(please redirect me to the right topic group if needed)
I recently ran the app tv.exe which is supposed to stream TV over the net. I was suspicious of it though I couldn’t find corroboration for that on news groups even though it is not a new app. After CFP alerted me that it was accessing the net (csrss.exe) and my display (needed to write to it–but also allows snapshot which I assume would be necessary for what it was expected to do, I selected “allow”. It then began attempting to:
access program memory for taskmanager (?!)
put hooks in DLL’s
access program memory for each of the anti-mal/spywares I had installed (CFP, adaware, avg, spybot)
other seemingly unrelated apps–eg wordpad. (it seemed to be going down a running process list)
I believe I denied most of these (though I am wondering about #1 because that may where it got its list of things to try and access) and finally killed it. I reviewed the defense+ logs and it tells me what accessed what but not whether I denied or granted it.
I don’t recall ever seeing so much seemingly excessive access of my system by any other app yet. I am new to CFP have been running it for about a month now. I added tv.exe to my pending files list and submitted it to cfp for analysis. I also added it to my blocked list for now. Is this reasonable behavior for such an app? Does anyone else have experience with this or similar apps?
One thing you should do is go to Defence+/Advanced/Computer Security Policy and remove any entries for tv.exe in the main list.Also highlight things like explorer.exe click edit/access rights and then Modify next to “run an executable/interprocess memory access,etc”,you may find an entry in allowed applications,remove it.Do this for anything you think it tried to access.
Then switch Defence+ to paranoid mode till you know all is well.
I submitted TV.exe to virustotal.com. It came back clean but the reference is appreciated, Gibran. That’s more AV’s than I would ever have run on it otherwise. Even though it has passed AVG for quite a while now I also don’t assume that because it does not contain a virus it is not malware. This was also the first time I have run it since I got CFP and spybot.
Matty, I checked the Defense+ policy settings … this app’s were set to custom …
is it better to remove tv.exe from the list entirely than to set all access to blocked and all protections active?
I don’t want it to appear as if I have no policy and give it a clean slate.
Is a custom policy more permissive than the default one?
I checked a few of the apps it attempted to access (they are about 80% of the entire list) and so far no strange settings … but many more to check. Still a bit confused and getting familiar with what all the switches do though …
Protection refers to which system features (interprocess mem access, hooks, terminations) are protected from the app and access refers to conditions on the things (run exe 's, interprocess mem access, etc.) the app is allowed to do right?
Paranoid mode switch on for now / also block all requests if app is closed. BTW, in red at the bottom of my CFP window: “COMODO Application Agent is not running!” … thought I was using all the features …
If you add something to ‘My quarantined files’ that application will not run regardless oif existing rules.
A for %windir%\explorer.exe here it is set to custom (installer policy is grayed out there).
In access right the only list filled is ‘run an executable’ all access rights are set to allow.
Protection settings refers to what the app is protected from. You can prevent interprocess mem access, hooks, terminations and win messeges.
Access right refers to wht the app will be allowed to do and what not.
‘COMODO Application Agent is not running’ means CFP is not functioning properly this may have been triggered by that app an you can reproduce this and confirm I guess devs could be interested in a bugreport.