Windows Security Events "Explode" after upgrade to Comodo Firewall vs 5 [287]

TOPIC TITLE
Windows generates thousands of system log-on events after upgrade to Comodo Firewall (CFW) vs. 5.x

The bug/issue

  1. What you did: Upgraded from CFW vs. 4.x to 5.x

  2. What actually happened or you actually saw: Could not log in a short time later with a user account, due to the security event log being full. After logging-in as an administrator, discovered thousands of security log events relating to a system process (NT Authority, event IDs 528, 576, 538, log-on type 9, incrementing hex log-on ID). Saved and cleared log – filled again in a few days. Start of events coincide with upgrade of CFW from vs. 4.x to vs. 5.x. Events typically come in sets of 3ea: 528, 576, 538 events, 3-9 times per second (depending on machine).

  3. What you expected to happen or see: A few dozen events at start up, as before, with CFW vs. 4.x

  4. How you tried to fix it & what happened: Events end with uninstall of CFW; resume with reinstall. Problem confirmed/duplicated on 2nd Windows XP-sp3 box. Problem not present on Win 7 box running CFW vs. 4.x (not yet upgraded). Also not present on Win Vista SP2 box running other FW/AV product.

  5. Details (exact version) of any software involved with download link: CFW vs 5.0.163652.1142

  6. Any other information you think may help us:

A) Events seem to be related to program/process initiation and use (lots of events at startup, when programs are run, and during browsing). Events eventually slow down or stop if machine not being used.

B) My Windows security event log settings are derived from US NIST security configuration guidance - including logging for log-on success and failure, 20 MB max event log size, overwrite after 182 days. Have used same settings for ~7 years without serious issues (occasional problem with buggy software). While I could increase event log size, I estimate ~2 GB required for 6 months logging - RIDICULOUS!

C) Have used Comodo products for many years without problems. This upgrade is a major improvement - except for this issue.

Files appended

  1. Screenshots illustrating the bug: n/a
  2. Screenshots of related event logs or the active processes list: 2010_09_29_Comodo_Events.JPG
  3. A CIS config report or file. No config - your forum won’t allow this file type to be uploaded (and erased my first attempt to post report)
  4. Crash or freeze dump file: n/a - .txt file of representative security event detail attached: Security_Events_After_Comodo_vs5.txt

Your set-up

  1. CIS version, AV database version & configuration used: CFW vs 5.0.163652.1142, Proactive and Firewall Security
  2. Whether you imported a configuration, if so from what version: Upgraded without import
  3. Defense+ and Sandbox OR Firewall security level: Safe Mode
  4. OS version, service pack, no of bits, UAC setting, & account type: Windows XP Professional SP3, 32bit, User and Administrator accounts
  5. Other security and utility software running: ESET NOD-32 Anti-Virus (vs. 4.2.58.3)
  6. Virtual machine used (Please do NOT use Virtual box): NONE

[attachment deleted by admin]

I have Windows 7 X64 and am experiencing similar issues with events 4624/4634/4672. Literally tens of thousands of events being generated.

Do you have any other security software?

No - the only security software is Comodo - AV, HIPS and FW.

Issue is caused by enabling “Audit account logon events” option in local security policy. There are two ways to prevent the “Explode” log:

  1. You can disable option “Audit account logon events” if this option isn’t necessary for you (Control panel->Administrative tools->Local security policy->Audit policy)
  2. You can limit maximum log size in Security log properties and overwrite events as needed.

Serg
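The two work-arounds above can be applied without the Local Security Policy snap-in, which matters on editions that do not ship secpol.msc. The following is an added example, not code from the thread or from Comodo: it uses `auditpol.exe` and `wevtutil.exe`, which are present on every edition of Windows Vista and later (Windows XP has neither, so on XP the setting is changed through Local Security Policy as described in the post). The 4624/4672/4634 events in this thread (528/576/538 on XP) belong to the Logon, Special Logon and Logoff subcategories of the Logon/Logoff audit category. The 512 MiB log size is an assumption; pick a value that fits your retention needs.

```powershell
# Added example (not from the thread): inspect and adjust the audit settings and the
# Security log size from an elevated PowerShell prompt. auditpol.exe and wevtutil.exe
# exist on all Vista-and-later editions, including those without secpol.msc.

# 1. Current state of the subcategories that emit 4624 (Logon), 4672 (Special Logon)
#    and 4634 (Logoff). Shows whether Success and/or Failure auditing is enabled.
auditpol /get /category:"Logon/Logoff"

# 2. Current Security log configuration: maxSize (bytes), retention, enabled, path.
wevtutil gl Security

# 3. Work-around (b): raise the maximum log size so the log fills more slowly and keep
#    "overwrite as needed" (/rt:false). 536870912 bytes = 512 MiB, an assumed value.
wevtutil sl Security /ms:536870912 /rt:false

# 4. Work-around (a): stop recording *successful* logons in the Logon subcategory only.
#    Failure auditing and the other subcategories stay as they are, but every other
#    legitimate successful logon is silenced too, so this is the less desirable option.
#    Uncomment to apply.
# auditpol /set /subcategory:"Logon" /success:disable

# 5. If the log has already filled, keep a copy for later review before clearing it.
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
wevtutil epl Security "$env:USERPROFILE\Security_$stamp.evtx"
# wevtutil cl Security
```

Re-run step 1 after any change to confirm what the effective policy now is; on Windows 7 the legacy "Audit logon events" policy and the per-subcategory settings can disagree, and `auditpol /get` reports the setting actually in force.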

No the issue is excessive logons, with a side effect of excessive entries in the event log.
Reducing the security of the system by either not recording the logons, or by recording less of them so that other entries that record key information are lost, is not a solution - it is a limited workaround that may mitigate some of the symptoms and is only suitable for some users.
When you are generating 25,000 events an hour it makes it extremely hard to spot the things in other events.

In my case I can’t turn the policy off - the group policy editor is not available in Windows 7 Home Pro - and reducing the size of the log ends up with the worst of both worlds as it only takes a few minutes to fill up and start losing data, but it still spams thousands of events in any queries making it very hard to see anything at all in the event logs.

In my case the Audit account logon events does not seem to be enabled (I hope I am looking in the right exact place). I am on Win 7 x86.

See attached image.

[attachment deleted by admin]

Thanks for the work-arounds Serg.

It seems there are two possibilities here:

  • this log-on log-off is absolutely required for CIS to work properly, and cannot be avoided in the next version. In which case we need a work around, particularly for XP users who cannot filter events as flexibly as on later Windows versions. Turning logging off decreases security, so it isn’t an ideal work-around. Neither is limiting log size, as the presence of multiple events you need to ignore will obscure those you need to notice.
  • it is not, in which case this is a valid issue, and needs a Bugzilla entry

Could you guide us on this Serg?

Best wishes

Mouse

I can’t find it on Windows 7 Home Premium, it seems related to secpol.msc.
Is there a registry key to change this settings?

During the night Microsoft installed some updates and it seems that since then Comodo has been signing on and off about 1000 times an hour. The event viewer shows a series of transactions 4624, 4672, 4634 [logon, special logon, logoff]. This appears to go on forever [the summary page shows 2373 events in the security audit success report.] There are no other security audit events being reported.

Nothing is visible from the Comodo reporting. The number of connections to the internet is reasonable, and everything seems to be operating properly. The event summary indicates that the previous 24 hours transaction level is equal to the previous week - I take this to mean that things have changed drastically today.

The system is Win7 Home [64 bit] with Comodo Internet Premium version 5.0163652.1142.

The message on the event viewer says for the logon entry:

[i]An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: WINDHAM$
Account Domain: FRED
Logon ID: 0x3e7

Logon Type: 9

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x715988
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x27c
Process Name: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
[/i]
[b]The logonID changes for each iteration.

The next entry is a special logon which reports:
[/b]
[i]Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x715988

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege[/i]

This is immediately followed by a Logoff which reports:

[i]An account was logged off.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x715988

Logon Type: 9

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.[/i]

I have no idea what all this means, but when I rebooted Comodo continues to logon and off as soon as the system comes up - before there is any internet connection.

I assume this has something to do with the new Windows update and Comodo disagreeing on something. If so is the Firewall functional? Am I protected? In short WTF?

None of this would be visible if I had not been up to the bathroom in the middle of the night and wondered why the PC lit up at 3AM.

Hope someone can shed some light on this and figure out how to make a simple logon work properly.

Thanks

Ross
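The three records quoted above share one Logon ID (0x715988), which is exactly the correlation the 4634 text describes. The script below is an added example, not code from the thread or from Comodo, that measures the churn rather than reading it record by record: it pulls the last hour of 4624/4672/4634 events from the Security log, keeps only logon type 9 (the type shown in the post), groups the sessions by the process that created them, and pairs each 4624 with its 4634 and 4672 through the Logon ID. It needs Get-WinEvent (Windows Vista or later; on XP the equivalent IDs are 528/576/538 and this cmdlet is not available). The 60-minute window is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the thread): count logon-type-9 sessions per originating
# process and check how many were closed (4634) and granted privileges (4672).
$windowMinutes = 60   # assumed window; timediff() in the XPath is in milliseconds

# The XPath is evaluated by the event log service, so only matching records are read.
$xpath = "*[System[(EventID=4624 or EventID=4634 or EventID=4672) and TimeCreated[timediff(@SystemTime) <= $($windowMinutes * 60000)]]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Read a named EventData field (e.g. TargetLogonId) out of a record's XML rendering.
function Get-Field([System.Diagnostics.Eventing.Reader.EventRecord]$e, [string]$name) {
    $x = [xml]$e.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$logons  = @{}   # LogonId -> summary of the 4624 that opened the session
$logoffs = @{}   # LogonId -> time of the matching 4634
$special = @{}   # LogonId -> $true if a 4672 was issued to that session

foreach ($e in $events) {
    switch ($e.Id) {
        4624 {
            if ((Get-Field $e 'LogonType') -eq '9') {
                $id = Get-Field $e 'TargetLogonId'
                $logons[$id] = [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Process = Get-Field $e 'ProcessName'
                    Account = Get-Field $e 'TargetUserName'
                }
            }
        }
        4672 { $special[(Get-Field $e 'SubjectLogonId')] = $true }
        4634 { $logoffs[(Get-Field $e 'TargetLogonId')] = $e.TimeCreated }
    }
}

# One row per process: sessions opened, rate per minute, and how many of those
# sessions also produced the 4634 and 4672 halves of the triplet.
$summary = foreach ($grp in ($logons.GetEnumerator() | Group-Object { $_.Value.Process })) {
    $ids = $grp.Group | ForEach-Object { $_.Key }
    [pscustomobject]@{
        Process   = $grp.Name
        Logons    = $grp.Count
        PerMinute = [math]::Round($grp.Count / $windowMinutes, 1)
        Closed    = @($ids | Where-Object { $logoffs.ContainsKey($_) }).Count
        Elevated  = @($ids | Where-Object { $special.ContainsKey($_) }).Count
    }
}
$summary | Sort-Object Logons -Descending | Format-Table -AutoSize
```

A process whose every session is opened with type 9 (new credentials for outbound use), closed again within the same second and never associated with a network address is behaving as the quoted records show; the per-process rate is the figure worth quoting in a bug report, and a row with Closed well below Logons would point at sessions that are leaking rather than merely churning.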

almost looks like a network worm trying to get into your computer. Do you have any other computers connected to your network? http://forum.kaspersky.com/index.php?showtopic=101327 Seems like CIS is fighting to keep it out of your system.

The system is free standing and has no other systems connected. The old one died and this one is only a week old.

I have no sign of either internal or external virus/malware.

Ross

how is the network setup? are you at home with your own connection, apartment with a wall ethernet connection, college?

Do you have a router, is the wireless turned on and if so, is it protected, how is it protected?

Many thanks for your report.

This issue is already known, so I will merge with that report in format verified issues

Best wishes

Mouse

Languy:

I have a lan connection to an ADSL modem, and no other connections. A very simple home system.

This morning the continuous logon-off process continues. I am watching the I/O levels in Task Manager and Comodo is not reporting any activity. Csrss is the only active process, and I believe that is normal.

Ross

Hi All

I have just discovered that if Comodo is running I cannot logon to my online banking. I get a screen asking for password, but the field will not accept input. Killing Comodo CIS solves the problem…

This is the first impact I have seen from the logon/off cycle.

FWIW

Ross

I’m also having this problem on Win7 x64. Any news about it?

The devs are aware and are working on it I think.

Meanwhile there are a couple of work-arounds earlier in the topic.

Best wishes

Mouse

Is there a workaround for Windows 7 Home Premium?
Because Local Security Policy isn’t available in this version of Windows…

I think your best bet is to use the ability of Win7 to filter the logs. Think this is better than in XP, but afraid I don’t know for sure.
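Filtering on Windows 7 does work on every edition, because Event Viewer custom views are built from the same XML query language on Home Premium as on Professional. The following is an added example, not from the thread or from Comodo: a custom view that hides the logon-type-9 triplets discussed above while keeping all other logons, all logoffs, all failed logons (4625) and any 4672 issued to a non-SYSTEM account visible. Paste the XML into Event Viewer > Custom Views > Create Custom View > XML tab, or feed it to Get-WinEvent as shown. The SID S-1-5-18 is the well-known SID for SYSTEM, the account named in the quoted 4672 records.

```powershell
# Added example (not from the thread): an Event Viewer custom view / Get-WinEvent
# filter that suppresses the logon-type-9 noise without turning auditing off.
$view = @"
<QueryList>
  <Query Id="0" Path="Security">
    <!-- logons and logoffs of every type except 9 (NewCredentials) -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4634)] and EventData[Data[@Name='LogonType']!='9']]</Select>
    <!-- every failed logon, whatever its type -->
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
    <!-- privilege grants, minus those issued to SYSTEM (S-1-5-18), which is the
         4672 that accompanies each of the noisy sessions -->
    <Select Path="Security">*[System[(EventID=4672)]]</Select>
    <Suppress Path="Security">*[System[(EventID=4672)] and EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]</Suppress>
  </Query>
</QueryList>
"@

# Same query from PowerShell (elevated prompt); newest 50 matching records.
Get-WinEvent -FilterXml ([xml]$view) -MaxEvents 50 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The trade-off is the one already raised in this topic: the view changes what you look at, not what is recorded, so the log still fills at the same rate and the retention problem remains. It does restore the ability to spot an unexpected interactive or network logon among the type-9 churn, which the unfiltered log no longer allows.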