RE: CIS Virus Database Will Not Update On Windows 10 PC

Why are you trying to import the database in the middle of an already in progress update? Of course it won’t work, and you also shouldn’t try deleting the databases while it is attempting to update either. You are supposed to delete files then run the update to see if it completes while not using a proxy.

Good debugging involves doing as much as possible pre-emptively in order to help techs assess behaviour, eliminate possibilities and track bugs down. You’d expect it to come up with a message saying something like “Sorry, the update process is currently running. Please wait until it is finished before trying to import a virus database.” but it didn’t. I didn’t code the software so I don’t know if there is such a popup or not, nevertheless I did it and reported the result. Maybe it would have crashed. Maybe something else would have happened. No-one knows. Although a small thing, it may help in the debug.

It was someone else who tried to delete the database while it was being used. 88)

I am not a n00b (as you can clearly see from my detailed posts) so no need to assume I am one. Thank you.

No files in that folder. Will reboot soon and try updating again.

Rebooted and updated successfully. 9 hours later updated OK. Checked again a few minutes after that update. No new updates were available and reported as such and window closed normally. Will report back if there are any more issues. Did you do anything server-side?

Updated manually again after another 9 hours. Current DB was v29014, started updating to v29015 and got stuck after downloading not even one byte of data. This time progress reads 2%. Went to bed and looked at it after 10hrs had elapsed and it’s still stuck and hasn’t timed out. Pic attached. ‘Pause’ works. ‘Stop’ closed the window but only after the second press (as mentioned in a previous post). ‘Send to background’ works but, as usual, the thing is stuck and same window comes up whenever I try and update.

As I predicted, the deletion and subsequent re-download of the full .CAV file has failed to fix the issue. Subsequent updates all successful until after reboot. Not sure whether this failure (on the auto, not manual update) was at the first update after reboot or subsequent update. Pic is attached.

Look forward to another remote session, Sergey! :stuck_out_tongue:

OK, here we are basically a month later and no progress. After some remote sessions with Sergey where he/we analyzed the situation, deleted the sigs file and re-downloaded it, uninstalled CIS then cleaned it up with the cleanup tool then reinstalled it, used Fiddler to analyze traffic to & from the PC etc, he was unable to rectify or find the problem. As I have mentioned to him (and maybe in my posts here too), I have a laptop on the same internet connection that does not stick like this PC does. Sergey resigned himself to the presumption that it is packet loss, but this is not the reason.
To prove this I even updated both computers simultaneously from the same sig version on more than one occasion just to see what happened and what do you know, eventually the friggin thing stuck again whilst the laptop updated without issue. The laptop will come up with the correct error(s) when indeed the packet loss is too high or it cannot connect to the Comodo servers and times out but this PC does not do this on a consistent basis. This PC has now been stuck in its stupid update loop for 12 days now so there is something wrong with the code in CIS that’s not letting it display the correct error and close the bloody update window. I don’t care how much packet loss there is…your code is broken and there should be code in there that shuts the update process off if there is too much packet loss, bad connectivity or whatever the condition of the connection is. Plain and simple.
Edit: Oh yeah, and don’t forget the non-functioning ‘Stop’ & ‘Pause’ buttons. That can hardly be because of packet loss…

MedNZ. Do you have other security programs or programs installed that interfere with networking (Netlimiter for example)?

You probably had other security programs installed in the past and uninstalled them. Sometimes an uninstaller leaves behind a service or driver which could cause hard to track instabilities.

Can you make a list of security programs you had installed in the past and then run clean up tools for those products? You can find a list of uninstallers here: [KB146] Uninstallers (removal tools) for common Windows antivirus software .

Or if you are an advanced and experienced user you could use Autoruns and see if you have autostarts of drivers or services of previously installed security programs.

Hi EricJH.

I have used Autoruns and saved the results to an .ARN file and attached it here.

There are currently no programs installed that interfere with networking.

There was an AV by Beijing Rising Information Technology Co., Ltd. which I uninstalled when I started to modify the setup of this PC. I think it was called 360 or something like that. I used Revo Uninstaller (Advanced Mode) to uninstall. There is no uninstall tool for that 360 AV on the Eset site so I think I’ll uncheck all of those then reboot and if everything is normal, delete the drivers themselves on a subsequent reboot…unless you have any objection and plan to do something else to experiment on this system. If that goes well I’ll do that for the other couple of Chinese apps’ residual files / drivers.

Note that some of the File Not Found (highlighted yellow) entries in the list of drivers / .EXEs are because I have put them into the Protected Objects section of HIPS (so they never run on this system).

That is how I work. I would uncheck the drivers and reboot but not delete the drivers (when there is no autostart they won’t run and one never knows what we might want to do as part of the investigation).

If that goes well I'll do that for the other couple of Chinese apps' residual files / drivers.

Note that some of the File Not Found (highlighted yellow) entries in the list of drivers / .EXEs are because I have put them into the Protected Objects section of HIPS (so they never run on this system).

As my analysis will show, you only disabled some drivers of a manufacturer and left others to run.

I noticed other drivers as well. Let’s take things step by step.

Thank you for the Autoruns output. That makes it very convenient to help you.

Beijing Rising Information Technology Co., Ltd
I see four autostarts for drivers
kguard.sys (Lightweight Kernel Protection against Return-to-user Attacks)
rdsys
rsutils
sysmon
And a service called QPCore

Tencent Technologies
The following drivers are running
QMInject
QMUdisk
QQFmMgr
QQProtect
TSSK.SYS
There also runs a service called QPCore.
They make up a PUP:

TSSK.SYS is reported and [url=https://greatis.com/blog/win32-pup-gen/remove-tssk-sys.htm]classified[/url] as a PUP (potentially unwanted program). TSSK.SYS installs as a plugin to your Web browser, intercepting your online activities, altering the content of Web pages and search results, and displaying an outstanding amount of highly invasive advertisements.

Baidu
It has the following drivers running:
bd0001
bd0002
bd0005
BDArkit
BDDefense (this is part of Baidu AV)
BDMWrench

Can you comment on all four programs and what function they have? I only briefly looked into them.

I would say disable drivers per manufacturer. First Tencent related because it is a PUP and reboot. Then I will wait for your comment on the others.

Hi and thanks for the quick reply.

Re: TSSK.SYS

TSSK.SYS is reported and classified as a PUP (potentially unwanted program). TSSK.SYS installs as a plugin to your Web browser, intercepting your online activities, altering the content of Web pages and search results, and displaying an outstanding amount of highly invasive advertisements.

That’s why I use browsers other than IE and iexplore.exe is not allowed to run on this PC. Or any of my PCs for that matter.

4? Do you mean 3? Or do you mean the 4 autostarts?

Tencent makes QQ, an IM client, among other ■■■■.
Rising is responsible for the AV as previously mentioned.
There was no Baidu AV installed (but the drivers were there anyway, no doubt bundled with the OS)

Will do so now.

Update: Received error “Error changing item state” while trying to disable 2 of the Tencent drivers

  1. QQFrmMgr QQFrmMgr: QQ Frame Manage Driver Tencent c:\windows\system32\drivers\qqfrmmgr.sys
  2. QQProtect QQProtect: QQProtect Application Tencent c:\windows\system32\drivers\qqprotect.sys

Even when you don’t use IE the PUP will more than likely connect to the web.

4? Do you mean 3? Or do you mean the 4 autostarts?

Tencent makes QQ, an IM client, among other ■■■■.

Do you use QQ IM client? Do you have QQ browser? What programs by QQ do you have installed? Does it install surprise programs? I don’t know the program but there is suspicion of spyware getting installed with it: Tencent QQ - Wikipedia .

There was no Baidu AV installed (but the drivers were there anyway, no doubt bundled with the OS)
Maybe Rising used Baidu AV and left behind traces uninstalling? I would disable everything Baidu because you don't seem to be using it.
Will do so now.

Update: Received error “Error changing item state” while trying to disable 2 of the Tencent drivers

  1. QQFrmMgr QQFrmMgr: QQ Frame Manage Driver Tencent c:\windows\system32\drivers\qqfrmmgr.sys
  2. QQProtect QQProtect: QQProtect Application Tencent c:\windows\system32\drivers\qqprotect.sys
Try running Autoruns as admin. When that doesn’t help boot to Safe Mode and run Autoruns and disable.
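The driver review EricJH did by hand from the Autoruns output (group kernel drivers by publisher, spot File Not Found entries, then disable rather than delete) can be reproduced from the registry with PowerShell. The script below is an added example written for this thread, not code from Comodo, Sysinternals or any poster. It assumes an elevated PowerShell 5.1 or later prompt; the function names (Resolve-DriverPath, Get-KernelDrivers, Get-NonMicrosoftDrivers, Disable-DriverService) are my own, and the driver name in the commented usage line is taken from the thread only as an illustration.

```powershell
# Added example, not from the thread: list kernel-mode driver services from the
# registry (the same source Autoruns' "Drivers" tab reads), resolve each binary,
# and group the results by company/signer so leftover third-party drivers stand out.
# Assumptions: elevated PowerShell 5.1+; function names are mine.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-DriverPath {
    # Normalise the ImagePath forms found under HKLM\SYSTEM\CurrentControlSet\Services
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\x          -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"      # \SystemRoot\x     -> C:\Windows\x
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\" # System32\x        -> C:\Windows\System32\x
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-KernelDrivers {
    # One object per driver service (Type 1 = kernel driver, Type 2 = file system driver).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $props.Type -notin @(1, 2)) { return }
        $path    = Resolve-DriverPath $props.ImagePath
        $exists  = [bool]($path -and (Test-Path -LiteralPath $path))
        $company = $null; $signer = $null
        if ($exists) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $start = if ($null -ne $props.Start) { $StartNames[[int]$props.Start] } else { 'Unknown' }
        [pscustomobject]@{
            Name    = $_.PSChildName
            Start   = $start
            Exists  = $exists        # $false corresponds to Autoruns' yellow "File Not Found"
            Company = $company
            Signer  = $signer
            Path    = $path
        }
    }
}

function Get-NonMicrosoftDrivers {
    # Keep drivers whose version info and Authenticode signer are not Microsoft's;
    # unsigned or missing files stay in the list because their fields are empty.
    Get-KernelDrivers | Where-Object {
        ($_.Company -notlike '*Microsoft*') -and ($_.Signer -notlike '*Microsoft*')
    }
}

function Disable-DriverService {
    # Set Start = 4 (SERVICE_DISABLED) so the driver no longer loads at boot; the file
    # stays on disk, which matches the "disable, don't delete" approach in the thread.
    # If this fails with access denied even when elevated (the "Error changing item
    # state" case above), the service key carries a restrictive ACL that must be
    # corrected first, which is what the poster ended up doing by hand.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) { throw "No service key named '$Name'" }
    if ($PSCmdlet.ShouldProcess($Name, 'Set Start=4 (Disabled)')) {
        Set-ItemProperty -LiteralPath $key -Name Start -Value 4 -Type DWord
    }
}

# Report grouped by publisher, the way one reads an Autoruns listing:
Get-NonMicrosoftDrivers | Sort-Object Company, Name |
    Format-Table Name, Start, Exists, Company, Path -AutoSize

# Remediation, dry run first (driver name from the thread, for illustration only):
# Disable-DriverService -Name 'QQProtect' -WhatIf
```

Reading the report: an entry whose Exists column is false but whose Start is not Disabled is a dangling autostart of the kind the thread is hunting; an entry with a non-Microsoft signer and Start = System or Auto is a live third-party driver. Rebooting after each batch of disables, as EricJH suggests, keeps the changes attributable.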

Eh? How would it get through the firewall since I have everything blocked except firefox.exe and a couple of other safe browsers. Does it inject itself as a dll into an instance of svchost.exe?

Yes, g/f used QQ. No way, no rubbish browsers allowed…that’d be worse than IE… :o Nothing else of QQ’s ■■■■ either.
And no surprise programs. You can choose what to install but you have to be careful.

Probably. There is nothing Baidu, only some search extension and homepage for IE but that’s a moot point.

Yeah, it’s weird cos it didn’t work even with admin in safe mode. I nuked it via the registry and adding permissions. Long winded but worked.

BTW, I also have Spybot installed and regularly apply immunization and keep it updated and do scans (as with CIS) but in 3+ years there’s never been an infection or any malware or the like…just the single QPCore BS as the PUP.
And I block everything non-essential for the basic functioning of the QQ IM client, i.e; install it then deny everything except qq.exe then see if the program functions. If it doesn’t then I let them have permissions one by one. I am completely ■■■■ about that, obviously because I am aware of just how ■■■■■■ it is and of all the garbage that it can install and the {insert pretend service name here}.exes it runs - or tries to run in the background, ha ha - for all the ads and other ■■■■.

These processes run as a driver and are therefore allowed anything. Disable them.

Yes, g/f used QQ. No way, no rubbish browsers allowed...that'd be worse than IE... :o Nothing else of QQ's ■■■■ either. And no surprise programs. You can choose what to install but you have to be careful.
Disable everything belonging to Tencent including QMInject and QMUdisk. These are the ones you blocked with CIS but you might as well disable them using Autoruns while being at it. Also disable the QPCore service.
Probably. There is nothing Baidu, only some search extension and homepage for IE but that's a moot point.
Uninstall the extension anyway. Then disable all drivers belonging to Baidu.
Yeah, it's weird cos it didn't work even with admin in safe mode. I nuked it via the registry and adding permissions. Long winded but worked.
That would have been the next thing I would have advised but you beat me to it.
BTW, I also have Spybot installed and regularly apply immunization and keep it updated and do scans (as with CIS) but in 3+ years there's never been an infection or any malware or the like...just the single QPCore BS as the PUP. And I block everything non-essential for the basic functioning of the QQ IM client, i.e; install it then deny everything except qq.exe then see if the program functions. If it doesn't then I let them have permissions one by one. I am completely ■■■■ about that, obviously because I am aware of just how ■■■■■■ it is and of all the garbage that it can install and the [i]{insert pretend service name here}.exes[/i] it runs - or tries to run in the background, ha ha - for all the ads and other ■■■■.
I looked at the IE tab and noticed a BHO from Tencent called Account Protected BHO Class. Unless you need it you could consider removing or disabling it.

Then as to the entries Beijing Rising. You said you installed their AV. Assuming you use no other tools from Beijing Rising I would suggest to disable them also.

All in all it’s quite a list of drivers running under the surface which could cause the performance issues you’re witnessing with updating CIS.

Then as to the entries Beijing Rising. You said you installed their AV.

Actually it was installed already and I uninstalled it.

Anyway, everything, and I mean everything, has been nuked, deleted and shat on personally. ;D Sorry, I’ve already spent more time on this than allotted for and I’m going to have very little time in the next 2 weeks so I’m going to have to avoid a disable this today, wait a couple of days, disable this tomorrow, wait another couple of days and see what happens kind of scenario. Let’s see if Comodo now behaves itself…

I don’t think you need to wait for days after each change in this case. I am curious to know how the update process now goes.

Wrong there buddy. This time it was 3 days before it started to ■■■■■ up again. Thanks for the suggestions about drivers and all, but it isn’t to do with CIS’ update issues as this PC is now super squeaky clean after ridding it of those drivers, re-checking none had reappeared and after scanning for everything with both CIS and Spybot.

Latest pic is below. This time it didn’t even get to start displaying a percentage complete.

Thanks for reporting back. Could you post another Autoruns output for a last look in the drivers and services corner?

As requested.

I see no third party drivers that interact with networking. Does your problem still happen or is it now intermittent?