CIS automatically quarantines files or may delete

I shall be uninstalling as soon as I’ve selected & downloaded replacement FW & AV. Shame as there’s a lot I like about the program; I gave up CIS after using 5.12.x as V6 was so awful yet decided to give v10 a trial. Initial impressions very good - interface has improved greatly. It’s hugely less resource-hogging than v6; and most (not all) tasks run faster.

However, v10 has some aspects that are unacceptable. It has an infuriating bug that annoyed the hell out of me on v5: whenever it decides some file is any form of malware it pops up the ‘Ask GeekBuddy/No I’ll clean it’ box and when one clicks “I’ll clean it myself” it invariably quarantines the file. This morning it quarantined a file from Malwarebytes while the latter was running a full scan - MBAM was scanning its own directory at the time. Clicking on the AV result in the main window lists the file as being in Comodo quarantine; however in the advanced tool Quarantine list, it isn’t there. Presumably CIS decided to delete it… Looks like I’ll have to do a complete reinstall of MBAM. GRRRRRR…

Note I chose NOT to install GeekBuddy - that choice didn’t make any difference in 5.12x and it doesn’t make any difference now. Neither does having set advanced settings to disable automatic cleaning for all CIS AV scans.

It also keeps adding files like Samsung Magician (signed, trusted vendor!) to the autocontainer list every time I boot the PC. There are some lesser niggles, but for me breaking MBAM in the middle of a scan is a killer as far as CIS 10 is concerned.

Hi Heracliton,
Thank you for the feedback.

1. You can control Quarantine options via the AV settings, as explained in the following help section:

You can select: Alert, Block and Quarantine (Default). It doesn’t auto delete the file.

Could you please share the MBAM version you used? It would also be great if you could share the SHA-1 of the file on which you observed the false positive.

You can manage the scheduled “Full Scan” via settings, as explained in the following help section:

When malware is detected, considering the file is auto-quarantined due to CIS settings, the GeekBuddy alert just offers help if someone needs it; you can always de-select the window so as not to see it again. It’s great for novice users who may need help.

Regarding the Samsung sandboxed files, could you please share the SHA-1 of those sandboxed files?

It’s great to hear feedback; a little help from you will allow us to investigate the problems you observed further.

Thanks
-umesh

Hi Umesh

Thank you for your reply. Comments in-line in blue

Can you compress and attach the cislogs.sdb from C:\ProgramData\Comodo\Firewall Pro and enable comodo property page from this post, then right-click on any file/folder/shortcut on your desktop and select dump content of the database, save and add the generated .txt file to the archive.

For the Samsung file it appears to be signed with an expired digital signature certificate.

Hi Heracliton,

  1. Team is checking false-positive.
  2. Regarding the detected file still getting deleted, please share the log as suggested by futuretech and also please export the active CIS configuration.
  3. Regarding definition for each detection, not yet.
Not sure that's at all a good idea as in further incidents like this morning's, I could end up with programs that will no longer run without any obvious reason why. And it should not have been autoquarantined as CIS defaults had been changed.
For advanced users, yes, and that's why the settings exist, but for novice users (which most of the install base typically is), it's good, as they don't know how to make a decision.

This file has a valid timestamp, so even if the certificate has expired, the product will still treat it as safe, as the signer is in the trusted vendor list. I didn’t see it getting sandboxed. Let’s have a look at the requested configuration and log.

Thanks
-umesh
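
The two things asked for in this thread, a file's SHA-1 and whether an expired signing certificate is covered by a timestamp, can be gathered with built-in PowerShell cmdlets. This is an added example, not part of any post above and not Comodo's code; it reports Windows' own Authenticode verdict rather than CIS's trusted vendor list decision, and the function name and file path are placeholders.

```powershell
# Added example: gather the SHA-1 and Authenticode details of files to report.
# The path in the sample call is a placeholder; substitute the flagged files.

function Get-SignatureReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        # A file that CIS has already quarantined or removed cannot be hashed.
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            Write-Warning "Not found (possibly quarantined or deleted): $Path"
            return
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $Path
        $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA1
        $signer = $sig.SignerCertificate
        $tsa    = $sig.TimeStamperCertificate

        [pscustomobject]@{
            Path           = $Path
            SHA1           = $hash.Hash
            Status         = $sig.Status   # Windows' verdict on the signature
            Signer         = if ($signer) { $signer.Subject } else { $null }
            SignerNotAfter = if ($signer) { $signer.NotAfter } else { $null }
            # True when the signing certificate's validity period has ended.
            SignerExpired  = if ($signer) { $signer.NotAfter -lt (Get-Date) } else { $null }
            # True when a timestamp countersignature is attached.
            TimeStamped    = [bool]$tsa
            TimeStampedBy  = if ($tsa) { $tsa.Subject } else { $null }
        }
    }
}

# Sample call with a placeholder path.
'C:\Path\To\FlaggedFile.exe' | Get-SignatureReport | Format-List
```

A file that reports Status `Valid` with SignerExpired `True` and TimeStamped `True` was signed and timestamped while its certificate was still within its validity period.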
