Thousands of registry entries from Comodo, with Defense+

Hi all…

I used Defense+ for about six months, until spring of this year, when my system began to experience pegged CPU and was useless for about 15 to 25 seconds or so every time Defense+ popped up a message requiring a decision and action about a new program. Might have even been a longer period, like 60 seconds, I don't quite remember now, but I just got tired of having to stop doing what I was doing and having to wait until my system was usable again. I uninstalled Comodo, and unfortunately don't remember if I was running CIS 3.0 or 3.5, tho I *think* it was 3.5.

I’m considering installing it again at this point, to see if that issue has been cleared up, but I’m curious about something, figured I’d ask here. In the course of uninstalling, I was poking around the registry a bit, and discovered that when I did a registry search for keys with “comodo” mentioned in them, there were about 26,000 data matches, and about 19,000 key matches, with the term “comodo” in them (most in the comodo registry key - various rules, etc). That just seems like an awful lot of entries.

I’m wondering A) if this seemingly massive amount of registry entries is typical, and B) if just marking a program as a “Trusted program” creates fewer entries in the registry than when I decide to set up custom rules for a program (i.e., “Trusted Program” might just set ONE flag (registry entry) like “Allow all the standard ‘Trusted Program’ interactions”, rather than individually creating a bunch of individual rules for each of the Trusted Programs), or are all the rules created for every program individually, whether they are created via categorizing the program as a Trusted Program or alternatively setting up custom rules for the program.

Can anyone enlighten me a bit on either of these questions??  I don't think the jillions of registry entries slowed up my system any (other than, as I mentioned, the 15-25 second system freeze that eventually began happening when I had to respond to a Defense+ alert by classifying some program as Trusted or Installer or whatever, or creating custom rules for it, which eventually drove me to uninstall CIS), but it seems like an awful lot of registry clutter.  Maybe no other way to manage what Defense+ is doing other than having all those registry entries, I dunno...

   Thanks for any insight into this....

Hi ralc177,

This is/was a well-known problem with large Defense+ rules, especially if you used to set all to custom.
There has been a change regarding this issue, off the top of my head in version 3.9 or 3.10, and it was advised not to import previous version configurations because this would kill the registry performance improvement. So if you came from 3.5, I’d advise starting clean with a fresh 3.11.

Ronny…

Thanks so much for that information. I'm pleased to hear that that issue was addressed. As I said, it really did seem excessive to me, tho I'm by no means all that knowledgeable about this stuff. I could see how separate entries for every interaction that every program/process could have with every OTHER program or process could amount to a tremendous number of entries, which was perhaps the way Defense+ was keeping track of things.

If you (or anyone else) have any information on exactly what was done to change this situation (i.e., how it was restructured or whatever), I'd be very interested to know, just out of curiosity. Anyone???

I think it was mostly internal changes, don’t know the exact details cause they were not disclosed :wink:

That had me curious as well… I always wondered how they did that… 88)

I think that in the previous version all keys were first deleted and after that recreated; now they are overwritten as needed as far as I can see, and previously all keys were updated; now only “ask” rules are fully written and allow rules no longer verify if there are still keys present if they are not used. (You can have had this on ask first, then it saves rules, and if you change that to allow it will keep these rules but won’t update them during policy apply, but that’s an assumption, I did not verify this.)