CIS blocks all unknown actions when CIS is closed [M1438]

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes very reliably
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1. Make sure “Block all unknown requests when the application is not running” is unchecked/disabled (default setting)
2. Right-click the CIS tray, choose Exit and click Yes on the dialog
3. Attempt to run any unknown application
4. Notice the Windows permission error
One or two sentences explaining what actually happened:
When CIS is fully exited, any action that would generate a Defense+ alert is blocked despite the setting to block all unknown actions when the application (CIS) is closed.
One or two sentences explaining what you expected to happen:
I expected the unknown application or action to be allowed because the setting to block is not checked and disabled.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Not applicable
Any software except CIS/OS involved? If so - name, & exact version:
Any application that is treated as unknown to CIS.
Any other information, eg your guess at the cause, how you tried to fix it etc:
I tried to enable then disable the previously mentioned setting to see if it would work properly.

B. YOUR SETUP
Exact CIS version & configuration:
Proactive configuration, Comodo version 8.1.0.4426
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS=Safe mode, Auto sandbox=Enabled, Firewall=Safe mode, AV not installed
Have you made any other changes to the default config? (egs here.):
No
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No, clean install
if so, have you tried a clean reinstall - if not please do?:
Yes
Have you imported a config from a previous version of CIS:
No, default proactive configuration
if so, have you tried a standard config - if not please do:
Yes
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 SP 1 x64, UAC=Disabled, admin account, real system non-VM
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=no b=not applicable

Tested and can replicate.

Also I noticed that after I launched CIS again and ran the application that was previously blocked, it didn’t launch and when trying to kill it from killswitch I get “Error (Test Viruscope.exe): An Attempt was made to access an exiting process.” After re-boot it launched OK, may have been a one-time issue.

futuretech, do you experience the issue above? Will test again but would have to reboot and currently can’t reboot because things…

No, I couldn’t replicate; however, I did notice that you need to wait a while when you reopen CIS after having CIS closed, to let CIS fully load and initialize. Otherwise the unknown application will hang/be in a suspended state, because the backend of CIS is waiting for the user to allow the action. But because the alert portion hasn’t been initialized, no alert will be displayed for the user to take action. And so CIS will block the application after 2 minutes of no response from the user.

That makes sense, probably what happened to me, or similar.

Edit: I would think that checking if the alert has actually been shown would be a good idea and if it hasn’t been shown then show the alert again, to avoid such suspension issues I mean… I may make a wish for that later.

Default behaviour if the application is unknown: with the GUI only closed, all alerts are not shown; only safe applications should run.

Please note just closing the GUI does nothing to stop CIS from working as it should.

Dennis

So then the next question is, why doesn’t “Exit” actually exit the application but only exits the GUI? Secondly, what good would exiting the GUI but not the application be? Why would one use such a feature? Thirdly, why isn’t there an “Exit Application” option?

Help documentation says otherwise:

Block all unknown requests if the application is closed - Selecting this option blocks all unknown execution requests if Comodo Internet Security is not running/has been shut down. This option is very strict indeed and in most cases should only be enabled on seriously infested or compromised machines while the user is working to resolve these issues. If you know your machine is already 'clean' and are looking just to enable the highest CIS security settings then it is OK to leave this box [s]un[/s]checked. (Default = Disabled)

As it says, when the application is closed; exiting the GUI, sorry, does not shut down the application.

Dennis

No idea why they have the option really.

Dennis

Edit: To shut down the application you need to stop the service. I suppose they could include a link for that.

Edit 2: For information, if you run in Paranoid mode, shut down both the service and the GUI, and do not have a rule for the app, it will not run.

Me neither, I mean, I just don’t see a reason for it and I’m even trying to think of one… I can understand wanting to exit the application completely… but just the GUI? I just don’t get it…

Okay, then how would CIS protect the user if it has been ‘shutdown’? Surely the protection/restrictions can’t be applied if CIS is not running? I would love to have a developer explain what they consider as CIS not running/shutdown and what this option does. Also, I just tested this setting on version 5.12: if the GUI is closed and you execute an unknown application, and have the option unchecked, it runs without issue. But if you enable the block unknown option, have the GUI closed, and run an unknown app, CIS blocks it with the Windows permission error displayed.

Edit: I disabled the service, rebooted, and the CIS GUI is also not running, and it still blocked the application without having the block setting enabled. This I did on v8.1.

Personally I believe that it’s supposed to work as futuretech says it works in v5.12, I believe that it’s a bug in v8 or at least I hope so. Whether or not mods consider it a bug or expected behavior I would argue that it’s a valid bug report and devs should have a final say in whether or not it’s a bug.

It’s hard to say what the intended behavior is supposed to be, so I will just forward this and see what the developers say.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Now in version 8.2.0.4508 the setting doesn’t seem to do anything, as CIS does not block unknown applications from running even when the block all unknown applications when CIS is closed setting is enabled. Instead, when trying to execute an unknown program when the GUI of CIS is closed, the program hangs as the backend of CIS is waiting for user action, but because the GUI is closed no alert is displayed, so CIS chooses to block when the alert times out. When the setting is disabled the same thing happens and the application is paused during execution until the user makes a decision, but again no alert can be displayed so it gets blocked when the timer expires.

I’ve updated tracker data: linked your post in the tracker.

Thanks.

Hi futuretech,

On second thought, that might be intended. What do you think?
Please expand on the following: “[…] the program hangs as the backend of CIS is waiting for user action […]”.

Thanks.

By default CIS will wait for user action for every alert displayed, based on the on-screen alert timeout period (120 seconds default); when that time expires with no input from the user dealing with the alert, CIS will automatically choose block, which is OK as this is by design. However, it is my understanding that when the alert portion of CIS is not running, from either the user right-clicking the CIS tray and selecting exit or during the login process when it hasn’t been loaded yet, the option ‘block all unknown requests when the application is not running’ is to facilitate how CIS responds when an alert cannot be displayed because it is not running. With the option enabled, CIS should automatically block the action, but if the option is not enabled then CIS should allow the action. When I first reported the bug, CIS would always block despite the setting; now with version 8.2 CIS doesn’t recognize that the alert CIS process is not running, so it waits for 120 seconds for an answer from the user, but because the alert never appears due to being terminated, CIS only blocks when it reaches the timeout period regardless of whether the setting is enabled or not.

To see this behavior in action, attempt to execute an unknown application after exiting out of the CIS tray, which will also terminate a process that handles the alerts. As you do this, have Task Manager open with the process list shown and notice how the application is listed but is not shown on screen; then after a while you will get a Windows access denied warning just as if you had chosen to block execution from a HIPS execution alert.

Not fixed with CIS version 8.2.0.4674 on Windows 7 or 10. Now the behavior is that, whether the setting to block unknown applications when CIS is closed is enabled or disabled, the application does not immediately get blocked or allowed, as CIS will only block the application when the alert timeout has expired.

I’ve updated tracker data.
Thank you.

When CIS is closed (exited), the default has always been to block.
Since closing the program is really only closing the GUI, of course you won’t receive alerts.
This is not a bug, but rather by design, a good one at that.