Hello.
A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, it always happens when I run an anti-virus scan, i.e. a quick scan.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Go to your trusted certificate list and make sure only the few selected trusted vendors are on the list. You may have to disable cloud lookup and do some other modifications (see my settings below). The bottom line is that I was trying to configure CIS8 in a way to prevent any new certs from being added to the list - I want HIPS popups for all non-Comodo and non-Microsoft applications (with some exceptions like device drivers and software).
Okay, so after clearing most of the trash from the trusted vendors list, run some programs on your PC that are well known i.e. Firefox or maybe Foxit Reader then run an anti-virus scan with Comodo. During the scan, the certificates of the running processes will be silently added to the list of trusted vendors. You can check this out by opening the advanced settings again after the scan.
One or two sentences explaining what actually happened:
New vendor certificates get silently added to the trusted vendors list without my knowledge or permission while performing an anti-virus scan with CIS8.
One or two sentences explaining what you expected to happen:
I expect the trusted vendors list to remain unchanged. It should not be modified without my permission.
If it is a software compatibility problem, have you tried the advice to make programs work with CIS?:
N/A, programs work fine.
Any software except CIS/OS involved? If so - name, & exact version:
Firefox 44.0.2
Foxit Reader 7.2.0.722
Atmel Studio 7 (as-installer-7.0.790-web.exe)
VirtualCloneDrive 5.5.0.0
etc…
Any other information, eg your guess at the cause, how you tried to fix it etc:
I tried to remove the certs several times, but they always get added back. I’m not sure how to disable this; there doesn’t seem to be an obvious option to do so.
B. YOUR SETUP
Exact CIS version & configuration:
CIS8 - 8.2.0.4792, database version 24464
COMODO - Proactive Security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
AV = Stateful
Firewall = Custom Ruleset
Auto-Sandbox = Disabled
HIPS = Safe Mode
Viruscope = Enabled
Gaming Mode = Disabled
Advanced View = Enabled
Widget = Disabled
Have you made any other changes to the default config? (egs here.):
Advanced settings: General: UI:
- Theme = Modern, Language = English
- All other checkboxes are off
Advanced settings: General: Updates:
- Check for program updates = 1 day
- Automatically download updates = On
- Check for database updates = 6 hours
- Do not check for updates = both checkboxes are off
Advanced settings: General: Logging:
- Write to local log = On
- Write to Windows log = Off
- Delete and create a new log once it reaches 20MB
- Send anonymous stats = Off
Advanced settings: General: Configuration:
- COMODO Proactive Security = Active
Advanced settings: Security: Antivirus: Realtime Scan:
- Enable realtime scan = On
- Enable scanning optimization = On
- Run cache builder = On
- Scan memory on computer start = On
- Do not show antivirus alerts = Off
- Decompress archives = On (jar, exe, zip, rar, 7z)
- Set new on-screen alert timeout = On, 120s
- Max file size limit = Off
- Max script size limit = Off
- Use heuristics = On, Medium
Advanced settings: Security: Antivirus: Scans:
- Full
- Quick
Advanced settings: Security: Antivirus: Exclusions:
- Recycle bin
- C:\Program Files\COMODO\COMODO Internet Security*
- Excluded applications list is empty
Advanced settings: Security: Defense+: HIPS: Settings:
- Enable HIPS = On, Safe Mode
- Monitoring settings are all enabled
- Do not show popup alerts = Off
- Popup Verbose mode = On
- Create rules for safe applications = Off
- Alert timeout = On, 60s
- Adaptive mode under low resources = Off
- Block all unknown requests = Off
- Enhanced protection mode = On
- Heuristic command line analysis = On
- Detect shellcode injections = On, no exclusions
Advanced settings: Security: Defense+: HIPS: Rules:
- I have a bunch of custom HIPS rules in here for various applications.
- Too many options to list here.
Advanced settings: Security: Defense+: HIPS: Rulesets
- All rulesets are at their defaults
Advanced settings: Security: Defense+: HIPS: Protected Objects:
- Added “Physical Drives” group to Protected Files list
- Added C:\Windows\System32\drivers\etc\hosts to protected files
- Added D:* to protected files
- Everything else is unchanged afaik
Advanced settings: Security: Defense+: HIPS: HIPS Groups:
- Only added a new registry group for certificates
*\Software\Microsoft\SystemCertificates*
*\Software\Policies\Microsoft\SystemCertificates*
*\Software\Wow6432Node\Microsoft\SystemCertificates*
etc…
Advanced settings: Security: Defense+: Sandbox: Sandbox settings:
- Do not virtualize access to folders = On (shared spaces)
- Do not virtualize access to reg keys = Off
- Automatic startup for services = Off
- Highlight frame = On
- Detect programs that require elevated privileges = On
- Show privilege escalation alerts for unknown progs = On
- Virtual Desktop password = Off
Advanced settings: Security: Defense+: Sandbox: Auto-sandbox:
- Enable auto-sandbox = Off
- Enable file source tracking = Off
- Block all malicious applications = On
- Block any suspicious location = On
- Run virtually all unrecognised application = Off
Advanced settings: Security: Viruscope:
- Enable viruscope = On
- Do not show popup alerts = Off
- Monitor sandboxed only = Off
- recognizer_v8.2.0.4674.dll = On
Advanced settings: Security: Firewall:
- I’ll skip this section since it’s unrelated
Advanced settings: Security: File rating: File rating settings:
- Cloud lookup = Off
- Analyze unknown files in cloud = Off
- Do not show popup alerts = Off
- Trust applications signed by trusted vendors = On
- Trust files installed by trusted installers = Off
- Detect potentially unwanted apps = Off
Advanced settings: Security: File rating: File groups:
- Only added the “Physical Drives” group that consists of two entries:
\Device\Harddisk*\DR*
\Device\HarddiskVolume*
Advanced settings: Security: File rating: File list:
- List of trusted and unrecognized files. I purged it just recently.
Advanced settings: Security: File rating: Submitted files:
- None
Advanced settings: Security: File rating: Trusted vendors:
- I removed all vendors except Microsoft and Comodo. Some new vendors were also added like Logitech, AMD, Realtek, etc.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No
Have you imported a config from a previous version of CIS:
No, after formatting the PC and reinstalling Windows 7, I did a fresh CIS8 installation and manually configured the settings via the GUI window to match the settings to that of an older installation (before format).
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Genuine Windows 7 Professional 64-bit, SP1. UAC unchanged, account is a normal user created at OS installation. No VMs in use.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a = Microsoft EMET 5.2.5546.19547 (default configuration), VeraCrypt 1.16 (with full system disk encryption).
b = N/A
C. ATTACHED FILES
- CIS8 diagnostics file
- KillSwitch Process List
- Screenshot
D. OTHER INFO
Possibly related threads:
https://forums.comodo.com/defense-sandbox-help-cis/disabling-continuous-addition-to-trusted-software-vendors-list-t76105.0.html;msg544921#msg544921
https://forums.comodo.com/addedrejected-wishes-cis/stop-putting-things-in-my-trusted-vendors-list-t35749.0.html;msg254901#msg254901
Note to mods: Please let me know, if the CIS configuration above is too difficult to read or if it’s missing any important information. I’ll upload my full CIS8 config instead.
[attachment deleted by admin]
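A defender-side check for the behaviour described in the post, as an added example that is not part of the original report or of CIS itself: take a baseline snapshot of the Windows certificate stores that back the SystemCertificates registry keys the poster put into a HIPS group, then run the script again after an anti-virus scan to list any publisher or root certificates that appeared in the meantime. This covers the Windows stores only; CIS's own trusted vendors list is internal to the product and the page gives no export format for it, so it is not read here. The baseline path is an assumed default.

```powershell
# Added example (not from the forum post): snapshot the Windows certificate
# stores behind the SystemCertificates registry keys listed above, and diff a
# later snapshot against the baseline to surface silently added entries.
# Scope is the Windows stores only; CIS's internal trusted vendors list is not
# read here because the page documents no export for it.

param(
    [string]$BaselinePath = "$env:USERPROFILE\cert-baseline.json",  # assumed default path
    [switch]$UpdateBaseline
)

# Stores that decide code-signing and root trust on the machine.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\TrustedPublisher',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\TrustedPublisher'
)

function Get-CertSnapshot {
    $snapshot = @{}
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            # Key on store + thumbprint so the same cert in two stores is tracked separately.
            $snapshot["$store|$($_.Thumbprint)"] = [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
            }
        }
    }
    return $snapshot
}

$current = Get-CertSnapshot

# First run (or explicit refresh): persist the baseline and stop.
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current.Values | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) certificates)."
    return
}

# Load the baseline and rebuild the same store|thumbprint key scheme.
$baseline = @{}
foreach ($entry in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
    $baseline["$($entry.Store)|$($entry.Thumbprint)"] = $entry
}

$added   = $current.Keys  | Where-Object { -not $baseline.ContainsKey($_) }
$removed = $baseline.Keys | Where-Object { -not $current.ContainsKey($_) }

if (-not $added -and -not $removed) {
    Write-Host "No change in trusted certificate stores since baseline."
    return
}

# Anything listed as ADDED after a scan is a candidate for the silent trust the post describes.
foreach ($key in $added) {
    $c = $current[$key]
    Write-Host ("ADDED   {0,-36} {1}  {2}" -f $c.Store, $c.Thumbprint, $c.Subject)
}
foreach ($key in $removed) {
    $c = $baseline[$key]
    Write-Host ("REMOVED {0,-36} {1}  {2}" -f $c.Store, $c.Thumbprint, $c.Subject)
}
```

Run it once with `-UpdateBaseline` right after purging the stores, run the anti-virus scan, then run it again without the switch; every ADDED line names the store, thumbprint and subject of a certificate that was not trusted before the scan, which is the evidence to attach to a report like the one above.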