Sanity check on some recently observed app behavior per Defense+

(please redirect me to the right topic group if needed)

I recently ran the app tv.exe which is supposed to stream TV over the net. I was suspicious of it though I couldn’t find corroboration for that on news groups even though it is not a new app. After CFP alerted me that it was accessing the net (csrss.exe) and my display (needed to write to it, but also allows snapshots :) ) which I assume would be necessary for what it was expected to do, I selected “allow”. It then began attempting to:

  1. access program memory for Task Manager (?!)
  2. put hooks in DLLs
  3. access program memory for each of the anti-mal/spywares I had installed (CFP, adaware, avg, spybot)
  4. other seemingly unrelated apps, e.g. WordPad (it seemed to be going down a running process list)

I believe I denied most of these (though I am wondering about #1 because that may be where it got its list of things to try and access) and finally killed it. I reviewed the Defense+ logs and it tells me what accessed what but not whether I denied or granted it.

I don’t recall ever seeing so much seemingly excessive access of my system by any other app yet. I am new to CFP and have been running it for about a month now. I added tv.exe to my pending files list and submitted it to CFP for analysis. I also added it to my blocked list for now. Is this reasonable behavior for such an app? Does anyone else have experience with this or similar apps?

-thanks.

I have no experience with these apps so my comments may not be relevant.

IMHO those behaviours look suspicious and I guess I would have mimicked your actions.

Did you try to submit that app to http://www.virustotal.com/ ?
Maybe a multi av scan could shed some light.

Hi zeelis, welcome to the forums.

One thing you should do is go to Defence+/Advanced/Computer Security Policy and remove any entries for tv.exe in the main list. Also highlight things like explorer.exe, click Edit/Access Rights and then Modify next to “run an executable/interprocess memory access, etc.”; you may find an entry in allowed applications, remove it. Do this for anything you think it tried to access.
Then switch Defence+ to paranoid mode till you know all is well.

Matty

ps always remember to APPLY to close windows.

Re suggestions so far …

I submitted tv.exe to virustotal.com. It came back clean but the reference is appreciated, Gibran. That’s more AVs than I would ever have run on it otherwise. Even though it has passed AVG for quite a while now, I also don’t assume that because it does not contain a virus it is not malware. This was also the first time I have run it since I got CFP and spybot.

Matty, I checked the Defense+ policy settings … this app’s were set to custom …

is it better to remove tv.exe from the list entirely than to set all access to blocked and all protections active?

I don’t want it to appear as if I have no policy and give it a clean slate.

Is a custom policy more permissive than the default one?

I checked a few of the apps it attempted to access (they are about 80% of the entire list) and so far no strange settings … but many more to check. Still a bit confused and getting familiar with what all the switches do though …

Protection refers to which system features (interprocess mem access, hooks, terminations) are protected from the app, and access refers to conditions on the things (run exes, interprocess mem access, etc.) the app is allowed to do, right?

Paranoid mode switched on for now / also block all requests if app is closed. BTW, in red at the bottom of my CFP window: “COMODO Application Agent is not running!” … thought I was using all the features …

thanks and regards

… also %windir%\explorer.exe is set to a predefined policy as an “installer or updater” so “access rights” not in effect as such right now …

If you add something to ‘My quarantined files’ that application will not run regardless of existing rules.

As for %windir%\explorer.exe, here it is set to custom (installer policy is grayed out there).
In access rights the only list filled is ‘run an executable’; all access rights are set to allow.

Protection settings refer to what the app is protected from. You can prevent interprocess mem access, hooks, terminations and win messages.
Access rights refer to what the app will be allowed to do and what not.

‘COMODO Application Agent is not running’ means CFP is not functioning properly; this may have been triggered by that app, and if you can reproduce this and confirm it, I guess devs could be interested in a bug report.

Please run CFP diagnostic.