Assembler file added to trusted files w/o lookup when it has admin privs [Resolved]

First of all, I'd like to thank you guys for creating trust online.

TOPIC TITLE
strange configuration flow - files are automatically added to trusted files,
when they should be regarded as unrecognized and sandboxed.


The bug/issue
1. What you did:
I was practicing assembly language and made some executable.
2. What actually happened or you actually saw:

a bunch of copies of a single executable (I assembled it many times) is made trusted by COMODO.
3. What you expected to happen or see:
my executables should be sandboxed, as they didn't exist in this world before :wink:
4. How you tried to fix it & what happened:
I removed all the minimum.exe files and purged the list, tried to execute it again, and it's sandboxed.
but…
when I assembled it with Administrator privilege,
CIS automatically trusts this newly created file. Strange???
5. If its an application compatibility problem have you tried the application fixes?:
I have no idea 88)
6. Details (exact version) of any application involved with download link:
minimum.exe(source code below) (such an awful executable it is!! LOL)
7. Whether you can make the problem happen again, and if so exact steps to make it happen:

  • install masm32
  • make an executable with administrator privilege
  • try to execute it via command prompt

8. Any other information (eg your guess regarding the cause, with reasons):
MASM32 downloads : http://www.masm32.com/masmdl.htm
source code : here

a pic which may help to reproduce the problem : I used this build option.

sorry, I’m dumb so I can’t provide any technical information. thanks.

Files appended
1. Screenshots illustrating the bug:

2. Screenshots of related event logs or the active processes list:
the CIS log doesn't contain any clue about auto-trusting the file.

3. A CIS config report or file.
CIS Configuration exported
4. Crash or freeze dump file:
N/A

Your set-up
1. CIS version, AV database version & configuration used:

NO AV, I don’t use CAV

2. Have you updated (without uninstall) from CIS 3 or 4, if so have you tried reinstalling?:
No, it’s a fresh install of CIS V5.
3. Have you imported a config from a previous version of CIS, if so have U tried a preset config?:
Not ever.
4. Defense+ and Sandbox OR Firewall security level:
Safe/Safe/Enabled
5. OS version, service pack, no of bits, UAC setting, & account type:
Windows 7, 32-bit, UAC always, Administrator privilege
6. Other security and utility software running:
Trustport antivirus(testing), CTM, Sandboxie
7. Virtual machine used (Please do NOT use Virtual box):
No VirtualBox; however, I use it for my safety ;D

If you need any information, PM me and I'll try. Thanks in advance.

[attachment deleted by admin]

Are files created by trusted software automatically trusted? Can someone please let me know if my guess is right and this isn’t a bug?

if you consider that even trusted files can drop malware… in case of a security vulnerability…
and I can assemble malware ;D

since CIS V5 the trusted files list is getting bigger and bigger…

If I’m right though that created program would only be trusted on your computer.

okay… so it’s not a bug… thanks.

When masm runs, does it run as 'trusted installer' in the Active Process List? If so this is expected behaviour if 'trust files from (ie dropped by) trusted installers' is ticked under D+ settings ~ sandbox settings.

Best wishes

Mouse

Mouse, as you said, maybe it's not a bug; it's just the Cloud Scanner that automatically trusts…
here is the additional information:

the pic below shows the MASM assembler/linker is treated not as trusted/installer, but as trusted…

and when I run the assembled file, CIS automatically sandboxes it…

so I checked the D+ logs, and found these entries…

after a while, new executables are added to trusted files list…

so I executed it again, CIS left it unsandboxed…

[attachment deleted by admin]

Yes I think you have just found that CIS is performing file analysis faster than it used to.

I assume there are log entries for minimum saying ‘scanned online and found safe’ too, if so, and if they are dated at least a few hours after the submission time, then all is well. If not there could still be a problem.

Interesting…

Best wishes

Mouse

I couldn't find any log saying that the assembled file (minimum.exe) was scanned online and found safe.
It was just added to the trusted files list after a short time, although it does depend on the user/admin privilege…
I assembled it with user privilege and waited several minutes: it was sandboxed, it was submitted, but the verdict was not changed.
But as soon as I re-ran and re-assembled it with admin privilege, although the 'active process list' shows the assembler/linker as just 'trusted', CIS automatically adds minimum.exe to the trusted list.

All the logs I could find that are related to MASM are listed below.

[attachment deleted by admin]

OK I have no explanation for this, and so am forwarding to format verified

Thanks for your hard work in documenting this

Best wishes

Mouse

If you have UAC enabled and run IE as Administrator, that means you are performing administrative tasks. There is absolutely no reason for running IE as admin in Windows with UAC enabled.

Because IE is a safe application, the dropped files are also marked safe in this case because some administrator tool is performing this.

This is NOT a bug but an intended feature. In this case, you have to disable this feature of CIS.

Thanks for your answer which is much appreciated.

OK so CIS views running a program in UAC mode with admin privs as in this sense (dropped files are trusted) equivalent to declaring it an installer/updater in CIS.

Could the Active Processes List please reflect this in some way? Else I think users may continue to be puzzled. Also could the help file say this - if it does I cannot find it, but I may have missed it of course.

Best wishes

Mouse

UAC passed = trusted installer policy could make a serious problem… ???
anyway it's good to know that it's deliberate, not a bug. thanks

but CIS keeps saying it (ml.exe, link.exe, qeditor.exe, minimum.exe) is 'trusted', not 'trusted/installer', even with administrator privilege.
considering what egemen said, maybe it's just a slight UI miss…

Exactly I too think it should say ‘trusted/installer’ or maybe trusted/UacAdmin

It may well be the right balance security-wise, but people need to know that if, say, they use (with UAC on) a program that needs admin privs and is exposed to unrecognised files, that program will make dropped unrecognised files trusted. It may not happen very often, but it's important they know.

I’m assuming Egemen that this applies beyond browsers, as the context of this topic is MASM, not IE8?

Best wishes

Mouse
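The reproduction steps from the first post (install masm32, build with administrator privilege, run from a command prompt) and egemen's explanation (files dropped by a process running elevated under UAC are trusted), combined into one script. This is an added example and not code from the original poster or from COMODO; it assumes MASM32 is installed in C:\masm32 (its default) on the same drive as the temp folder, and that the "Console Assemble & Link" step in qeditor.exe amounts to `ml /c /coff` followed by `link /SUBSYSTEM:CONSOLE`. The assembly source is a constructed minimal program, not the poster's minimum.asm, which was only linked from the post. Run it once from a plain prompt and once from an elevated one: the script prints whether the session is elevated and the hash of the resulting file, so the two runs can be compared against what CIS puts in its Trusted Files and Unrecognized Files lists.

```powershell
# Added example (not from the original post or from COMODO).
# Assumptions: MASM32 in C:\masm32; ml /c /coff and link /SUBSYSTEM:CONSOLE
# are the flags behind qeditor's "Console Assemble & Link".
$Masm = 'C:\masm32'
$Work = Join-Path $env:TEMP 'masm-trust-test'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$Src = Join-Path $Work 'minimum.asm'

# Constructed minimal program that only calls ExitProcess(0). It is not the
# poster's minimum.asm; any freshly built PE will do for the test.
@'
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.code
start:
    invoke ExitProcess, 0
end start
'@ | Set-Content -Path $Src -Encoding Ascii

# Is this session elevated? Under UAC an administrator's unelevated
# (filtered) token is not a member of the Administrators role, so this
# distinguishes "logged in as an admin" from "running elevated", which is
# the distinction the thread says CIS keys its trust decision on.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
$Elevated  = $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Building as {0} (elevated: {1})" -f $Identity.Name, $Elevated)

# Assemble and link with the MASM32 toolchain; fail loudly on either step.
Push-Location $Work
try {
    & "$Masm\bin\ml.exe" /c /coff /nologo minimum.asm
    if ($LASTEXITCODE -ne 0) { throw "ml.exe failed with exit code $LASTEXITCODE" }
    & "$Masm\bin\link.exe" /SUBSYSTEM:CONSOLE /NOLOGO /LIBPATH:"$Masm\lib" minimum.obj
    if ($LASTEXITCODE -ne 0) { throw "link.exe failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Hash the output so you can tell whether a later build produced a new file
# or the same bytes CIS already holds a verdict for. .NET is used instead of
# Get-FileHash so this also works on the PowerShell 2.0 that ships with Windows 7.
$Exe   = Join-Path $Work 'minimum.exe'
$Sha   = [Security.Cryptography.SHA256]::Create()
$Bytes = [IO.File]::ReadAllBytes($Exe)
$Hash  = ([BitConverter]::ToString($Sha.ComputeHash($Bytes))) -replace '-', ''
Write-Host ("SHA256 {0}  {1}" -f $Hash, $Exe)

# Run the new file, then look at the CIS Active Process List and the
# Trusted / Unrecognized Files lists to see which verdict this build got.
& $Exe
Write-Host ("minimum.exe exit code: {0}" -f $LASTEXITCODE)
```

If the behaviour described in the thread holds, the run from the elevated prompt (elevated: True) ends with minimum.exe in Trusted Files without a "scanned online" log entry, while the run from the plain prompt leaves it sandboxed until a cloud verdict arrives.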