When malware is killed, cmd.exe remains and consumes high CPU [Issue: 263]

Hi,

I noticed that when I run a malware (trojan) that is not recognized by the AV, it’s automatically sandboxed. It’s normal! Great! But when the malware process closes or is killed, the cmd is not killed by CIS and stays in memory. Then the computer slows down incredibly because of that cmd process (see img below).

CIS should be able to free the memory from these malware cmd processes :-TD.

The example below is after running 2 trojans, sandboxed but not recognized by the AV -> result: 2 cmd processes using 67% of the processor…

[attachment deleted by admin]

Hi CVSA

Thanks for another interesting issue!

If you want devs to look at this bug I have to ask you to put it in the standard format, please. It’s here.

Then we’ll discuss and if validated it will go into the verified bug reports Child Board. Then devs will look at it :slight_smile:

Many thanks and best wishes

Mouse

CIS leaves cmd malware process: slowing down the PC


The bug/issue

  1. What you did: ran 2 fresh trojans from MDL
  2. What actually happened or you actually saw: Trojans were not caught by AV or cloud. They were sandboxed as expected. They started and created a cmd process (one for each trojan); after 2 seconds, the parent trojan process stopped BUT the cmd REMAINED, using 67% of the processor activity. The computer became sooooo slow I had to reboot.
  3. What you expected to happen or see: CIS should be able to kill cmd when the parent trojan process stopped
  4. How you tried to fix it & what happened: killed the cmd processes or rebooted: OK
  5. Details (exact version) of any software involved with download link: almost any fresh exe.exe from MDL ;D
  6. Bugzilla id (mods use only):

Files appended

  1. Screenshots illustrating the bug: cf first message of this thread
  2. Screenshots of related event logs or the active processes list:
  3. A CIS configuration report:
  4. Crash or freeze dump file:

Your set-up

  1. CIS version & configuration used: v5.0.162636.1135, proactive security
  2. Whether you imported a configuration, if so from what version: no, clean install
  3. Defense+ and Sandbox OR Firewall security level: D+ secure mode / Sandbox activated / FW secure mode
  4. OS version, service pack, no of bits, UAC setting, & account type: Win XP SP3 32 bits / UAC disabled / administrator
  5. Other security and utility software running: MBAM free / Hitman pro
  6. CIS AV database version: 6099

I don’t have this report (no “M$ net passport”) :stuck_out_tongue:

And I don’t think there’s a report because the app didn’t crash at all… :-\

(Maybe I didn’t understand what you meant? :-[)

Rem: Maybe you could send me a PM in French :wink: ;D that would be easier for me to understand… (:KWL)
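For anyone triaging a report like the one above, the following PowerShell script is an added example written for this page; it is not part of the thread, of CIS, or of any tool the posters mention. It lists processes of a given image name (cmd.exe by default, matching the report) whose parent process has already exited, samples each one's CPU use over a few seconds, and flags the ones above a threshold. The image name, sample interval, threshold and the opt-in `-Terminate` switch are assumptions chosen for the example; it needs PowerShell 3 or later for the CIM cmdlets and should be run from an elevated prompt.

```powershell
# Added example (not from the thread or from CIS): report orphaned cmd.exe
# processes, i.e. those whose parent PID no longer exists, and measure their
# CPU use. Nothing is terminated unless -Terminate is passed explicitly.
param(
    [string]$ImageName = 'cmd.exe',      # image to inspect (assumed default, as in the report)
    [int]$SampleSeconds = 5,             # window over which CPU time is sampled (assumed)
    [double]$CpuThresholdPercent = 50,   # flag processes at or above this share (assumed)
    [switch]$Terminate                   # opt-in: stop flagged processes
)

function Get-OrphanedProcesses {
    param([string]$Name)
    $all = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($p.Name -ne $Name) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        # Orphaned if the parent PID is gone, or if that PID has been reused by
        # a process that started after this child (a real parent predates its child).
        $orphan = ($null -eq $parent) -or ($parent.CreationDate -gt $p.CreationDate)
        if ($orphan) { $p }
    }
}

function Measure-CpuPercent {
    param([int]$ProcId, [int]$Seconds)
    $cores = [Environment]::ProcessorCount
    $p1 = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcId"
    if (-not $p1) { return $null }
    # KernelModeTime/UserModeTime are cumulative, in 100-nanosecond units.
    $t1 = [double]$p1.KernelModeTime + [double]$p1.UserModeTime
    Start-Sleep -Seconds $Seconds
    $p2 = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcId"
    if (-not $p2) { return $null }   # process exited during the sample window
    $t2 = [double]$p2.KernelModeTime + [double]$p2.UserModeTime
    # Share of total machine CPU: delta / (wall-clock interval * core count).
    return [math]::Round((($t2 - $t1) / ($Seconds * 1e7 * $cores)) * 100, 1)
}

foreach ($proc in Get-OrphanedProcesses -Name $ImageName) {
    $cpu = Measure-CpuPercent -ProcId $proc.ProcessId -Seconds $SampleSeconds
    if ($null -eq $cpu) { continue }
    $flagged = $cpu -ge $CpuThresholdPercent
    [pscustomobject]@{
        PID         = $proc.ProcessId
        ParentPID   = $proc.ParentProcessId   # no longer running
        Started     = $proc.CreationDate
        CommandLine = $proc.CommandLine
        CpuPercent  = $cpu
        Flagged     = $flagged
    }
    if ($Terminate -and $flagged) {
        # Manual cleanup, the same effect the reporter got from Process Explorer.
        Stop-Process -Id $proc.ProcessId -Force
    }
}
```

Running it without switches only reports, so the output (PID, dead parent PID, start time, command line, CPU share) can be attached to a bug report like the one above instead of a screenshot; the CommandLine column is usually the quickest way to tell a leftover from a sandboxed sample apart from a legitimate shell whose launcher simply exited.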

I’ve split brucine’s post out to the comment on the format topic, and replied to it here. Basically he’s wrong - CIS config report is not obligatory, just advised, & does not need MS passport!

Still a few bits of info in ‘My Setup’ missing. If you would be so kind as to supply them then I will forward this as a verified bug

(I have added some from a previous report so please check them)

Many thanks again

Mouse

You can see an example of this issue here : Norton Internet Security 2011 vs Comodo Internet Security (Part 4) - YouTube

at 6’40s…

@Mouse1 do you know if Comodo staff took that issue into account? O0

OK, updated my settings

Thanks, forwarding now. Tried to find the problematic part in the video but there is lots of it! Is it relevant to this bug?

Languy from Comodo seems aware

BTW are you using CIS to kill/close the malware? What CIS function are you using?

Best wishes

Mike

No, I use Process Explorer. But I think CIS could work also… I’ll try

In the video, all cmd processes shown in Process Explorer are remaining instances of sandboxed malware.

Maybe there should be a cap on CPU resources that sandboxed applications cannot go higher than (sorry for my bad English :-[)

Thanks, if you could try it I would appreciate it. The devs are likely to argue that if CIS did not kill it, CIS cannot control the implications of killing it.

I too think there should be an option to control CPU % in auto-sandboxed apps. I use Process Tamer to control this as an addition to CIS. Works OK with it.

Why not raise a wish list item?

Best wishes

Mouse

The tmp file can be terminated and blocked by CIS

Thanks. When you terminated the malware using CIS, did the command process remain consuming high CPU?

Alternatively, did the parent malware file close itself leaving the cmd.exe consuming high CPU? In which case CIS should arguably handle this anyway

Many thanks

Mike

Any thoughts CVSA?

Best wishes

Mouse

I think the parent malware file closes itself leaving the cmd.exe consuming high CPU. Indeed, I sometimes don’t even have time to close the parent process manually.

OK. I’ll transfer to verified issues then. An id for a file that definitely shows this problem would be appreciated. You cannot post links of course.

This is timely, as we have recently been discussing what to do about CPU usage.

Meanwhile try Process Tamer (just google it), making sure to exclude CFP and cmdagent and any other security software. Basically it retro-engineers a form of pre-emptive multi-tasking into Windows, which as you probably know is really based on co-operative multi-tasking… :slight_smile:

Best wishes

Mouse