CCE - Scanner remains stuck on com1.exe files

Hello!

I wrote this topic to report a bug in CCE: when analyzing files like com1.exe, com1.*.exe, etc., CCE doesn’t work and remains stuck on these files. I waited for one or two minutes, but it didn’t continue the scan and remained stuck on com1.exe, com1.example.exe, etc. So the scan is compromised because when CCE tries to open these files, the ReadFile API function doesn’t finish and the thread remains in the Wait:Executive state.
So if on a computer there are files named this way by a virus or by abnormal programs, I can’t scan the computer with CCE.

Other details:

• Windows 7 32-bit Professional SP1
• Security products installed: Comodo Firewall Free 6.2.282872.2847, Avira Free Antivirus 13.0.0.3880.
• Is the experiment reproducible? Yes, always.
• How is the experiment reproducible?

  • Press WinKey+R, type cmd.exe and then press Enter;
  • Create a directory on the C hard disk to do this experiment in a dedicated folder (better than one with other files, but this problem also applies to folders with normal files);
  • We will use the copy command to put a copy of an executable file in our folder;
  • The first argument is an executable file; I used, for example, Task Manager;
  • The second argument is the com1.exe file. It must be written as “\\.\C:\Example-Directory\com1.exe”, not as “C:\Example-Directory\com1.exe”, else the copy should fail;
  • So we can type:
    copy "C:\WINDOWS\system32\taskmgr.exe" "\\.\C:\Example-Directory\com1.exe"
    in the cmd.exe console;
  • Now press Enter to run the command. If all works well, there is now a com1.exe file in the folder C:\Example-Directory that explorer.exe can’t delete, access, rename, etc.;
  • Now close the cmd.exe window by typing exit or clicking the X button;
  • Open Comodo Cleaning Essentials. Choose the custom scan, deselect the options on the left and the selected devices, and add a folder to the scan. Add “C:\Example-Directory”;
  • Start the scan with the selected settings;
  • After initializing, Comodo Cleaning Essentials will stay stuck on the file C:\Example-Directory\com1.exe.

This is because CCE doesn’t try to open “\\.\C:\Example-Directory\com1.exe”, but tries to open “C:\Example-Directory\com1.exe”. Because com1.exe is a reserved name, Windows interprets the request as trying to use the COM port, and the handle is “\Device\Serial0”.

A virus can call itself com1.exe and can run itself with “\\.\c:\virus-dir\com1.exe” or “\\.\c:\virus-dir\com1.virus.exe” paths, so this can create some problems with CCE. In a nutshell, CCE isn’t able to analyze files called com1.exe, com1.a.exe, com1.b.exe, etc. (com1.exe, com1.*.exe).

I want to report this bug also with Main format:


Main format (I don’t know if I did it well):

A. THE BUG ISSUE (Varies from issue to issue)
  • Summary: Pls give a clear summary in the topic subject, NOT here.
  • Can U reproduce the problem & if so how reliably?: Always.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    a. Open the cmd.exe console.
    b. Type what I underlined and then press Enter:
    md "C:\Example-Directory"
    c. Now type this and then press Enter:
    copy "c:\windows\system32\taskmgr.exe" "\\.\C:\Example-Directory\com1.exe"
    d. Type exit and press Enter.
    e. Launch Comodo Cleaning Essentials, and choose “Custom Scan”.
    f. Don’t check “Don’t scan for viruses” and the boxes at the left. If you check “Don’t scan for viruses” CCE should work because it doesn’t scan for viruses. The checkboxes at the left can be checked, but this is lost time; CCE will remain stuck anyway.
    g. Set the “C:\Example-Directory” folder as the path. Deselect/remove all other paths (including drives). Start the scan.
    h. The scanner will remain stuck. I canceled the scan at the nineteenth minute; there isn’t a timeout.
    i. To delete the folder and the file “com1.exe” inside, open cmd.exe and type
    rd "\\.\C:\Example-Directory" /s /q
    and press Enter. Then type exit and press Enter.
  • If not obvious, what U expected to happen: CCE should open “\\.\C:\Example-Directory\com1.exe” instead of “C:\Example-Directory\com1.exe”.
  • If a software compatibility problem have U tried the conflict FAQ?: I don’t think it is a software compatibility problem.
  • Any software except CIS/OS involved? If so - name, & exact version:
    CCE 6.2.282872.2847
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    I enabled archive scanning, max file size 10000 MB, CAMAS enabled, timeout 300 seconds.
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not malware)

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration: Comodo Firewall 6.2.282872.2847, Proactive
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: D+/HIPS enabled = Safe, Autosandbox/BBlocker enabled = Not safe (Non sicuro), Firewall enabled = Safe, File evaluation = Cloud. I believe Comodo Firewall (free version) hasn’t got the AV, but I’m not sure.
  • Have U made any other changes to the default config? (egs. here):
    Yes. In the firewall, I enabled the filter for IPv6 and loopback traffic, the filter for fragmented IP traffic, and the protocol analysis, but anti-ARP spoofing isn’t enabled.
    In the HIPS I didn’t check the textual popup advice and I didn’t enable the adaptive mode. The advanced protection mode is enabled (Modalità di protezione avanzata).
    In the HIPS rules I set only Cheat Engine because it isn’t recognized by Comodo and otherwise it shows advice about it each time.
  • Have U updated (without uninstall) from CIS 5: Yes, but afterwards I uninstalled it and installed CIS 6.
    - if so, have U tried a clean reinstall - if not please do?: Yes.
  • Have U imported a config from a previous version of CIS: No
    - if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 Professional, SP1, 32bit, UAC=Max level (4), admin, VM not used
  • Other security/sandbox software a) currently installed b) installed since OS: a) Avira Free Antivirus 13.0.0.3640 b) None

I hope this bug will be fixed soon.

P.S.: I left the CCE scan running on this file hoping there was a timeout or something similar to resolve the problem, but at the nineteenth minute, I canceled the scan. In the attachment I arrived only at 9:36. (CAMAS timeout is 300 seconds = 5 minutes).

P.P.S.: Excuse me if my English isn’t perfect, but I want to help you anyway because I think this is a very important product, but I think it’s improvable.

RickyDefended

[attachment deleted by admin]
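As an added example (not part of the original post and not Comodo's code), this sketches the path handling a scanner could apply before opening files: it flags file names that Win32 maps to a DOS device, such as com1.exe or com1.a.exe, and returns the \\.\ form the post says should be opened instead. The function names and sample paths are assumptions constructed for illustration.

```python
import re

# Classic reserved DOS device names, matched case-insensitively.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}

# Device-path prefixes: paths that start with one of these are not
# subject to DOS device name translation.
DEVICE_PREFIXES = ("\\\\.\\", "\\\\?\\")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def dos_device_stem(path):
    """Return the device name (e.g. 'COM1') that a plain Win32 path would be
    redirected to, or None if the last component is an ordinary file name."""
    if path.startswith(DEVICE_PREFIXES):
        return None
    last = path.replace("/", "\\").rsplit("\\", 1)[-1]
    # Everything after the first '.' or ':' is ignored, as are trailing
    # spaces, so com1.exe and com1.a.exe both reduce to COM1.
    stem = re.split(r"[.:]", last, maxsplit=1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED else None


def to_device_path(path, prefix="\\\\.\\"):
    """Return the prefixed form of a fully qualified drive path."""
    if path.startswith(DEVICE_PREFIXES):
        return path
    if not DRIVE_PATH.match(path):
        raise ValueError(f"expected a fully qualified drive path: {path!r}")
    return prefix + path


def plan_scan(paths):
    """For each path: (original, path to open, device it would have hit)."""
    return [(p, to_device_path(p), dos_device_stem(p)) for p in paths]


# Constructed sample input, modelled on the file names in the report.
SAMPLE = [
    r"C:\Example-Directory\com1.exe",
    r"C:\Example-Directory\com1.example.exe",
    r"C:\Example-Directory\com10.exe",
    r"C:\Example-Directory\taskmgr.exe",
]

if __name__ == "__main__":
    for original, open_as, device in plan_scan(SAMPLE):
        print(f"{original} -> open {open_as} (device: {device})")
```

Prefixing every path before opening it is the simpler policy; the detection function is mainly useful for logging which files would otherwise have been redirected to a device.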

Yes, it is a bug. I can reproduce it on my machine; we will report bugs in our system. Thank you very much!