List of current bugs discussion

[C.O.M.O.D.O RT]

Hi all,

As we always say CIS is not dead. Development plans are still going on.
We have already confirmed and provided these list of current bugs to the developers and few bugs are already fixed & yet to be released. Among them we couldn't reproduce 6 issues, but still they were brought to developers notice.
6. Embedded-code detection for misexec.exe does not work so msiexec.exe /I <URL to msi packaage> will not be detected.
13. Infinite loop of cloud scanner detection when executing an application that is detected by cloud scanner file lookup. Choosing clean or any of the ignore options will still bring up the alert and you can't do anything else unless you hard shutdown the system.
17. AV still scans executable files even when the executable is listed under scan exclusions.
19. Network zone or firewall rules using a host name is unusable as the firewall will use all IP addresses in range from lowest resolved IP to highest resolved IP, instead of just the IP's belonging to the domain. e.g. <IPV4 Name="yahoo.com" AddrType="16" AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>. So every IP address within that range will be blocked if you created a block rule based on host name type or used blocked network zones with host name type. However in the registry there is another value called Addrs that does contain a list of IP addresses that do pertain to the domain. But it seems it is not used yet?
21. HIPS rules using environment variables are not handled correctly as alerts will still be shown for applications that already have rules in place. One example is using paranoid mode and still getting alerts for svchost.exe and from explorer.exe to access keyboard despite rules already set to allow. Another example which is kind of related to bug 8. listed previously, using paranoid mode while executing applications on removable media or mounted volumes. When explorer HIPS file path rule is defined using the environmental variable %windir% (default HIPS rule), HIPS will always ask to execute the same application. Changing the HIPS rule path to C:\Windows does not alert again.
39. Firewall blocks outgoing connection requests for trusted applications at system startup if they attempt network access before CIS UI is loaded(cis tray and alerts UI processes) causing many blocked events in the firewall log for those trusted rated applications.
So, Could you please provide us the related forum link or step to reproduce of above mentioned 6 issues for further investigation.

11. Firefox and IE a blank page is shown instead of the Comodo block page when blocking/asking for HTTPS URLs.

And the issue no-11 won't be fixed as the developer has said that there is no way to show block page for https url ,because it is encrypted and we can only block it.

Thanks
C.O.M.O.D.O RT

[ZorKas]

Hi,

Many thanks to the whole team 

[prodex]

The list with bugs is closed.

https://github.com/advisories/GHSA-jx54-6487-2fhh

 Published on 22 Jun ? Updated on 29 Jun

Comodo Antivirus 12.2.2.8012 has a quarantine flaw

Description
Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

[victorlopes]

Hi all,

As we always say CIS is not dead. Development plans are still going on.
We have already confirmed and provided these list of current bugs to the developers and few bugs are already fixed & yet to be released. Among them we couldn't reproduce 6 issues, but still they were brought to developers notice.
6. Embedded-code detection for misexec.exe does not work so msiexec.exe /I <URL to msi packaage> will not be detected.
13. Infinite loop of cloud scanner detection when executing an application that is detected by cloud scanner file lookup. Choosing clean or any of the ignore options will still bring up the alert and you can't do anything else unless you hard shutdown the system.
17. AV still scans executable files even when the executable is listed under scan exclusions.
19. Network zone or firewall rules using a host name is unusable as the firewall will use all IP addresses in range from lowest resolved IP to highest resolved IP, instead of just the IP's belonging to the domain. e.g. <IPV4 Name="yahoo.com" AddrType="16" AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>. So every IP address within that range will be blocked if you created a block rule based on host name type or used blocked network zones with host name type. However in the registry there is another value called Addrs that does contain a list of IP addresses that do pertain to the domain. But it seems it is not used yet?
21. HIPS rules using environment variables are not handled correctly as alerts will still be shown for applications that already have rules in place. One example is using paranoid mode and still getting alerts for svchost.exe and from explorer.exe to access keyboard despite rules already set to allow. Another example which is kind of related to bug 8. listed previously, using paranoid mode while executing applications on removable media or mounted volumes. When explorer HIPS file path rule is defined using the environmental variable %windir% (default HIPS rule), HIPS will always ask to execute the same application. Changing the HIPS rule path to C:\Windows does not alert again.
39. Firewall blocks outgoing connection requests for trusted applications at system startup if they attempt network access before CIS UI is loaded(cis tray and alerts UI processes) causing many blocked events in the firewall log for those trusted rated applications.
So, Could you please provide us the related forum link or step to reproduce of above mentioned 6 issues for further investigation.And the issue no-11 won't be fixed as the developer has said that there is no way to show block page for https url ,because it is encrypted and we can only block it.

Thanks
C.O.M.O.D.O RT

this is really good to know but please, dont take me wrong and dont be sad about it but this kind of answers we are getting for atleast 1 year. I understand many things and I will stay quit, waiting for things to show up, but then again, say that development is kicking is not enough to make us relaxed

anyway, thank you for be here, always, trying to bring some info, even if not news, but still, youre trying to do your best with what they bring to you. so thank you.

[futuretech]

Hi all,

As we always say CIS is not dead. Development plans are still going on.
We have already confirmed and provided these list of current bugs to the developers and few bugs are already fixed & yet to be released. Among them we couldn't reproduce 6 issues, but still they were brought to developers notice.
6. Embedded-code detection for misexec.exe does not work so msiexec.exe /I <URL to msi packaage> will not be detected.
13. Infinite loop of cloud scanner detection when executing an application that is detected by cloud scanner file lookup. Choosing clean or any of the ignore options will still bring up the alert and you can't do anything else unless you hard shutdown the system.
17. AV still scans executable files even when the executable is listed under scan exclusions.
19. Network zone or firewall rules using a host name is unusable as the firewall will use all IP addresses in range from lowest resolved IP to highest resolved IP, instead of just the IP's belonging to the domain. e.g. <IPV4 Name="yahoo.com" AddrType="16" AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>. So every IP address within that range will be blocked if you created a block rule based on host name type or used blocked network zones with host name type. However in the registry there is another value called Addrs that does contain a list of IP addresses that do pertain to the domain. But it seems it is not used yet?
21. HIPS rules using environment variables are not handled correctly as alerts will still be shown for applications that already have rules in place. One example is using paranoid mode and still getting alerts for svchost.exe and from explorer.exe to access keyboard despite rules already set to allow. Another example which is kind of related to bug 8. listed previously, using paranoid mode while executing applications on removable media or mounted volumes. When explorer HIPS file path rule is defined using the environmental variable %windir% (default HIPS rule), HIPS will always ask to execute the same application. Changing the HIPS rule path to C:\Windows does not alert again.
39. Firewall blocks outgoing connection requests for trusted applications at system startup if they attempt network access before CIS UI is loaded(cis tray and alerts UI processes) causing many blocked events in the firewall log for those trusted rated applications.
So, Could you please provide us the related forum link or step to reproduce of above mentioned 6 issues for further investigation.And the issue no-11 won't be fixed as the developer has said that there is no way to show block page for https url ,because it is encrypted and we can only block it.

Thanks
C.O.M.O.D.O RT

6. enable embedded code detection for msiexec and open a command or powershell prompt, then enter msiexec.exe /i url to msi package e.g. https://d3.7-zip.org/a/7z2201-x64.msi

13. install firewall only, switch to proactive configuration, disable auto-continment, and run pchunter.

17. add all applications file group to av scan exclusions, open procmon and filter on cavwp.exe file system activity, execute any application and watch cavwp perform file i/o on exe file.

19. added bug report topic.

[C.O.M.O.D.O RT]

6. enable embedded code detection for msiexec and open a command or powershell prompt, then enter msiexec.exe /i url to msi package e.g. https://d3.7-zip.org/a/7z2201-x64.msi

13. install firewall only, switch to proactive configuration, disable auto-continment, and run pchunter.

17. add all applications file group to av scan exclusions, open procmon and filter on cavwp.exe file system activity, execute any application and watch cavwp perform file i/o on exe file.

19. added bug report topic.

Hi futuretech,

Thank you so much for sharing the information.
We will test and update you.

Thanks
C.O.M.O.D.O RT

[hicham0716]

Hi futuretech,

Thank you so much for sharing the information.
We will test and update you.

Thanks
C.O.M.O.D.O RT

did you get my message bro?

[C.O.M.O.D.O RT]

did you get my message bro?

Hi hicham0716,

Yes we have got your message and take that to the team notice.
We will keep you posted.

Thanks
C.O.M.O.D.O RT

[Avos]

Hello COMODO RT,
do you have any news for us?
I honestly don't understand why block other discussions.

[Adrosmart]

Well, guys, it was nice while it lasted. I have Comodo since 2008 and I can honestly say it never failed me. I guess the pandemic or maybe having too many free users as opposed to the licensed ones put too much strain on the company. Right now we are probably one bad windows 10 update from incompatibility.

So what is our next option after Comodo is no longer supported?

[NoScript]

Well, guys, it was nice while it lasted. I have Comodo since 2008 and I can honestly say it never failed me. I guess the pandemic or maybe having too many free users as opposed to the licensed ones put too much strain on the company. Right now we are probably one bad windows 10 update from incompatibility.

So what is our next option after Comodo is no longer supported?

Portmaster looks very promising but its still in Alpha and kinda hard to fully understand but its free.

[Adrosmart]

Portmaster looks very promising but its still in Alpha and kinda hard to fully understand but its free.

Never heard of Portmaster but I will check it out. I was reading some other forums and it seems WiseVector StopX is doing quite a bit of waves and it has a HIPS component similar to Comodo plus they are also sporting some kind of AI detection method. One thing I don't like about it is that the developers are based in China.

I really hope Comodo will pull through.

[owyhee]

Avast. Seems ok. Just waiting for news on comodo

[victorlopes]

no news about these bugs? nothing yet?

[victorlopes]

Avast. Seems ok. Just waiting for news on comodo

avast or avg... run away from these things...

so, nothing new about cis? ceo abandoned us and the forum. real good way of making trust online.