I am still trying to understand CFW. I use V3, the latest version.
On my system RegRun Suite from Greatis is also installed, because that helps me control which processes autostart. At one point I thought that Defence+ would check that as well and give me control over autostarts, but I did not manage to work out how. So I use RegRun too.
Antivirus is Avast.
Problem encountered:
After a reboot or fresh start, two system32 files are deleted on Windows XP Pro SP3.
aclui.dll and acledit !!
Then I can't use certain tools like Task Manager etc.!! CRUCIAL!
So I keep a backup of those two files in a zip and always have to copy them back in order to keep working. That works!
But of course I would be very happy to know why that happens. I checked the fresh PC (naturally, with only the usual things installed otherwise) with F-Secure BlackLight for trojans, with Avast and with Comodo, and it seems to be CLEAN!
I then tried to put those two files into the Defense+ protected file list, but they keep disappearing!
Please help me and explain how I can REALLY protect system files and others with CFW / Defense+ from manipulation or deletion! How can I trace the source?
Try uploading the 2 files to VirusTotal and see if anything comes up.
Especially Avast: if it's recognized, then have a look at the Avast log files to see if you can find it reported there.
I checked VirusTotal and the Avast log; there is no sign of malware activity. So, well, am I wrong, or can I
protect those two files with Comodo Defense+? Best would be if a popup warning then came up and informed me which process / file is deleting aclui.dll.
I did a safe-mode Windows start (F8) and aclui.dll did not disappear!
I then did a normal start and used the Greatis RegRun feature to do a clean Windows boot with a minimum of startup files, and they didn't disappear either!
So there must be something responsible for this during the Windows boot. So I disabled all autostarts, but had no success.
HijackThis, Avast, Comodo and F-Secure BlackLight say my PC is clean.
Referring to my earlier question: can't I protect this DLL with Defense+?
If not, with any other software? It should be possible to run this problem down.
I'm not familiar with RegRun, but if booting in Safe Mode keeps the file, then it's definitely a program cleaning this out.
Does RegRun also disable services? Maybe you could take a look in there to see who could be doing this.
You can also go to Local Security Policy, Security Settings, Local Policies, Audit Policy,
and enable all Success, Failure (write down the defaults).
If all are enabled, reboot "normal" and after the files have disappeared have a look at the Event Viewer, Security log, to see who did it.
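The audit-policy step above as a script, added here as an example; it is not part of the original thread and is not Comodo's or RegRun's code. It assumes Windows PowerShell 2.0 installed on the XP SP3 machine, an Administrator session, an English Windows (the field names it matches in the event text are the English ones), and that Audit Object Access has already been set to Success, Failure as described. One point the instructions above leave out: on XP the policy only switches auditing on; a file is not audited until it also carries an auditing entry (a SACL) of its own, which is a plausible reason the Security log shows nothing for aclui.dll. The script adds that entry first, and after the next boot pairs the Object Open / Object Open for Delete events (IDs 560/563, which name the file and, on SP2 and later, the calling image) with the Object Deleted events (ID 564, which carry only the handle).

```powershell
# Added example for this thread, not Comodo's or RegRun's code.
# Assumes Windows PowerShell 2.0 on the XP SP3 box, run as Administrator,
# English Windows event text, and Audit Object Access already enabled.
# Run once without -Query to arm auditing; run with -Query after the reboot.
param([switch]$Query)

$Files = @('C:\WINDOWS\system32\aclui.dll', 'C:\WINDOWS\system32\acledit.dll')

# Step 1: put an auditing entry (SACL) on each file. The audit policy alone
# logs nothing for a file that has no auditing entry of its own.
function Add-FileDeleteAudit {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            Write-Warning "$p is missing; restore it from the zip backup first"
            continue
        }
        $acl    = Get-Acl -Path $p -Audit            # reading the SACL needs admin rights
        $rights = [System.Security.AccessControl.FileSystemRights]'Delete, Write, TakeOwnership, ChangePermissions'
        $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
        $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $p -AclObject $acl
    }
}

# Step 2: after the next normal boot, find out who touched the files.
# XP/2003 Security IDs: 560 = Object Open, 563 = Object Open for Delete
# (both name the file; SP2+ adds the caller's Image File Name),
# 564 = Object Deleted (Handle ID and Process ID only). So collect the
# 560/563 events that name our files and pair each with the first later
# 564 event that closes out the same handle. Handle IDs are reused over
# time, so the -Since window should be kept short (the last boot).
function Find-FileDeleteEvents {
    param([string[]]$Paths, [datetime]$Since)
    $namePattern = ($Paths | ForEach-Object { [regex]::Escape((Split-Path -Leaf $_)) }) -join '|'
    $events = Get-EventLog -LogName Security -After $Since
    $opens  = $events | Where-Object {
        (560, 563 -contains $_.EventID) -and ($_.Message -match $namePattern)
    }
    foreach ($o in $opens) {
        $handle = if ($o.Message -match 'Handle ID:\s*(\S+)')      { $matches[1] } else { '' }
        $image  = if ($o.Message -match 'Image File Name:\s*(.+)') { $matches[1].Trim() } else { '(not in message)' }
        $deleted = $null
        if ($handle -ne '') {
            $deleted = $events | Where-Object {
                $_.EventID -eq 564 -and $_.TimeGenerated -ge $o.TimeGenerated -and
                $_.Message -match ('Handle ID:\s*' + [regex]::Escape($handle) + '(\s|$)')
            } | Select-Object -First 1
        }
        New-Object PSObject -Property @{
            Time    = $o.TimeGenerated
            EventID = $o.EventID
            Handle  = $handle
            Process = $image
            Deleted = [bool]$deleted
        }
    }
}

if ($Query) {
    Find-FileDeleteEvents -Paths $Files -Since (Get-Date).AddHours(-2) |
        Sort-Object Time | Format-Table Time, EventID, Process, Deleted -AutoSize
} else {
    Add-FileDeleteAudit -Paths $Files
}
```

The Process column is what the thread is after: the image name of whatever opened the file for delete during boot. If the 560/563 events appear but no 564 ever pairs with them, the file was opened but not deleted through that handle, so look at the remaining entries for the same Process ID; if no 560/563 events appear at all, check that the SACL actually landed on the restored copy of the file, since copying the file back from the zip replaces it and the audit entry has to be added again.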
I followed your instructions,
but I am not able to find any traces of aclui.dll in my events. I am now using the alternative freeware tool MyEventViewer from NirSoft, which allows me to browse all my events faster…
Anyway, the files are gone now and I will carry on finding the source. I just installed BitDefender Free next to my Avast scanner and will see what that tells me. Then I have prepared an Avira boot USB stick and will see what that says. Afterwards I'll try some malware scanners such as Spybot, SuperAntiSpyware etc.
I don't know what to do, and perhaps I will have to reinstall, though time is short since I am deep into final exams.
Anyway, what is Comodo's file protection for?
I set up my own group in Defense+, MyOwnSafeFiles, and added C:\windows\system32\aclui.dll and acledit.dll
As far as I know it will protect your files against "malicious" programs, so if a legit piece of software changes it I guess it won't block this… but then again I could be wrong…
From the help file:
This section allows you to protect specific files and folders against unauthorized modification. Protecting files prevents modification by malicious programs such as viruses, trojans and spyware. It is also useful for safeguarding very valuable files (spreadsheets, databases, documents) by denying anyone and any program the ability to modify the file - avoiding the possibility of accidental or deliberate sabotage. If a file is "Protected" it can still be accessed and read by users, but not altered. A good example of a file that ought to be protected is your "hosts" file (c:\windows\system32\drivers\etc\hosts). Placing this in the "My Protected Files" area would allow web browsers to access and read from the file as per normal. However, should any process attempt to modify it, then Comodo Firewall Pro will block this attempt and produce a "Protected File Access" pop-up alert.
I've done some testing; this won't work for applications you put in the "Trusted" policy, because they are allowed to change protected files. If you wish to cover this, you need to change the:
Defence+ Policy
All Applications, Access Rights, Protected Files/Folders, Blocked Files/Folders.
Put the previously created group in here. Apply all and test again.
Now it will give you an "Access Denied" message if you try to save changes to this file (or files).
It also logs an entry in your Defence+ logging.
Thank you a lot! I'd never have guessed how to get that working. BTW, I did read the manual and the excerpt you quoted, but, well, I overlooked the term "malicious" and did not get the proper meaning. It is great to know now what I can do in Defense+.
Never thought that the key is in the rules allowed or not allowed for general *.exe files :BNC
PS:
None of the above antivirus scans gave a positive result. So my PC seems to be clean, and it is a "clean" file that does this deleting… better: DID.
Now I will see which of my programs was the culprit. I have a strong eye on the WebDAV tool called "NetDrive" from SolutionBox. It is named like a Novell tool that does exactly the same, so I had not recognized that my tool is not from Novell, and therefore I did not suspect it of causing possible havoc, but I will have to check this…
Yes, indeed, it helped. Because I edited that rule for all applications in the Defence+ settings, no executable,
e.g. Explorer or Total Commander, can delete the file any more, as long as Defence+ is running.
That is, because I had given the status of a trusted application true transparency, maybe I should have altered only the settings for the netdrive.exe executable. Anyway, it does work now.