Author Topic: List of current bugs discussion  (Read 24891 times)

Offline safemode

  • Comodo's Hero
  • *****
  • Posts: 299
Re: List of current bugs discussion
« Reply #75 on: November 27, 2021, 02:27:37 PM »
I've tried out your suggestion. The setting was at default (checked) all the time so I've tried again and now with unchecked setting.
However the issue still persists and also HIPS "Create rules for safe applications" doesn't work when executing a Trusted application elevated as SYSTEM.

So, no change...

Try opening up CIS interface > Tasks > Containment tasks > View Active processes > Under 'Rating' check if the application running as SYSTEM is rated as either Unknown/Installer or Trusted/Installer.

I think the issue maybe lies within the fact that Installer Detection cannot be turned off (even if disabling the suggested setting) but maybe I am mistaken and this has no relation to the issue you are reporting.

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 643
Re: List of current bugs discussion
« Reply #76 on: November 27, 2021, 05:00:57 PM »
HIPS "Create rules for safe applications" doesn't work when executing a Trusted application elevated as SYSTEM.

Seemingly HIPS doesn't monitor Trusted or Unrecognized applications at all when they run elevated as SYSTEM...

I haven't activated "Create rules for safe applications"

And of course some more settings to protect my PC as shown in the attachments.

Edit: Forgotten, I deactivated "trust files by trusted installers".
« Last Edit: November 28, 2021, 02:10:37 AM by prodex »

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 1069
Re: List of current bugs discussion
« Reply #77 on: November 28, 2021, 08:27:58 AM »
Quote
33. HIPS does not monitor access to COM Interfaces that are of InProcServer32 server type, so even when adding a COM object interface by its ProgID or CLSID to protected COM Interfaces, HIPS will not alert on access to that COM object by an unknown application.
Hi all,

Could anyone please elaborate on issue no. 33 as well?
We are checking on issues no. 31 & 32.

Thanks
C.O.M.O.D.O RT

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1832
Re: List of current bugs discussion
« Reply #78 on: November 28, 2021, 12:07:00 PM »
Hello C.O.M.O.D.O RT,

Do you confirm issue no. 30 including not working "Create rules for safe applications" as elaborated in previous posts?

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 1069
Re: List of current bugs discussion
« Reply #79 on: November 29, 2021, 03:49:15 AM »
Hello C.O.M.O.D.O RT,

Do you confirm issue no. 30 including not working "Create rules for safe applications" as elaborated in previous posts?
Hi CISfan,

We have checked and were not able to reproduce issue no. 30.
And for the "Create rules for safe application" issue, we did check the option "create rules for safe application" & HIPS in "safemode" and ran some trusted applications; the rules are created & listed in the HIPS rules setting as "Create rules for safe application" is checked.
Or did we miss something?
May I know your:
1. Win version & system type (32bit/64bit)?
2. CIS/CFW version?

Thanks
C.O.M.O.D.O RT

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1832
Re: List of current bugs discussion
« Reply #80 on: November 29, 2021, 04:17:20 AM »
Hi CISfan,

We have checked and were not able to reproduce issue no. 30.
And for the "Create rules for safe application" issue, we did check the option "create rules for safe application" & HIPS in "safemode" and ran some trusted applications; the rules are created & listed in the HIPS rules setting as "Create rules for safe application" is checked.
Or did we miss something?
May I know your:
1. Win version & system type (32bit/64bit)?
2. CIS/CFW version?

Thanks
C.O.M.O.D.O RT

Hello C.O.M.O.D.O RT,

Answering your question 1 & 2 : V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

Regarding the not working "Create rules for safe applications", did you run the Trusted applications elevated to SYSTEM ?
Note that when running the same Trusted applications normally (not elevated) "Create rules for safe applications" does work correctly. The issue happens when Trusted applications run elevated to SYSTEM, have you tried that?
Please also make sure to delete the Trusted application HIPS rule(s) before running the Trusted application to have HIPS re-create the rule when running the Trusted application.

Regarding issue no.30 (and the "Create rules for safe applications" issue) did you try to reproduce it on Windows 10, 8 and 7 ?

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 1069
Re: List of current bugs discussion
« Reply #81 on: November 29, 2021, 06:09:42 AM »
Hello C.O.M.O.D.O RT,

Answering your question 1 & 2 : V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

Regarding the not working "Create rules for safe applications", did you run the Trusted applications elevated to SYSTEM ?
Note that when running the same Trusted applications normally (not elevated) "Create rules for safe applications" does work correctly. The issue happens when Trusted applications run elevated to SYSTEM, have you tried that?
Please also make sure to delete the Trusted application HIPS rule(s) before running the Trusted application to have HIPS re-create the rule when running the Trusted application.

Regarding issue no.30 (and the "Create rules for safe applications" issue) did you try to reproduce it on Windows 10, 8 and 7 ?
Hi CISfan,

We did run a trusted application as "administrator" and checked the HIPS rules setting; the rules are being created for the trusted application which is run as administrator.
HIPS is in "safemode" and the option "create rules for safe application" is checked.
We have checked on Win 10, 7 & 8 machines.
So, we were not able to reproduce this issue.
 
Thanks
C.O.M.O.D.O RT

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1832
Re: List of current bugs discussion
« Reply #82 on: November 29, 2021, 06:22:15 AM »
Hi CISfan,

We did run a trusted application as "administrator" and checked the HIPS rules setting; the rules are being created for the trusted application which is run as administrator.
HIPS is in "safemode" and the option "create rules for safe application" is checked.
We have checked on Win 10, 7 & 8 machines.
So, we were not able to reproduce this issue.
 
Thanks
C.O.M.O.D.O RT

Hello C.O.M.O.D.O RT,

Issue no.30 and the issue "Create rules for safe applications" only happen when applications first are elevated from "administrator" to "SYSTEM" before they are run. Please run the applications with SYSTEM credentials (not administrator) and check again.
Thank you.

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 1069
Re: List of current bugs discussion
« Reply #83 on: November 29, 2021, 06:35:53 AM »
Hello C.O.M.O.D.O RT,

Issue no.30 and the issue "Create rules for safe applications" only happen when applications first are elevated from "administrator" to "SYSTEM" before they are run. Please run the applications with SYSTEM credentials (not administrator) and check again.
Thank you.
Hi CISfan,

Could you please check your inbox for pm and respond.
 
Thanks
C.O.M.O.D.O RT

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5364
Re: List of current bugs discussion
« Reply #84 on: November 29, 2021, 04:39:33 PM »
Hi CISfan,

We have checked and were not able to reproduce it; whoever added issue no. 30 to the List of current bugs, could you please elaborate so that we can check and report this to the team.

Thanks
C.O.M.O.D.O RT
Run any keylogger or any application that can perform direct disk access, such as a hex editor, and run them as SYSTEM using the Process Hacker "run as" feature. HIPS will not alert and automatically allows the action for the following HIPS access rights: Direct Disk, Direct Keyboard, Direct Monitor, Direct Physical Memory, Access to protected COM interfaces, DNS/RPC Client service, and Interprocess memory access.
« Last Edit: November 29, 2021, 04:51:23 PM by futuretech »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5364
Re: List of current bugs discussion
« Reply #85 on: November 29, 2021, 04:50:49 PM »
Hi all,

Could anyone please elaborate on issue no. 33 as well?
We are checking on issues no. 31 & 32.

Thanks
C.O.M.O.D.O RT
One easy way to check is to get OleViewDotNet, then click the Registry menu and select Prog IDs to list all registered COM objects by their Program IDs, then expand WindowsInstaller.Installer. Once you expand the COM object it should produce an alert for that specific COM object due to the default COM interface WindowsInstaller.* being listed under protected COM interfaces. Now if you try to expand the InternetExplorer.Application.1 COM interface, you will get an alert for OleViewDotNet trying to access the protected COM interface of InternetExplorer.Application.1.
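
A registry check that complements the OleViewDotNet test above and the InProcServer32 point in issue no. 33, added here as an example (it is not part of any forum post and not Comodo's code): it reports whether each ProgID on the protected COM interfaces list is registered as an in-process or out-of-process server, so you know which entries fall under the reported gap. `Get-ComServerType` is a hypothetical helper name, and only the native `HKEY_CLASSES_ROOT` view is read.

```powershell
# Added example (not from the thread): report whether a COM ProgID is registered
# as an in-process server (InprocServer32) or an out-of-process one (LocalServer32).
# Get-ComServerType is a hypothetical helper name; it only reads HKEY_CLASSES_ROOT.
function Get-ComServerType {
    param([Parameter(Mandatory)][string[]]$ProgId)

    foreach ($id in $ProgId) {
        $root = 'Registry::HKEY_CLASSES_ROOT'
        $name = $id

        # A version-independent ProgID may only point at its current version.
        $curVer = "$root\$name\CurVer"
        if (-not (Test-Path -LiteralPath "$root\$name\CLSID") -and (Test-Path -LiteralPath $curVer)) {
            $name = (Get-Item -LiteralPath $curVer).GetValue('')
        }

        $clsid = $null
        if (Test-Path -LiteralPath "$root\$name\CLSID") {
            $clsid = (Get-Item -LiteralPath "$root\$name\CLSID").GetValue('')
        }

        # Collect every server key present; a class can register more than one.
        $servers = [ordered]@{}
        if ($clsid) {
            foreach ($type in 'InprocServer32', 'LocalServer32') {
                $key = "$root\CLSID\$clsid\$type"
                if (Test-Path -LiteralPath $key) {
                    $servers[$type] = (Get-Item -LiteralPath $key).GetValue('')
                }
            }
        }

        [pscustomobject]@{
            ProgId     = $id
            Clsid      = $clsid
            ServerType = if ($servers.Count) { $servers.Keys -join ', ' } else { 'not found' }
            Binary     = $servers.Values -join '; '
        }
    }
}

# The two ProgIDs named in the post above.
Get-ComServerType -ProgId 'WindowsInstaller.Installer', 'InternetExplorer.Application.1' |
    Format-List
```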

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1832
Re: List of current bugs discussion
« Reply #86 on: November 29, 2021, 04:56:57 PM »
Run any keylogger or any application that can perform direct disk access, such as a hex editor, and run them as SYSTEM using the Process Hacker "run as" feature. HIPS will not alert and automatically allows the action for the following HIPS access rights: Direct Disk, Direct Keyboard, Direct Monitor, Direct Physical Memory, Access to protected COM interfaces, DNS/RPC Client service, and Interprocess memory access.

I've provided C.O.M.O.D.O RT another "run as SYSTEM" method that I've used during testing issue no.30. I confirm that the process hacker run as feature yields the same issue result.

Could you replicate also the not working "Create rules for safe applications" issue, related to no.30, as described in my previous posts?

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 1069
Re: List of current bugs discussion
« Reply #87 on: November 30, 2021, 05:57:01 AM »
Run any keylogger or any application that can perform direct disk access, such as a hex editor, and run them as SYSTEM using the Process Hacker "run as" feature. HIPS will not alert and automatically allows the action for the following HIPS access rights: Direct Disk, Direct Keyboard, Direct Monitor, Direct Physical Memory, Access to protected COM interfaces, DNS/RPC Client service, and Interprocess memory access.
Hi futuretech,

Could you please check your inbox for pm and respond.

Thanks
C.O.M.O.D.O RT

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 2335
    • ZorKas
Re: List of current bugs discussion
« Reply #88 on: November 30, 2021, 10:07:30 AM »
HIPS will not alert and automatically allows the action

Does it depend on the processes already requested ?

Windows 10 Pro x64 22H2 Build 19045.2486 - Windows 11 Pro x64 22H2 Build 22621.1105 - Linux Emmabuntus x64 ED4 - Comodo CIS Pro v.12.2.2.8012

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 1069
Re: List of current bugs discussion
« Reply #89 on: December 01, 2021, 07:08:29 AM »
Hi all,

Issues no. 30 & 31 have been reported to the team.
Thanks to futuretech for providing the detailed information & video for issues no. 30 & 31.

Thanks
C.O.M.O.D.O RT

 
