Prevent CIS from being terminated?

Under Task Manager you can easily terminate cmdagent.exe and cfp.exe. Why is that so?

Is there a way to block this from happening?

I believe this is a feature; it’s to give the user more freedom while at the same time it will not allow an unknown program to kill CIS. However, I don’t know how it is with Trusted applications; I think those might be able to kill CIS.

I believe to prevent it, you need to do this:

  • Open CIS main GUI.
  • Click “Tasks” next to the green arrow in the top right.
  • Expand “Advanced Tasks”
  • Click “Open Advanced Settings”
  • Expand “Security Settings” in the left menu of the new screen.
  • Expand “Defense+”
  • Expand “HIPS”
  • Click “HIPS Rules”
  • Near the bottom (by default) you should see a group of files represented by the name “COMODO Internet Security”
  • Right-click it and click “Edit”
  • Click the “Protection Settings” tab in the new window.
  • Look to the right of where it says “Processes’ Termination” and make sure it is set to “Active” and then click “Modify (x)”
  • In the new window you can choose what applications are ALLOWED to terminate all the applications under the group “COMODO Internet Security”
    Personally I have it set to only “C:\Program Files\COMODO\COMODO Internet Security*”, i.e. I removed all the other things. You can set it to what you like, but take caution with these settings!

CIS allows the user to do what they want but will block other programs from terminating its processes.

SanyaIV, I tried your settings, but it had no effect - still everything can terminate anything related to CIS.

I wonder if CIS v6 has better self-defense? Since I’m currently using v5.12.

Also, I do not understand how CIS could possibly understand when it’s a legit user or malware behind the termination?
Unless of course CIS is configured for ultimate paranoia, but that’s something that most computer users can’t allow themselves due to various reasons.

All unknown applications, meaning all undetected malware, will not be able to terminate CIS. It’s only applications which are known to be safe, such as Task Manager, which are able to terminate CIS.

This was added in for V6 so that advanced users could do this if they needed to. It is not a vulnerability.

Also I must apologize, the thingy I wrote above is for CIS V6, I shouldn’t have made such an assumption, sorry about that.

With CIS V6.2 the thing I wrote above works for me; Windows Task Manager claims access denied while KillSwitch can kill it (because KillSwitch is in the same folder that I allowed).

But Uxio439 is using CIS V5.12, not V6. Was such a thing available in V5.12 as well or could this be an issue?

I’m not sure. I had thought it was implemented for V6, but as it’s been so long since I’ve used V5.12 I can’t say for sure.

Okay, I tried with latest v6.3, did everything SanyaIV said.

cavwp, cmdagent, CisTray and cis can be terminated without any problems.

I also tried deleting some of CIS’s SYS and DLL files… There’s no protection against that either!

Why is COMODO #1? There’s an anti-anti module used in malware against some security products. All popular products were listed. I always thought that the lack of COMODO in that list was because it’s unbeatable. But it turns out you can just terminate and erase COMODO without the need for anything special.

You can do that manually. However, any untrusted program (including malware) cannot.

Thus, Comodo does have very strong protection from being terminated. However, if the user wants, they can do what they like.

Make a batch file and let it try to delete CIS related files and you will see it will fail.

CIS is the nanny of program behaviour, not the nanny of user behaviour. CIS allows users to do everything they want, including reckless, dangerous and plain stupid things like deleting Windows system files, etc.

However an unknown program will not be allowed to do that.

I’d like to suggest making a batch file that tries to kill CIS processes instead… if for some reason the batch file would be allowed, be it an issue with CIS or the user permits it, then a delete could be somewhat problematic whereas killing a process won’t have such a big effect since you can start it again… Just Sanyain.