My God! I think we've cracked it! I managed to reproduce the creation of the cardisabled entity. It wasn't due to the CCE scanner as I first thought, but was in fact down to the Autoruns tool.
So here's the gist of it. If you fire up autoruns with "hide safe entries" already enabled > wait for it to finish analyzing > then go to view > un-check hide safe entries (making safe entries now visible) > then select an entry > then disable it > then re-enable it > then go to view again > click hide safe entries > then exit autoruns.
You will now have created your very own cardisabled file, in the same folder location as whatever entry you disabled then re-enabled in autoruns. The creation of this cardisabled file seems to be a byproduct of conducting the exact series of events outlined above. Why does this happen? I have no idea. Whether the creation of a hidden duplicate file called cardisabled, of an entry you disabled then re-enabled in autoruns, is intended by Comodo, I don't know.
The fact is that although the CCE package is very powerful, considering it's free, it's one of those products that, with one stray click that you don't notice, you can easily mess up your system. A good example of this would be Autoruns itself.
Here's the scenario: you fire up autoruns with hide safe entries already enabled. This means that now, as soon as the program opens, it begins the process of analyzing all the entries it finds and removing them from view if it determines them to be safe. However, during this process of analyzing and hiding safe entries, you can actually still select any entry in the list before it has been analyzed fully. This means that you can quite easily, with a single accidental click, disable an entry in the list before it's analyzed, then when it's analyzed, if it's found to be safe, it's removed from view... and bam! You've just disabled what could be a vital auto-executed part of Windows or your drivers, that you can now no longer see in the list, because it's been hidden from view, because it was determined to be safe.
Now if that doesn't sound like a big deal, consider how short a time frame all that can happen in. And also consider that the average user probably isn't going to notice that their single stray click has just disabled some random vital dll or exe, that the system actually needs in order to run properly.
This, however, could be easily remedied by just adding a confirmation of disable entry prompt on un-checking an entry, or better still, just make all the check boxes grayed out. So you can still see what entries are enabled, but if you want to disable one, you have to right-click and choose disable entry in a context menu.
Anyway, the thanks goes to you bobbye, on this one. Your comment: "So 'hidden entries is user invoked." is what gave me the spark of an idea that autoruns + hide safe entries, might be connected in some way to the cardisabled file creation.
p.s. Comodo - I charge $50 an hour for product quality testing... and I've spent the better part of over 4 hours on this one, so by that estimate, that'll be $200 please.
I accept cash, direct wire or cheques.
Oh yeah, and bobbye gave up some of his time in order to do some valuable research. So I think he should be paid too.
And one last thing, what the heck does cardisabled even mean??
Dayus.