Block all unknown requests when the application is closed

  1. What you did:
    Enabled ‘Block all unknown requests when the application is closed’ and rebooted

  2. What actually happened or you actually saw:
    A notification pops up that SearchIndexer.exe (part of the Windows Search indexer) has been sandboxed after rebooting with the above setting enabled

  3. What you expected to happen or see:
    Expected Vista just to boot normally without sandboxing this process

  4. How you tried to fix it & what happened:
    Tried adding it as a trusted file and creating D+ rules for it as a trusted app, but the issue still occurs

  5. Details (exact version) of any software involved with download link:
    Windows Vista x64 SP2 with Windows Search indexing enabled

  6. Any other information you think may help us:
    Make sure this is tested on Vista and not XP, as XP doesn't have the Windows Search features that Vista does.

Files appended

  1. Screenshots illustrating the bug: n/a
  2. Screenshots of related event logs or the active processes list: n/a
  3. A CIS config report or file: n/a
  4. Crash or freeze dump file: n/a

Your set-up

  1. CIS version, AV database version & configuration used:
    V5.0
  2. Whether you imported a configuration, if so from what version:
    Using default v5 profile and enabling Block all unknown requests when the application is closed
  3. Defense+ and Sandbox OR Firewall security level:
    Default
  4. OS version, service pack, no of bits, UAC setting, & account type:
    Vista x64 SP2
  5. Other security and utility software running:
    None
  6. Virtual machine used (Please do NOT use Virtual box):
    no

Anyone else get this?

It has been reported more than several times during beta testing. According to egemen it is best to use this only if one suspects one’s system is infected. It is not for day-to-day use.

Ok, I have turned it off in that case.

Seems like a good failsafe though, in case CIS is closed.

Ok transferring this to help so others can benefit.

Best wishes

Mouse

Is this a reason for not fixing it?

Prior to V5 I always ticked this option without problems. I have not tried it with V5 yet as people have said there are problems. I think if there are problems with it these problems should be fixed.

It has been reported by another member that you do not need this box ticked to be protected.

I have not tested this yet; will post back when I have time.

Dennis

The devs think that this is OK. The mods are not sure. So user discussion of how much a security problem this is will be useful. Over to you guys!

Happy to re-raise this as a bug when we have, say, some proof of concept…

Best wishes

Mouse

Since I’m not using the sandbox functionality, I’m not affected by this specific issue. In fact I’m still using CIS 3.14 on my production machines, since version 4 also had a - in my eyes - big security flaw, which brought me back to 3.14.
This is more a general post about handling bug reports:

  • A user reports a bug; he does this in the requested form and provides all the information needed.
  • A moderator confirms that there were already similar reports.
  • The devs see no reason to do something about it, since the affected option isn’t used in the default configuration (which means the devs even know about this bug).
  • Another moderator would like a discussion about security issues in case the buggy option is disabled - at this point the chances that the bug gets fixed are almost zero. But maybe a heated and emotional discussion about possible security issues will start and lead far, far away from the problem.

I like to quote Melih at this point:
Our forum is one of the best, if not the best, in terms of problem resolution, speed, help and great place to be!
That was the answer to the question about the professionalism of the forum in dealing with bug reports and end-user problems. Maybe we should ask the topic opener about this.

Kind regards
Michael

Sorry should have explained further. (We mods are all volunteers and so have limited time…)

I agree the ‘issue’ is known, and I agree that the author was very helpful in putting this in the right format. The difficulty for us is that the devs have made it clear that users should leave this unticked in normal usage and they will be acceptably safe if they do so. So if I forward it as verified and make a tracking system entry it will likely get marked as ‘invalid’ and not looked at.

But I retain some worries. I don’t know if these are soundly based or not. So the best way of progressing this issue I’m thinking, is to see if anyone can come up with an example where leaving this unticked resulted in a demonstrable vulnerability - a PoC.

So a PoC please, no rants!

Best wishes

Mouse

Tested it: it works the same whether ticked or not.

After closing the GUI (cfp), if you have the sandbox active, the application is sandboxed if it normally would be with the GUI running.

With the sandbox not active, the application fails to run.

Dennis

I know - it’s not an easy job.

So, you’re telling me, a bug that doesn’t affect security isn’t a bug by COMODO’s definition.

As long as the sandbox is enabled, I don’t see a problem here. The sandbox does something similar to what the option does, at least concerning D+ alerts. Is outgoing traffic still allowed for sandboxed apps? Then maybe there could be a problem. But I have no PoC.

If the sandbox is disabled, I would definitely recommend to enable this option - so the devs’ statement should be refined a bit.

Regards, Michael

That was changed already in v4.1.

Sorry, I have already posted that if the sandbox is disabled the process does not run, so there is no reason to tick the box.

The only case for using this option would be if one suspects one’s system is infected, and that there is a danger of both CIS processes being killed.

If you insist on ticking the box, be warned that some processes will not run; the core system processes are safe, so Windows will always run.

Dennis

Thanks for understanding.

So, you're telling me, a bug that doesn't affect security isn't a bug by COMODO's definition.
Not really. What I mean is that this *specific* issue isn't really an issue if security is not affected. Boot time security was the reason for this setting. So if CIS has adequate ways of dealing with this w/o this setting under normal circumstances, then the need to keep this unticked unless malware infected is probably not an issue.
As long as the sandbox is enabled, I don't see a problem here. The sandbox does something similar as the option does. At least concerning D+ alerts. Is outgoing traffic still allowed for sandboxed apps? Then maybe there could be a problem. But I have no PoC. If the sandbox is disabled, I would definitely recommend to enable this option - so the devs' statement should be refined a bit.

I think others have now answered these further points?

Hope all is reasonably clear now

Many thanks

Mouse

Edit by EricJH: fixed a quote

As far as I’m concerned, all is answered. Thanks for giving me a look behind the scenes. As you might already know, I’m not really happy now, but it’s pointless to discuss bug management since neither you nor I can change anything here.

Thanks BigMike

Doubtless we would agree on many things… :)

Best wishes

Mouse