Proggies slipping through and disabling CIS

I followed the “how to…” and set comodo to proactive with all the suggested changes except increasing display of error messages–I don’t want to see these…
And yet I had to re-install yesterday ??? (thank you Norton ghost for saving me TIME) because “anti-malware doctor” somehow turned off CAV and infected my machine! >:(

I have XP PRo w/sp3 installed with the server service, microsoft networking, java, and flash all turned off(disabled or not installed) for extra security, and yet this program was able to somehow turn off CAV (4.1.150349.920-fresh install, not upgrade) and infect my machine.

Is there a way to further enhance comodo security so I don’t have to worry about little proggies slipping through and disabling my (what I thought was supposed to be a) firewall? I really hate re-installing.

Thanks in advance…please let me know if I need to submit any other info…
I don’t know where anti-malware doctor came from, I ran a couple google and amazon searches and logged into hotmail only…

How did you have the Firewall component and Defense+ configured?

I would configure CIS like this.

Moderator note: Post split & moved from here.

The configuration of cis has no importance whatsoever: following a “false link” on Google or wherever is enough, and always beats the firewall/defense+ mechanism.

Only if you let the malicious file through or configure CIS incorrectly could malware turn off CAV or infect the computer.

Please correct me if I’m wrong. I’m assuming that Defense+ and the Sandbox are both installed and active.

yes, sorry any ambiguity: I had followed chirons post~ when I said i followed the “how-to”, i was referring to “;msg406533#msg406533” - followed exactly except for previously mentioned changes~ and have both defense+ and the sandbox active.

I was searching for “carrano data structures java”, and opened a couple main links when the CIS icon disappeared completely, and the anti-malware doctor popped up running its scan. I had hotmail open…

Everything is fine now…I just hope it doesn’t happen again.

Is there a way to ensure non-execution, or to possibly harden CIS even “more” than Chiron’s post?
Thanks for the great product and all your time supporting us here!

oh yeah:
AV is on “stateful”

It really shouldn’t be necessary to increase security even more than that, although the next version allows it. Do you have any information about the type of infection that you say bypassed CIS? Did you receive any popups at all?

It’s possible that is was digitally signed in a way that V4 doesn’t protect you from, but the soon to be released V5 does.

I’ll be relasing an updated post after V5 comes out and I have a chance to evaluate the settings that will be included in the final release.

There were some malware that V4 didn’t account for but V5 will.


also are you sure that cmdagent crashed and not just the UI cfp.exe? as long as cmdagent is running you are still protected even if the UI is not available.

True. How did you know that you were infected?

well, first of all, anti-malware doctor is bona-fide malware.
When it popped up without my permission, I tried to kill its processes- to no avail: it re-started upon reboot.
Now I have read your forums and I can see that your first reaction is always to blame the user and deny their observations, but to me, a program which installs itself without warning, pops up and runs without being asked, and refuses to be removed without purchasing somebodies product is (as I said-to me) a virus. Be it malware, or any other technical term meant to skirt the facts.
read: Infection.
also, when I looked, there were neither comodo agents, nor cfp in the task manager.
right now, I am on-line and the comodo taskbar has a red crossed circle on it…disabled. Running a diagnostic results in “no errors being found”…
I know my ghost backup is perfect: I install XP sp3 off-line, update all my drivers and install the updates from my technet subscriptions. and then save the backup image to a secure folder.
Upon re-installation (…via ghost…) I install the latest cfp, and after a reboot connect to the internet and update the AV component… Which leads me off-topic to a complaint: why must I download the complete 80-100 mb definitions every time there is an update? can’t the package be appended? Especially since each new release never has the complete definitions and immediately needs updating every time. And it seems impossible to use your product in my back office, as being isolated from the internet effectively incapacitated updates, as there is no portable-separately downloadable- definition file. Anyway, sorry to digress.

I will now re-install Comodo(again), since I know that the disabled symbol disappear upon reboot, but in my experience it will pop up again at random every once in a while.

I hope you’re not talking about me personally. I was just trying to make sure you hadn’t accidently allowed it. If it actually bypassed CIS that is a major problem and the simplest solutions need to be explored first. I hope you understand.

Can you start the modules manually? What happens when you try?

Also, I have a question about this

Did you run any executables or do you think the malware was possibly a script?

If so then you may have been hit with a type of malware that V4 didn’t account for, but the soon to be released V5 does.

Anti malware doctor is a rogue.

It mainly occurs through search redirection: in such a circumstance, the user actively clinks a links he thinks to be valid, and thus infects himself.

Only visiting the said site can be enough without actually clicking anything if you are using older versions of softwares subject to some vulnerabilities.

Rogue threats are probably the worst ones and, under the said circumstances, the security software is not of much help, as it most often shall use a vulnerability in a trusted software.

Some counter-measures (of course added to the fact that one should be careful to where he clicks), could be monitoring javascript, redirection and ads from his browser, and set the security software to a custom level not trusting any software.