Backup script file hangs unless Defense+ is disabled

[Guest]

[tjwhalen]

I use a tcsh script file to perform daily backups of files to a USB drive.  I'm running XP Media Center SP3 with all the latest updates, and the latest Comodo, 5.10.228257.2253.  I execute a DOS .bat file [manually clicking a desktop icon], which runs tcsh (from rktools--a unix shell toolkit for Windows) invoking my script.  The script creates a new directory on the USB drive, then performs xcopy commands in different directories in this fashion:

foreach i ( {directory list} )
command.com /C "xcopy /M/S/I/C/F/Y $i {dest}"

When the Defense+ level is anything but 'Disabled', the script hits the first xcopy, and hangs.  There are no alerts from Comodo, no files untrusted, nothing sandboxed.  I've identified the .bat and .tcsh files as trusted, as well as trying 'installer.'  command.com has been explicitly added to the trusted files, as well as all rktools files (as far as I know, the only one being used is the tcsh shell).

The 'Block All Unknown Requests' option is not checked, nor are any of the other checkboxes on the Defense+ Settings page.

The only thing I see in the log is a single entry for tcsh.exe, Flags=Create Process.

The Sandbox Security Level is set to Enabled.

[mouse1]

I use a tcsh script file to perform daily backups of files to a USB drive.  I'm running XP Media Center SP3 with all the latest updates, and the latest Comodo, 5.10.228257.2253.  I execute a DOS .bat file [manually clicking a desktop icon], which runs tcsh (from rktools--a unix shell toolkit for Windows) invoking my script.  The script creates a new directory on the USB drive, then performs xcopy commands in different directories in this fashion:

foreach i ( {directory list} )
command.com /C "xcopy /M/S/I/C/F/Y $i {dest}"

When the Defense+ level is anything but 'Disabled', the script hits the first xcopy, and hangs.  There are no alerts from Comodo, no files untrusted, nothing sandboxed.  I've identified the .bat and .tcsh files as trusted, as well as trying 'installer.'  command.com has been explicitly added to the trusted files, as well as all rktools files (as far as I know, the only one being used is the tcsh shell).

The 'Block All Unknown Requests' option is not checked, nor are any of the other checkboxes on the Defense+ Settings page.

The only thing I see in the log is a single entry for tcsh.exe, Flags=Create Process.

The Sandbox Security Level is set to Enabled.

Running command.com with the command to execute as a parameter is likely to be challenging for CIS. However lets see if we can help.

You could try adding command.com, your batch and script files and the entire tsch directory to Image Execution Control ~ Buffer Overflow Exclusions and applying the installer/updater policy to them all in the D+ Computer security policy D+ rules (making sure the rule is above any 'all applications rule' in the list). Obviously this does come with security risks - you need to know that you trust all these files and will never download files you do not trust into the directory.

You could also try turning off "do heuristic command line analysis for certain applications" in D+ settings ~ Image execution control, though this will loosen security more generally and may result in sandboxing messages for script files being  bit confusing.

If neither of the above work, could you append the text of the bat file please? And your D+ logs, and your active process list when the process is 'hung'.

Best wishes

Mouse

[mouse1]

I have split out your other problem as it seems distinct. The topic is here.

Hope this is OK

Mouse

[tjwhalen]

Thank you for the help. Problem is now fixed!

 I had the batch files and command.com defined as Installers, but the rules were at the bottom of the list, so weren't effective.

I first tried turning off the heuristic check, but this had no effect on the problem.  I then went into Computer Security Policy and discovered the misplaced definitions.  I moved them to the top.  Problem solved! I then took both batch file definitions out, and it still worked.  I took the entry for tcsh.exe out, and now I received Comodo warnings for ntvdm.exe.  I defined it as a Windows system app, and again all went well.  There was a new rule in CSP for tcsh.exe as a Windows system app.  I ran the backup again, and got an alert for tcsh.exe and another for ntvdm.exe.  I labeled them both as system apps. There was now a new rule for ntvdm.exe.  The next backup went off fine without any warnings.

I suspect when my wife first did her backup (after I installed Comodo), she received alerts but answered them incorrectly. 

Oh, I also noticed during the first few failed tests today, that the first command.com command resulted in a "command not found" error, and then it hung on the second command.com.  Don't know if this means anything.

[mouse1]

Glad it helped.

Best wishes

Mouse

[Tags:]