Topic: List of current bugs

futuretech (Global Moderator)
List of current bugs
« on: January 28, 2021, 12:33:24 PM »
This is a curated list of bugs found in the latest available CIS version 12.2.2.8012. Anyone who wishes to add bugs they have found should still continue to post to the bug report board, preferably in the bug reporting format or in such a way that all necessary information is included in the post. Reported bugs that have been confirmed by Comodo or reproduced by more than one user will be added to this list. All other posts and discussion of this list have been split into a separate topic and should be used for further discussion: List of current bugs discussion topic.

Bug list, last updated 1/12/2022

1. Silent mode firewall silently blocks network access for unrecognized applications and does not log the block.

2. Firewall does not filter network access when windivert or wintun is being used. Cloudflare Warp uses windivert; applications that use wintun are OpenVPN version 2.5 or later and WireGuard. Do note that Windows Firewall and other 3rd-party firewalls that use WFP can still perform application filtering when wintun and windivert are running.

3. Sandbox bypass with ssts64 fileacc1.exe and filectl1.exe: when run in containment, they are still able to modify files outside of the sandbox. Fileacc1 is able to change the security descriptor of files/folders by setting deny for the "Everyone" user group. Filectl1 is able to overwrite file contents with NULL bytes using the FSCTL_SET_ZERO_DATA I/O control code.

4. HIPS/Sandbox bypass with SetVolumeMountPoint and DeleteVolumeMountPoint. The fix would be to hook the SetVolumeMountPoint and DeleteVolumeMountPoint WinAPI functions and treat them as a form of direct disk access, like CIS does for the DefineDosDevice API function. That way you get a HIPS alert for direct disk access, and it would be auto-blocked when run in containment any time an application calls these functions.

5. No file source tracking for .msi files so auto-containment rules will not work for those .msi files.

6. Embedded-code detection for msiexec.exe does not work, so msiexec.exe /I <URL to msi package> will not be detected.

7. Excessive firewall logging of blocked events.

8. CIS relies on device name paths instead of using normal file paths so it causes issues with scan exclusions and HIPS/firewall rules for applications/files located on removable media.

9. Incorrect detection of direct disk access by non-contained applications that access files/folders that are defined in protected data folders. Only noticeable with unrecognized applications or when setting HIPS to paranoid mode; topic about this issue.

10. HTTPS filtering does not work with the Chrome browser or other Chrome-based browsers such as Microsoft Edge and Opera.

11. In Firefox and IE, a blank page is shown instead of the Comodo block page when blocking/asking for HTTPS URLs.

12. Other valid strings are still prevented from being used for web filter categories, e.g.:
https://*
*/*.exe
*/img/*

13. Infinite loop of cloud scanner detection when executing an application that is detected by cloud scanner file lookup. Choosing clean or any of the ignore options will still bring up the alert and you can't do anything else unless you hard shutdown the system.

14. HIPS does not represent certain token privileges correctly; this was fixed in 7092 but did not carry through to 8012.
 
15. Can't paste IPv4 address in global and application rules, it only works in network zones.

16. Autorun Analyzer and KillSwitch do not perform file rating lookup of files.

17. AV still scans executable files even when the executable is listed under scan exclusions.

18. Can no longer use the pipe symbol | in protected files for blocking write access of contained applications running under one of the restriction levels. It gives an error message of "please enter valid data".

19. Network zone or firewall rules using a host name are unusable, as the firewall will use all IP addresses in the range from the lowest resolved IP to the highest resolved IP instead of just the IPs belonging to the domain, e.g. <IPV4 Name="yahoo.com" AddrType="16" AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>. So every IP address within that range will be blocked if you created a block rule based on the host name type or used blocked network zones with the host name type. However, in the registry there is another value called Addrs that does contain a list of IP addresses that do pertain to the domain. But it seems it is not used yet? Topic link

20. HIPS rules will get corrupted by being completely erased when a new rule is being created during system shutdown, such as when HIPS is in training mode or create rules for trusted applications is enabled in HIPS settings.

21. HIPS rules using environment variables are not handled correctly, as alerts will still be shown for applications that already have rules in place. One example is using paranoid mode and still getting alerts for svchost.exe and from explorer.exe to access the keyboard despite rules already set to allow. Another example, which is kind of related to bug 8 listed previously, is using paranoid mode while executing applications on removable media or mounted volumes. When the explorer HIPS file path rule is defined using the environment variable %windir% (default HIPS rule), HIPS will always ask to execute the same application. Changing the HIPS rule path to C:\Windows does not alert again. This is not limited to just HIPS rules, as firewall application rules have the same issue; e.g. in both rule sections you can have a rule already defined for an application with the file path using the environment variable, and then another rule will be created for the same application when using create rules for safe applications or training mode. Also, you can manually add an application rule with the file path of the environment variable while a rule with the standard path already exists. e.g. you can have both %windir%\explorer.exe and C:\Windows\explorer.exe defined as an application rule; you won't get a warning indicating a rule for that application already exists.

22. Contained applications can add/remove/change user accounts and groups, prior versions did not allow such action.
Sept. 9th Edit: This appears so far to only affect Windows 7, as during my PM discussions with COMODO RT, they could not replicate on Windows 10.

23. The help documentation for the containment logs describes being able to see the process tree of the contained application, but no such feature exists, and the PID is also not recorded in the logs.

24. Microsoft Edge can not open any website or page when sandboxed. Topic link: Microsoft Edge can not open any website or page when sandboxed

25. Sometimes the CIS tray notification icon does not render and leaves an empty space. Topic link: Comodo Firewall systray icon invisible [M2419]

26. Windows security center does not always recognize CIS being active or enabled. Topic link: Windows security center does not always recognize CIS

27. Over time an issue occurs where the cmddata file grows to an excessively large file size. Topic link: Large cmddata file

28. CIS will constantly inform that a new update is available even when the latest version is installed; this happens after updating to a new version using the internal program updater. Various posts reporting this issue are scattered throughout; can't be bothered to find all previous posts, but the most recent topic is here: Comodo version 12.2.2.2.8012 wants to install over and over and over again??

29. Renaming a port set that a firewall rule uses causes issues after renaming the port set.

30. HIPS ignores certain actions of applications that are running as the SYSTEM account, e.g. direct disk, direct keyboard and direct monitor access. That means if an unrecognized application is elevated to SYSTEM, HIPS will not alert for various actions carried out by that unrecognized application.

31. HIPS bypass on Windows 10 of proxytest.exe and wfpblock.exe from matousec's security software testing suite 64-bit. Workaround is to add *\RPC Control\LRPC* to protected COM Interfaces.

32. HIPS bypass/ignore of folder creation, so unrecognized applications will not generate an alert when creating folders/directories. Previous CIS versions used to monitor such actions, and the HIPS alert references the action when an unrecognized application creates a new file: HIPS will say the program is trying to create a new file/folder.

33. HIPS does not monitor access to COM Interfaces that are of InProcServer32 server type, so even when adding a COM object interface by its ProgID or CLSID to protected COM Interfaces, HIPS will not alert on access to that COM object by an unknown application.

34. Cannot run the virtual desktop when Windows Defender real-time protection is active; it will throw an error message saying "User data is corrupted, please reset Sandbox and try again". This is the case when installing Comodo Firewall only; the workaround is to add the Comodo installation folder to Windows Defender scan exclusions. Topic link.

35. The Anti-virus will not scan files larger than 40 MB even when the setting "Limit maximum file size to" in the scan profile is disabled. The AV should scan all files regardless of size unless the option is used to limit the maximum file size that the AV should scan.

36. The scan option "Apply this action to suspicious autorun processes" for Anti-Virus scan profiles is not available when the theme is set to the arcadia or modern themes.

37. VirusScope does not track file attribute changes that are performed by non-contained applications, so it cannot be reversed. But it does appear to detect file attribute changes for contained applications.

38. Some VirusScope recognizers do not get detected for unknown applications that are running in containment but are detected when the application is not running in containment. e.g. Generic.Infector.4 will not be alerted for an unrecognized contained application that moves itself to the startup folder; however, if the same application were to do the same action without being contained, a VirusScope alert will appear to the user.

39. Firewall blocks outgoing connection requests for trusted applications at system startup if they attempt network access before the CIS UI is loaded (CIS tray and alerts UI processes), causing many blocked events in the firewall log for those trusted-rated applications.

40. High CPU usage of cmdagent.exe process when a RAM drive is in use. Topic link.

41. Green border around console applications when run in containment is no longer shown on Windows 10 21H2.

42. Create rescue disk downloads older version instead of the more recent v2 version that can be downloaded through the standalone link.
« Last Edit: August 20, 2022, 11:04:52 AM by futuretech »
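Bug 19 above describes the firewall turning a host name into a single AddrStart..AddrEnd range. The following added example (not from the post or from Comodo) parses the IPV4 entry quoted in the bug, counts how many addresses such a range actually covers, and compares range matching with matching against an explicit per-host address list; the Addrs list and the probe IPs are constructed, and inclusive range matching is assumed from the post's description.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The IPV4 element exactly as quoted in bug 19.
SAMPLE_ENTRY = (
    '<IPV4 Name="yahoo.com" AddrType="16" '
    'AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>'
)

# Constructed stand-in for the "Addrs" value the post says exists in the
# registry but is not used: the addresses that really belong to the host.
SAMPLE_ADDRS = [
    "74.6.143.25", "74.6.143.26", "74.6.231.20",
    "74.6.231.21", "98.137.11.163", "98.137.11.164",
]


def parse_entry(xml_text):
    """Return (host name, AddrStart, AddrEnd) from an IPV4 element."""
    el = ET.fromstring(xml_text)
    start = ipaddress.IPv4Address(el.get("AddrStart"))
    end = ipaddress.IPv4Address(el.get("AddrEnd"))
    return el.get("Name"), start, end


def range_size(start, end):
    """Number of addresses covered by an inclusive start..end range."""
    return int(end) - int(start) + 1


def matches_by_range(ip, start, end):
    """How the bug describes CIS matching: anything between the two bounds."""
    return start <= ipaddress.IPv4Address(ip) <= end


def matches_by_list(ip, addrs):
    """Intended behaviour: only the addresses resolved for the host."""
    return ipaddress.IPv4Address(ip) in {ipaddress.IPv4Address(a) for a in addrs}


def overblock_report(xml_text, addrs, probe_ips):
    """For each probe IP, report whether it would be hit by the range rule
    without actually belonging to the host (i.e. collateral blocking)."""
    name, start, end = parse_entry(xml_text)
    collateral = {
        ip: matches_by_range(ip, start, end) and not matches_by_list(ip, addrs)
        for ip in probe_ips
    }
    return {"name": name, "range_size": range_size(start, end),
            "listed": len(addrs), "collateral": collateral}
```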
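Bug 21 above notes that %windir%\explorer.exe and C:\Windows\explorer.exe are treated as two different applications, so duplicate rules can be created. As an added example (not Comodo's code and not from the post), the following expands %NAME% references against a constructed environment map and normalizes the paths so duplicate HIPS/firewall application rules can be found before they pile up; the environment values and rule paths are constructed.

```python
import re

# Constructed environment map standing in for the Windows environment on the
# machine where the rules live (on Windows, os.environ could be used instead).
ENV = {
    "windir": r"C:\Windows",
    "SystemRoot": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
}

_VAR = re.compile(r"%([^%]+)%")


def expand_env(path, env=ENV):
    """Expand %NAME% references the way Windows does (names are case-insensitive).
    Unknown names are left untouched rather than silently dropped."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def normalize_rule_path(path, env=ENV):
    """Canonical form for comparing rule paths: expanded, backslash-separated,
    lower-cased (Windows paths are case-insensitive)."""
    return expand_env(path, env).replace("/", "\\").lower()


def rule_covers(rule_path, exe_path, env=ENV):
    """True if a rule written with or without an environment variable refers to
    the same executable as exe_path."""
    return normalize_rule_path(rule_path, env) == normalize_rule_path(exe_path, env)


def find_duplicate_rules(rule_paths, env=ENV):
    """Group rule paths that resolve to the same application; only groups with
    more than one entry are returned, keyed by the normalized path."""
    groups = {}
    for raw in rule_paths:
        groups.setdefault(normalize_rule_path(raw, env), []).append(raw)
    return {k: v for k, v in groups.items() if len(v) > 1}
```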

futuretech (Global Moderator)
Re: List of current bugs
« Reply #1 on: November 12, 2021, 01:37:45 PM »
All posts were split to create the discussion topic. Note to Comodo staff, please reply to this topic indicating the status of these and any other bugs that are being worked on thank you.

futuretech (Global Moderator)
Re: List of current bugs
« Reply #2 on: January 12, 2022, 04:01:51 PM »
Added bugs 34-42.

C.O.M.O.D.O RT (Comodo Staff, Moderator)
Re: List of current bugs
« Reply #3 on: January 13, 2022, 04:00:18 AM »
> Added bugs 34-42.
Hi futuretech,

Thanks for notifying, could you please check your inbox for PM and respond.

Thanks
C.O.M.O.D.O RT

futuretech (Global Moderator)
Re: List of current bugs
« Reply #4 on: August 20, 2022, 11:07:01 AM »
Added bug report topic of bug number 19.

 
