Sometimes I find Comodo Firewall disabled

Hello,

I’ve been using Comodo CIS for a while and I find it’s great. But I have a concern about the fact that it has happened at least two or three times in a month that I’ve found it disabled.

I usually have it set as “Safe Mode” and I seldom disable Defense+. I never (or almost) disable Firewall.

Is there some known issue that can bring Comodo Firewall to disable itself?

The bad thing is that the tray icon doesn’t change when the firewall is disabled (feature request!), which makes one think the firewall is working when actually it’s not.

Windows XP SP3 here; maybe it’s relevant to note that I have Cisco VPN Client, CheckPoint SecuRemote and VirtualBox installed, among others.

Thanks,
Mario

Does this help you further: https://forums.comodo.com/firewall_help/what_does_this_comodo_tray_icon_mean-t37767.0.html ?

Thanks, but I have the opposite problem: the icon is fine, but right clicking on it I find that Firewall is “Disabled”, though I’m almost sure I never set it that way.

Mario

Could you run the Diagnostics wizard under Miscellaneous and see if it reports any problems?

Just done; it reports no problem. And indeed, when I find it disabled I can re-enable it flawlessly.

Thanks,
Mario

I have no idea what might be causing this. The only thing I can think of is trying a clean install. When you are willing to try that, I will give you the steps to get rid of all traces of CIS before installing it again.

I still don’t know what happened, but in the meanwhile, after re-enabling the Comodo firewall, I discovered a hard rootkit attack bringing a stealth version of the ertFor trojan to my PC.

Also, Comodo Antivirus didn’t detect anything, not even the main offending file after it was isolated and moved out of the drivers folder (it was a .sys file); I submitted it to Comodo, but no update so far…

BTW, whatever the reason for the firewall being disabled, I think it’s crucial to have a visual indicator for the fact that the firewall, Defense+ or antivirus is disabled. I strongly suggest changing the tray icon when any of them is disabled.

Mario

Congrats on finding the malware on your system. Just out of sheer curiosity, how did you manage to find it?

I do agree with the idea of a visual indicator. :-TU

It wasn’t hard to find it; it was much harder to get rid of it :slight_smile:

I suddenly found my folder options changed (no more file extensions, no more hidden files); then I couldn’t access regedit. Defense+ then started warning about strange registry and file accesses. This was enough to start a serious investigation.

I did some research and found it was an old trojan, but enhanced with rootkit capabilities. I couldn’t even see my hard drives in Disk Management, and System Restore was blocked.

Sysinternals RootkitRevealer found some hidden items in the services area of the registry.

Then I used a mix of Ultimate Boot CD for Windows tools and SDFix to get rid of it.

Please raise the priority for a tray icon disabled visual indicator :slight_smile:

BTW, several antivirus apps out there still don’t detect this malware properly.

Mario

Full description and REMOVAL INSTRUCTIONS for “ertFor” (lots to do!) available at:

http://www.spywarevoid.com/remove-ertfor-trojanertfor-removal.html

I suggest you look there, since full removal sounds MORE complicated than what you did to remove it. They list ~10 files and processes (both “.exe” and “.dll”), and numerous REGISTRY entries to delete…

[Their description of this trojan sounds VERY nasty!]

- Prevention/Solution: BLOCK access to the “virusalarm-scanvirus.net” site, they say.
- QUESTION 1: So CAN we do this BLOCK in COMODO FIREWALL by entering just that site NAME, at “COMODO > Common > BlockedNetworkZone > Add > NewAddress > A Host Name”, or do we actually need the full NUMERICAL IP address?
- An independent way THEY say is to go to the “HOSTS” file; see: http://www.spywarevoid.com/how-to-block-malicious-websites-using-hosts-file.
- QUESTION 2: Has anyone gone that route to block sites? Good or problems?

Thanks, but actually this didn’t seem to be the “original” ertFor, but rather a morph or variant. For example, the regedit and file name classes differ, as do the executable names, and it seems to me that ertFor didn’t use rootkit techniques by itself. Kaspersky detected it under another name.

So, I had to do more than I mentioned, and in the last two days it seems (fingers crossed) that the system is back to being stable and safe. Also, I often had BSODs when shutting down the computer, and they vanished too after the clean-up.

The HOSTS file wasn’t affected, BTW.

Mario