this is a problem with your windows, not with cis 8.
I see that if we do some changes with windows services and/or processes, some elements from comodo does not behave like it was suposed to. im my win 7 pro x64 updated i have disabled some services and some processes i made they to be in manual initialization mode, I disabled the UAC too. with all that changes I tried to replicate what was discussed in this topic and I can not confirm these issues/bugs. there are no issues at all with cis 8 on my running system.
maybe some kind of crazy behavior is caused by windows services/components that are making cis 8 do things different but I dont have time to test one by one to see what is making these changes.
oh. and to remove these files/folders you have to change the audit and proprietary permitions to your local adm account, otherwise it will not be possible to remove these cus they are revoked by $SystemLocalxxx/$SystemNetworkxx/$Systemxxx/$Localxxx… or something else.
Yes, just catching-up myself on this “Feature” of V8. I wish they’d given a little-bit more info on what they were doing with ADS before we move to this point down the road. I’ve got two choices, roll-back with a Restore to last week (and V7) or try and unwind this with Uninstall, Cleanup, and back to V7. At least I only did this on one VirtualBox XP machine in W10 TP which is OK, and one minor office machine that’s the problem.
This timestamp issue is a problem as is the pop-up problems with moving files to other than NTFS volumes, but I’m also concerned about some prior discussions at MS on lock-down of executables with ADS (a security issue), primarily from run in Command Prompt (if my memory is correct). Not saying it’s a done deal, but you got to think about ADS as a malware route vector and how MS might combat that in future product (or maybe even retro back to all NT 6 versions with a security patch/fix).
This idea makes me uncomfortable as it’s too close to how stealth malware operates, and that’s the most I’ll say on the design.
Try launching NirSoft’s “AlternateStreamView” with “Run as administrator” level. That should do the trick. (It did for me. NirSoft also has a bunch of other really useful system utilities…)
I’m sure that it was Comodo v8 that updated all the timestamps, as Comodo’s ADStreams were attached to all the impacted files. That’s extracts from .zips, copies from network sources, and installations from installers - basically any of these particular file types being introduced to the system, regardless of the method or destination, and all with the ADSs attached. I found affected files throughout my system & am just glad to remove v8 prior to the monthly Windows Patch Tuesday.
The behavior completely stopped as soon as v8 was uninstalled, and doesn’t occur with v7, same basic settings.
I was thinking that maybe this was a way for Comodo v8 to “tag” files as having been “inspected” and maybe save some processing down the road by avoiding re-assessment. However, for that type of thinking, a much better approach would be to keep a separate database file, similar to the approved vendors, etc., and leave the system files alone.
Anyway, Comodo is supposed to be protecting our system files, not tampering with them. I can’t see this ending well, if kept as is.
I agree I have just found a time stamp change and Comodo ADS on an IE version installed after CES 8.0. And that would have been installed by the Windows installer of course.
Does 8.0.0.4344 behave differently?
I imaged my system with 7.0.317799.4142, so I could test that myself, but if someone has already tried it would be great
I uninstalled Comodo Internet Security 8.0.0.4314 beta
and downloaded Comodo Firewall 8.0.0.4337.
But both the thing I disliked the most with CIS 8.0
the ADS feature / bug, and the forced File Rating (a million files in “Trusted Files” list)
is also present in CFW 8.0.
So I will uninstall CFW 8.0 and instead try some earlier versions…
…the ADS is only in v 8.0 of course,
and I remember in version 5.12, there was no forced File Rating if you had disabled both Antivirus, Defense+ and Sandbox.
What I liked about the Firewall in this version 8.0, though,
was the ability to use wildcards.
I could e.g. set that the application
“C:\Windows\SysWOW64\Macromed\Flash*.exe”
should have the rule
“Allow IP Out From MAC Any To MAC Any Where Protocol Is Any”
This saved me the trouble of updating the application every time Flash was updated.
The only thing that stopped me from upgrading to v8 is the ADS ‘feature’, can someone from the developers team tell us if it’s a bug or on purpose and if so why it exist?
I am running Comodo 8.0.0.4344. The ADS Feature destroyed my incremental Backup since it is based on the modification date and COMODO changes with that timestamp. I will now recopy my 3TB backups and scan my HDD for all Comodo ADS data. The timestamp problem should be easily reproducible for anyone as described in my first post.
I can replicate the issue.
This is inform to you moderators to edit the first post. This ADS feature! even affect on .jpg files.
I uninstalled CIS :-TD
All Comodo v8 users, or anyone contemplating installing v8, should know about this behavior. It should be noted as part of the release notes. If it’s a “feature”, users should be able to determine whether they care about the consequences to their system. If it’s a bug, it should be a “known issue” for the same reason.
While it’s possible that only a small percentage of users will be concerned about ADStreams and modified time-stamps to all executable-category files introduced to a system after v8 installation (whether Trusted or Unknown, including program installations, Windows Updates, extracts from Archives, copies from external or network drives, applications in development, etc.), certainly a good number of users will be concerned and have a right to know about this going in. You don’t want them having to find out only after time has passed, requiring troubleshooting to determine the cause for potentially 1000s of program and system files having their time-stamps altered and ADSs attached. That would generate a lot of anger and bad-will. This is serious enough and consistent enough v8 behavior that users have a right to know in advance & chose for themselves. Anything less is just bad policy, because this is not standard behavior that anyone would ever expect performed on their system by a protective application.
After uninstalling Comodo I just scanned my C:\ partition for ADS. Comodo really seems to interfere with Windows updates, especially with Internet Explorer Updates since there are a lot of .JS files. This is definitively no good behaviour and should be fixed as fast as possible.
I removed the ADS with the ADS Scanner. Since Admin privileges are not enough, I followed Uchiukes guide. You simply have to download the runassystem64 and runfromtoken exe files, place them in system32 and use the batch file to run any program as NT-AUTHORITY.
I can confirm this new “feature” on 5 PCs, running Windows 7 x86/x64 and Windows 8.1 x64.
This messes up my files timestamps and makes file comparison, file syncing and backups useless.
Also copying files I get a warning from my Speedcommander tool, that there are hidden ADS, that could not be copied.
Could any of the developers start saying something about this unwanted behaviour, please? >:(
