Defense+ image execution bug or normal and why

Today I’ve seen something weird in Comodo Defense+ (on safe and/or paranoid mode).

When “execution control level = enabled” and “treat unrecognized files checked as BLOCKED”
Defense+ rule “run an executable” got ignored and the execution of a program, if safe (trusted vendor), gets allowed automatically; if unrecognized, it gets blocked automatically, without any alerts in both cases.

Now all the above applies to sandbox as well: if unrecognized, it gets blocked automatically and sandboxed; if safe (trusted vendor), it gets allowed automatically without being sandboxed. (normal)

Example:
When I have a rule for winrar in defense+ rules under “run an executable” and comodo dragon listed in the “blocked*” list or “not listed**”.

When using winrar’s built-in virus scan button and choosing comodo dragon —>
*dragon just runs auto and ignores my rule.
**dragon just runs auto and ignores my rule.
However if “treat unrecognized files is not checked or checked and anything except blocked”
*dragon will not run
** I get an alert that winrar is trying to execute dragon

When using winrar’s built-in virus scan button and choosing “?.exe” (any unrecognized exe) —>
It will get blocked in all cases

Conclusion:
When “execution control level = enabled” and “treat unrecognized files checked as BLOCKED”
Defense+ rule “run an executable” is not applied and it is all about the file (safe or not) (vendor ok?)

I have checked this on several machines and all gave the same result. Can anyone confirm this or disagree?
I can screen video record that and post it here next if you want (less than 5 MB file).

I edited your post to have capitals at the beginning of each sentence. That makes it easier to read or skim posts more efficiently. Eric

Treat unrecognised files as blocked only works for sandboxing and unrecognised files. The setting does not work for when a file gets run in the sandbox manually. When running a file in the sandbox manually the settings under Sandbox Settings apply. That is confusing when using CIS for the first time.

> and the execution of a program, if safe (trusted vendor), gets allowed automatically

If the slider of Defense + Settings is set to Safe Mode then that is expected behaviour; also in Paranoid mode.

> if unrecognized, it gets blocked automatically, without any alerts in both cases.

For the latter case. The manual states: "By default, CIS will display an alert whenever it runs an unknown application in the sandbox." Strictly speaking blocking is not sandboxing so it will not give an alert. I just tried this in v6 mod preview and it will not alert when blocking. I think the situation will be the same on v5.x (I can't test right now).

> Now all the above applies to sandbox as well: if unrecognized, it gets blocked automatically and sandboxed; if safe (trusted vendor), it gets allowed automatically without being sandboxed. (normal)
>
> Example:
> When I have a rule for winrar in defense+ rules under “run an executable” and comodo dragon listed in the “blocked*” list or “not listed**”.
>
> When using winrar’s built-in virus scan button and choosing comodo dragon —>
> *dragon just runs auto and ignores my rule.
> **dragon just runs auto and ignores my rule.

This is confusing. Are you running an anti virus scan from Winrar on Dragon? Or do you use Winrar AV scan facility to launch Dragon? What AV does Winrar call?

> However if "treat unrecognized files is not checked or checked and anything except blocked" *dragon will not run ** I get an alert that winrar is trying to execute dragon

Are you using an explorer dialogue box to start Dragon?

> When using winrar's built-in virus scan button and choosing "?.exe" (any unrecognized exe) ---> It will get blocked in all cases
>
> Conclusion: When "execution control level = enabled" and "treat unrecognized files checked as BLOCKED" Defense+ rule "run an executable" is not applied and it is all about the file (safe or not) (vendor ok?)

Could you rephrase and describe your conclusions more extensively?

reconclusion:
When “execution control level = enabled” and “treat unrecognized files checked as BLOCKED”
Defense+ rule “run an executable” is not applied.
At this moment Comodo Defense+ acts according to the Trusted Files list and ignores whatever is in “run an executable” under the Defense+ rule of the specific program.

About winrar and dragon:
I’m using winrar’s built-in virus scan to trigger the Comodo Defense+ alert about “run an executable”.
You can use anything else, e.g. (internet download manager to open a pdf file); this will trigger an alert that internet download manager wants to execute acrord32.exe. (got my point?)

Retest recorded:
Attached an avi file (1.46 GB), 8 mins of screen recording, in a winrar archive compressed to (8 mb only); it will take 2-3 mins or less to unrar it. PLEASE watch the video at X2 speed (so you will waste 4 mins from your life only).

[attachment deleted by admin]

The key is that the automatic sandbox setting plays a role where it should not be playing a role. It should not be overriding a D+ rule.

I got curious and made a similar testing case using XnView to start Dragon while using the mod preview of CIS v6.

I made a custom D+ rule for XnView to block the starting of Dragon. With v6 the bug you found seems to be fixed. Changing the automatic sandbox between Partially Limited and Blocked had no influence. XnView could not start Dragon.

Thank you for the fast reply. As for now the final official version is 5.10 and you confirm that the bug is on this version; however, the bug is fixed on v6.

That is what I understand from your reply. Is my understanding right, or did I misunderstand something?

THANK YOU EricJH
:smiley:

The problem is fixed in v6.

All clear now.
:smiley: ;D

:rocks: