Bug in accepting alert for "Window Messages". [NBZ]

The bug/issue

  1. What you did: Clicked a link from an external application (PuTTY Tray) to make it open in the default browser (Opera).
  2. What actually happened or you actually saw:

Got an alert popup “opera.exe is trying to modify the user interface of ctfmon.exe”. I allowed this request with the “remember” option selected. The effect was that the application policy “Window Messages” for opera.exe changed from “ask” to “allow” (allowing all further requests) without adding ctfmon.exe to the exclusions list.

  3. What you expected to happen or see:

After accepting such a request, CIS should remain in the “ask” state and add an exclusion for ctfmon.exe to the “Allowed Applications” list for “Window Messages”, similar to the other situations explained below.

  4. How you tried to fix it & what happened: Not repairable by user.
  5. If it's an application compatibility problem have you tried the application fixes?: N/A
  6. Details (exact version) of any application involved with download link: PuTTY Tray 0.60r3, Opera 10.63, Process Explorer 12.04 (however, the bug is in the internal logic of CIS).
  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
  • make one app send another one a winmsg
  • allow & remember on alert
  • check access rights policy
  8. Any other information (eg your guess regarding the cause, with reasons):

I wanted to be sure that this is indeed a bug, so I produced other events which have exception lists (“Interprocess Memory Accesses” and “Processes’ Termination”) by killing an application in Process Explorer (SysInternals). As I expected, I got two separate alerts: “procexp.exe is trying to access opera.exe in memory” and “procexp.exe is trying to terminate opera.exe”. I allowed both with remember. I then checked the access rights for PE, and both events remained in the “ask” state with entries for opera.exe added to their exclusion lists.

Conclusion: CIS’s “Window Messages” event handler now incorrectly behaves like events without exclusions, such as “Keyboard”, “Disc” or “DNS Client Service” (the state is changed from “ask” to “allow” on accept & remember).

Files appended

  1. Screenshots illustrating the bug: Not attached, but I could reproduce this bug at any time and attach them on request.
  2. Screenshots of related event logs or the active processes list:
  3. A CIS config report or file:
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used: 5.0.162636.1135 / 6370
  2. Have you updated (without uninstall) from CIS 3 or 4, if so have you tried reinstalling?: N/A
  3. Have you imported a config from a previous version of CIS, if so have U tried a preset config?: Customized “Proactive Security”.
  4. Defense+ and Sandbox OR Firewall security level: D+:Paranoid (monitoring settings: all checked)
  5. OS version, service pack, no of bits, UAC setting, & account type: XP SP2
  6. Other security and utility software running: None.
  7. Virtual machine used (Please do NOT use Virtual box): None.
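
The difference between the expected and the observed "allow + remember" handling, as an added Python model that is not part of the original report and is not CIS code. The `AccessRight` layout and the names `remember_allow`, `needs_alert` and `audit` are hypothetical; only the right names and process names come from the report.

```python
from dataclasses import dataclass, field

# Rights the report says keep an exclusion ("Allowed Applications") list.
SCOPED_RIGHTS = {
    "Window Messages",
    "Interprocess Memory Accesses",
    "Processes' Termination",
}

@dataclass
class AccessRight:
    state: str = "ask"                      # "ask" or "allow"
    allowed_targets: set = field(default_factory=set)

def remember_allow(policy, right, target, buggy=False):
    """Record an 'allow + remember' answer to one alert.

    buggy=True reproduces the reported behaviour for a scoped right.
    """
    entry = policy.setdefault(right, AccessRight())
    if right in SCOPED_RIGHTS and not buggy:
        entry.allowed_targets.add(target)   # scoped grant, state stays "ask"
    else:
        entry.state = "allow"               # blanket grant for every target
    return entry

def needs_alert(policy, right, target):
    """True if this (right, target) request would still prompt the user."""
    entry = policy.get(right, AccessRight())
    return entry.state == "ask" and target not in entry.allowed_targets

def audit(policies):
    """List (app, right) pairs where a scoped right became a blanket allow."""
    return sorted(
        (app, right)
        for app, policy in policies.items()
        for right, entry in policy.items()
        if right in SCOPED_RIGHTS and entry.state == "allow"
    )

# Constructed sample: the same alert answered under each behaviour.
expected, observed = {}, {}
remember_allow(expected, "Window Messages", "ctfmon.exe")
remember_allow(observed, "Window Messages", "ctfmon.exe", buggy=True)
POLICIES = {"opera.exe (expected)": expected, "opera.exe (observed)": observed}

if __name__ == "__main__":
    print(audit(POLICIES))
    print(needs_alert(observed, "Window Messages", "explorer.exe"))
```

Under the observed behaviour a later window-message request to any other target no longer prompts, which is what the `audit` check surfaces for review.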

Moving to verified.

Many thanks for reporting in standard format

Best wishes

Mouse

  1. What you did: set Defense+ access rights for %windir%\explorer to ‘ask all’. Mouse-over the CIS sys-tray icon.
  2. What actually happened or you actually saw: CIS alert, i.e., explorer trying to modify the user interface of cfp.exe. Checked ‘allow’, ‘remember this’. Defense+ access rights for %windir%\explorer Windows Messages changed to ‘allow’ (nothing listed in allowed applications)
  3. What you expected to happen or see: expected to see ‘%ProgramFiles%\COMODO\COMODO Internet Security\cfp.exe’ listed in ‘Windows Messages’ allowed app listing (access right remains ‘ask’)
  4. How you tried to fix it & what happened: added ‘%ProgramFiles%\COMODO\COMODO Internet Security\cfp.exe’ manually to Windows Messages ‘allowed applications’. Ticked ‘ask’, applied settings
  5. If its an application compatibility problem have you tried the application fixes?: N/A
  6. Details (exact version) of any application involved with download link: N/A
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Yes (per above)
  8. Any other information (eg your guess regarding the cause, with reasons): bug

Your set-up

  1. CIS version, AV database version & configuration used: CIS v5.0.162636.1135, VSDV 6759, proactive

  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
    b) if so, have you tried reinstalling (if not please do)?: N/A

  3. a) Have you imported a config from a previous version of CIS: no
    b) if so, have U tried a preset config (if not please do)?: N/a

  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. ): custom policy, checked ‘ask’ for all access rights

  5. Defense+ and Sandbox OR Firewall security level: AV enabled (Stateful), Firewall (custom), Defense+ (paranoid), Settings: general: everything unchecked; exec ctrl: enabled, all checked (unrecog = untrusted); sandbox: enabled, all checked 'cept auto-trust files from trusted installers; monitored: all checked.

  6. OS version, service pack, no of bits, UAC setting, & account type: Win Server 2003 Std. Service Pack 2
    32bit
    UAC: N/A (active directory not installed)

  7. Other security and utility software installed: Ad-Aware 8.3.5, Spybot 1.6.2, Windows Defender

  8. Virtual machine used (Please do NOT use Virtual box): N/A

Thank you for your bug report in standard format.

It will be moved to verified and merged with previous bug report.

Thank you

Dennis