Author Topic: [Solved] Keeps blocking a Trusted manually unblocked file  (Read 278 times)

Offline Bucic

  • Comodo's Hero
  • *****
  • Posts: 223
[Solved] Keeps blocking a Trusted manually unblocked file
« on: June 05, 2019, 04:18:07 PM »
HIPS is the offender. I have finally caught it doing that and noted it down this time, with Arma's (a Bohemia Interactive game) exe. But the thing has been happening for a long time on my system, at least since the beginning of 2019 (so CIS 11).
Here are some screenshots, for Arma as well as for RivaTuner Statistics Server (part of MSI Afterburner).
https://1drv.ms/f/s!AvyUQyNGJs9mkd0lqCbbUEk6ezkapg
« Last Edit: June 09, 2019, 12:58:36 PM by Bucic »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4289
Re: Keeps blocking a Trusted manually unblocked file
« Reply #1 on: June 05, 2019, 04:40:18 PM »
This has been explained to death; if you search the forums you will find the answer. Also, you can't rely on the Blocked Applications list, as it doesn't provide any useful information as to why something gets blocked. Besides, using Unblock Application does not cover all cases to unblock an application from HIPS.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25476
Re: Keeps blocking a Trusted manually unblocked file
« Reply #2 on: June 06, 2019, 09:48:56 AM »
Blocked Applications is not a useful feature and as far as I am concerned Comodo removes it. It creates confusion as explained in another topic of yours: https://forums.comodo.com/defense-sandbox-help-cis/blocks-its-own-secure-shopping-csssrv64exe-t124368.0.html .

Only the HIPS Logs provide the complete and exact picture of what is being blocked. Is the functionality of the programs affected? Probably not, because you are concerned with the message that they are being blocked. The most likely reason they show up blocked is that CIS is blocking interprocess memory access; it is CIS protecting itself. Only in very rare cases programs get impaired when they can't access CIS processes in memory. Also Blocked Applications is not capable of allowing memory access, for which I am happy coz it will lessen security.

Offline Bucic

  • Comodo's Hero
  • *****
  • Posts: 223
Re: Keeps blocking a Trusted manually unblocked file
« Reply #3 on: June 06, 2019, 07:14:40 PM »
Quote
Blocked Applications is not a useful feature and as far as I am concerned Comodo removes it. It creates confusion as explained in another topic of yours: https://forums.comodo.com/defense-sandbox-help-cis/blocks-its-own-secure-shopping-csssrv64exe-t124368.0.html .

Only the HIPS Logs provide the complete and exact picture of what is being blocked. Is the functionality of the programs affected? Probably not, because you are concerned with the message that they are being blocked. The most likely reason they show up blocked is that CIS is blocking interprocess memory access; it is CIS protecting itself. Only in very rare cases programs get impaired when they can't access CIS processes in memory. Also Blocked Applications is not capable of allowing memory access, for which I am happy coz it will lessen security.
"Is the functionality of the programs affected?" I'm troubleshooting ArmA's BattlEye problems and I really wouldn't want to have CIS as a variable in this scenario. Especially with anti-cheat protection and an injection-based performance monitoring software running. I don't think I'll be able to tell how their functionality is actually affected either.

I went ahead and created rules for RivaTuner components, MSI Afterburner and ArmA. After I restarted the system I got HIPS blocking RivaTuner right away.
Code:
Date & Time Application Action Target
2019-06-07 00:34:52  C:\Users\hg1\AppData\Local\Temp\VO4KlzQS.exe.part  Scanned online and found malicious 
2019-06-06 20:07:08  C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe  Access Memory  C:\Program Files\COMODO\COMODO Internet Security\cis.exe
2019-06-06 20:07:05  C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe  Access Memory  C:\Program Files\COMODO\COMODO Internet Security\cis.exe 

Could you please share your take on that?

EDIT:
I forgot to add! I used "Allowed application" HIPS ruleset.
« Last Edit: June 07, 2019, 06:40:34 AM by Bucic »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25476
Re: Keeps blocking a Trusted manually unblocked file
« Reply #4 on: June 07, 2019, 11:35:07 AM »
Quote
"Is the functionality of the programs affected?" I'm troubleshooting ArmA's BattlEye problems and I really wouldn't want to have CIS as a variable in this scenario. Especially with anti-cheat protection and an injection-based performance monitoring software running. I don't think I'll be able to tell how their functionality is actually affected either.
If you don't notice the programs are affected, assume they aren't. Anti-cheat protection software can be very sensitive but will block you when it thinks you're cheating (as far as I understand this type of program); it would be in your face.

In case of injection-based performance monitoring you could try allowing interprocess memory access and see if the benchmarks differ before and after allowing.

Quote
I went ahead and created rules for RivaTuner components, MSI Afterburner and ArmA. After I restarted the system I got HIPS blocking RivaTuner right away.
Code:
Date & Time Application Action Target
2019-06-07 00:34:52  C:\Users\hg1\AppData\Local\Temp\VO4KlzQS.exe.part  Scanned online and found malicious 
2019-06-06 20:07:08  C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe  Access Memory  C:\Program Files\COMODO\COMODO Internet Security\cis.exe
2019-06-06 20:07:05  C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe  Access Memory  C:\Program Files\COMODO\COMODO Internet Security\cis.exe 

Could you please share your take on that?

EDIT:
I forgot to add! I used "Allowed application" HIPS ruleset.
Trusted application does not allow interprocess memory access.

On what Windows version are you? With Windows 10 1903 CIS will erroneously report memory access with 32-bit programs:
It is a bug with 1903 and 32-bit applications in which HIPS thinks those applications are trying to perform inter-process memory access for every running process, which includes CIS's own processes. Due to self-protection it will automatically block the inter-process memory access and thus you see the applications listed for blocked applications.

If you are not on Windows 10 1903, this tutorial describes how to allow interprocess memory access for an application: https://forums.comodo.com/defense-sandbox-faq-cis/access-memory-event-log-entries-how-can-i-suppress-these-v6-t92973.0.html .

Edit: A word of warning. Allowing interprocess memory access to CIS processes introduces an element of risk. It is something we only advise doing when a program is not working properly. Then it is worth exploring. If it turns out that memory access will make the program work like it should, then keep it. In case it doesn't make a difference, undo the memory access to CIS processes.
« Last Edit: June 07, 2019, 11:57:42 AM by EricJH »
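
The replies above say that only the HIPS log, not the Blocked Applications list, shows what was blocked and against which target. As an added example (not part of the original posts and not Comodo's code), this Python parser reads the log excerpt quoted in the thread and separates "Access Memory" events aimed at CIS's own processes from everything else. It assumes the two-or-more-space column layout of the pasted excerpt and the default CIS install directory; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log excerpt as pasted in the thread; columns are separated by 2+ spaces.
SAMPLE_LOG = r"""
Date & Time Application Action Target
2019-06-07 00:34:52  C:\Users\hg1\AppData\Local\Temp\VO4KlzQS.exe.part  Scanned online and found malicious
2019-06-06 20:07:08  C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe  Access Memory  C:\Program Files\COMODO\COMODO Internet Security\cis.exe
2019-06-06 20:07:05  C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe  Access Memory  C:\Program Files\COMODO\COMODO Internet Security\cis.exe
"""

# Assumption: CIS lives in its default directory, as in the posted log.
CIS_DIR = r"c:\program files\comodo\comodo internet security" + "\\"


def parse_events(text):
    """Yield (timestamp, application, action, target) for each data row."""
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3:
            continue  # header row or blank line
        try:
            ts = datetime.strptime(cols[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # first column is not a timestamp
        # Some events (e.g. a cloud scan verdict) have no target column.
        yield ts, cols[1], cols[2], cols[3] if len(cols) > 3 else None


def triage(text):
    """Split events into CIS self-protection blocks (per application) and the rest."""
    self_protect, other = defaultdict(list), []
    for ts, app, action, target in parse_events(text):
        aimed_at_cis = bool(target) and target.lower().startswith(CIS_DIR)
        if action.lower() == "access memory" and aimed_at_cis:
            self_protect[app].append(ts)
        else:
            other.append((ts, app, action, target))
    return dict(self_protect), other


if __name__ == "__main__":
    blocks, rest = triage(SAMPLE_LOG)
    for app, times in blocks.items():
        print(f"self-protection: {app} ({len(times)} event(s))")
    for ts, app, action, _ in rest:
        print(f"review separately: {ts} {app}: {action}")
```

Events in the second group, such as the "Scanned online and found malicious" entry, are unrelated to self-protection and deserve their own look.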

Offline Bucic

  • Comodo's Hero
  • *****
  • Posts: 223
Re: Keeps blocking a Trusted manually unblocked file
« Reply #5 on: June 08, 2019, 01:22:35 PM »
Thank you for the explanation and tips!
I use Windows 7 x64

I hope this unfortunate part of UX gets replaced soon.

 
