Preventing files being BBlocked & handling BBlocker alerts [v6]

1. FIRST CHECK THIS:
If you have ‘Block all unknown requests’ ticked in Defense plus settings, and you have no reason to believe you are infected by malware, untick it. Then reboot. (It may seem strange to ask you to check this first, but if you have this ticked all the other solutions may fail).

2. THEN DO THE FOLLOWING:
If you are not sure the file is trustworthy, please leave it Behavior Blocked (BB’d), submit it for analysis by Comodo using the Submit action in Advanced Settings ~ Security ~ File Rating ~ Unrecognised files ~ Arrow, and wait until it is pronounced safe or otherwise. If you are getting repeated alerts during this period you can try the workarounds.

If you are sure the file is trustworthy use the removal techniques below.

REMOVAL TECHNIQUES
A. If a file is causing an ‘Application Isolation’ notification or a ‘Sandboxed As’ log entry or appears as Restriction=Partially limited, Rating=Unknown in the Advanced Tasks ~ Watch Activity process list.

  • Look in Advanced Settings ~ Security ~ File Rating ~ Unrecognised files, and choose ‘Move’ to move any files you trust to ‘Trusted Files’. (You can also make a single file trusted using the link in the notification, but using unrecognised files is surer and deals with all the files in one go). Then reboot.
  • If this does not work, or if this causes further files from the same directory to be Behavior Blocked, go to Trusted Files and add the entire program directory and sub-directories to Trusted Files. Then reboot.
  • If this does not work, this is likely because the program is being frequently updated. In this case add the file to Advanced Settings ~ Security ~ Defense + ~ Behavior Blocker ~ Exclusions.

B. If a file is causing ‘Unlimited Access’ alerts or ‘Open file, block process’ log entries or appears as Rating=Unknown (Installer) in the Advanced Tasks ~ Watch Activity process list.

  • Tell CIS to ‘always trust this file/package’ on the alert. Then reboot.
  • If this does not work, this is likely because the program is being frequently updated. Please try the third solution in A above (adding the file to the Behavior Blocker Exclusions).

C. If there are no Behavior Blocker alerts or log entries etc., but you think a file may be Behavior Blocked anyway: look in Defense Plus ~ Unrecognised Files and choose ‘Move’ to move any files you trust to ‘Trusted Files’. Then reboot.

D. (Provisional guidance subject to confirmation) If multiple different files with similar names are causing any form of Behavior Blocker alert or log entry, or appear as Restriction=Partially limited, Rating=Unknown in the Advanced Tasks ~ Watch Activity process list, it probably means that a program is creating and running new executables as part of its function. The make facility in development tools (eg IDEs) does this. To resolve this, determine the file that is creating or running the executables by observing the sequence in real time using the Advanced Tasks ~ Watch Activity process list. Then add the file to Advanced Settings ~ Security ~ Defense + ~ Behavior Blocker ~ Exclusions. Finally, define a group for the file pattern that is getting Behavior Blocked (eg make*.??) using Advanced Settings ~ Security ~ Defense + ~ HIPS ~ File Protection ~ Arrow ~ Groups and add the group to Advanced Settings ~ Security ~ Defense + ~ Behavior Blocker ~ Exclusions.
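
Before trusting a whole program directory (technique A) or excluding a file pattern such as make*.?? (technique D), it helps to list exactly which files the entry would cover. The following is an added example, not part of the original guide and not Comodo tooling; the function name and the directory paths are hypothetical, and PowerShell's `-like` wildcard matching is assumed to approximate how CIS matches the pattern.

```powershell
# Added example: inventory what a Trusted Files directory entry or a
# Behavior Blocker exclusion pattern would cover, with signature status.
function Get-TrustScope {
    param(
        [Parameter(Mandatory)] [string] $Directory,  # hypothetical program directory
        [string] $Pattern = '*',                     # e.g. 'make*.??' from technique D
        [string[]] $Extensions = @('.exe', '.dll', '.sys', '.com', '.scr')
    )

    Get-ChildItem -LiteralPath $Directory -Recurse -File -ErrorAction SilentlyContinue |
        # Keep only names the wildcard pattern would match.
        Where-Object { $_.Name -like $Pattern } |
        # With no pattern given, restrict the listing to common executable types.
        Where-Object { $Pattern -ne '*' -or $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified  = $_.LastWriteTime # recent dates suggest a frequently updated file
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Constructed usage 1: files in a directory that are NOT validly signed,
# to review before adding the directory to Trusted Files.
Get-TrustScope -Directory 'C:\Program Files\ExampleApp' |
    Where-Object Signature -ne 'Valid' |
    Format-Table Path, Signature, Modified -AutoSize

# Constructed usage 2: everything a 'make*.??' exclusion group would match
# under a build directory.
Get-TrustScope -Directory 'C:\Dev\build' -Pattern 'make*.??' |
    Format-Table Path, Signature, Signer -AutoSize
```

Unsigned or recently modified files in the output are the ones worth submitting for analysis rather than trusting in bulk.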

If you cannot solve your problems using these techniques then you can try the workarounds here.

WORKAROUNDS

  • If you think the file might be a Windows program, try creating a restore point and running ‘sfc /scannow’ at the DOS prompt with the Windows installation disk in your CD drive, then rebooting. This ensures all Windows files are code signed and correct versions. You can also try using Microsoft Update to bring your system files right up to date. Re-installing your service packs can also help if installation may have been incomplete, but is not for the faint hearted!
  • If the file cannot be found anywhere on the disk (try a Windows Explorer search, explicitly including hidden and system files), you can try creating a dummy file using the guidance here, then adding the dummy file to Advanced Settings ~ Security ~ File Rating ~ Trusted Files and rebooting. (With thanks to Piet2468, Languy99 and Don Clarke who helped discover this)
  • Try manually virtualising the files using Advanced Settings ~ Security ~ Defense + ~ Sandbox ~ Add. This replaces Behavior Blocker restrictions by virtualisation which should allow the software to run better than it does manually sandboxed, whilst still protecting your system reasonably well.