Applications that have changed aren't detected by CFP v3

I have noticed that after changes, applications still have the same access as they previously did.

In CFP v2 I would always get an alert that “The cryptographic signature of program.exe has changed” but I have never seen this in CFP v3.

I think this should be implemented as it’s a very big security hole. I can take an executable, replace it with a completely different program (but named the same thing as the original) and CFP v3 just lets it execute with no questions asked.

Therefore, if the file is modified/infected by a virus or replaced, it appears it would not be detected.

As a test I took my CPU-Z cpuid program in C:\Program Files\CPU-Z\cpuz.exe and renamed it to cpuz.bak.

I then copied notepad.exe into that folder and renamed it to cpuz.exe.

I was able to start it with no problems!!

CFP should have alerted me that the executable had changed from last time! - it’s a completely different executable!!!

Why is this not detected? What happened? It needs to be fixed ASAP!!

This issue was discussed before and Egemen answered it.
CFP is too intelligent and it knows when a user makes a change rather than malware. It allows user made changes (manual) and stops the malware made changes :wink:

Melih

You are manually changing something and like Melih says Comodo is too intelligent cause it knows the user is doing that. If malware were trying to modify something first it would have to try and run which would give you an alert from D+. Then when you got that alert even if you allowed it to run you would get another alert. Your first alert would be for Explorer.exe; the second would be from the malware itself trying to modify a file or rename it. You can test Comodo very easily by downloading the GRC leak test. After the test passes and the firewall part of Comodo blocks it then rename the leak test from leaktest to something like Firefox.exe. You will see D+ kick in with an alert. GRC even tells you to rename the test.

I understand that it would detect an executable trying to modify another, my point is what happens if the executable is changed when CFP is not looking?

Think of this scenario:

A user has a USB drive with applications on it which he takes with him to run on other PCs, without having to install the applications on the PC he’s plugged the drive into.

His own PC at home uses CFP but at some point he puts the drive into a PC which doesn’t run CFP and is infected by a virus which modifies executables on the USB drive.

When he takes the drive home and plugs it in, he then runs one of the executables which was infected.

Would CFP detect that this executable was infected and hence modified when it was not there to see the modification happening?

Simple Answer:

User Made Changes= Allow (Manual)
Infected Files/Malware= Alert & Block.

As Melih says… CFP 3 does KNOW what is user based and what is malware based. That’s the smart technology that Defense+ uses! So of course malware/infected files will be prevented.

Cheers,
Josh

Are you joking? That is not correct. No way CFP can know this.

In fact CFP has no hash check so it can never tell that a file is modified (whether by user or by malware). However it can alert about file modifications in real time.

Prove me wrong if you are true.

Figures you gotta throw your 2 cents in. Do you ever have anything positive to say about Comodo? BTW I have proven you wrong. Twice as a matter of fact, or have you forgotten those screenshots of mine.

Aigle

You can try to rename a file manually, you will see that CFP will allow that.
Then try to rename a file automatically (just like malware would), you will see that CFP will catch it.

This is the innovation we have that we call “Stateful File Inspection”. I don’t think this exists anywhere else imo. We are in full control of a file change and we know whether it’s a manual (user) change or automatic change. Go ahead, try it…I think it’s bloody brilliant :slight_smile: and it takes Security to the next level!

Melih

Ok, let us first clarify the issue.

Do you mean CFP will catch the file modification in real time? OR

You mean that if CFP is disabled, a file (that already has an allowed rule in CFP) is modified by malware, then I enable CFP and execute the file, CFP will catch that a previously allowed file is modified and wants to run. It will give an alert.

What do you mean exactly. Please let me know and I will sure run some tests and post here. You may be right but I want to see it in real by myself.

I am only talking when CFP is enabled.

But if CFP is disabled and you modify some safe files, then, these files will be seen as “new” files to CFP and won’t be trusted either.

However the main discussion point is: People rename/modify files manually while CFP is on, and because CFP is very intelligent and allows this, people think CFP is failing. They assume that CFP will also allow automatic modifications by other software/malware. But we know this assumption is wrong.

Hope this clarifies
thanks
melih

Hmmmm… If you don’t mind let me say that you are playing with the words.

All I know is that it’s a simple default rule for explorer.exe in CFP that allows it to modify any file without pop up. It can be achieved in ANY HIPS— let me repeat – in ANY CLASSICAL HIPS.

I wonder how you can claim it to be an intelligence on behalf of CFP, an innovation, “Stateful File Inspection” that does not exist anywhere else.

See how I get a pop up alert while renaming a file manually with non-default rules in CFP. IMO all you can say is that you put a default allow rule for explorer.exe to make it user friendly for non-power users. You can achieve the same thing by editing explorer.exe rules in any classical HIPS.

Please tell me if I am wrong. Thanks a lot for your patience.

[attachment deleted by admin]

Where’s Da Egemen? lol ;D

Cheers,
Josh

Hi,

Renaming and replacing a file:
Default policy allows such operations. SFI automatically protects explorer.exe in this case. Well, policies are part of CFP intelligence of course. However one of the points here is, we are able to create and distribute such default policies with CFP because CFP can live with such a default policy.
Can other classical HIPS solutions make sure that explorer.exe cannot be used by other applications to bypass the policy?
For example, do they provide means to protect COM interfaces that could be used to manipulate explorer.exe?
Do they provide means to protect knowndlls both in MEMORY and on DISK, to prevent injection into explorer.exe? I can list a couple of more threats.

Believe me when I say, developing a classical HIPS is one of the easiest tasks. An above-average developer can develop a simple classical HIPS in 2 weeks. Surf the internet and you will even find open source versions.

If you look at CFP, even its heuristics can catch 60-70% of unknown viruses BEFORE you execute them. It is not a 2 week classical HIPS. So when we say something in public, we don’t just say it. We mean it. We genuinely try to protect the users. Not trying to sell them our software by marketing stuff…

Also in 2-3 months, we will introduce some new technologies into our Defense+ and make it Defense++++. I think comparing with the others will then be quite irrelevant.

Egemen

How about an optional option to turn on a global file hash check? (off by default to save resources/time) I think this would be a good idea.

I’ll throw my 2 cents in as well.

Creating policies for removable devices is a risky behaviour. IIRC CFP by default doesn’t learn files on removable devices.

Anyway if a file was replaced, as long as the user didn’t also mark it as trusted CFP will display alerts for whatever action wasn’t allowed before.

This will reduce the actual risks.

Hi egemen, your reply makes a lot of sense and I really like such a professional response rather than the responses posted before.

To be realistic, I am just an average user, so I can’t say much about the points you raised. I can say just what I see. Sure other classical HIPS protect explorer.exe from injection as well. Latest EQS beta has COM filters also (not sure though how good they are as compared to CFP). Some classical HIPS are better (at least IMO) in detection of service/driver install as compared to CFP as they give a clear service/driver install and load alert rather than an ambiguous SCM access alert that might be benign in many cases. The rest I don’t know.

Heuristics of CFP are really great indeed but what about false positives, we will only know about the false positives when these heuristics are tested by some third party. Anyway I do like the extensive white list of CFP and the aggressive heuristics. (R)

CFP really needs a better way than “file path” association to make sure that the executable using a given policy is the same one for which the policy was created in the first place.

I understand perfectly your idea that at SOME point the user will be notified that some application is making changes - but as I explained before, THERE ARE TONS of popups which the ordinary user will just allow just because they don’t know what registry modifications means, what driver install means, etc… YOU CAN’T COMPLETELY RELY ON THE USER TO KEEP THE HIPS app->rule association integrity intact. But that user will know/pay more attention if after installing something CFP says (after the user installs something) something like this: “A modified exe is trying to use the assigned policy - allow or deny”. Now the user will think, why did that last install modify “iexplorer.exe” for example…

I would like to have an option where Defence Plus instead of checking file path will just check file hash. That will avoid pop ups when I run my portable applications from different locations of my HD.
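An added example, not Comodo’s code and not anything posted in this thread, of what the hash-keyed policy idea raised here (and the cpuz.exe/notepad.exe swap described at the top of the thread) looks like in practice. The `HashPolicyStore` class, its `trust`/`check` methods and the policy name “allow-cpuz” are hypothetical; the file names and contents are constructed stand-ins for real executables, written to a temporary directory so the script runs offline. Keying rules on content hash gives the two behaviours the posters ask for: the same binary is trusted wherever it is copied (portable apps, randomly named installs), and a different binary dropped in at a trusted path is reported as modified rather than silently inheriting the rule.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Tuple

CHUNK = 1 << 16  # read executables in 64 KiB chunks so large files need not fit in memory


def sha256_file(path: str) -> str:
    """Content hash of a file; identical bytes give the same digest at any path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class HashPolicyStore:
    """Hypothetical HIPS policy store keyed on SHA-256 rather than file path.

    by_hash answers "is this exact executable trusted?" wherever it lives.
    by_path remembers which digest a path had when its rule was granted, so a
    swapped binary at a trusted path is reported as 'modified', not 'trusted'.
    """

    def __init__(self) -> None:
        self.by_hash: Dict[str, str] = {}   # digest -> policy name
        self.by_path: Dict[str, str] = {}   # normalised path -> digest at grant time

    def trust(self, path: str, policy: str) -> str:
        digest = sha256_file(path)
        self.by_hash[digest] = policy
        self.by_path[os.path.normcase(os.path.abspath(path))] = digest
        return digest

    def check(self, path: str) -> Tuple[str, str]:
        """Return (verdict, policy): 'trusted', 'modified' or 'unknown'."""
        digest = sha256_file(path)
        key = os.path.normcase(os.path.abspath(path))
        if digest in self.by_hash:
            return "trusted", self.by_hash[digest]
        if key in self.by_path:
            # A rule exists for this path but the bytes differ: the thread's
            # cpuz.exe-replaced-by-notepad.exe case. Path-only matching would allow it.
            return "modified", self.by_hash.get(self.by_path[key], "")
        return "unknown", ""


def demo() -> Dict[str, str]:
    """Replay the thread's scenarios on constructed files; returns a verdict per scenario."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "CPU-Z")
        usb_dir = os.path.join(root, "USB")
        os.makedirs(app_dir)
        os.makedirs(usb_dir)
        cpuz = os.path.join(app_dir, "cpuz.exe")
        notepad = os.path.join(root, "notepad.exe")
        # Constructed stand-ins for the real binaries.
        with open(cpuz, "wb") as f:
            f.write(b"CPUZ-ORIGINAL-IMAGE")
        with open(notepad, "wb") as f:
            f.write(b"NOTEPAD-IMAGE")

        store = HashPolicyStore()
        store.trust(cpuz, "allow-cpuz")

        results["original"] = store.check(cpuz)[0]  # unchanged binary at its own path

        # Same bytes copied to the USB stick: path changed, hash did not.
        portable = os.path.join(usb_dir, "cpuz.exe")
        shutil.copyfile(cpuz, portable)
        results["moved"] = store.check(portable)[0]

        # The thread's test: rename the original away, drop notepad.exe in as cpuz.exe.
        os.replace(cpuz, os.path.join(app_dir, "cpuz.bak"))
        shutil.copyfile(notepad, cpuz)
        results["replaced"] = store.check(cpuz)[0]

        # A binary nobody granted a rule to.
        results["new"] = store.check(notepad)[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:9s} -> {verdict}")
```

Running the script prints `trusted` for the untouched and the copied binary, `modified` for the swapped one and `unknown` for notepad.exe at its own path. A real product would also have to decide what to do on a legitimate update (re-prompt and re-hash, or trust a publisher signature), which is the cost the earlier “optional, off by default” suggestion was trying to balance against.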

Second that too. Such an option will be great.

I am having a similar problem, in my case a VPN software which every time you connect installs its stuff under a diff random name and I have to re-do the policy stuff again for basically the same executable under a different name, because comodo treats it as a diff one…

Also, if there is an option to easily tell Defense+ to protect/watch for change only for apps for which there is a rule, this will be good too.
In practice, for most users, defense+ is a hassle. As a user I care only for the apps for which I defined rules. I don’t care much about the rest if it gets modified.

If it is not a temp folder but specific to this application only, you can make a general allow rule for any executable (*.exe) to execute from this folder without any pop ups.