Author Topic: List of current bugs  (Read 2004 times)

Offline futuretech

  • Global Moderator
  • Comodo's Hero
List of current bugs
« on: January 28, 2021, 12:33:24 PM »
1. Silent mode firewall silently blocks network access for unrecognized applications and does not log the block.

2. Firewall does not filter network access when windivert or wintun is being used. Cloudflare Warp uses windivert; applications that use wintun are OpenVPN version 2.5 or later and Wireguard. Do note that Windows firewall and other 3rd party firewalls that use WFP can still perform application filtering when wintun and windivert are running.

3. Sandbox bypass with ssts64 fileacc1.exe and filectl1.exe: when run in containment, they are still able to modify files outside of the sandbox. Fileacc1 is able to change the security descriptor of files/folders by setting deny to the "Everyone" user group. Filectl1 is able to overwrite file contents with NULL bytes using the FSCTL_SET_ZERO_DATA I/O control code.

4. HIPS/Sandbox bypass with SetVolumeMountPoint and DeleteVolumeMountPoint. The fix would be to hook the SetVolumeMountPoint and DeleteVolumeMountPoint WinAPI functions and treat them as a form of direct disk access like CIS does for the DefineDosDevice API function. That way you get a HIPS alert for direct disk access and it would be auto blocked when run in containment anytime an application calls these functions.

5. No file source tracking for .msi files so auto-containment rules will not work for those .msi files.

6. Embedded-code detection for msiexec.exe does not work so msiexec.exe /I <URL to msi package> will not be detected.

7. Excessive firewall logging of blocked events.

8. CIS relies on device name paths instead of using normal file paths so it causes issues with scan exclusions and HIPS/firewall rules for applications/files located on removable media.

9. Incorrect detection of direct disk access by non-contained applications that access files/folders that are defined in protected data folders. Only noticeable with unrecognized applications or setting HIPS to paranoid mode, topic about this issue.

10. HTTPS filtering does not work with the Chrome browser or other Chrome-based browsers such as Microsoft Edge and Opera.

11. In Firefox and IE, a blank page is shown instead of the Comodo block page when blocking/asking for HTTPS URLs.


12. Other valid strings are still prevented from being used for web filter categories, e.g.
https://*
*/*.exe
*/img/*

13. Infinite loop of cloud scanner detection when executing an application that is detected by cloud scanner file lookup. Choosing clean or any of the ignore options will still bring up the alert and you can't do anything else unless you hard shutdown the system.

14. HIPS does not represent certain token privileges correctly, was fixed in 7092 but did not carry through to 8012.
 
15. Can't paste IPv4 address in global and application rules, it only works in network zones.

16. Autorun analyzer and killswitch do not perform file rating lookup of files.

17. AV still scans executable files even when the executable is listed under scan exclusions.

18. Can no longer use pipe symbol | in protected files for blocking write access of contained applications running under one of the restriction levels. It gives an error message of please enter valid data.

19. Network zone or firewall rules using a host name are unusable as the firewall will use all IP addresses in range from lowest resolved IP to highest resolved IP, instead of just the IPs belonging to the domain. e.g. <IPV4 Name="yahoo.com" AddrType="16" AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>. So every IP address within that range will be blocked if you created a block rule based on host name type or used blocked network zones with host name type. However in the registry there is another value called Addrs that does contain a list of IP addresses that do pertain to the domain. But it seems it is not used yet?

20. HIPS rules will get corrupted by being completely erased when a new rule is being created during system shutdown, such as when HIPS is in training mode or create rules for trusted applications is enabled in HIPS settings.

21. HIPS rules using environment variables are not handled correctly as alerts will still be shown for applications that already have rules in place. One example is using paranoid mode and still getting alerts for svchost.exe and from explorer.exe to access keyboard despite rules already set to allow. Another example, which is kind of related to bug 8. listed previously, is using paranoid mode while executing applications on removable media or mounted volumes. When the explorer HIPS file path rule is defined using the environmental variable %windir% (default HIPS rule), HIPS will always ask to execute the same application. Changing the HIPS rule path to C:\Windows does not alert again. Not limited to just HIPS rules as firewall application rules have the same issue, e.g. in both rule sections you can have a rule already defined for an application with the file path using the environment variable, and then another rule will be created for the same application when using create rules for safe applications or training mode. Also you can manually add an application rule with the file path of the environment variable while a rule with the standard path already exists. e.g. you can have both %windir%\explorer.exe and C:\Windows\explorer.exe defined as an application rule, and you won't get a warning indicating a rule for that application already exists.

22. Contained applications can add/remove/change user accounts and groups, prior versions did not allow such action.
Sept. 9th Edit: This appears so far to only affect Windows 7, as during my PM discussions with COMODO RT, they could not replicate on Windows 10.

23. According to help documentation for the containment logs, it describes being able to see the process tree of the contained application but such feature does not exist, and the PID is also not being recorded in the logs.

24. Microsoft Edge can not open any website or page when sandboxed.
https://forums.comodo.com/bug-reports-cis/microsoft-edge-can-not-open-any-website-or-page-when-sandboxed-t127322.0.html;msg909693#msg909693
« Last Edit: September 10, 2021, 11:10:19 PM by futuretech »
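To put a number on item 19, here is an added example (not part of the post, and not Comodo's code) that parses the quoted rule element and compares lowest-to-highest range matching with exact matching against a resolved-address set. The helper names, the stand-in for the "Addrs" list and the probe address 80.0.0.1 are assumptions made for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The rule element quoted in item 19 of the list.
RULE_XML = ('<IPV4 Name="yahoo.com" AddrType="16" '
            'AddrEnd="98.137.11.164" AddrStart="74.6.143.25"/>')

# Assumption: stand-in for the per-host "Addrs" list. Only the two addresses
# visible in the quoted rule are used; a real list would hold more entries.
RESOLVED = {ipaddress.ip_address("74.6.143.25"),
            ipaddress.ip_address("98.137.11.164")}


def parse_rule(xml_text):
    """Return (name, start, end) from an IPV4 rule element."""
    el = ET.fromstring(xml_text)
    return (el.get("Name"),
            ipaddress.ip_address(el.get("AddrStart")),
            ipaddress.ip_address(el.get("AddrEnd")))


def range_size(start, end):
    """Number of addresses a start..end rule matches, endpoints included."""
    return int(end) - int(start) + 1


def covering_networks(start, end):
    """CIDR blocks that together make up exactly the start..end range."""
    return list(ipaddress.summarize_address_range(start, end))


def matches_range(addr, start, end):
    """Behaviour described in item 19: anything between the endpoints matches."""
    return start <= ipaddress.ip_address(addr) <= end


def matches_resolved(addr, resolved=RESOLVED):
    """Expected behaviour: only addresses that belong to the host match."""
    return ipaddress.ip_address(addr) in resolved


if __name__ == "__main__":
    name, start, end = parse_rule(RULE_XML)
    print(f"{name}: range rule covers {range_size(start, end):,} addresses, "
          f"{len(RESOLVED)} in the resolved set")
    # 80.0.0.1 and 8.8.8.8 are constructed probes, unrelated to the host.
    for probe in ("74.6.143.25", "80.0.0.1", "8.8.8.8"):
        print(probe, "range:", matches_range(probe, start, end),
              "exact:", matches_resolved(probe))
```

A block rule built from the range therefore also matches hundreds of millions of addresses that have nothing to do with the host, which is why matching on the resolved list is the safer behaviour.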

Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #1 on: January 28, 2021, 01:10:36 PM »
 :-TU Very detailed. Hopefully they'll get addressed when we next get a preview build!

Moderator: Any concerns? PM me and/or review the Forum Policy
System: 64 bit Win 10
Realtime Protection:CIS 12

Offline futuretech

  • Global Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #2 on: April 05, 2021, 11:29:36 AM »
Just to note that all of these bugs are affecting 8012 build.

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #3 on: April 16, 2021, 03:35:31 PM »
Thank you for posting. :-TU

Offline futuretech

  • Global Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #4 on: April 21, 2021, 09:22:06 PM »
22. Contained applications can add/remove/change user accounts and groups, prior versions did not allow such action.
Sept. 9th Edit: This appears so far to only affect Windows 7, as during my PM discussions with COMODO RT, they could not replicate on Windows 10.

23. According to help documentation for the containment logs, it describes being able to see the process tree of the contained application but such feature does not exist, and the PID is also not being recorded in the logs.
« Last Edit: September 09, 2021, 11:29:29 AM by futuretech »

Offline Redstraw

  • Star Group
  • Comodo's Hero
Re: List of current bugs
« Reply #5 on: April 26, 2021, 07:42:40 PM »
22. Contained applications can add/remove/change user accounts and groups, prior versions did not allow such action.

23. According to help documentation for the containment logs, it describes being able to see the process tree of the contained application but such feature does not exist, and the PID is also not being recorded in the logs.

For 22., it is very terrible. :-\

Offline Redstraw

  • Star Group
  • Comodo's Hero
Re: List of current bugs
« Reply #6 on: September 09, 2021, 07:13:06 AM »

Offline Redstraw

  • Star Group
  • Comodo's Hero
Re: List of current bugs
« Reply #7 on: September 09, 2021, 07:16:05 AM »
@C.O.M.O.D.O RT

Could you please verify this list one-by-one about the one that has been resolved?

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #8 on: September 10, 2021, 04:22:12 AM »
I will update the status of these issues.

Offline Ploget

  • Global Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #9 on: September 10, 2021, 04:27:05 AM »
 :-TU
I will update the status of these issues.
Ploget

All Win 10 x 64 Pro - 21H1 (19043.1288) / CIS 12.2.2.8012
Comodo Forum Policy
“If you think you are too small to make a difference, try sleeping with a mosquito”

Offline domo78

  • Comodo's Hero
Re: List of current bugs
« Reply #10 on: September 10, 2021, 04:53:15 AM »
I would add this item to the list (pending confirmation of C.O.M.O.D.O RT tests)

25. Renaming a Portset causes disruptions in the rules that use it.


Edit to change number to sequence 
« Last Edit: September 10, 2021, 11:16:28 AM by Ploget »

Offline CISfan

  • Comodo's Hero
Re: List of current bugs
« Reply #11 on: September 10, 2021, 01:18:59 PM »
Should all bugs which already have been reported in several forum sections be added one-by-one to this list too?

Offline domo78

  • Comodo's Hero
Re: List of current bugs
« Reply #12 on: September 13, 2021, 03:07:41 PM »
26. After running an application in the Container followed by a Container reset, an error occurs with Comodo Virtual Service Manager.
https://forums.comodo.com/bug-reports-cis/comodo-virtual-service-manager-t127442.0.html

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
Re: List of current bugs
« Reply #13 on: September 17, 2021, 12:49:29 AM »

25. Renaming a Portset causes disruptions in the rules that use it.

Hi All,

Is anyone facing this issue which is reported by domo78? If so, kindly drop us the steps to reproduce.

Thanks
C.O.M.O.D.O RT

Offline ZorKas

  • Comodo's Hero
Re: List of current bugs
« Reply #14 on: September 17, 2021, 03:38:42 AM »
Hi All,

Is anyone facing this issue which is reported by domo78? If so, kindly drop us the steps to reproduce.

Thanks
C.O.M.O.D.O RT

Hi C.O.M.O.D.O RT,

It's easy:
1- Place an exe in the container
2- Reset the container
3- Open the windows event log
4- The error appears

Service Control Manager

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7034</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2021-09-17T07:23:44.1016317Z" />
    <EventRecordID>77768</EventRecordID>
    <Correlation />
    <Execution ProcessID="872" ThreadID="5768" />
    <Channel>System</Channel>
    <Computer>R****</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">COMODO Virtual Service Manager</Data>
    <Data Name="param2">1</Data>
    <Binary>63006D006400760069007200740068000000</Binary>
  </EventData>
</Event>

Windows 10 Pro x64 Build 19043.1237 - Comodo CIS Pro v.12.2.2.8012

Windows 10 Pro x64 Build 19043.1288 - Comodo CIS Pro v.12.2.2.8012 - Linux 20.2
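For anyone triaging the same error, an added example (not part of the post above) that reads a Service Control Manager event 7034 ("service terminated unexpectedly") exported as XML and decodes its Binary field. The function name is hypothetical, the embedded XML is a trimmed copy of the posted event, and treating the decoded string as the service's short name is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the event posted above (unused System fields omitted).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID Qualifiers="49152">7034</EventID>
    <TimeCreated SystemTime="2021-09-17T07:23:44.1016317Z" />
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="param1">COMODO Virtual Service Manager</Data>
    <Data Name="param2">1</Data>
    <Binary>63006D006400760069007200740068000000</Binary>
  </EventData>
</Event>"""


def summarize_service_crash(xml_text):
    """Return a summary dict for an SCM 7034 event, or None for anything else."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if provider != "Service Control Manager" or event_id != 7034:
        return None
    data = {d.get("Name"): d.text
            for d in root.findall("e:EventData/e:Data", NS)}
    raw = bytes.fromhex(
        root.findtext("e:EventData/e:Binary", default="", namespaces=NS))
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "display_name": data.get("param1"),       # service display name
        "crash_count": int(data.get("param2", "0")),  # times it has terminated
        # In this event the Binary field is a NUL-terminated UTF-16LE string
        # (assumed here to be the service's short name).
        "service_name": raw.decode("utf-16-le").rstrip("\x00"),
    }


if __name__ == "__main__":
    print(summarize_service_crash(EVENT_XML))
```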
