Scanner hangs during AV scan (Known issue, reports requested)

A. THE BUG/ISSUE

  1. What you did: Observed automated full scan.
  2. What actually happened or you actually saw: Scan hangs at 99%, will not pause/stop/close, uses 100% of one CPU.
  3. What you expected to happen or see: Scan complete and report issues or allow to close if none.
  4. How you tried to fix it & what happened: Used COMODO AV scan from Windows Explorer to scan sections of my entire system to narrow down the file(s) causing the issue. Also used Process Explorer and Resource Manager to help identify the file(s). Through trial and error / narrowing scope I found the following single file consistently causes the scanner to crash: M:\iTunes\iTunes Media\Mobile Applications\Cut the Rope 1.3.ipa. I copied the file to the desktop, scanned it, same result, scanner crashes and uses 100% of one CPU.
  5. If a software compatibility problem have U tried the compatibility fixes (link in format)? N/A.
  6. Details & exact version of any software (except CIS) involved (with download link unless malware): iTunes 11.0.0.163 Windows, Cut The Rope 1.3 iOS.
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: Yes. a) Locate the offending file in Windows Explorer. b) Right click on file and select Scan with COMODO Antivirus.
  8. Any other information (eg your guess regarding the cause, with reasons): File is 25MB and I have waited many minutes for the scan to complete; other files of this size or greater complete in seconds or less. Did not attach file to this report, but can send if required.

B. FILES APPENDED. (Please zip unless screenshots).
  0. A diagnostics report file (Click ‘?’ in top right of main GUI. Required for all issues): No ‘?’ available in top right of CIS GUI, ran CIS diagnostics and attached screen shot.

  1. Screenshots of the 6.0 Killswitch Process Tab (see Advanced tasks ~ Watch Activity) or 5.x Active Process List. If accessible, required for all issues: Attached.
  2. Screenshots illustrating the bug: Attached.
  3. Screenshots of related CIS event logs: Not attached. No events generated by AV scanner, FW, or D+.
  4. A CIS config report or file: Not attached.
  5. Crash or freeze dump file: Not attached.
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version: Attached.

C. YOUR SETUP

  1. CIS version, AV database version & configuration: 5.12.256249.2599, 14605, Internet.
  2. a) Have you updated (without uninstall) from a previous version of CIS: No.
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)? N/A.
  3. a) Have you imported a config from a previous version of CIS: No.
    b) if so, have U tried a standard config (without losing settings - if not please do)? Yes.
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No. AV Settings attached.
  5. Defense+, Sandbox, Firewall & AV security levels: D+=Safe, Sandbox=Enabled, Firewall=Safe, AV=Stateful.
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 7, SP1, 64 bit, UAC Yes, Admin.
  7. Other security and utility software currently installed: CIS, Windows Defender (disabled), and Windows Firewall (disabled).
  8. Other security software previously installed at any time since Windows was last installed*: None.
  9. Virtual machine used (Please do NOT use Virtual box): None.

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

No problem. Can you tell I work in the software industry? 8) I know this issue has been bugging a few folks for a long time now.

It may be worthwhile updating the “How to determine which file is causing AV to hang” post to include the technique I used. I found Process Explorer and Resource Monitor useless in this pursuit. :frowning:

Here’s a quick write up of what I did:

If you find the automated scan appears to crash on a different file every time, please know that the file reported onscreen by the scanner may not be the one that is causing the issue. This is because the scanner attempts to scan many files at once and can only report some of the files it’s working on.

Try the following scope narrowing technique to figure out which file, or files, are causing the issue:

  1. Open Windows Explorer and click on “Computer” / “My Computer” to see the list of drives in your system.
  2. Right click on C: drive and select “Scan with COMODO Antivirus”.
    3a. If the scan completes successfully, close the scanner and move to the next drive and repeat step 2.
    3b. If the scan stalls at 95-99% and does not allow you to stop or close the scan window go to step 4.
    3c. If you run out of drives to scan, run the full scan from COMODO AV to confirm that you still have a problem. Return to step 1 if you still have a problem.
  4. Terminate the scan using Task Manager.
    4a. Right click on the Windows taskbar and select “Start Task Manager” -or- Press and hold Ctrl-Shift-Esc, then release. Task Manager should appear.
    4b. Select the “Processes” tab.
    4c. In the list of processes locate “cavscan.exe”.
    4d. Right click on this process and select End Process, then confirm this action, the scan window should disappear.
  5. On the drive that crashed the scan, using the same techniques as above (Steps 2 and 3), individually scan each of the folders in the root of the drive. e.g. C:\$Recycle.bin, then C:\Boot, then … C:\Windows
    5a. One or more of these folders should hang the scan (as before).
    5b. Terminate “cavscan.exe” as above and descend into that folder and repeat Steps 2 and 3.
  6. You should end up narrowing the scope of your scan to a file list. Using the same technique, scan parts of the file list until you narrow down to one file.
  7. Report the file to COMODO via a Bug Report and please use the appropriate submission format.
  8. Add the file(s) found to hang the scanner to the AV exception list and rescan the folder containing the file(s). The scanner should no longer crash. If it does you may have more than one file causing a problem. Repeat until you have them all.
  9. Run a full system scan to confirm you’ve found all the offending files.

*Remember you may have more than one file causing issue, so don’t stop without scanning all your drives.

Also, for those advanced users using NTFS Junctions, Hardlinks, Symbolic links, etc. be aware that AV will follow these links, so you may be scanning other drives inadvertently.

Thanks,
B.
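
The scope-narrowing procedure in the post above, automated as a bisection over a file list. This is an added example, not part of the original posts and not COMODO tooling. It assumes a command-line scanner that takes file paths as arguments (`SCANNER_CMD` is a hypothetical placeholder; the thread only uses the Explorer context-menu scan) and treats any run that exceeds the timeout as a hang.

```python
import os
import subprocess

# Hypothetical placeholder: replace with a scanner that accepts paths as arguments.
SCANNER_CMD = ["scanner-cli-placeholder"]

def list_files(root):
    """All files under root; symlinked directories are not descended into."""
    found = []
    for dirpath, _dirs, names in os.walk(root, followlinks=False):
        found.extend(os.path.join(dirpath, n) for n in names)
    return sorted(found)

def scan_hangs(paths, scanner_cmd=SCANNER_CMD, timeout_s=120):
    """True if the scanner has not exited after timeout_s seconds on these paths."""
    try:
        subprocess.run(list(scanner_cmd) + list(paths), timeout=timeout_s,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return True  # subprocess.run() has already killed the stuck process
    return False

def find_hanging_files(files, hangs=scan_hangs):
    """Bisect `files` down to every single file that makes hangs(subset) true."""
    files = list(files)
    if not files or not hangs(files):
        return []          # this whole subset scans cleanly
    if len(files) == 1:
        return files       # narrowed to one offending file
    mid = len(files) // 2
    # Search both halves: there may be more than one offending file.
    return (find_hanging_files(files[:mid], hangs) +
            find_hanging_files(files[mid:], hangs))

if __name__ == "__main__":
    # Constructed sample: a stand-in predicate instead of a real scanner run.
    sample = ["app%02d.ipa" % i for i in range(16)]
    bad = {"app03.ipa", "app11.ipa"}
    print(find_hanging_files(sample, lambda subset: any(p in bad for p in subset)))
```

Set `timeout_s` well above the longest time a clean subset takes to scan, otherwise a slow but healthy scan is counted as a hang.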

Oh and three more quick things:

AV seems to put a copy of the offending file into %TEMP% and leaves it there, presumably because it crashes. It renames the temp file but I found it hung the scanner again, I compared the file hashes of the temp file and the “Cut the Rope 1.3.ipa” file, they were the same.

If you need it, the MD5 hash of “Cut the Rope 1.3.ipa” is E8F8ED6C596BCFF65998CE2EED71C19F

And another way to get around the problem if the scanner exclusions don’t work is to package the file up into a password encrypted zip/7zip file.

Thanks for all your research, much appreciated. Could I clarify what you mean by “I found Process Explorer and Resource Monitor useless”

What did not work?

Are you referring to my post on this matter, if someone else’s (there are several) I’ll notify them

Thanks again.

Under Win7 x64, Process Explorer did not appear to show the files scanned by cmdagent or cavscan. Running it as Administrator gives more information, but it only seems to report a handful of static file handles (libraries and executables) loaded during initial execution. Maybe I’m doing something wrong, but I followed the instructions here: https://forums.comodo.com/beta-corner-cis/how-to-determine-which-file-is-causing-a-manual-scan-to-hang-t60554.0.html

Resource Monitor displays all the files cmdagent and cavscan process during a scan, but the file that hangs the process is not very evident. Resource Monitor really only displays the disk IO being used by a process, not the open file handles.

Here’s what I think the crux of the problem is; I presume the scan code is multi-threaded (can see the threads in Process Explorer), and only one thread is hung by the offending file, but the other threads continue processing until there are no more files. So the offending file could have been picked up at any time during the scan, but the scan continues until all threads are done except the hung thread. The main code clearly waits for all threads to return before finishing the scan or allowing the window to close. This makes it hard to tell which file actually caused the thread to hang.