CIS AV doesn't show alert in some cases

Comodo Internet Security - CIS Resolved/Outdated Issues - CIS
#1

A. The bug/issue

  1. What you did:
    Tried to execute a backup of my system drive with the Windows 7 backup

  2. What actually happened or you actually saw:
    The backup stopped with error 0x8000037: Windows Backup failed while trying to read from the shadow copy on one of the volumes being backed up

  3. What you expected to happen or see:
    Afterwards, it turned out, that the AV detected an PUA in the volume shadow copy, so I would have expected an alert message from CIS!

  4. How you tried to fix it & what happened:
    Disabled the AV component, the backup succeeded

  5. If its a software compatibility problem have you tried the compatibility fixes (link in format)?:

  • not a compatibility issue -

  1. Details & exact version of any software (execpt CIS) involved (with download link unless malware):
    Windows 7 Backup (x64, SP1)

  2. Whether you can make the problem happen again, and if so exact steps to make it happen:

  • Place a file that CIS detects (e.g. EICAR test file) in a folder that should be backed up (actually CIS didn’t detect it, as I placed it there, the signature must have been added afterwards)
  • Execute a backup
  • The backup will fail with the above error, no alert will be displayed, an AV detection event will appear in the CIS event log
  1. Any other information (eg your guess regarding the cause, with reasons):
    The detection location points to \Device\HarddiskVolumeShadowCopy<PathToFile>

B. Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug:
  • As described, no alert is shown
  1. Screenshots of related CIS event logs:
  • As described, there’s an malware detection entry:
    location: \Device\HarddiskVolumeShadowCopy<PathToFile>
    action: detect
    status: successful
  1. A CIS config report or file.
  1. Crash or freeze dump file:
  1. Screenshot of More~About page. Can be used instead of typed product and AV database version.

C. Your set-up

  1. CIS version, AV database version & configuration used:
    CIS 5.10.228257.2253, 12631, AV: stateful, D+: Paranoid, FW: custom

  2. a) Have you updated (without uninstall) from from a previous version of CIS:
    No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:

  1. a) Have you imported a config from a previous version of CIS:
    No
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
  1. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
  • Countless, I’m using D+ in paranoid and Firewall in custom mode…
    Probably only the settings of the AV are interesting, see screenshot below

  1. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
    D+=Paranoid, Sandbox off, FW=Custom, AV=stateful

  2. OS version, service pack, number of bits, UAC setting, & account type:
    Win 7, SP1, 64bit, UAC on, admin account

  3. Other security and utility software currently installed:

  • none -
  1. Other security software previously installed at any time since Windows was last installed:
  • none -
  1. Virtual machine used (Please do NOT use Virtual box):
    no

[attachment deleted by admin]

#2

Thank you very much for your bug report in standard format. We very much appreciate the effort you have made to document this bug.

We are sorry to trouble you further but there are some items of information missing or unclear in your post

  • Please append a CIS config file. Because of your unusual settings this will help devs replicate the problem.
  • Please append your active process list. For replication purposes and because I’d like to compare this with mine as I have this problem too!
  • C.7 and C.8, for similar reasons. I will edit A.5 to say ‘not a compatibility problem’ if you approve.

The reasons we need these items of information, though they may not seem directly relevant to the issue are explained here.

We would be very grateful if you would add these items of information so we can forward this post to the format verified board, where it is more likely to get fixed. You can find assistance using red links in the Format and here. If you need further help please ask a mod. If you do not add the information after a week we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report which includes all necessary information or not. We may remind you if we think a bug of particular importance.

Many thanks again

Mouse

#3

I’ve appended screenshots of the active process list and changed A.5, C.7 and C.8.
But at the time of the screenshots, the Backup isn’t running.
For the config - I’ll probably need to clean it up - or don’t you need the special application rules, so that I can strip them completely? I think it’s more confusing than helpful to have the complete set.

#4

Thanks I’d just append your config as it is, so any problems with it can be replicated, if you don’t mind. Forwarding now.

Best wishes

Mouse

#5

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

#6

Seems, that I can’t edit my post anymore, so I’m attaching it here. Note, that I renamed the config, as the extension cfgx is forbidden.

[attachment deleted by admin]

#7

Yes, that is the case, sorry :slight_smile:

And thanks for the config.

Best wishes

Mouse