Different? What's different if I download Comodo from the Comodo website!
(This is what I got when I was installing it.)
Unless Comodo changed something in the installer, which has happened once before, I would expect an alert in which I am asked to reboot now or postpone. The alert will suggest a 30 minute delay by default and not a countdown counter of 30s.
This is the first place which should be protected from attackers!!!!
Did you check whether the digital signature is intact?
Don't forget what happened to so many companies which were using Symantec Endpoint Protection, when cybercriminals completely removed the antivirus and did what they liked!
The antivirus folder should always be protected!!
Antivirus services should always be protected!!
As stated above, I share your concerns in case your scenario reproduces. But I also have to stay critical about your testing environment at the same time in the process.
Could you check the logs:
Normally CIS should sandbox an unknown executable and should protect itself. That has me wondering what is going on. Does the executable also contain an exploit to get this type of access? Can you also check the Defense+ logs and the Alerts logs to see if CIS registered the executable getting executed?
In your PM you're offering a download link for your test file. Could you send me a download link by PM? We do not allow download links to be posted at the forums, but when a member asks for a download link you can send the link by PM. That way people can test the file while we protect inexperienced users.
We are not in the habit of publishing the content of PMs at the forums, but I would like to ask you to share at the forum what you wrote me about how you made your test file and on what platforms it reproduces.