Topic: Firewall only - How to stop CIS scanning my system and files on all partitions?

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

Having installed Firewall only I have noticed for some time that I get file entries in the "UNRECOGNIZED FILES" for files that were not started before and no matter on which partitions those files are located.

Since I have installed Firewall because I didn't want it to scan my system and files it seems it still does that.

How do I stop this unwanted CIS system / file crawling scanning behavior?
« Last Edit: May 07, 2021, 12:20:09 PM by CISfan »

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
In addition:

Currently I have 4 files listed as unrecognized which were added to the "UNRECOGNIZED FILES" list not earlier than today.
All 4 files have "First Observed" set to 7-apr-21.
All 4 files originate from the same company, 2 files have "Company" name set, the 2 other files have a blank "Company" name.
All 4 files have rating unrecognized (of course, otherwise they won't be on the list).

I'm wondering how the files got on the list as I did not start them today or yesterday or days before.

Offline CommodoUser2019

  • Comodo's Hero
  • *****
  • Posts: 231
I don't know what settings you have on FW but this is what CIS shows under file rating settings.
Windows 10 Pro 2004 x64 Build 19041.630
Comodo CIS 12.2.2.7098

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
These are the settings that I use.
I'm still puzzled how the files got on the list recently.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
In addition to: "All 4 files originate from the same company, 2 files have "Company" name set, the 2 other files have a blank "Company" name."

The 2 files which have "Company" name set have one valid signature under file properties "Digital Signatures" with a sha1 Digest algorithm.
The 2 files which have "Company" name not set have two valid signatures under file properties "Digital Signatures" with a sha1 and sha256 Digest algorithm.

Since all files have a valid digital signature why are these files listed as unrecognized?
And why do only 2 files have the "Company" name set?

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
Some more information.

When tracing back into my saved log files I see the following:

"HIPS Events" (for all 4 files)

Date & Time: 07-apr-21 <time differs per file>
Application: <location of the file>
Action: Scanned and found safe
Target: <blank>
Alert: <blank>

"File List Changes" (for all 4 files)

Date & Time: 07-apr-21 <time differs per file>
Path: <location of the file>
Modifier: COMODO
Action: Added
Property: COMODO rating
Old rating: <blank>
New rating: Trusted

"Vendor List Changes" (for the "Company" name)

Date & Time: 07-apr-21 <time somewhere in between the 4 files>
Vendor: Nir Sofer
Modifier: COMODO
Action: Added
Property: COMODO rating
Old Rating: <blank>
New Rating: Unrecognized


The old saved log files tell me that all 4 files were rated Trusted when the files were executed for the very first time on 07-apr-21.
Almost at the same time (a time somewhere in the middle of the execution of the 4 files) the Vendor got added to the "Vendor List" with rating "Unrecognized"

When opening the current "File List" I see that all 4 files are rated as "Unrecognized" but when opening the current "View Logs" -> "File List Changes" the 4 files are not listed. I would expect to see a "Modifier" change with "Old Rating" Trusted (as they were on 07-apr-21) to "New Rating" Unrecognized.
Also, the older saved log files do not show any rating changes for the 4 files under "File List Changes" other than the one already listed above.

Now just recently all 4 files got rated "Unrecognized", how come?


Offline CommodoUser2019

  • Comodo's Hero
  • *****
  • Posts: 231
Well, since it's a file rating system, it is going to evaluate files on your system. I'm not sure at this time what the ramifications are if you disable that system. If the FW also has containment, then containment probably needs file rating which is part of file analysis. I just deal with unrecognized files as they come only occasionally. Same thing with HIPS, which can be a royal pain sometimes.

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5197
Comodo firewall installation types do not scan files unless you run a file rating scan; otherwise files are added to the file list when they are executed in some way. As for unrecognized files that all of a sudden appear, they most likely lost their file rating status, which seems to be a 30-day cache limit.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
Thanks for the feedback futuretech.

Yep, files are added to the File List when executed, that's fine.

While doing the Websites Database update exercise by clicking on the Update button I did hit the Scan button above the Update button by accident a couple of times, but I always did stop the scan immediately at a point when the scan was checking the auto-runs entries or some of the very first Windows system files. I don't think that the scan caught and scanned those 4 files too, as the 4 files are located on another partition. Also, I have never run a full scan on my system, that I know for sure.

The 4 files are still on the "UNRECOGNIZED FILES" list. For a test I could remove them from the File List and also remove the Company from the Vendor List and then execute those 4 files again and then wait and see if the same thing happens again and the files reappear as "UNRECOGNIZED FILES" after the 30 days cache limit.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
Interesting facts (or bugs).

I removed the Company entry from the "Vendor List" and checked the files on the "UNRECOGNIZED FILES" again. All 4 files are still there (so still in unrecognized state) and all 4 files have now their Company name cleared (2 files had a Company name set the other 2 files had not).

Next, I removed 1 of the 4 files from the "UNRECOGNIZED FILES" and executed the removed file again. Then checked "UNRECOGNIZED FILES" again, now here comes the odd part, the number on the right side of "UNRECOGNIZED FILES" is still 4 but opening "UNRECOGNIZED FILES" only shows 3 unrecognized files. The file that I removed and executed again is on the File List and has Trusted state (like it had on 07-apr).

Now, when opening "View Logs" -> "File List Changes" there is no log entry about the file removal, nor a log entry about an Old/New Rating change, nor a log entry about the addition of the file after it got executed again.

When opening "View Logs" -> "Vendor List Changes" there is a log entry about the Company(Vendor) removal and a log entry about the addition of the same Company again as a result of the file execution, the rating of the Company is again Unrecognized.

So the above in short:
- Vendor removed from Vendor List.
- 1 file removed from File List.
- Executed the same file again.
- Executed file got rated Trusted.
- No logs about File List Changes.
- Vendor got added to the Vendor List because of file execution.
- Vendor got rated unrecognized.
- Logs about Vendor List Changes.
- CIS window shows 4 "UNRECOGNIZED FILES" but only 3 files are listed when clicking on it (the 4th file is rated Trusted).


Next I did remove the Vendor again from the Vendor List, now interestingly
- CIS window shows 3 "UNRECOGNIZED FILES" which is correct.

Next I executed the file again and interestingly
- CIS window still shows 3 "UNRECOGNIZED FILES" which is correct.
- However the Vendor isn't added to the Vendor List anymore, not even after executing the file multiple times.

In order to try to bring back the Vendor on the list I did
- Remove the file (application) from the HIPS rules list.
- Executed the file again.
- Result: no Vendor added to the Vendor list.
- And really weird too, there is no new application HIPS Rule either (remember that I have "Create rules for safe applications" set to on). The file now runs without a HIPS rule in place???
 
In order to try to let HIPS create a new file application rule I did
- Removed the file (with rating Trusted) from the File List.
- Executed the file again.
- Result: no new HIPS rule and still no Vendor added to the Vendor List

Something is going out of sync here.

Question: What do I have to do to bring back the Vendor on the Vendor List and to bring back the auto created HIPS application rule for the file?

EDIT:
The Vendor got added to the Vendor List again automatically after some very long delay.
However HIPS still doesn't create a new application rule for the file anymore, and a reboot also to no avail.
How to bring back the auto create HIPS rule for the file?

EDIT 2:
HIPS rule is back too.
Apparently just executing and closing the application (the removed file) isn't enough to trigger HIPS to create a new rule. After executing the application and doing some stuff with it HIPS created a new rule for it.

Anyhow, with the Vendor on the Vendor List again as Unrecognized and the removed file back on the File List as Trusted again I'll keep an eye on it if it becomes Unrecognized again after a while.
« Last Edit: May 09, 2021, 05:44:21 PM by CISfan »

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
OK, back again . . .

What I suspected is true and I'm at least not happy with this CIS behavior of sneakily scanning my files.

As I've explained in my previous posts I had 4 "UNRECOGNIZED FILES" on the list. I removed one of them leaving 3 "UNRECOGNIZED FILES" files on the list. I never ever executed the 4th removed file ever again in the time frame between removal and till now and yet the file returned back on the "UNRECOGNIZED FILES" list resulting again in having 4 "UNRECOGNIZED FILES" on the list.

This test proves to me that CIS for "FW only installations" does scan/read/execute files in the background without user permission or without the user performing any scan Task.

When I remove a file from the "UNRECOGNIZED FILES" list it should stay away and never return until executed again.

Disappointing this.

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 216
Hi CISfan,

We are checking this.


Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
> Hi CISfan,
>
> We are checking this.

Thank you kindly for checking this C.O.M.O.D.O RT.

This is really an issue.
Today another unrecognized application was added by CIS to my "UNRECOGNIZED FILES" list without that particular application being executed by me.
I have now 5 "UNRECOGNIZED FILES" on the list, one more since my last post.

CIS is doing some kind of "scanning files" for FW only installations, please solve.

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5197
No, it's not an issue because it is not doing any scanning despite what you may think. If it was then you would have many unrecognized and safe files added to the file list that were never executed. Files do not get added to the file list unless they get run in some way.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1143
> If it was then you would have many unrecognized and safe files added to the file list that were never executed. Files do not get added to the file list unless they get run in some way.

You have a point there, thus far I've only seen files reappearing on the file list that have been executed before. One time execution is enough for this odd reappearance to happen. I hope you agree that this reappearance of unrecognized files and maybe also the reappearance of trusted or safe files (I haven't checked that) should not happen automatically but only after another execution of an untrusted or trusted file, it is most confusing.
Reappearance looks as if files are being "executed" or "scanned" in the background.


For information, I've noticed that the time frame between removal and reappearance is exactly 30 days (might depend on the number of days in the one or two months that fall within this time frame).

Also, I've checked the CIS AV config settings in the registry (to which I have no access in the GUI) and there is an AV profile (there are three) which has some values set including "ScheduleTime" which divided yields 30 (could be a coincidence).
The other two AV profiles have all their values set to 0 and look disabled to me.

Whether an issue or not, I hope that this reappearance thing will be solved.


 
