

New "System" application modifying win/system32 content


2 replies to this topic

#1 Eyedeetentee

  • Members
  • 2 posts

Posted 12 October 2011 - 01:01 AM

I'd like to check if I should allow this activity newly being reported by my Comodo Internet Security install.

About a week ago, new warnings have been reported by the "Defense+" (the malware component) module of Comodo.

I don't know if this is a report to be concerned about or if it is a defect of the current build of Comodo.

Comodo Defense+ has been reporting, in the pop-up dialogue within which I can choose to allow or block, that an 'application' named "System" is trying to modify the contents of the following folders/files:

C:\Windows\system32\LogFiles\RtBackup\EtwRTMsMpPsSession7.etl
C:\Windows\system32\WDI\LogFiles\ShutdownCKCL.etl
c:\Windows\System32\LogFiles\HTTPERR\

The second one happens at shutdown while the others I believe have come up at different times between startup and shutdown.

Is this normal Windows 7 Home Premium behavior?

I've done Google searches to try to find info to reference regarding those files/folder and haven't been able to see anything conclusive. Stuff I see about the LogFiles\HTTPERR\ folder indicates it is related to IIS, which I don't have any use for on my laptop and have not enabled.

When the Comodo pop-up comes up and I click on the "System" application name (as it allows you to do, so you can see the path the application resides in), it shows it is in the c:\windows\system32 folder, but that folder does not contain a file named just "System", not even "system.exe", so I'm not sure whether Comodo is just naming the application "System" as a generalization of the Windows 'system' or something else.

If logs are needed, I can continue this thread in the 'malware' section.

Any help appreciated.

Edited by Eyedeetentee, 12 October 2011 - 01:08 AM.
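One way to check what the pop-up is actually reporting, as an added example that is not part of this thread and not Comodo's or Microsoft's own tooling. It assumes an elevated PowerShell prompt on Windows 7 or later, that `logman query -ets` prints one active trace session per line in a column layout (name, then type, then status), and that `logman query "<name>" -ets` prints an "Output Location:" line for a file-backed session; the three paths are the ones quoted in the post above.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 7+.
# Goal: confirm that the "System" writer named by the Defense+ pop-up is the
# Windows kernel, and map each reported path to the kernel component that
# writes it (an ETW trace session or the HTTP.sys driver).

# The three paths from the Defense+ pop-up quoted in the post.
$reported = @(
    'C:\Windows\system32\LogFiles\RtBackup\EtwRTMsMpPsSession7.etl',
    'C:\Windows\system32\WDI\LogFiles\ShutdownCKCL.etl',
    'C:\Windows\System32\LogFiles\HTTPERR\'
)

# 1. "System" is the kernel's own process object, always PID 4. It has no
#    executable of its own on disk (its code lives in ntoskrnl.exe), which is
#    why System32 contains no file called "System" or "system.exe".
$sys = Get-Process -Id 4
$imagePath = if ($sys.Path) { $sys.Path } else { '<no image file: kernel process>' }
"PID 4 is '{0}' ({1})" -f $sys.ProcessName, $imagePath

# 2. ETW trace sessions write their .etl files in kernel mode, so a HIPS
#    attributes those writes to "System". Enumerate the active sessions and
#    the output file each one writes. (Assumption: logman's column layout.)
$sessionNames = logman query -ets |
    Where-Object { $_ -match '\sTrace\s' } |
    ForEach-Object { ($_ -split '\s{2,}')[0].Trim() }

$etlSessions = foreach ($name in $sessionNames) {
    $detail = logman query "$name" -ets 2>$null
    $outLine = ($detail | Select-String 'Output Location:' | Select-Object -First 1)
    $output = if ($outLine) { $outLine.Line -replace '^.*Output Location:\s*', '' } else { '' }
    [pscustomobject]@{ Session = $name; Output = $output }
}

# 3. Match each reported path against those sessions. A hit means the write
#    is a Windows trace log, not an unknown program borrowing the name.
foreach ($p in $reported) {
    if ($p.EndsWith('\')) {
        # HTTPERR is the error-log folder of the kernel-mode HTTP.sys driver
        # (service name "HTTP"). IIS uses HTTP.sys, but the driver is present
        # and can log without IIS ever being installed. sc.exe shows drivers,
        # which Get-Service in Windows PowerShell does not.
        $state = (sc.exe query HTTP | Select-String 'STATE' | Select-Object -First 1).Line.Trim()
        "{0}: HTTP.sys error-log folder; driver {1}" -f $p, $state
        continue
    }
    $leaf = Split-Path $p -Leaf
    $hits = @($etlSessions | Where-Object { $_.Output -like "*$leaf" })
    if ($hits.Count -gt 0) {
        $names = ($hits | ForEach-Object { $_.Session }) -join ', '
        "{0}: written by ETW session(s): {1}" -f $p, $names
    } else {
        "{0}: no active ETW session names this file right now (shutdown logs such as ShutdownCKCL.etl are only open while Windows shuts down; re-run at another time)" -f $p
    }
}
```

The point of the script is the attribution, not blocking or allowing anything: if PID 4 is "System" with no image path and each .etl file is the output location of an active trace session, the pop-up is Defense+ flagging routine kernel log writes. A path that matches no session and sits outside the standard log folders is the case that would merit a closer look.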




#2 Eyedeetentee

  • Topic Starter
  • Members
  • 2 posts

Posted 27 October 2011 - 07:10 PM

Just checking back in, anyone know if I have anything to worry about with these behaviors? Trying to figure out if I need to allow them in my Comodo Internet Security Suite.

#3 hamluis

  • Moderator
  • 55,876 posts
  • Location: Killeen, TX

Posted 28 October 2011 - 06:24 AM

My suggestion...uninstall the Comodo software :). Use something simpler and more direct to safeguard your system.

I suggest using Microsoft Security Essentials and the Windows firewall...they work as well as (if not better than) the Comodo software when it comes to protecting your system.

FWIW: I tried the Comodo software (again, I had tried it a few years ago) last week. I found it providing me with erroneous data and it seemed a bit flaky, so I concluded my test and returned to my regular choices (Avira Free and Windows firewall).

Louis
