Antivirus scan silently adds new trusted vendors to the list

Hello.

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, it happens always when I run an anti-virus scan i.e. quick scan.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Go to your trusted certificate list and make sure only the few selected trusted vendors are on the list. You may have to disable cloud lookup and do some other modifications (see my settings below). The bottom line is that I was trying to configure CIS8 in a way to prevent any new certs from being added to the list - I want HIPS popups for all non-Comodo and non-Microsoft applications (with some exceptions like device drivers and software).

Okay, so after clearing most of the trash from the trusted vendors list, run some programs on your PC that are well known i.e. Firefox or maybe Foxit Reader then run an anti-virus scan with Comodo. During the scan, the certificates of the running processes will be silently added to the list of trusted vendors. You can check this out by opening the advanced settings again after the scan.

One or two sentences explaining what actually happened:
New vendor certificates get silently added to the trusted vendors list without my knowledge or permission while performing an anti-virus scan with CIS8.

One or two sentences explaining what you expected to happen:
I expect the trusted vendors list to remain unchanged. It should not be modified without my permission.

If a software compatibility problem have you tried the advice to make programs work with CIS?:
N/A, Programs work fine.

Any software except CIS/OS involved? If so - name, & exact version:
Firefox 44.0.2
Foxit Reader 7.2.0.722
Atmel Studio 7 (as-installer-7.0.790-web.exe)
VirtualCloneDrive 5.5.0.0
etc…

Any other information, eg your guess at the cause, how you tried to fix it etc:
I tried to remove the certs several times, but they always get added back. I’m not sure how to disable this, there doesn’t seem to be an obvious option to do so.

B. YOUR SETUP
Exact CIS version & configuration:
CIS8 - 8.2.0.4792, database version 24464
COMODO - Proactive Security

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
AV = Stateful
Firewall = Custom Ruleset
Auto-Sandbox = Disabled
HIPS = Safe Mode
Viruscope = Enabled
Gaming Mode = Disabled
Advanced View = Enabled
Widget = Disabled

Have you made any other changes to the default config? (egs here.):

Advanced settings: General: UI:

  • Theme = Modern, Language = English
  • All other checkboxes are off

Advanced settings: General: Updates:

  • Check for program updates = 1 day
  • Automatically download updates = On
  • Check for database updates = 6 hours
  • Do not check for updates = both checkboxes are off

Advanced settings: General: Logging:

  • Write to local log = On
  • Write to Windows log = Off
  • Delete and create a new log once it reaches 20MB
  • Send anonymous stats = Off

Advanced settings: General: Configuration:

  • COMODO Proactive Security = Active

Advanced settings: Security: Antivirus: Realtime Scan:

  • Enable realtime scan = On
  • Enable scanning optimization = On
  • Run cache builder = On
  • Scan memory on computer start = On
  • Do not show antivirus alerts = Off
  • Decompress archives = On (jar, exe, zip, rar, 7z)
  • Set new on-screen alert timeout = On, 120s
  • Max file size limit = Off
  • Max script size limit = Off
  • Use heuristics = On, Medium

Advanced settings: Security: Antivirus: Scans:

  • Full
  • Quick

Advanced settings: Security: Antivirus: Exclusions:

  • Recycle bin
  • C:\Program Files\COMODO\COMODO Internet Security*
  • Excluded applications list is empty

Advanced settings: Security: Defense+: HIPS: Settings:

  • Enable HIPs = On, Safe Mode

  • Monitoring settings are all enabled

  • Do not show popup alerts = Off

  • Popup Verbose mode = On

  • Create rules for safe applications = Off

  • Alert timeout = On, 60s

  • Adaptive mode under low resources = Off

  • Block all unknown requests = Off

  • Enhanced protection mode = On

  • Heuristic command line analysis = On

  • Detect shellcode injections = On, no exclusions

Advanced settings: Security: Defense+: HIPS: Rules:

  • I have a bunch of custom HIPS rules in here for various applications.
  • Too many options to list here.

Advanced settings: Security: Defense+: HIPS: Rulesets

  • All rulesets are at their defaults

Advanced settings: Security: Defense+: HIPS: Protected Objects:

  • Added “Physical Drives” group to Protected Files list
  • Added C:\Windows\System32\drivers\etc\hosts to protected files
  • Added D:* to protected files
  • Everything else is unchanged afaik

Advanced settings: Security: Defense+: HIPS: HIPS Groups:

  • Only added a new registry group for certificates
    *\Software\Microsoft\SystemCertificates*
    *\Software\Policies\Microsoft\SystemCertificates*
    *\Software\Wow6432Node\Microsoft\SystemCertificates*
    etc…

Advanced settings: Security: Defense+: Sandbox: Sandbox settings:

  • Do not virtualize access to folders = on (shared spaces)

  • Do not virtualize access to reg keys = Off

  • Automatic startup for services = Off

  • Highlight frame = On

  • Detect programs that require elevated privileges = On

  • Show privilege escalation alerts for unknown progs = On

  • Virtual Desktop password = Off

Advanced settings: Security: Defense+: Sandbox: Auto-sandbox:

  • Enable auto-sandbox = Off
  • Enable file source tracking = Off
  • Block all malicious applications = On
  • Block any suspicious location = On
  • Run virtually all unrecognised application = Off

Advanced settings: Security: Viruscope:

  • Enable viruscope = On
  • Do not show popup alerts = Off
  • Monitor sandboxed only = Off
  • recognizer_v8.2.0.4674.dll = On

Advanced settings: Security: Firewall:

  • I’ll skip this section since it’s unrelated

Advanced settings: Security: File rating: File rating settings:

  • Cloud lookup = Off
  • Analyze unknown files in cloud = Off
  • Do not show popup alerts = Off
  • Trust applications signed by trusted vendors = On
  • Trust files installed by trusted installers = Off
  • Detect potentially unwanted apps = Off

Advanced settings: Security: File rating: File groups:

  • Only added the “Physical Drives” group that consists of two entries:
    \Device\Harddisk*\DR*
    \Device\HarddiskVolume*

Advanced settings: Security: File rating: File list:

  • List of trusted and unrecognized files. I purged it just recently.

Advanced settings: Security: File rating: Submitted files:

  • None

Advanced settings: Security: File rating: Trusted vendors:

  • I removed all vendors except Microsoft and Comodo. Some new vendors were also added like Logitech, AMD, Realtek, etc.

Have you updated (without uninstall) from CIS 5, 6 or 7?:
No

Have you imported a config from a previous version of CIS:
No, after formatting the PC and reinstalling Windows 7, I did a fresh CIS8 installation and manually configured the settings via the GUI window to match the settings to that of an older installation (before format).

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Genuine Windows 7 Professional 64-bit, SP1. UAC unchanged, account is a normal user created at OS installation. No VMs in use.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a = Microsoft EMET 5.2.5546.19547 (default configuration), VeraCrypt 1.16 (with full system disk encryption).
b = N/A

C. ATTACHED FILES

  • CIS8 diagnostics file
  • KillSwitch Process List
  • Screenshot

D. OTHER INFO
Possibly related threads:
https://forums.comodo.com/defense-sandbox-help-cis/disabling-continuous-addition-to-trusted-software-vendors-list-t76105.0.html;msg544921#msg544921
https://forums.comodo.com/addedrejected-wishes-cis/stop-putting-things-in-my-trusted-vendors-list-t35749.0.html;msg254901#msg254901

Note to mods: Please let me know, if the CIS configuration above is too difficult to read or if it’s missing any important information. I’ll upload my full CIS8 config instead.

[attachment deleted by admin]
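A small check that goes with the reproduction steps above, added here as an example and not part of the original bug report or of any Comodo tool: a PowerShell script that snapshots the Windows certificate stores before an action (such as a quick scan) and lists what was added or removed afterwards. Note the assumption in the comments: CIS keeps its trusted vendors list in its own configuration, not in the Windows stores, so this script only watches the Windows stores that back the `\Software\Microsoft\SystemCertificates` registry keys the HIPS group above protects. The store names, the baseline file path and the `Snapshot`/`Compare` modes are choices made for this example.

```powershell
# Added example (not from the thread): snapshot-and-diff of the Windows
# certificate stores around an action such as an antivirus scan.
# Assumption: the CIS "trusted vendors" list lives in CIS's own configuration,
# not in these stores; this script only watches the Windows stores behind the
# HKLM/HKCU ...\SystemCertificates registry keys mentioned in the report.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Location of the baseline file (example choice).
    [string]$Path = "$env:TEMP\certstore-baseline.json"
)

# Stores that decide whether a signed binary is trusted on this machine.
$stores = @('Root', 'AuthRoot', 'CA', 'TrustedPublisher', 'TrustedPeople')

function Get-CertSnapshot {
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        foreach ($s in $stores) {
            $storePath = "Cert:\$loc\$s"
            if (-not (Test-Path $storePath)) { continue }
            Get-ChildItem $storePath | ForEach-Object {
                [pscustomobject]@{
                    Store      = "$loc\$s"
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    NotAfter   = $_.NotAfter.ToString('u')
                }
            }
        }
    }
}

# Store + thumbprint uniquely identifies an entry across both snapshots.
function Get-Key($cert) { "$($cert.Store)|$($cert.Thumbprint)" }

switch ($Mode) {
    'Snapshot' {
        @(Get-CertSnapshot) | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
        Write-Host "Baseline written to $Path"
    }
    'Compare' {
        $beforeKeys = @{}
        foreach ($c in @(Get-Content $Path -Raw | ConvertFrom-Json)) { $beforeKeys[(Get-Key $c)] = $c }
        $afterKeys = @{}
        foreach ($c in @(Get-CertSnapshot)) { $afterKeys[(Get-Key $c)] = $c }

        $added   = $afterKeys.Keys  | Where-Object { -not $beforeKeys.ContainsKey($_) } | ForEach-Object { $afterKeys[$_] }
        $removed = $beforeKeys.Keys | Where-Object { -not $afterKeys.ContainsKey($_) }  | ForEach-Object { $beforeKeys[$_] }

        if ($added)   { Write-Host "Added since baseline:";   $added   | Format-Table Store, Subject, Thumbprint -AutoSize }
        if ($removed) { Write-Host "Removed since baseline:"; $removed | Format-Table Store, Subject, Thumbprint -AutoSize }
        if (-not $added -and -not $removed) { Write-Host "No changes to the watched stores." }

        # Non-zero exit lets a scheduled task flag silent additions.
        if ($added) { exit 1 }
    }
}
```

Run it once with `-Mode Snapshot` after cleaning up the stores, perform the scan, then run `-Mode Compare`. If the stores are unchanged but the CIS vendor list still grew, that narrows the cause to the CIS configuration itself rather than to anything written into the Windows certificate stores.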

It should be enough to disable the cloud lookup to prevent trusted vendors from being added automatically to the trusted vendors list, but I think you also need to disable automatically download program updates setting.

Cloud lookup is already disabled (see settings above), but I do have the program updates enabled. Personally I’m unsure what exactly the program updates are for. I always thought they’re for downloading new versions of CIS i.e. when 8.1 is released.

Anyway, I have an update.
Yesterday I rebooted into my Linux installation and haven’t used Windows since I posted this bug report (apart from some online browsing before I switched the OS). Today I log into Windows only to find that some certs have been added YET again despite having cleared them last time. I have totally no clue what’s causing this, and I definitely did not install any new applications last time.

Well at least there’s also some good news. Right on time, as if it were made just for me… a new Firefox version has just been released, and I decided to perform a little test.

  • After clearing out the unwanted certs I rebooted the PC => No new certs appeared
  • I opened the old Firefox (v44.0.2) and closed it => No new certs
  • I rebooted again => No new certs
  • I opened old Firefox (44.0.2) and ran the update to version 45.0 via the “Help => About Firefox” menu => No new certs
  • I restarted Firefox to complete the update => No new certs
  • I rebooted the PC => No new certs

Seems like the update did not trigger the new certificates to pop up in the trusted vendors list.
Now I’m a bit confused since the updating process was my main suspect.
We’ll see how this progresses, I’ll definitely keep an eye out for the changes.

~ Angle

UPDATE: I found out when this happens, and I can now reliably reproduce the problem. It happens during virus scans i.e. if I quick scan my computer, the antivirus will read the list of currently running processes and add any of those it finds trusted to the list without prompting the user!

EDIT: Updated first post with the relevant information.
EDIT2: Seems to also happen outside of the scan sometimes, strange.

Can’t replicate. Please check it again when the next version is available.

Thanks.

Hello,

Please see attached video for proof.

Thanks.

[attachment deleted by admin]

Hi again,

Please do the following:

  1. Open “Advanced Settings”
  2. Go to “Antivirus” ~ “Scans”
  3. Right-click on “Quick Scan”
  4. Select “Options” tab

! Make sure ‘Use cloud while scanning’ option is disabled.

Hello.

I confirm that disabling the cloud lookup in the quick/full scan prevents new trusted vendors from appearing in the list while manually running the scan. I’m unsure if this is a complete solution because I’ve had a few cases where some new vendors popped up in the list while I wasn’t running any scan. Might have been a scheduled scan or not.

In any case I’ll keep an eye out, and if the problem persists I’ll open up a new bug report.

P.S. What exactly does the cloud lookup service do? Is rating files and accumulating trusted vendors its only functionality?

Thanks and kind regards,
~Angle