Windows 7 - "System" application trying to write to windows/system32 files

I’d like to check if I should allow this activity newly being reported by my Comodo Internet Security install.

Since about a week ago, new warnings have been reported by Defense+ which I don’t know whether I should be concerned about, or whether somehow this behavior is missing from the current “known safe activity”.

Comodo Defense+ has been reporting, in the pop-up dialogue within which I can choose to allow or block, that an ‘application’ named “System” is trying to modify the contents of the following folders/files:

C:\Windows\system32\LogFiles\RtBackup\EtwRTMsMpPsSession7.etl
C:\Windows\system32\WDI\LogFiles\ShutdownCKCL.etl
c:\Windows\System32\LogFiles\HTTPERR\

The second one happens at shutdown while the others I believe have come up at different times between startup and shutdown.

Is this normal Windows 7 Home Premium behavior?

I’ve done Google searches to try to find info to reference regarding those files/folder and haven’t been able to find anything conclusive. What I see about the LogFiles\HTTPERR\ folder indicates it is related to IIS, which I don’t have any use for on my laptop and have not enabled.

When the Comodo pop-up comes up and I click on the “System” application name (as it allows you to do, so you can see the path the application resides in), it shows it is in the c:\windows\system32 folder, but that folder does not contain a file named just “System”, not even “system.exe”, so I’m not sure whether Comodo is just naming the application “System” as a generalization of the Windows ‘system’ or something else.

Any help appreciated.

System is a generalization of Windows.

Since Windows is doing this it should be safe unless in some way hijacked. Hijacking core Windows files should be difficult - svchost is more easily hijackable as I understand it, but is separately referenced by CIS. Maybe an update caused it to start happening.

To check for any software that might be hijacking Windows, look in the active processes list to see if anything unrecognised by CIS is running. Or, even better, use KillSwitch in CCE to do the same thing. (Note that CCE is serious cleaning software - you need some expertise to use it correctly.)

Only able to be of partial help here. Maybe PM languy, who is one of the mod experts on malware.

Best wishes

Mouse

I have been getting the same message since 11/12/12. Comodo needs to explain, IMO.

In my case, it was very obvious.
I added a new entry in “HIPS Rules” and selected in “Running Processes” the process named “System” and ruleset “Windows System Application”.

Alerts for system process disappeared.

I myself have had this issue for the last several days. I get an alert sound when Windows is shutting down, but don’t see the alert. However, when I next have the computer running, a look at the CIS events log shows the same nonsense occurring - the HIPS module giving an alert to the effect that System could not be recognized and is trying to create the file / folder C:\WINDOWS\system32\WDI\LogFiles\ShutdownCKCL.etl .

In HIPS Rules I tried entering System in the list, giving it the Windows System Application ruleset. The immediate result was no alert at the next shutdown, but then alerts resuming for subsequent shutdowns, indeed with a shutdown hang on one occasion, because CIS didn’t save that setting - presumably because it is confused about what System is, because it isn’t actually a specific process to start with.

I have to say, if Comodo can’t get this fixed very soon I shall disable the Comodo HIPS and use a HIPS from another source. Not ideal, but these alerts are getting to be a nuisance, and they’re so unnecessary!

Unless there’s reason to believe the system has been compromised, then alerts in and of themselves aren’t cause for alarm. This is especially true when the system is configured in paranoid mode security level.

By and large, the alerts that are generated through normal system operation are essentially the generation of a normal security baseline. With each alert generated, the system is developing a rule-set for normal system function. Normal system function is defined by the user, i.e., the user initiates an action, the action requires a named resource access, such a rule is not already in existence, and so an alert is generated.

One either answers allow with ‘remember’ ticked - a specific rule for the application is created - or allow without ‘remember’ ticked, and the system goes off and does its thing. The next time the same named resource is requested, the same alert is generated.

In general I don’t appreciate the latency of ‘remember’ when allowing actions by any application. I let the application do its thing, answer all the alerts to allow, and then create all the rules necessary in one fell swoop by glomming the event log entries for the arbitrary application in question. One of the huge benefits of doing it that way is discerning patterns in the named resource accesses. This allows utilization of wildcards, i.e., ‘*’ or ‘?’, in the named resource access rule.

I believe that ‘system’ is the kernel itself. So unless there’s any reason to believe the system is compromised, by all means ‘allow’ and ‘remember’ - or create the specific rules manually - so as to ensure proper system functionality.

There’s no real cause for alarm until, after a period of relative quiescence, an application begins clamoring for named resource access OR things start happening which the user did not request. Here’s a good example, albeit extreme: suddenly notepad.exe demands DNS client-service resource name access, including the ability to modify various registry entries. That’s just plain WRONG!

Other than that, when one is using the system and an alert is generated immediately after something was initiated by the user, well, gee, that alert is necessary to accomplish what the user just attempted to do. What would absolutely be alarming is alerts for things the user didn’t attempt to do, or alerts just out of the blue for applications unrecognized by the user, or even recognized applications requiring named resource access which the user didn’t initiate, e.g., AcroRd32.exe requests access to HKLM\SYSTEM\ControlSet001\Control\Network{4D36E972-E325-11CE-BFC1-08002BE10318}{719EA1E4-1EB8-4138-AD0C-08BBCF1C4B77}\Connection\PnpInstanceID or perhaps the COM interface LocalSecurityAuthority.Restore.

Not only would it be alarming if I opened a PDF and the aforementioned resources were requested, but if it launched by itself and asked for that I’d be freaking totally out.

Hope that helps.

Actually, no, it doesn’t help really, because it is not referring to my actual situation. As I thought would have been clear from my post, I am not worried by the alerts - it’s clear that they are simply false alarms, an annoyance. My HIPS is set to Clean PC, not Paranoid mode. Because I don’t get any chance to see or respond to the alerts, I cannot ‘allow’ them or choose ‘Remember this response’ or ‘Add to Trusted’ or anything to prevent further alerts for the particular undoubtedly innocent event at each Windows shutdown. Particularly as this is an issue that has been a nuisance over the years for a fair number of people with CIS, I see it as an issue that Comodo needs to fix if CIS is to have a good reputation and become more widely used. Silly things like this just being accepted and not fixed just add a little more weight to the odds for changing from Comodo to another security suite at some future time - something I don’t really want to do.

the HIPS module giving an alert to the effect that System could not be recognized

That shouldn’t be happening. First off, in Clean PC mode, CIS will only alert for new things after setting the slider to that. All things existing at that point in time get ‘remember this’ rules created automatically without an alert.

Perhaps the Trusted Files listing is corrupted. You could try to delete it in Safe Mode, but that’ll reset all trusted files.

In fact, that specific problem’s been seen before: https://forums.comodo.com/defense-sandbox-help-cis/system-could-not-be-recognized-t81044.0.html;msg580916#msg580916

Today I tried uninstalling CIS altogether and then reinstalling, and for the moment that seems to have cleared the issue - at least I’ve had two computer shutdowns so far since then, with no unwanted alerts, even though my settings are the same as before. Crossed fingers! :wink:

Oh bggr, at the 4th shutdown since my reinstalling CIS the issue returned - so in effect nothing’s been resolved.

Oh, man. >:(

First off, my suggestion about deleting trusted files has been deprecated; you can’t do that because the files are SQLite DBs and they’re linked in toto for that, trusted vendors and various event logging. Rumor has it that mucking around with them will corrupt CIS.

Anyways, you’re getting notification that system is unrecognized. Is it being sandboxed? Is it appearing in unrecognized files list? Can you move it to trusted files?

If it is unrecognized, then it should become sandboxed. That’ll be a problem. /end-British-understatement-mode.

My experience shows that once an image is interdicted as untrusted - in the sandbox - because it’s unrecognized, the process must be terminated - exits sandbox - and relaunched.

Easy enough to restart without invoking a restart to effect a complete normal system shutdown and reboot cycle, i.e., terminate explorer.exe. Unfortunately you can’t terminate ‘system’ and relaunch it.

If CIS refuses to recognize system as legit, that there is cause for alarm. Because, if system is being manually recognized, and after a while it goes unrecognized, that’s evidence the file hash associated with system is changing. Only a few things do that and none of them are good.

I think you’re missing the point. I don’t see the alerts, apart from lines in the relevant log on next Windows startup, but the problem is that CIS simply doesn’t keep ‘System’ in any lists. All I could do was add the running process ‘System’ to Trusted, and then when I shut down Windows there is no alert - but System has disappeared from that list when I next start Windows, so that of course the alerts resume. I never see any signs of System getting sandboxed - and in any case if it were sandboxed presumably Windows, or some part of it, would fall over, so I’d know that something was wrong. The CIS unrecognised files list doesn’t include anything just called System - but a search for ‘system’ in that list is like looking for a needle in a haystack, seeing that the word ‘system’ is somewhere in many entries.

Honestly, I think the problem is NOT that CIS is picking up on a malware calling itself ‘System’, but that CIS is not identifying ‘System’ correctly or at all, and doesn’t know how to handle it in a list of trusted or untrusted files. After all, ‘System’ is simply trying to access a shutdown logfile at shutdown, when I get the alerts, so it’s unlikely in the extreme that we’re talking about anything other than a bug or programming lapse in CIS.

First off, what security configuration have you implemented? Try setting CIS to Clean PC mode.

Secondly, you shouldn’t have anything unrecognized in the Unrecognized Files list. If trying to find ‘system’ in that list is akin to finding a needle in a haystack, that’s a problem; you have way more than the maximum allowable number, i.e. ZERO. That’s the whole point of CIS: to warn you unrecognized stuff is running, or what used to be recognized now isn’t anymore. The latter is a huge warning that something happened.

If you don’t know what those unrecognized files are, then by all means submit them to CIS servers for assessment. Of course that’ll take a while to turn around. I believe that anything O/S related, whether default or WAU related, should resolve quickly with ‘scanned online and determined safe’. Those should automatically go into Trusted Files.

Another issue may be that logging isn’t enabled, or you’re not seeing the full alerts either, or both. By default CIS blocks, and if it’s not logged or alerted, how are you going to fix it?

The only things that could reasonably be unrecognized would be 3rd Party app related, e.g., JQS, Java, Deploy, Javacpl.cpl, Flash installer, etc., after doing updates for any of those, or anything executing for the first time.

No matter what, anything unrecognized will end up becoming sandboxed; unless you have that turned off. So it might not be whatever the ‘system’ process is that’s at issue, but something ‘system’ is trying to interface with.

On my Win2003 R2 system, Windows Operating System is PID 0, SYSTEM is PID 4, and they are discrete processes independent of each other. The latter spawns SMSS, which begets CSRSS & WINLOGON, which begets SERVICES, which launches SVCHost, which in turn begets a host of ■■■■, as does SERVICES launching other stuff in addition to SVCHost. Explorer.exe is an isolated process discrete from either Windows Operating System or SYSTEM.

But clearly SYSTEM is mission critical to the O/S.
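Both the claim above that ‘system’ is the kernel itself and the process tree described in the previous post can be checked directly on the machine. The following is an added example written for this page, not code from the thread or from Comodo. It assumes an elevated PowerShell 2.0 or later session on Windows 7 with default paths, that `logman` prints its English column headings, and that the three folders named in the first post exist; the folder list and the session-name parsing are assumptions made for illustration.

```powershell
# Added example (not from the thread or from Comodo). Assumes elevated PowerShell 2.0+ on
# Windows 7 with default paths and English logman output.
# 1. "System" (PID 4) has no user-mode image file, which is why no System.exe exists in
#    system32; the code it runs is the kernel, ntoskrnl.exe, whose signature we verify.
$sys = Get-Process -Id 4
$imagePath = if ($sys.Path) { $sys.Path } else { '<none: kernel process>' }
Write-Host ("System process: {0} (PID {1}) image: {2}" -f $sys.ProcessName, $sys.Id, $imagePath)
$kernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
$sig = Get-AuthenticodeSignature -FilePath $kernel
Write-Host ("ntoskrnl.exe signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)

# 2. Process tree rooted at PID 4, built from WMI parent/child links
#    (System -> smss -> csrss/winlogon -> services -> svchost ...).
$all = Get-WmiObject -Class Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
$visited = @{}   # guards against cycles caused by PID reuse (stale ParentProcessId values)
function Show-ProcessTree {
    param([int]$RootId, [int]$Depth = 0)
    if ($visited.ContainsKey($RootId)) { return }
    $visited[$RootId] = $true
    $node = $all | Where-Object { $_.ProcessId -eq $RootId }
    if (-not $node) { return }
    $indent = '  ' * $Depth
    Write-Host ("{0}{1} (PID {2}) {3}" -f $indent, $node.Name, $node.ProcessId, $node.ExecutablePath)
    $all | Where-Object { $_.ParentProcessId -eq $RootId -and $_.ProcessId -ne $RootId } |
        ForEach-Object { Show-ProcessTree -RootId $_.ProcessId -Depth ($Depth + 1) }
}
Show-ProcessTree -RootId 4

# 3. Active ETW trace sessions. Their .etl log files are the kind of file named in the alerts;
#    'logman query -ets' lists the sessions currently running. Parsing is an assumption about
#    the English output layout: "<name>   Trace   Running".
Write-Host "`nActive ETW trace sessions:"
logman query -ets 2>$null | ForEach-Object {
    if ($_ -match '^(.+?)\s{2,}Trace\s+(\w+)\s*$') {
        New-Object PSObject -Property @{ Session = $Matches[1].Trim(); Status = $Matches[2] }
    }
} | Sort-Object Session | Format-Table Session, Status -AutoSize

# 4. The folders from the first post: show owner and most recently written files.
#    Access can be denied even when elevated, so each folder is handled separately.
$folders = @(
    (Join-Path $env:SystemRoot 'System32\LogFiles\RtBackup'),
    (Join-Path $env:SystemRoot 'System32\WDI\LogFiles'),
    (Join-Path $env:SystemRoot 'System32\LogFiles\HTTPERR')
)
foreach ($folder in $folders) {
    try {
        $owner = (Get-Acl -Path $folder -ErrorAction Stop).Owner
        Write-Host ("`n{0}  (owner: {1})" -f $folder, $owner)
        Get-ChildItem -Path $folder -ErrorAction Stop |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 5 Name, Length, LastWriteTime |
            Format-Table -AutoSize
    } catch {
        Write-Host ("`n{0}: {1}" -f $folder, $_.Exception.Message)
    }
}
```

Run it once at a quiet moment and once right after a shutdown/startup cycle: if PID 4 still has no image path, ntoskrnl.exe still reports a valid Microsoft signature, and the most recently modified files in those folders are the trace logs of sessions that `logman` lists, the writes the HIPS attributes to “System” are consistent with ordinary kernel-side logging rather than with a hijacked process.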

Somebody replies to my posts without reading them properly! :slight_smile: I have already stated that I have the HIPS set to ‘Clean PC’. As for unrecognised files, many of them I do know exactly what they are, and there is nothing that looks obviously suspect to me, and many of them I submitted to Comodo, even though CIS is supposed to submit all such files automatically anyway - but Comodo doesn’t change anything for me that way. I suppose certain individuals would jump up and declare that my system is therefore full of malware - but, no, it isn’t. If it were, there would have been signs of that, and I monitor my system very thoroughly! :slight_smile: Still, I do agree that it’s not good to have a long list of unrecognised files, but as far as I’m concerned, that is a CIS issue, and an incentive for me presently to transfer to a more ‘with it’ security suite that doesn’t accumulate a huge long list of unrecognised files because of failure to check and clear the files that I’ve submitted (or to identify any of them as harmful and thus to warn me and quarantine them).

I’ve already (yesterday) switched from CIS to CAV, now using Windows Firewall Control to manage the so-maligned Windows firewall, and will no doubt presently switch to another AV / HIPS.

I don’t propose to go further with the discussion here, because I can see it’s getting nowhere - thanks all the same.

I updated to the latest CIS version and have the same popups.
I use HIPS in Clean mode too. “Remember” doesn’t solve the problem, since at the next system start the remembered rule is gone?!

I’ve now got a much more satisfactory solution. I’ve given up with CIS - have replaced it with just Comodo AV with HIPS disabled, and am using Windows Firewall (yes, do laugh!) :wink: with Windows Firewall Control as a very serviceable front end for it (much more immediately informative and helpful than the Comodo firewall, which keeps far too much ‘under the bonnet’ and not quickly accessible). For HIPS I have now reinstated SpyShelter Premium, which I’d been using before I originally came to CIS. I find SpyShelter’s prompts much more helpful, and they don’t time out on me, the way that Comodo’s prompts do when I’m trying to work out how to respond to the respective prompts.