possible bug in Comodo logging

I’ve noticed a strange thing in Comodo PF logging.
I used an application (procexp.exe), which had been tested by many
people and no strange things were reported. There were some
alerts from Comodo which looked fine.

After that many other log events mention the same procexp.exe
in details, although the event itself is totally unrelated and I
don’t even have the exe in my computer anymore.

For me it looks like some fields in the events are not cleaned
and continue to be shown in other events. After examining my
logs more carefully I found some other signs of this behaviour.
E.g. some memory modification events continue to mention IP
address and port from older events.

I hope this can be fixed in the future releases.

Welcome to the forums, Piglet.

Pooh, Tigger, and I were talking, and we’re not very clear on exactly what you’re experiencing. :smiley:

Would you be so kind as to post the log entries you’re referring to? You can Export to HTML, then Copy the relevant sections and Paste as text into your post. If your personal external IP address shows, you may edit it for privacy.

Also, explain in more detail (if not included with the logs) about these “unrelated” alerts/events.

TNX,

LM

Well, I hope you don’t have any Heffalumps here. :slight_smile:

Below are several records from my Comodo’s log.

These two are the most strange for me. The antivirus probably
did something bad, but I have no idea how it can be related to
C:\Tools\ProcessExplorer\procexp.exe which had been removed from
the computer a couple of days before?

Date/Time :2007-03-14 04:04:39
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (FrameworkService.exe:0.0.0.0: :ftp(21))
Application: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
Parent: C:\WINNT\system32\SERVICES.EXE
Protocol: TCP Out
Destination: 0.0.0.0::ftp(21)

Date/Time :2007-03-14 04:00:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (FrameworkService.exe)
Application: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
Parent: C:\WINNT\system32\SERVICES.EXE
Protocol: TCP Out
Destination: 0.0.0.0::ftp(21)
Details: C:\Tools\ProcessExplorer\procexp.exe modified the memory of C:\Program Files\Network Associates\Common Framework\FrameworkService.exe in memory.

BTW, what’s the difference between these two entries?
The events look exactly the same except their severity.

Date/Time :2007-03-14 04:00:19
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (SERVICES.EXE:192.168.0.1: :dns(53))
Application: C:\WINNT\system32\SERVICES.EXE
Parent: C:\WINNT\system32\WINLOGON.EXE
Protocol: UDP Out
Destination: 192.168.0.1::dns(53)

Date/Time :2007-03-14 04:00:11
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (SERVICES.EXE:192.168.0.1: :dns(53))
Application: C:\WINNT\system32\SERVICES.EXE
Parent: C:\WINNT\system32\WINLOGON.EXE
Protocol: UDP Out
Destination: 192.168.0.1::dns(53)

Thanks everybody.
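The carry-over Piglet suspects can be checked mechanically. The following is an added example, not code from the thread or from Comodo: it parses the plain-text "Key: value" records quoted above and flags any whose Details names a process that is neither the event's Application nor its Parent, or whose Destination repeats an Application Monitor network event. The two sample records are copied from the post; the function names and the heuristics are this example's own.

```python
"""Consistency checks for exported Comodo PF log records (added example)."""
import re

KV_RE = re.compile(r"^([\w/ ]+?)\s*:\s*(.*)$")      # "Key: value" or "Key :value"
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)  # Windows .exe paths

# Constructed input: the two records quoted in the thread, verbatim.
SAMPLE_LOG = r"""
Date/Time :2007-03-14 04:04:39
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (FrameworkService.exe:0.0.0.0: :ftp(21))
Application: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
Parent: C:\WINNT\system32\SERVICES.EXE
Protocol: TCP Out
Destination: 0.0.0.0::ftp(21)

Date/Time :2007-03-14 04:00:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (FrameworkService.exe)
Application: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
Parent: C:\WINNT\system32\SERVICES.EXE
Protocol: TCP Out
Destination: 0.0.0.0::ftp(21)
Details: C:\Tools\ProcessExplorer\procexp.exe modified the memory of C:\Program Files\Network Associates\Common Framework\FrameworkService.exe in memory.
"""

def parse_records(text):
    """Split the export on blank lines; map each record's fields to a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = KV_RE.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        records.append(rec)
    return records

def find_stale_fields(records):
    """Return (record index, reason) for fields that look carried over."""
    findings = []
    net_dests = {r.get("Destination") for r in records
                 if r.get("Reporter") == "Application Monitor"}
    for i, r in enumerate(records):
        own = {r.get("Application", "").lower(), r.get("Parent", "").lower()}
        for p in PATH_RE.findall(r.get("Details", "")):
            if p.lower() not in own:          # process not part of this event
                findings.append((i, f"Details names foreign process {p}"))
        if r.get("Reporter") != "Application Monitor" and r.get("Destination") in net_dests:
            findings.append((i, f"Destination {r['Destination']} repeats a network event"))
    return findings
```

Run `find_stale_fields(parse_records(SAMPLE_LOG))` on your own HTML-exported log pasted as text to list the records worth questioning.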

I don’t mean to alarm you, Piglet, but are you sure all remnants of procexp.exe are gone? There’s also a potential malware version of the same executable name: http://forum.sysinternals.com/forum_posts.asp?TID=4512&PN=1

Edit: the link is last year, so it could be a false positive.

Yes, I’m sure there’s no such file. I’ve scanned both registry and disk for this name
and found nothing. Several anti-spyware programs do not report it (SpyBotSD,
AdAware, McAfee VirusScan). Of course I’ll double check everything, but it
looks like a false alarm from Comodo.

BTW, as a feature request, is it possible to enable cursor keys in the events list?
It’s very hard to read events by clicking every item with mouse.

Hopefully there are no rootkits because they’re undetected by the conventional Windows search.

Cursor keys? I think almost everyone has thought about that since they looked at the logs and rules (:LGH). It should be in the wishlist already.

As to the first, since it’s related to Application Behavior Analysis, here’s what I’m betting happened (aside from the possibilities of “nasties,” that is) ~ after uninstalling, PE didn’t require a reboot, and you didn’t reboot; in addition, you may have had it running prior to uninstalling. Without a reboot, the computer holds a “memory” of the processes being active for a time; sometimes several hours. Even tho’ they’re not running (or in your case, installed), because of something about the way these things communicate(d), CFP will show an alert that an application is interacting in such a way. Apparently it is theoretically possible that a malware can enter a command to occur at a future time, after associated applications have closed, for something to be carried out, so CFP is designed to spot these sorts of things, as it relates to outbound communication.

As to the second, I don’t know why they’re different Severity levels. My guess is that the second one (time-wise) is “High” because of multiple events. In other words, it happens the first time, CFP says, “Okay, this isn’t supposed to happen; Medium.” It happens a second time in short order, and CFP says, “Whoa, you’re serious about this; so are we! High.” I do not know that for a fact; it’s just my thought of a possibility.

LM

If mac’s insightful (:NRD) solutions don’t work, try a clean re-install of CFP with other software off.

(BTW, welcome to 2001, mac)

TNX, but it’s 2007, bub. (:TNG)

Let’s not play the counting game, but help fix piglet’s log bug. That’s what programmers do 8).

Go to C:\Windows\Prefetch, and delete the procexp.exe prefetch if it’s there. It might be causing this?