batch file handling in v7062

This is a trivial matter, but I am curious as to why the newest version of Comodo handles batch files differently from previous versions.

In previous Comodo versions, batch files of any type posed no issue, as with Containment enabled they would all be isolated prior to causing any system changes as could be seen with version 12.0.0.6882 on either Win10 or Win7 systems.

With the new version 12.2.2.7062 this is not the case on Win10 systems (either W10H2 or previous). As evidence, please note the following:

1) Create a simple batch file to either disable Windows firewall and/or delete System Restore points. Any of these will be isolated and be prevented from working on either Win7 or Win10 systems.
2) Create a batch file (shutdown.exe /r /t 00) to reboot the system (or shutdown.exe /s /t 00 to shut down) and it will be blocked on Win7 systems BUT NOT on Win10H2 systems.

Curious as to the change (Expiring Minds Want to Know).

M

V12.2.2.7062 (Firewall only) Windows 7 SP1 Ultimate 64-bit (clean install with all MS-updates)

Uummmm, just created a batch file containing the line “shutdown.exe /r /t 00”.
Double-clicked on the batch file in Explorer and it ran uncontained, rebooting the system.
After rebooting, the batch file was rated Trusted in File Rating.

Is this expected or not?

CIS V12.0.0.6882 Proactive Security - Block Unknowns (Cloud Lookup disabled) - Win7 Pro SP1 Fully Updated x64

  1. Created a batch file called “123.bat” containing the line “shutdown.exe /r /t 00”. It was alerted by HIPS and once allowed, it was BLOCKED by Containment.

  2. Created a batch file called “456.bat” containing the lines instructed here, it was alerted by HIPS and once allowed, it was BLOCKED by Containment.

Decided to TEMPORARILY enable Cloud Lookup and got following result:

  1. “123.bat” was allowed to run, the System was restarted and “123.bat” was “Scanned and Found Safe” according to HIPS logs.

  2. “456.bat” was alerted by HIPS and once allowed, it was BLOCKED by Containment.

Seems the culprit here is Cloud Lookup which is trusting the batch file containing the line “shutdown.exe /r /t 00”.

Please check file hashes using verdict.valkyrie.comodo.com; if it comes up as clean then it will have a trusted file rating. Now, to see if shutdown/reboot is prevented from being performed by contained applications, you should run PowerShell or the command prompt in containment and run the respective commands: use the Run Virtual task, or alt-click on executables and choose Run in Containment.

To conduct a new test I’ve created a new batch file with a different name containing the line “shutdown.exe /r /t 00”; here’s the result:

With Cloud Lookup enabled → The batch file is executed and the system is rebooted. After reboot the batch file is rated trusted in File Ratings.
With Cloud Lookup disabled → The batch file is executed and the system is rebooted. After reboot the batch file is not listed in File Ratings at all.

Running the line “shutdown.exe /r /t 00” from contained cmd reboots the system too.
An unrelated HIPS Alert shows up briefly while Windows is busy shutting down (it doesn’t stay long enough on the screen to read it).

In CIS V12.0.0.6882 with Contained cmd.exe I am unable to shutdown the system through it using the aforementioned command, even with HIPS disabled.

Guys, this is a very odd thing that ONLY happens with the Containment module of version 7062 on Windows 10. It has nothing to do with any other part of Comodo (like the HIPS or the Cloud) and is even more trivial (but odder) than expected.

It is specific to the reboot/shutdown batch file with the time switch set at 00. If you wanted to delay the reboot (or shutdown) for any amount of time it will be blocked as usual (an example being: turn off the computer in 10 seconds, shutdown.exe /s /t 10).

The same file hash will not be re-added unless the previous one with the different file name is removed, so it is expected not to have duplicate entries of the same hash.

You're using a config that does not have Protected COM Interfaces selected under Objects to monitor against modification, or the COM Interface group “Pseudo COM Interfaces - Privileges” is not added under Protected COM Interfaces.

Yes, it has to do with cloud lookup: the bat file is trusted if it only contains either of those commands exactly as shown. Once you modify it even just a little bit, the hash will be different and will be checked against the cloud for a new rating. You can confirm this by looking at the rating in the file list, and specifically view the file details / file rating of the file to see the source of the file rating decision.

Edit: hash of bat file with reboot command 08FEC8CA0E331FCB401E69221269307CF2F0BB7A
and hash of bat file with shutdown command A1BC7E0D0B97DC4AABBEC1B43CFFDE4DE65B1311
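Added example (not code from this thread): a small Python script that shows the two points made above, that a cloud/whitelist verdict is tied to the exact file hash, so even adding an `@echo` line yields a new hash, and that the `/t 00` immediate case differs from a delayed `/t 10`. The sample batch contents are constructed to mirror the ones posted here, and SHA-1 is an assumption based on the 40-hex-digit values quoted; the function names are the example's own.

```python
import hashlib
import re

# Constructed sample batch files, modelled on the ones discussed in this thread.
SAMPLES = {
    "reboot_now.bat": "shutdown.exe /r /t 00\r\n",
    "shutdown_delayed.bat": "shutdown.exe /s /t 10\r\n",
    "hello_reboot.bat": "@echo HelloWorld\r\nshutdown.exe /r /t 00\r\n",
    "harmless.bat": "@echo off\r\ndir C:\\\r\n",
}

# Matches a line that starts (after optional '@' and path) with shutdown / shutdown.exe.
SHUTDOWN_RE = re.compile(r"^\s*@?(?:\S*\\)?shutdown(?:\.exe)?\b(?P<args>.*)$", re.IGNORECASE)

def sha1_hex(data: bytes) -> str:
    """SHA-1 of the exact bytes. Assumed to be the hash type behind the 40-hex-digit
    values quoted in the thread; any byte change gives a new hash, so a cached verdict
    for the old file no longer applies to the edited one."""
    return hashlib.sha1(data).hexdigest().upper()

def classify_shutdown(line: str):
    """Return (action, timeout_seconds) when the line invokes shutdown, else None."""
    m = SHUTDOWN_RE.match(line)
    if m is None:
        return None
    args = m.group("args").lower().split()
    action = "restart" if "/r" in args else "shutdown" if "/s" in args else "other"
    timeout = 30  # shutdown.exe's documented default when /t is omitted
    for i, tok in enumerate(args):
        if tok == "/t" and i + 1 < len(args) and args[i + 1].isdigit():
            timeout = int(args[i + 1])  # "00" parses as 0: immediate
    return action, timeout

def inspect_batch(name: str, text: str) -> dict:
    """Hash the file and list every shutdown/restart line with its timeout,
    flagging timeout 0 as 'immediate' (the case the thread reports as uncontained)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = classify_shutdown(line)
        if result is not None:
            action, timeout = result
            findings.append((lineno, action, timeout, "immediate" if timeout == 0 else "delayed"))
    return {"file": name, "sha1": sha1_hex(text.encode("ascii")), "findings": findings}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        report = inspect_batch(name, body)
        print(report["sha1"], report["file"], report["findings"])
```

The printed SHA-1 can be compared with the File Rating entry or looked up at verdict.valkyrie.comodo.com to see which exact variant a verdict applies to.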

V12.2.2.7062 (Firewall only) Windows 7 SP1 Ultimate 64-bit (clean install with all MS-updates)

Config in use: COMODO - Firewall Security (with some changed settings)

New test, no batch files listed in File Rating, created new batch file with another name and different content to force different hash:

@echo HelloWorld
shutdown.exe /r /t 00

Starting the batch file by double clicking within explorer (in the order below):

With Cloud Lookup disabled → HIPS Alert “explorer is trying to execute blabla.bat” → Choose Block Only → batch prevented from execution → No reboot.
With Cloud Lookup disabled → HIPS Alert “explorer is trying to execute blabla.bat” → Choose Allow → batch not prevented from execution → Reboot occurs.
After above reboot batch file not listed in File Rating.

Seems ok, or?

As for the latest version of CIS, I think the Dev decided to exclude shutdown.exe from containment. It’s evident in the trust rating they gave. So, regardless of the file rating of the batch file (Trusted or Unrecognized), shutdown.exe will not be contained.

I think Futuretech meant that you need to test with Proactive Security config in order to get the expected result (.bat file being Contained with Cloud disabled, contained cmd.exe being unable to shutdown the system), since Firewall Security config does not monitor/protect certain COM Interfaces.

V12.2.2.7062 (Firewall only) Windows 7 SP1 Ultimate 64-bit (clean install with all MS-updates)

Config in use: COMODO - Proactive Security (with some changed settings)

New test, no batch files listed in File Rating, created new batch file with another name and different content to force different hash:

@echo HelloWorld
shutdown.exe /r /t 00

Starting the batch file by double clicking within explorer (in the order below):

With Cloud Lookup disabled → HIPS Alert “explorer is trying to execute blabla.bat” → Choose Block Only → batch prevented from execution → No reboot.
With Cloud Lookup disabled → HIPS Alert “explorer is trying to execute blabla.bat” → Choose Allow → Application contained → No reboot.
After the above the batch file got listed in File Rating as Unrecognized.

All well then.

shutdown is a system application, so it is not auto-contained;
it is necessary to extend the command line in auto containment and firewall… :-TU