Can't disable auto-containment on Trusted applications

WerFault on cis.exe not good sign …
Seems cis is crashing or having problems…

Hi CinderBH,

We are checking on this, and thanks for sharing the requested information.

Thanks
C.O.M.O.D.O RT

Reconsider doing #20

In the event that it really is an issue with the current update, then even if I reinstall 100 times it won’t matter.

I hope I understand you correctly, but why do you think #20 won’t possibly resolve the issues you’re having?
I mean if I would see repeated WerFaults on cis.exe in my CIS logs I would not hesitate to uninstall CIS and install it anew if only to check if that would resolve the WerFaults since I know that having WerFaults means something is not working as it should or has become unstable in cis operation.
CIS is just too complex to fix these kinds of issues by just tweaking something in hopes that it resolves everything.

Hi CinderBH,

Are you using video editor (shortcut) portable or windows installer?

Thanks
C.O.M.O.D.O RT

I used the installer. But as I said, the problem now in general is that I can’t unblock applications because they don’t appear in the Unblock Applications window. Even adding them manually as Trusted doesn’t work, and the only solution seems to be temporarily disabling Auto-Containment.

Hi CinderBH,

Thank you for providing the requested information.
We are checking on this and we will keep you posted.

Thanks
C.O.M.O.D.O RT

What’s the file size of cmddata found in your "C:\ProgramData\Comodo\Cis\lmdb" directory?

That’s an odd question. But it’s 96 MB.

Not so odd a question; some users reported a cmddata file size of over 1Gb, which should not happen. Your file size is normal, same as mine.

What happens if you add the Ignore rule as indicated in the screenshot?
When creating the Ignore rule make sure to enter in “File Location” exactly this: ?:*.*
Also make sure that the Ignore rule is located at the top of the rules list (if not click and drag the rule to the top of the list) as shown in the screenshot.

Curious what happens now on your end when you run any apps.

Okay, with that rule set, things don’t get auto-contained anymore.

Ok that’s good.
This Ignore rule was just a check (no solution) to see if CIS Containment would consult and process the containment rules list; it does do that.
Now remove the Ignore rule from the rules list as it allows running everything uncontained (that’s not secure to do).

Okay, done. Hopefully that gave some sort of clue.

If you add an Ignore rule for a Trusted app (for which you know it runs contained) in the same manner (position at the top of the rules list) doesn’t that still work then?

Trying a bunch of apps that should count as Unknown after setting that rule, and none of them are getting auto-contained, save for the occasional consent request from CIS. Also all of them show up as “scanned and found safe” in the HIPS event log.

Ok that’s working correctly.

Bear in mind that unknown apps only run contained for as long as they match one of the existing (CIS default) auto-containment rules. An Unknown app which entered your system (a 0-day) will always run contained (it matches an auto-containment rule) but that same Unknown app will run uncontained when there is no matching auto-containment rule anymore (e.g. after some days an unknown app runs uncontained because there is no matching auto-containment rule for it).

Referring to your topic title “Can’t disable auto-containment on Trusted applications”, are Trusted apps still being run auto-contained on your end?

Well, not since I set up that second rule the way you said.