CIS 10 - Flooded with false alerts when using Google Chrome

A. THE BUG/ISSUE (Varies from issue to issue)

Can you reproduce the problem & if so how reliably?:

Yes, every time.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

1: Start Google Chrome. Just that.
2: If loading any page, further alerts may appear, as Chrome may load or reload additional add-ons (see below).

One or two sentences explaining what actually happened:

First, one “potential security breach” alert as soon as Chrome is loaded - it tries to contact google.com and CIS decides that’s suspicious… Then several successive alerts that "unrecognized application C_cmd.exe_XXXXXXX.bat [where XXXXXXX is a long random hex string] is trying to access conhost.exe". Such batch files are located in one of CIS’ own folders (C:\ProgramData\Comodo\Cis\tempscrpt) and each corresponds to a loaded Chrome add-on (verified by editing and viewing the batch files).

One or two sentences explaining what you expected to happen:

I expected nothing to happen and to be able to surf the Web normally without any hassle.

If a software compatibility problem have you tried the advice to make programs work with CIS?:

None found for Google Chrome. CIS 10 is brand-new as of today, and I don’t think such advice even exists at this point.

Any software except CIS/OS involved? If so - name, & exact version:

Google Chrome 55.0.2883.87m (64-bit)

Any other information, eg your guess at the cause, how you tried to fix it etc:

As for the “potential security breach” alert, I tried to whitelist google.com, as explained at Comodo Internet Security Essentials - Understanding Alerts, Trusted Root Certificates, but it didn’t work. I tried all combinations of settings, including www.google.com, just google.com and *.google.com (asterisk wildcard, which I don’t know if it’s supported), as well as “Action” and “Status” (very ambiguous and unclear UI design there). Nothing worked, the alert still popped up the next time I opened Chrome.

I also tried disabling Web filtering, but that didn’t work either - the error still occurred when I loaded Chrome next time. I understand that this error is supposed to happen when an untrusted SSL certificate is found, but I find it very unlikely that Chrome (which is made by Google and everybody knows that it connects to Google all the time) received and accepted an invalid Google certificate - but it could conceivably use some non-standard protocol to “phone home”.

As for the “unrecognized app” error, I tried whitelisting “C:\ProgramData\Comodo\Cis\tempscrpt\C_Cmd*.bat” as “allowed applications”, but the only way I could stop the error from happening was disabling HIPS altogether - which I didn’t want to do. I also find it odd (not to mention embarrassing!) that CIS 10 considers a batch file generated by itself “unrecognized”…

B. YOUR SETUP

Exact CIS version & configuration:

CIS 10.0.0.6086

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

Firewall - Safe Mode
Auto-Sandbox - Disabled
HIPS - Safe Mode when the problem happened (currently disabled so I can surf the Web in peace)
Viruscope - Disabled (I run another AV)
Website filtering - Enabled

Have you made any other changes to the default config? (egs here.):

Only whitelisting apps (too many alerts with Windows system modules, which should be the subject of a separate bug report).

Have you updated (without uninstall) from CIS 5, 6 or 7?:

No, but I did upgrade from CIS 8.

If so, have you tried a clean reinstall - if not please do?:

Is it worth the hassle for a case like this? Judging from the kind of problem, I find it very unlikely that this would be solved by a clean reinstall.

Have you imported a config from a previous version of CIS:

Not myself, but I suppose it must have done that when upgrading from CIS 8. My configuration was pretty much standard, though. I didn’t fiddle much with it.

If so, have you tried a standard config - if not please do:

See above.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 10 Pro Anniversary Edition (build 14393.576) 64-bit, all Windows Updates current, standard UAC settings, admin account, no VM.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a= Kaspersky Anti-Virus 17.0.0.611c
b= Windows was cleanly installed from a non-OEM, original Microsoft ISO, so no bundled software. No other firewall, antivirus or such was ever installed.

C. ATTACH REQUIRED FILES

Diagnostics report attached. KillSwitch report not attached because I could not find how to generate it in CIS 10 - “Watch Activity” seems to no longer exist. HIPS Events log attached instead.

EDIT (UPDATE):

It is now less than an hour after my original posting. The “unrecognized app” error just happened, when I loaded a YouTube video, so I thought I’d post a capture. Please see it attached as a GIF image. Notice, however, that this time the error is because of Chrome trying to access the batch file, which is unusual - normally it’s the batch routine trying to access conhost.exe.

The batch file in question loads the EagleGet Monitor plug-in, but as I write now there are 30 “C_cmd.exe_*.bat” files in the “C:\ProgramData\Comodo\Cis\tempscrpt” folder. Most of them load EagleGet Monitor, but there are also some for Adobe Flash and for Kaspersky’s protection module. EagleGet is a download manager, but it also has a function for downloading Web videos such as YouTube’s.

I’ll try to whitelist EagleGet Monitor in CIS to see what happens.

This is not a bug but a feature

Then it’s a very ill-thought, ill-implemented and ill-tested “feature”. I’m aware that a trade-off is frequently needed between security and convenience, but making a user’s life miserable and nagging him every single time he just loads his browser or opens a new Web page is going too far and intolerable.

Option (1) above is impractical and doesn’t work, because CIS generates a new batch file every time, and previously trusted files will never be used again. And it is those batch files, not the actual application itself, that CIS 10 keeps nagging me about. CIS 10 doesn’t even recognize a core Windows system component such as conhost.exe as a valid application.

(Just incidentally and for the record, I was going to submit a separate bug report because it is preposterous how CIS 10 doesn’t recognize essential Windows system modules - all widely known, digitally signed by Microsoft and flagged as system components in their properties - and considers them “unrecognized applications”, when they should be whitelisted by default. In addition to the problems with Chrome, which are the subject of this report, CIS 10 also often nags me simply with Windows itself doing its job. But at least in that case it does remember user-assigned trust, and now this has become moot, as you will see.)

And option (2) is throwing away the baby with the bathwater, leaving a huge flank exposed to potential malware - a malicious application could easily run a very nasty PowerShell script with impunity if checking the system’s DOS command interpreter is disabled. That defeats the purpose of a HIPS for a critical part of the system.

I hope Comodo will eventually implement an option (3) of just recognizing when an application is safe, based on previous user-assigned trust, as it should be. The way it is, such granted trust does not persist and is ignored, because CIS 10 does not recognize its own interventions and considers every new batch file it creates itself, not the sandboxed program, as a never before seen application. You may call that by a different name, but this is a bug in my book. And a BIG one at that!

I could tolerate this if it happened with an infrequently used, secondary application, but not with my default Web browser, which is used all the time. Remember that Google Chrome is now the most widely used browser in the world, hence also one of the most frequently used applications in the world (if not the most frequently used one) - and its add-ons, with which CIS 10 obviously has a problem, are one of the reasons for all that popularity. Therefore, CIS 10 making Chrome (especially with add-ons) nearly unusable is a very serious issue, and totally unacceptable. (Remember that there is also the issue of considering Chrome’s communication with Google “unsafe”, and whitelisting it isn’t working.)

So, if all I can do is throw away the baby with the bathwater, I think I’ll have to use option (4): throwing away the bathwater, the baby and the new bathtub all at once. I’m uninstalling CIS 10 and returning to CIS 8 - for now.

But since CIS 8 will no longer be maintained or updated, I’ll start having a look at the competition. I have been a loyal Comodo user for many years, but keeping that loyalty has become impossible if Comodo says I should be happy with CIS 10 making my Web browsing experience constant torture. And many other users will probably do the same. You have gone too far this time. It seems to me that CIS 10 was released prematurely, without much testing in real-life conditions. This will hopefully be corrected in new versions, but it may be too late for me and other users. Sorry, but it is so.

As an aside, you get very similar effects (lots of issues with .bat files) when compiling C++ code using Visual Studio 2013 (and other versions). I believe that Comodo is picking up on the script files generated by the VS IDE which are then passed to the various command line tools (e.g. link.exe, cl.exe, regsvr32.exe, mt.exe etc).

Only (simple) solution/workaround that I am finding is to turn off Comodo when compiling code.

Disable embedded code detection. This is a usability problem and suggestions should be posted in appropriate board. Not really a bug.
(It’s a new feature.)

Just in case anyone’s wondering, the setting for “Enable embedded code detection” is in the HIPS settings for CIS, and appears to work even if you’ve got HIPS turned off.

Thanks, but like I said above that I would, I have uninstalled CIS 10 - which was easier said than done, as there were leftovers all over the place after uninstall: in Program Files, ProgramData, User\AppData, etc. Fortunately, nothing that a reboot to Linux (which ignores Windows permissions) and later a Regedit search back on Windows couldn’t solve. I have no plans to reinstall it. Sorry, but it’s obvious that we have different definitions for a “bug,” because a “usability problem” that forces a user to choose between using his most frequently used program and keeping his mental sanity is a BIG bug for me.

Anyway, “Disable embedded code detection” might possibly solve (or work around) the problem with alerts for batch files created by CIS itself for every plug-in on every new page (I haven’t tested it, and now I won’t), but I very much doubt that would solve the other problem with Chrome, which apparently wasn’t noticed in my original report above: sending a big alert of a “potential security breach” every time Chrome “phones home” to Google, and it’s no secret that it does that all the time.

Whitelisting Google domains (by clicking on the gear icon on the alert, which I still remember) should solve the problem, but it doesn’t - CIS completely ignores it and keeps sending “security breach” alerts. I tried google.com, www.google.com, *.google.com, all with and without http:// and https://. Nothing worked. Either Chrome connects to a domain other than those, or it uses a protocol other than HTTP, or CIS has a bug (or a “usability problem”) in whitelisting, or more than one of the above.

Well, this is just a reminder of another, apparently overlooked problem FYI. Good luck. When CIS 11 appears, I’ll be sure to check it out and try it - but only after version 11.1 or 11.2, to make sure it has no “features” or “usability problems” that will make my life miserable.

For what it’s worth, turning off (i.e. disabling) “Embedded code detection” fixed my issues of CIS preventing Visual Studio builds from working correctly.

This solution worked for me with the alerts I was getting: