Why are Windows processes like services.exe and shell32.dll triggering Defense+?

Just had to remove and reinstall CIS 5 and am perplexed at why I get pop-ups warning me about programs modifying the registry like services.exe, shell32.exe, svchost.exe, etc.

I ran sfc and it says the files it scanned are all in the original versions compared to SP3 slipstreamed using nlite, and I assume that includes services.exe, shell32.exe, svchost.exe and so on.

Is there something I am missing? I would think CIS would just check the files and pass on them without all the flags and “You must be sure the program is safe” stuff.

Shouldn’t CIS have a way to check if the files are OK built-in? Or check them online and pass on them like it seems to do for some other files?

Thanks for helping me understand what is going on (in advance)!
mr coffee

What configuration are you running? Did you make changes to the defaults of the configuration you are running?

Hi Eric,
Not sure what you mean by configuration… When I right click on the systray icon, the configuration selection menu shows “Comodo - Internet Security” checked and grayed out.

Defense+ security level is “Safe mode”, if that’s what you’re asking. Firewall is “safe mode” and Antivirus is “Stateful”. Sandbox is “enabled”.

I had installed Comodo CIS a good while ago and might have changed the various security levels back then, which the uninstall might have left behind and the install might have picked up, but I don’t recall changing any defaults this install.

So this isn’t normal CIS Defense+ behavior? I ran a virus scan and it found nothing.

Bart

Maybe because some parent application is running as an unknown?

Regards, Alex.

In safe mode, Def+ will alert the user of every action of unknown executable.
So if a program is trying to modify a protected file & folder, registry key or COM interface you’ll get an alert. Then, either you make custom rules for the programs triggering the alerts you mentioned, or you give them the predefined policy of trusted application if you want to avoid these alerts.
Note: for some programs “trusted application” isn’t enough to avoid alerts and they must get the status “installer/updater”.

Hi Alex,

What does “some parent application is running as an unknown?” mean? I don’t mean to sound ignorant, but I don’t understand what “parent application” would be calling a Windows process like services.exe and shell32.dll. Is there some reference I can read to help me understand what I am looking for?

And if a “parent application” is “running as an unknown” and using a windows process, shouldn’t that “parent application” be what Defense+ asks the user about, instead of asking about whether the windows process is a safe application?

I don’t get it. Any help appreciated.

Hi Boris,

Why are windows processes like services.exe and shell32.dll “unknown executables” to Defense+?

Doesn’t Defense+ have a built-in database of the .exe and .dll files that make up windows? Does it just respond to everything that modifies the registry as if it’s a bogey? I thought that the way Windows works it is always writing to the registry as standard operating procedure?

Is there a clear description somewhere of what Defense+ does? Spybot S&D has a monitor that blocks writing to the registry by applications that haven’t been OK’ed by the user, but it has never asked about Windows processes in my experience.

Thanks for any and all help. I hope I don’t have some really nefarious virus, trojan or whatever that is setting Defense+ off.

Bart

Unfortunately I do not know where to read about it, I’ll try to explain it myself.

Some time ago I noticed that rights are inherited from parent to child processes. I installed CIS for my friend and noticed that all applications launched using xWidowDock (or something like this) were labeled Trusted, because the initiating program (some icon dock) was manually marked as Trusted. When run normally (without the Dock) the same program was labeled on the basis of the whitelist.

I think the same inheritance logic applies to untrusted. Next time, check the Active Process List; it shows which process initiated the process, and whether it is marked Trusted or Untrusted. Then it becomes clear whether I’m right or not in your situation.

PS: I attached my screenshot as an example; the process tree can be seen clearly.

Alex

[attachment deleted by admin]
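As an added illustration of the parent-to-child inheritance described in the post above (this is not CIS code, and the process snapshot is constructed), a small Python model that traces a process's ancestry and reports which ancestor explains its rating, so the alert on a system file can be tied back to the unknown program that launched it:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    whitelist: str                 # what CIS's own file list says about the file
    manual: Optional[str] = None   # label the user set by hand, if any

# Constructed snapshot in the spirit of the Active Process List; not real data.
SNAPSHOT = [
    Proc(4, 0, "System", "Trusted"),
    Proc(600, 4, "services.exe", "Trusted"),
    Proc(900, 600, "svchost.exe", "Trusted"),
    Proc(1500, 4, "explorer.exe", "Trusted"),
    Proc(2100, 1500, "icondock.exe", "Unrecognized", manual="Trusted"),
    Proc(2200, 2100, "notepad.exe", "Trusted"),
    Proc(3000, 1500, "setup_tool.exe", "Unrecognized"),
    Proc(3200, 3000, "rundll32.exe", "Trusted"),  # e.g. hosting shell32.dll
]
def ancestry(procs: List[Proc], pid: int) -> List[Proc]:
    """Chain from the root ancestor down to pid, as a process tree view shows it."""
    index, chain = {p.pid: p for p in procs}, []
    while pid in index:
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain[::-1]

def effective_rating(procs: List[Proc], pid: int) -> Tuple[str, str]:
    """Simplified model of the inheritance described above: a manual label on an
    ancestor carries down; otherwise an Unrecognized ancestor taints its children."""
    rating, source, inherited_manual = "Trusted", "own whitelist rating", False
    for p in ancestry(procs, pid):
        if p.manual:
            rating, inherited_manual = p.manual, True
            source = f"manual label on {p.name} (pid {p.pid})"
        elif inherited_manual or rating == "Unrecognized":
            continue  # keep what the ancestor passed down
        elif p.whitelist == "Unrecognized":
            rating, source = "Unrecognized", f"{p.name} (pid {p.pid}) is unrecognized"
        else:
            rating, source = p.whitelist, "own whitelist rating"
    return rating, source

def expected_alerts(procs: List[Proc]) -> List[str]:
    """Safe Mode alerts on actions of unrecognized processes; name each with its cause."""
    ratings = {p.pid: effective_rating(procs, p.pid) for p in procs}
    return [f"{p.name} (pid {p.pid}): {ratings[p.pid][1]}"
            for p in procs if ratings[p.pid][0] == "Unrecognized"]
```

In the constructed snapshot, rundll32.exe is on the whitelist but still comes out Unrecognized because setup_tool.exe launched it, which is the process the user should actually be deciding about.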

Why are windows processes like services.exe and shell32.dll "unknown executables" to Defense+?

Doesn't Defense+ have a built-in database of the .exe and .dll files that make up windows? Does it just respond to everything that modifies the registry as if it's a bogey? I thought that the way Windows works it is always writing to the registry as standard operating procedure?

I’m not following you. Do you get an alert for programs trying to modify protected files & folders, registry keys and/or COM interface or do you get alerts when these protected files… run?

Have a look at what is in your protected files & folders, …

Check that you have a rule in Computer Security for Windows System Applications, Windows Updater Applications and Services.exe.

You could have a look at the user’s manual of CIS: Comodo Help

Hi Mr Coffee and welcome. You haven’t simply got a system file accidentally sandboxed have you? Check Unrecognized files in Defense+ and in Defense+, Computer Security policy, Always Sandbox.
Kind regards.