CIS 4.0.14 X86, Scheduled task which runs no file is automatically sandboxed

Hello,

I have just enabled the sandbox and disabled autodetect installers. Unknown exe’s give me a popup that they are sandboxed. So far so good, I would say.

But then Comodo alerted me on UpdateApplications.exe running from c:progfiles:Comodo System Cleaner
I removed that program and ran CCleaner afterwards to check the reg for traces that remained.
When I tried to open the properties by clicking on the filename in the sandbox alert, Comodo said that the file did not exist.
How can a non-existing exe be started and sandboxed? No process with that name was running afterwards.
And the file does not exist in the given location. Does this have something to do with the ‘virtual copy’ Vista holds somewhere? I do not know the specifics of these virtual files (hence the quotes).

I hope I did not make a mess of things.

System Information:
Vista Home Premium SP2 x86
UAC enabled, Admin rights account
T5550 1,8 GHz, 3 gb

Sophos AV
Comodo Firewall only (unchecked AV during install)
D+ ‘paranoid’
Sandbox enabled, autodetect installers unchecked
Firewall ‘safe mode’

Thanks. Could you please do a Windows Explorer Search of your entire hard disk for Updateapplications.exe. Please include system and hidden files in the search.

If you find it please note the path, zip it up and post it here.

Then please navigate to Control Panel ~ Scheduled tasks and find Comodo System Cleaner Update. Right click and look at its properties. Take a screen shot please of the task tab associated with this task and post it here.

There have been a few of these problems so you can help us greatly by posting this info so we can find out what is going on.

Best wishes

Mouse

Sounds like a leftover task to me, just the same issue I had.

Exactly. But we need to find out exactly what is going on I think, not just delete the task. In this case I have the app installed myself. But if I remove the .exe and run the task there is no sandbox alert. So there is more to it than that!

Also of course the update executable is digitally signed.

Unless you know what is actually happening of course :)

Best wishes

Mouse

I think the problem is that normally the task is fine because it calls for a signed executable to run, so CIS sees that and lets it happen. But when you uninstall CSC and it leaves that task, it tries to run and call an exe that does not exist anymore. CIS sees that and goes: wait, I don’t know why it’s doing that, so I will sandbox anything it calls for, or at least tries to call.

That’s what I thought, but I tried to replicate it and it did not happen! So there is something else going on…
Hopefully this guy will post details and we will find out. Pre-fetch seems often to be involved, in that a .pf file is sometimes found, but nothing else…

Hi, I will try and collect the data when possible.
I am in GMT+1 and the problem is on my laptop, which is at home. So this PM I will try to find this task and some remains in the Vista virtual store.

I deffo will not just delete the task. I will ask in this thread first once I get more info.

I started wondering about this virtual store Vista uses. This is some kind of virtualisation, right? Does this not get in the way of the Comodo Sandbox?
Must I disable UAC?

Thanks, I very much appreciate your help with this.

Mouse

I don’t know if this helps, but I uninstalled CSC a while ago and D+ never asked me what to do with UpdateApplications.exe.
Once I enabled the sandbox, it alerted me after a little while that this exe was sandboxed.

I will find out more and post back here.

Thanks that’s in line with what has happened to others.

We’ll be clearer hopefully when you post the information.

Best wishes

Mouse

I searched for the file and came up empty. No results, so the VirtualStore does not contain this file. Which is as expected because it is a safe signed file, is it not?

Then I checked the tasks and there was a task pointing to this non-existing file, like languy99 said.

The image attached shows the leftover task and the reaction of the sandbox when I manually run it.

I tested some more with a new test task. I configured it to run a program that does not exist:
c:\program files\non existing dir\non existing dummy.exe

The second screenshot shows the result. Sandbox takes no risk and intercepts it even though the file does not exist.

[attachment deleted by admin]
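
A way to list leftover tasks like the one described in the post above, as an added example that is not part of the original thread or of any Comodo tooling. It walks the Task Scheduler 2.0 COM API (available from Vista onward) and reports every "start a program" action whose target file cannot be found; the function names `Get-AllTasks` and `Test-ActionTarget` are hypothetical helpers introduced for this example.

```powershell
# Added example: report scheduled tasks whose program action points at a missing file.
$TASK_ENUM_HIDDEN = 1   # GetTasks flag: include hidden tasks
$TASK_ACTION_EXEC = 0   # action type: start a program

function Get-AllTasks($Folder) {
    # Tasks registered directly in this folder
    foreach ($task in $Folder.GetTasks($TASK_ENUM_HIDDEN)) { $task }
    # Recurse into subfolders (the argument is reserved and must be 0)
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllTasks $sub }
}

function Test-ActionTarget([string]$Command) {
    # Action paths may be quoted and may contain %VAR% references
    $path = [Environment]::ExpandEnvironmentVariables($Command).Trim().Trim('"')
    if (-not $path) { return $false }
    if ([IO.Path]::IsPathRooted($path)) {
        return (Test-Path -LiteralPath $path -PathType Leaf)
    }
    # Bare names such as "cmd.exe" are looked up through PATH
    $found = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue
    return [bool]$found
}

$service = New-Object -ComObject Schedule.Service
$service.Connect()

Get-AllTasks $service.GetFolder('\') | ForEach-Object {
    $task = $_
    foreach ($action in $task.Definition.Actions) {
        # Skip COM-handler, e-mail and message actions: they have no file target
        if ($action.Type -ne $TASK_ACTION_EXEC) { continue }
        if (-not (Test-ActionTarget $action.Path)) {
            New-Object PSObject -Property @{
                Task          = $task.Path
                Enabled       = $task.Enabled
                MissingTarget = $action.Path
            }
        }
    }
} | Format-Table Task, Enabled, MissingTarget -AutoSize
```
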

See, the sandbox looks for anything that might be out of the ordinary and protects you. If you delete that task you won’t have the pop-up anymore. Something happened to me.

I do feel safer now that the ‘weird’ behavior is explained. If Comodo detects something weird that tries to run on the system, it intercepts even when the file supposedly does not exist. It could be a hacker/malware trick to run a file that does not exist upon runtime or something.

I think this is a good thing.
Comodo takes no risk.

Btw, can I delete the task or do you need some more info about it?

Maybe mouse wants some more info, I would wait for him.

Thanks that is really useful information, especially the additional experiment. Since we have an easy way to replicate it the devs should be able to fix it.

It does seem to be somewhat system specific, maybe OS specific, though, as it does not happen on my machine. Would you (and perhaps Languy) mind adding the standard bug report info as requested here. This is now the best documented reference to this bug so I’ll also move it to the bug report forum, and PM a QA guy.

Finally would you mind not disabling instead of deleting the task just in case a dev wants to ask anything, at least until the next version is issued (soon I think).

Many thanks again for taking the trouble to document this.

Mouse

Ok, I altered the startpost.
I hope I added sufficient info regarding my system and bug.

I will keep the scheduled task disabled on my system at least until the next release (prob longer as I tend to forget that I disabled it).

That’s great, thanks :)

Best wishes

Mouse