PrevXCSI

When doing a PrevXCSI (common trojan search app) scan after installing ComodoFW&D+

I end up with lots (150+) of zero byte or small sized .sys files in windows\system32\drivers

PrevXCSI is set as Trusted app and after about 8 runs and each time setting the *.sys files as Safe files, I now no longer get messages in PrevXCSI. It’s as if D+ is too slow to notice all the changes PrevXCSI is making.

I delete all the bogus files, then the next time I run PrevXCSI, D+ brings them all up as “waiting for your review” again.

PrevXCSI is actually sometimes able to delete a .sys file without D+ noticing.

So how do I fix this? I don’t want to remove PrevXCSI as it’s the best trojan searcher I’ve come across.

First off, make sure Defense+ is in Safe Mode.

When scanning with that particular scanner, as a temp solution, put D+ in Training Mode. Afterwards, switch D+ back to Safe Mode.

Josh

Oh, I just read some more and already tried what you said (but cheers still). I shut down PrevXCSI, put FW&D+ in training mode, and re-ran PrevXCSI and scanned. I still had to manually delete the small drivers\*.sys files once. But now it’s good and works in safe mode. I just hope no other PrevX temp files are lingering somewhere now, which is quite possible.

So how do I see what FW&D+ have learnt during training mode?

And what if a trojan/virus does something whilst in training mode?

I imagine there’s a thread or FAQ that explains those two questions somewhere.

Just look through the help file mate :slight_smile:

I suggest that while scanning you leave your computer alone and only have PrevX open. A virus/malware won’t get through that way :slight_smile:

Training Mode (Help File in CFP 3): Training Mode: The firewall will monitor and learn the activity of any and all executables and create automatic ‘Allow’ rules until the security level is adjusted. You will not receive any Defense+ alerts in ‘Training Mode’. If you choose the ‘Training Mode’ setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.

Tip: This mode can be used as the “Gaming Mode”. It is handy to use this setting temporarily when you are running an (unknown but trusted) application or games for the first time. This will suppress all Defense+ alerts while the firewall learns the components of the application that need to run on your machine and automatically creates ‘Allow’ rules for them. Afterwards, you can switch back to ‘Safe Mode’.

Josh

Hmm, I had to delete the PrevXCSI.exe entry in Computer Security Policy, then rerun PrevXCSI during training mode. Now the Computer Security Policy shows the new rules for PrevXCSI.exe.

Shame I can’t temporarily put a single app in training mode.

Maybe a feature request for the future :slight_smile:

Anyway, how is it running?

Josh

Yeah good, cheers for the quick responses.

If PrevXCSI was to ever find a trojan, what should I set D+ to?

I imagine PrevXCSI’s clean process will require new allow rules, but I wouldn’t want to enter training mode if a trojan is present. I guess the only option is to disable D+ :frowning: yikes.

I feel a whole lot less secure now that I allowed a whole bunch of stuff so I could run Configuration Reporting script v0.722

If you find a trojan & you have probs, post back pls.

As long as, after you use the scanner, you put D+ in Safe Mode.

Josh

CFP Configuration Reporting script
https://forums.comodo.com/help_for_v3/comodo_firewall_pro_configuration_reporting_script_latest_version_is_0722-t20950.0.html

Does it help?

Josh

It’s fine, except I feel a whole lot less secure now that I allowed a whole bunch of stuff so I could run it.
Maybe I shouldn’t have left the “remember my answer” ticked.

You NEED to make sure “remember my answer” is ticked so you don’t have to allow it every time.

Josh

OMG! arrg.

I just set FW&D+ to training mode then ran a game, but the game crashed, and the computer booted up with Comodo in training mode. :frowning: :frowning: I recommend Comodo on boot up should reset itself back to safe mode if it is in training mode.

Strange, I set D+ to installation mode then tried to install nvidia drivers 169.21 and it still asked me for authorisation. Had to set it as an Install&Update trust.

PrevxCSI creates 0 bytes .sys files as part of the rootkit scan. There was a problem in an old build where the files were not deleted if CFP’s file monitoring was enabled but was fixed in a later version IIRC.
Are you using the latest version of CFP and PrevxCSI?

CFP v3.0.22.349 and PrevXCSI v1.9.108.232. Both up to date.

Good.

How are things running? Make sure you always check “remember my answer”.

Please post back if you have any other problems or concerns.

Josh