CIS and Symantec SWV

Is there any chance that these will function together?

I wasn’t sure where to post this but decided to consider it a bug because what CIS does isn’t rational.

SWV creates virtual file system and registry layers containing applications which can be turned on or off. Files in a layer are held in a physical location and a file system filter driver maps them to a virtual location when the layer is turned on.

When something executes a file in a layer, or an executable in the layer does something, CIS detects it and displays an alert which can create an associated rule. The rule always shows the physical, not virtual, location of the file, and the rule is subsequently ignored. If you keep executing something in a layer and allowing and remembering the alerts, CIS just keeps adding identical rules.

If I manually create a rule for an executable using its virtual location, that is also ignored. I tried everything I can think of to work around this and have failed.

CIS detects a request to execute something in a layer, or something in a layer doing something, then creates rules which don’t match what it detected, and that is the irrational bit.

This isn’t a new problem. I found one or two posts about this going back a couple of years when SWV used to be Altiris SVS.

Adding a screenshot of the CIS Active Process list and Sysinternals Process Explorer properties for process 2416, which is running from an SWV layer. Process Explorer thinks it comes from the virtual location. CIS thinks it comes from the physical location, but I assume CIS thinks it comes from the virtual location in other places, which is why it doesn’t match rules?

[attachment deleted by admin]

I have no experience with this type of program. CIS “forgetting” rules looks like how it treats USB sticks and mounted disks. They are not considered safe by default and as a consequence CIS will not maintain rules after the session or when the device gets unmounted.

I was one of the starters of the previous threads regarding this issue. Just bumping here and hoping that Comodo and SWV can co-exist at some point.