Workaround for the 99% CPU Problem with the latest Virus DB Updates

Hello Everyone,

Because of an issue with the latest virus database, some computers might observe significant CPU consumption problems caused by cmdagent.exe.

You might observe this issue if your virus database version is 2525 and later. We have reverted the problematic updates. However, because of the nature of this issue, already affected computers might not function properly to revert the updates back.

For those computers, the following instructions can remediate the issue:

1 - Reboot your computer in safe mode
To enter safe mode, you need to press the F8 button before Windows starts booting until you see the boot menu. In the boot menu, select safe mode.
2 - Delete the file in c:\program files\comodo\comodo internet security\scanners\bases.cav
3 - Copy c:\program files\comodo\comodo internet security\repair\bases.cav to the c:\program files\comodo\comodo internet security\scanners folder (this action will replace the current bases.cav file with the original bases.cav file that comes with the installation).
4 - Restart your computer and update your virus database again.

After these 4 steps, everything should go back to normal.

Alternatively, you can manually download the latest bases.cav file from http://download.comodo.com/av/updates311/sigs/bases/BASE_END_USER_v2456.cav and replace the problematic bases.cav with this version.

Directions for System Administrators who use COMODO ESM for managing the endpoints (these directions are NOT for end-users):

  1. Using the ESM console, create a sequence with a Set CIS config action that turns off the realtime scanner (set it to disabled mode). You can use a previously discovered configuration from one of your endpoint computers or try to discover a new one.
  2. Create a task from the sequence that was created in the previous step and choose the target endpoint computers for it.
  3. Run the task.
  4. Go to Task results manager and make sure the task has successfully finished.
  5. Create a task with a sequence containing the reboot action and with the endpoint computers from the previous task.
  6. Run the task. After the target computers have rebooted, cmdagent on those computers should not use 100% of CPU.
  7. Create a task with a sequence containing the discovery getCISconfig action and run it on all endpoint computers from the previous task.
  8. Go to Task results manager and make sure the task has successfully finished.
  9. Open the discovery data you have, choose one of your endpoint computers and make sure the realtime AV scanner is disabled.
  10. Create and run AV DB update task for endpoint computers recovered in the previous steps.
  11. Change the Set CIS config action data from step 1 to turn on the realtime scanner (set it to “on access” or “stateful” mode). Save the sequence containing this action and run the task created in step 2.

We are sorry for the inconvenience this might have caused.

Regards,
Egemen
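
Steps 2 and 3 of the end-user workaround above, scripted in PowerShell. This is an added example, not part of the original post or Comodo's tooling. It assumes PowerShell 4.0 or later (for `Get-FileHash`), an elevated prompt in safe mode, and the install path given in the post; the function name is hypothetical, and moving the removed file to `%TEMP%` instead of deleting it is a choice made here.

```powershell
# Added example: replace scanners\bases.cav with the repair copy and verify the result.
# Run elevated, in safe mode, so cmdagent.exe does not hold the file open.
$ErrorActionPreference = 'Stop'

# Paths as given in the post (default install location).
$cisRoot  = 'C:\Program Files\COMODO\COMODO Internet Security'
$current  = Join-Path $cisRoot 'scanners\bases.cav'
$original = Join-Path $cisRoot 'repair\bases.cav'

function Restore-BasesCav {   # hypothetical helper name
    param(
        [string]$Current,
        [string]$Original,
        [string]$BackupDir = $env:TEMP   # assumption: keep the removed file here
    )

    # Refuse to touch anything if the known-good repair copy is missing.
    if (-not (Test-Path -LiteralPath $Original -PathType Leaf)) {
        throw "Repair copy not found: $Original"
    }

    # Step 2: take the problematic database out of the scanners folder.
    if (Test-Path -LiteralPath $Current -PathType Leaf) {
        $backup = Join-Path $BackupDir 'bases.cav.bad'
        Move-Item -LiteralPath $Current -Destination $backup -Force
        Write-Host "Moved problematic database to $backup"
    }

    # Step 3: put the original database from the repair folder in its place.
    Copy-Item -LiteralPath $Original -Destination $Current

    # Confirm the file now in use is byte-identical to the repair copy.
    $srcHash = (Get-FileHash -LiteralPath $Original -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Current  -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch after copy: $srcHash vs $dstHash"
    }
    Write-Host "bases.cav restored, SHA256 $dstHash"
    return $dstHash
}

Restore-BasesCav -Current $current -Original $original | Out-Null
```

Step 4 (restart and update the virus database) is still done by hand afterwards.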

Will this eventually work through the normal updating process?

Should a new version of CIS be downloaded?

Thanks

Hi Egemen and thanks for the info

Will a reinstall of CIS solve the problem?

Sure, a reinstall will also fix the issue if you can do that.

Reinstall didn’t work for me

reinstall now will work…

reinstall before the reverting back to old db would not have worked.

thanks and sorry for that guys…

Melih

You do not need to reinstall.
I've done the workaround and now the computer boots up normally.

Updating the AV database has failed so far, maybe too many people are doing it right now…

So I am downloading base.av manually.

http://download.comodo.com/av/updates311/sigs/bases/BASE_END_USER_v2456.cav

Checksum MD5 / SHA1xxx would be very nice !!!

The AV portion of CIS definitely needs more work if just a definition update can cause all this.
I had installed CIS for a few of my friends’ pc’s and have had them call today reporting that they can’t use their pc’s, and since they aren’t the most computer savvy people, I had to go and fix the problem (uninstall CIS in safe mode in this case, as there was no sureway fix at the time).

If this happened as a result of a version update of Comodo, then fine, no big deal, it’s just a bug and I’m on-site to fix it as I’m doing the update, but since it was caused by a mere definition update that gets pushed to your pc in the background, well, I’m not impressed. I hope Comodo will implement safeguards to prevent this from happening in the future.

I imagine today may have been a huge mess for people who manage multiple pc’s in multiple locations with CIS installed… :frowning:

Now pondering if I should just install the firewall for now, hmm.

Edit: Also, it was quite funny when one of my friends called and said he thought he might have a virus and I had to explain “err… no, actually the problem is your anti-virus” 88)

This morning, I ran into this problem. :cry: After several hard resets and attempts to correct this problem without access to the net, I decided that in order to have enough cycles to access the internet and discover whether anyone had a solution to the problem, it would be necessary to temporarily disable cmdagent.exe by renaming it to cmdagent.ZZZ. Very shortly after logging onto forums.comodo.com, I found this thread and read about the work-around. After a reboot, I discovered that the work-around worked, and cmdagent has now been restored and the software has even replaced bases.cav, but I wasn’t terribly comfortable on the net with a dead command agent. The firewall and anti-virus appeared to be still working, according to CFP.EXE, but were they? What does cmdagent.exe do when it is doing its job?

Hi Dan,

It’s the engine of the product, cfp.exe is just the configuration and reporting tool so to speak…

So glad I found this thread :). Have been fighting this one on/off all day at work and was about to give up :'(. Thanks for the response and advice :-TU. Hopefully, I’ll have a more productive day tomorrow ;D.

:slight_smile:

I have to say I’m fairly shocked & appalled by the carelessness displayed here.

Do I really have to reboot again in safemode to delete the bases.cav, or will it be overwritten by later updates too, as long as I just wait?

Secondly, I don’t know how the core affinities work, but is it possible to only allow cmdagent access to 1 core, so that people with more than 1 have less of a problem with continued usability if this happens again?

Do I avoid the problem if I don’t update my second computer for a few days?

Currently the AV will only update to version 2524 and not higher so at the moment you can’t cause trouble on a system that hasn’t been updated to 2526 and 2527…

OK, thanks

A few hours ago, I re-installed v3.12, but the problem still exists.

At first, I used v3.11 and found the cmdagent.exe problem. Then I uninstalled v3.11 in safe mode and installed v3.12 in normal mode. After updating the database, the cmdagent.exe problem appeared again, and I needed to uninstall v3.12 again.

I have no antivirus software now, and using the WinXP default firewall only.

Is it possible that I install the v3.12 again, and place the v2456.cav into scanner directory directly without updating the Database?

Yes but you have to rename it to bases.cav otherwise it won’t work.

Thanks! I'll try again.

Like most users of CIS, I got the same problem when I was converting a flv file with Axx Vxxxo Converter.

At that time, I considered it was just a normal crash of converting the video, or that there were some problems with the converter.

So, I rebooted it!!

After the reboot, during the desktop loading process, the God dang problem still existed.

I thought that there was something seriously wrong.

Not being a newbie at repairing PCs, at the beginning I thought the problem was that svchost.exe had been broken, because the CPU usage recovered after I terminated one of the svchost.exe processes, the one which took the most memory.

After searching for svchost.exe data on the Internet and rebooting the computer many times, the CPU usage was still 100%, and I re-executed the process manager again (with very, very slow speed).

Finally, I got that cmdagent.exe is the critical bug in the system.

I didn't even know that the process originated from CIS.

I searched again, and came to this forum via Google’s link.

Then, I found that there were many users complaining about the problem and saying that uninstalling CIS is the fastest way to fix it.

I think uninstallation is escaping the problem, and it won’t be the winning for me.

So, after reading many articles, complaints, and text data, I fixed it in the end with the official workaround announcement.

Last but not least,

It took me almost 5 hours to fix it. What about other ordinary users??

I hope that before a new update is announced, the staff of CIS will reexamine the program again strictly.

THX for reading this long-winded diary.

Regards.

Hi alec. I merged your post with this topic as it is about the same phenomenon.

Cheers,

Eric