that it’s merely something to do with the screen display & nothing is wrong with the actual data. Actually, a display-only corruption is more likely. If the data itself was corrupted then that would probably have dire consequences for the rest of CIS’ operations & reveal itself in other ways. Which it doesn’t.

So, I’d say do a reboot & see if it clears the display problem.

The first thing that brought me to check Active Connections was when I moused over the CIS icon in the notification area (next to the clock) and the icon disappeared, as though the process had exited/crashed and the system tray hadn't updated till I rolled over… that was brick one.

Went to the CIS folder in the Start menu, clicked from there, and CIS seemed to load and start protecting; it hung for 3-4 seconds, then started listing several firefox.exe's in the bottom right corner (traffic window, with percent of connection used),
which prompted me to rootkit scan, Spybot scan, antivirus scan. All came clean except one or two Heur.Packed finds (which seem like false positives judging from the files they're in: not used in the last month, but installed/scanned for over a year; heuristics seem to be getting more and more paranoid over the months). Other than those, everything congratulated me on a clean system…

Also rebooted and ran the update from Misc; it went without a hitch and prompted for another reboot, and here I am, no problems continue. But I still can't get my head around how the firewall could count up to 30000000 GB several times for processes called “7602293” or “5505109” or “fox/firefox.exe on port 4D in/out (yep, a D)” to and from IP addresses which are not my comp. (Ports aren't displayed in hex, are they?)
Could a NAT'ed router connection confuse it in this way?

The simple answer is that it didn’t; those numbers are not real. The display is somehow becoming corrupted in a way that does not appear to impact CIS itself. Unless the recent loss of CIS from the systray is related. Please check the Windows Event logs for any entry relating to cfp.exe at around the time of CIS’ systray icon disappearance. CIS failures of this type are almost always recorded to the Windows Application Event log.

Please inspect CIS’ own event logs & rules for evidence of any similar corruptions.

Under CIS’ Miscellaneous tab please run the Diagnostics to check CIS installation.

Also, still a little confused on this, please confirm which version of CIS you actually have now (Miscellaneous - About), thanks.

Windows Event Log shows the COMODO Internet Helper Service crashed at 12:37 GMT, Saturday lunchtime. I moused over at 12ish Sunday night.
Does this mean I was surfing unprotected all that time?
Why did the thing that generated the event not pop up and tell me what had happened? Or at least gesture that something had happened?
Would this service have restarted itself automatically?

Am running COMODO 3.10.102194.530 as of this morning. Ran the diagnostics at the time and after the recent update; both found nothing wrong.

Firewall events list nothing unusual; however, the firewall rules were dodgy yesterday: rules in place for the ghost processes (with the same incomplete names) allowing any IP to any IP where the protocol matches 48, 72 or 4D (really freaked by these; what sort of protocol is 4D???). The numbers under the listed processes in the screen-captured JPEG. Sorry, removed these as soon as I found them, otherwise would make a pic o' those too.
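An added example (not from the thread or from Comodo) for the questions raised above about peer IPs in the 0 range and about whether fields such as “4D”, “48” and “72” could be hex: it classifies an IPv4 address against a hand-written list of special-use ranges and reads a port or protocol field in both decimal and hex, looking the protocol number up in a deliberately partial table of well-known IANA assignments. The row values in the `__main__` section are constructed (only the field values “4D”, “48” and “72” come from the thread), `explain()` is an illustrative helper, and the block does not know what CIS actually displayed; it can only say whether a value decodes to something meaningful.

```python
import ipaddress

# Partial table of IANA IP protocol numbers (well-known entries only). A number
# missing here is reported as "not in this table", not as unassigned by IANA.
IP_PROTOCOLS = {
    0: "HOPOPT", 1: "ICMP", 2: "IGMP", 4: "IPv4 (encapsulation)", 6: "TCP",
    17: "UDP", 41: "IPv6 (encapsulation)", 47: "GRE", 50: "ESP", 51: "AH",
    58: "IPv6-ICMP", 89: "OSPF", 132: "SCTP",
}

# Special-use IPv4 ranges (subset of RFC 6890), most specific entry first.
SPECIAL_USE_V4 = [
    (ipaddress.ip_network("255.255.255.255/32"), "limited broadcast"),
    (ipaddress.ip_network("0.0.0.0/8"), "this network (0.0.0.0/8, RFC 1122); not a routable peer"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local (APIPA)"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved (RFC 1112)"),
]


def classify_ipv4(text):
    """Label an IPv4 address string by special-use range; 'invalid' if it does not parse."""
    try:
        addr = ipaddress.IPv4Address(text.strip())
    except ValueError:
        return "invalid"
    for net, label in SPECIAL_USE_V4:
        if addr in net:
            return label
    return "global unicast"


def _read_both_bases(field, upper):
    """Parse a UI field as decimal and as hex; None where it does not parse or exceeds `upper`."""
    field = field.strip()
    readings = {}
    for base, key in ((10, "decimal"), (16, "hex")):
        try:
            value = int(field, base)
        except ValueError:
            readings[key] = None
            continue
        readings[key] = value if 0 <= value <= upper else None
    return readings


def decode_port(field):
    """Candidate readings of a port field: {'decimal': n or None, 'hex': n or None}."""
    return _read_both_bases(field, 65535)


def decode_protocol(field):
    """Candidate readings of an IP protocol field, each paired with its name if in the table."""
    readings = _read_both_bases(field, 255)
    return {key: (None if value is None else (value, IP_PROTOCOLS.get(value, "not in this table")))
            for key, value in readings.items()}


def explain(addr, port_field, proto_field):
    """Sanity-check one connection/rule row the way a reviewer would (illustrative helper)."""
    return {
        "address": classify_ipv4(addr),
        "port": decode_port(port_field),
        "protocol": decode_protocol(proto_field),
    }


if __name__ == "__main__":
    # Constructed rows; the addresses are placeholders, not those from the screenshot.
    for row in (("0.0.0.0", "4D", "4D"), ("0.1.2.3", "80", "48"), ("192.168.1.2", "443", "72")):
        print(row, "->", explain(*row))
```

Reading the three rule values both ways shows that hex 48 and decimal 72 are the same number (72), that “4D” is only a number at all when read as hex (77), and that none of the three is in the well-known protocol table; that is consistent with the corruption explanation but does not prove it. A peer address anywhere in 0.0.0.0/8 is not a routable host, so a connection “to” one is not a real remote endpoint, regardless of what the counters next to it say.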

The helper service, cmdagent.exe? No, you will not be unprotected. In its default state CIS will usually allow everything that is authorised (ie. has rules) and block everything else. Failing that, being unable to authorise requests, I believe it is likely to block everything. This happens because CIS’ drivers (the business end) are still loaded and running, they just can’t talk to you or read the rules. And if they weren’t running? Well they don’t go quietly or nicely… they usually take the whole TCP/IP stack with them out of pure spite. Only kidding, I think it’s an intentional emergency measure thing, they’re heavily self-protected I suspect, for obvious reasons. Basically, you’re forced to reboot to get the Internet working again. So, I don’t think that happened.

But, what is clear, is that your Active Connections list was more than just a visual display problem… it was an actual data corruption, extending to rule creation itself. And, unfortunately, I don’t think we can rule out the possible corruption of items we have not discovered yet. It is a risk.

Please check in C:\Windows\Minidump for a .DMP file (called a MiniDump… coz it’s a small dump) created around the time of the helper service crash. If you find one, please ZIP it up & post it here. It will help the developers a lot in trying to figure this one out.

Also, please take a cut ‘n’ paste copy of the Windows Event log entry & post that here as well.

Go back in history in the Windows event logs to look for any other crashes, change the sort order to bring the crashes together. Also look for signs of other application crashes, not just Comodo’s. Ta.

At this point, I would recommend that you perform a fresh clean install to be safe. Or at minimum, if you don’t want to do the fresh install, perform a full visual inspection of all rules & settings looking for any corruption. Getting impossible, invalid, stuff in data fields can really ruin an application’s day. :slight_smile:
The really freaky protocols: Sorry, that was the actual data corruption I talked about earlier. As I indicated, it seems that CIS’ map of memory and/or (gulp) the registry differed from that of the actual map. Which certainly counts as “really freaky” in my books as well. :slight_smile:
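An added example (not from the thread or from Comodo) for the advice above to go back through the Windows Event logs, sort the crashes together and look for crashes beyond Comodo’s own: it parses records in the text form that Event Viewer’s copy button produces (the “Event Type:/Event Source:/Event ID:” layout quoted in this thread), keeps only the (source, ID) pairs in a small hand-picked crash table, sorts them by time, and pulls out those within a window of a chosen moment, such as when the systray icon vanished. The sample export is constructed: the 7034 record is the one from this thread, the other two are made up (“sampleapp.exe” does not exist), and the DD/MM/YYYY date order is an assumption based on the poster’s UK locale.

```python
import re
from datetime import datetime, timedelta

# (source, event ID) pairs that record a crash in the XP System/Application logs.
# Hand-picked subset, not an exhaustive list of crash-related IDs.
CRASH_EVENTS = {
    ("Service Control Manager", 7034): "service terminated unexpectedly",
    ("Service Control Manager", 7031): "service terminated unexpectedly, recovery action run",
    ("Application Error", 1000): "faulting application",
    ("Application Hang", 1002): "hanging application",
}

# Header fields in the text Event Viewer's copy button produces.
FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")


def _parse_when(date_text, time_text, dayfirst=True):
    """Combine Date and Time; dayfirst=True assumes a UK-style DD/MM/YYYY date (assumption)."""
    fmt = "%d/%m/%Y %H:%M:%S" if dayfirst else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(f"{date_text} {time_text}", fmt)


def parse_events(text, dayfirst=True):
    """Split pasted records (one 'Event Type:' header block each) into dicts."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            if current is not None:
                events.append(current)
            current = {"description": []}
        if current is None:
            continue  # text before the first record
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
        elif line:
            current["description"].append(line)  # free-text body of the record
    if current is not None:
        events.append(current)
    for ev in events:
        ev["description"] = " ".join(ev["description"])
        ev["Event ID"] = int(ev["Event ID"])
        ev["when"] = _parse_when(ev["Date"], ev["Time"], dayfirst)
    return events


def find_crashes(events):
    """Crash records only, oldest first, so repeat offenders sit together."""
    hits = [ev for ev in events if (ev["Event Source"], ev["Event ID"]) in CRASH_EVENTS]
    return sorted(hits, key=lambda ev: ev["when"])


def crashes_within(crashes, anchor_text, minutes=30, dayfirst=True):
    """Crashes within +/- `minutes` of 'DD/MM/YYYY HH:MM:SS' (e.g. when the systray icon vanished)."""
    date_text, time_text = anchor_text.split()
    anchor = _parse_when(date_text, time_text, dayfirst)
    return [ev for ev in crashes if abs(ev["when"] - anchor) <= timedelta(minutes=minutes)]


# Constructed sample export: the 7034 record from this thread, an informational
# HHCTRL record that must be filtered out, and a made-up Application Error record.
SAMPLE_EXPORT = """\
Event Type:     Information
Event Source:   HHCTRL
Event Category: None
Event ID:       1904
Date:           28/06/2009
Time:           12:10:20
Computer:       HAL
The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found.

Event Type:     Error
Event Source:   Application Error
Event Category: (100)
Event ID:       1000
Date:           28/06/2009
Time:           11:58:03
Computer:       HAL
Faulting application sampleapp.exe, version 1.0.0.0, faulting module unknown, fault address 0x00000000.

Event Type:     Error
Event Source:   Service Control Manager
Event Category: None
Event ID:       7034
Date:           04/07/2009
Time:           12:27:14
Computer:       HAL
The COMODO Internet Security Helper Service service terminated unexpectedly.  It has done this 1 time(s).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

if __name__ == "__main__":
    crashes = find_crashes(parse_events(SAMPLE_EXPORT))
    for ev in crashes:
        print(ev["when"], ev["Event Source"], ev["Event ID"], CRASH_EVENTS[(ev["Event Source"], ev["Event ID"])])
    print("near the systray incident:", [ev["Event ID"] for ev in crashes_within(crashes, "04/07/2009 12:30:00")])
```

Pasting the whole System and then the Application log export through `parse_events()` and `find_crashes()` gives one time-ordered crash list across both logs, which is what the sort-order advice above is aiming at; `crashes_within()` then answers the narrower question of what, if anything, fell over around the moment the icon disappeared.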


This is the event:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 04/07/2009
Time: 12:27:14
User: N/A
Computer: HAL
The COMODO Internet Security Helper Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at ht**://go.microshat.coc/fwlink/events.asp.

No other mentions of Comodo in the event log, not even a service started note. There were a few other crashes, but not even on the same day as the Comodo failure.

Data doesn't just corrupt itself, does it? Is there any way to see when the rules were set? There are a few legit-looking ones I don't remember setting (like Google Updater; I hate Google).

Sorry, nothing in the Minidump folder; think I've deactivated this part of Windows, like the debugger, which is more of a ■■■■■■ than a de-■■■■■■. Soz.

On a little side note, what exactly does the diagnostics diagnose? Could this be extended to look for dodgy rules and such?? (Not right now, obviously, but for future reference.)

I think the Windows Event you posted is from the System event log, is there a corresponding Application event log entry? It would have more details about the actual crash.

Data corruption: Unfortunately, based on what you’ve posted, that does seem to be the case. I refer to the rules that you spotted & deleted, these were corrupted as well. Correct? This implies that it was more than mere visual display corruption.

Understood on the MiniDump.

CIS Diagnostics: This is CIS’ own integrity checker. It scans the CIS installation, both file system & registry, to ensure all components are present & correct. In addition, it scans for & reports on the presence of any other software known to cause conflicts with CIS. Unfortunately, it doesn’t scan the integrity of existing rules (this would be a fairly complex task for an automated process).

Sorry, no mention of Comodo in the Application log, nothing matching the time of the System event either. However, there are a lot (several a minute, for 8 or 9 minutes) saying:

Event Type: Information
Event Source: HHCTRL
Event Category: None
Event ID: 1904
Date: 28/06/2009
Time: 12:10:20
User: N/A
Computer: HAL
The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: about:blank, hppt 8)://go.microsoft.com/fwlink?LinkID=45840.

HHCTRL ****** Just googled: to do with the help centre not displaying tables properly or summit, a security update side effect. (Microsoft motto: if it's broke, break it some more.)
Don't know what this belongs to… is it Comodo?? (I don't think it is, but I don't know.)

Data corruption is a very ambiguous term; I understand you're only working with small amounts of information about the event. Why would the firewall create rules without asking me? I thought that's what the pop-up “so-and-so is trying to do something-or-other, tick a box and OK it” was about. Browsing and torrents were running OK the whole time.

Even the processes that are just numbers were on the rules list.
Does the Comodo freebie allow known safe processes automatically, or would it still ask permission??

Thanks for letting me pick your brain about this one. :-TU

No, I think HHCTRL is a Microsoft component. An HTML Help ActiveX thing, used by MS Office amongst other things & linked to your 1904 error (according to Google).

But, it does sound like you’re missing something… with the no description for Event ID. However, these types of things are often dropped, along with MiniDumps, as a performance measure.

Why would CIS create rules? It does that based on its settings. With the Firewall in Safe Mode, it would generate rules for applications certified as ‘Safe’ by Comodo, or as a result of user responses to pop-up Alerts.

Why would CIS create corrupt rules? Because the underlying data was indeed corrupt, although the extent of that corruption is not clear. CIS didn’t notice and continued as if everything was fine. I suspect that “in theory” this situation cannot happen and that’s why there was no functionality to verify data on the fly to prevent it.

In terms of the application, to the best of my knowledge there is no difference between CIS free & CIS paid. CIS paid adds 24/7*365 technical support (a real human!) when you want it.