小红伞和v3的问题

coolrui

我装了个小红伞和v3，刚才在defense+ events里面发现了小红伞的avgnt.EXE被并block hook，到底怎么回事，我编写了“禁止在WINDOWS目录中新建任何文件”（参照从零开始，打造超强COMODO V3防护规则包（FD篇2）），然后小红伞是每两小时升级一次，如何排除，谢谢

2007-12-2 22:16:32	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:32	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:32	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:32	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:33	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:33	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:33	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:33	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:34	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:34	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:34	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:34	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:35	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:35	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:35	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:35	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:36	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:36	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:36	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:36	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:37	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll
2007-12-2 22:16:37	C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe	Block Hook	C:\WINDOWS\system32\MSCTF.dll

以下是防火墙日志

2007-12-2 22:16:32	System Idle Process	Blocked	222.68.160.142	26217	58.242.139.236	4068
2007-12-2 22:16:32	System Idle Process	Blocked	87.220.35.235	51417	58.242.139.236	14604
2007-12-2 22:16:33	System Idle Process	Blocked	222.129.46.213	45607	58.242.139.236	9493
2007-12-2 22:16:34	System Idle Process	Blocked	190.172.255.243	53448	58.242.139.236	8080
2007-12-2 22:16:34	System Idle Process	Blocked	87.220.35.235	51635	58.242.139.236	26606
2007-12-2 22:16:35	System Idle Process	Blocked	222.68.160.142	26217	58.242.139.236	29485
2007-12-2 22:16:36	System Idle Process	Blocked	62.165.228.64	60401	58.242.139.236	18355
2007-12-2 22:16:36	System Idle Process	Blocked	222.129.46.213	45644	58.242.139.236	31607
2007-12-2 22:16:37	E:\缁胯壊杞?欢\TuZiThunder-v5.7.4\Program\Thunder5.exe	Blocked	60.180.210.249	20669	58.242.139.236	80
2007-12-2 22:16:37	System Idle Process	Blocked	222.129.46.213	45659	58.242.139.236	7359
2007-12-2 22:16:38	System Idle Process	Blocked	116.227.25.162	60649	58.242.139.236	3813
2007-12-2 22:16:38	System Idle Process	Blocked	86.75.110.241	13112	58.242.139.236	8080
2007-12-2 22:16:39	System Idle Process	Blocked	60.217.177.194	16155	58.242.139.236	14170
2007-12-2 22:16:39	System Idle Process	Blocked	222.247.177.182	51523	58.242.139.236	16617
2007-12-2 22:16:40	System Idle Process	Blocked	59.172.108.63	3920	58.242.139.236	18355
2007-12-2 22:16:41	System Idle Process	Blocked	222.68.161.6	59451	58.242.139.236	3164
2007-12-2 22:16:41	System Idle Process	Blocked	58.246.12.114	19553	58.242.139.236	7359
2007-12-2 22:16:42	System Idle Process	Blocked	221.225.149.193	61255	58.242.139.236	7359
2007-12-2 22:16:42	System Idle Process	Blocked	211.161.4.136	60853	58.242.139.236	6838
2007-12-2 22:16:43	System Idle Process	Blocked	219.137.116.164	34784	58.242.139.236	7398
2007-12-2 22:16:44	System Idle Process	Blocked	222.68.161.6	59451	58.242.139.236	3164
2007-12-2 22:16:44	System Idle Process	Blocked	222.68.160.142	3536	58.242.139.236	7531

[ 本帖最后由 coolrui 于 2007-12-2 22:36 编辑 ]

豫孤鸟

我的没有这种情况！

ubuntu

用 C:\Program Files\COMODO\Firewall\cfplogvw.exe 导出日志到html文件。
然后用浏览器打开，将和红伞hook有关的日志复制，帖上来看看。

将 All Applications 拖到最下面。
FD，设置相应的小红伞规则，Protected files/folders  设置成Allow， 在more ... 里 Allowed Files/Folders  添加 *

adfy6554

在系统安全规则中找到小红伞UPDATE.EXE，双击，在弹出菜单access right中找到保护文件权限，设置为ALLOW.

remcn

楼主，你可以参考U版的建议，我个人的看法是：

在你自主设定的规则中，把小红伞加入排除，这样就解决了。另外我也不太喜欢将ALL app拖到下面，毕竟这是最优先的组别。

此外，关于我所写的那篇FD的自定义教程，我也正在等官方更详细的通配符说明，暂时停工。

ubuntu

你的日志表明，你设置了avgnt.exe 的hook保护，而没有排除msctf.dll

你需要设置 avgnt.exe 的 Protected Settings, 在Windows/WinEvent Hooks -> Modify... 排除 %windir%\system32\msctf.dll

闪电战

avgnt.exe只是任务栏图标驻留程序，不需要什么保护
只保护avguard.exe和shed.exe就够了

coolrui

谢谢U版的回答，请问到底是排除%windir%\system32\msctf.dll还是C:\WINDOWS\system32\MSCTF.dll，有何区别？

ubuntu

原帖由 coolrui 于 2007-12-3 19:43 发表
谢谢U版的回答，请问到底是排除%windir%\system32\msctf.dll还是C:\WINDOWS\system32\MSCTF.dll，有何区别？

%windir% 是系统环境变量，代表当前系统所在目录，通常是 C:\WINDOWS 。
用环境变量是为了规则的通用性。