CIS Does Not Fully Protect Webcam, Even With HIPS Enabled [M1279]

A. THE BUG/ISSUE (Varies from issue to issue)
Can U reproduce the problem & if so how reliably?:
Yes, I repeat always, always with the same result
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: Disable the Auto-Sandbox and enable the HIPS.
2: Download and run Spyshelter Anti-Test from here (note, direct download link).
3: Click on the webcam tab and click “start test”. You will see HIPS alerts (shown below):


4: Choose to block them all.
5: However, note that even after blocking them all it was still able to access the webcam:

(Note that in this picture the webcam is covered, so that is the only reason it is a black image)

One or two sentences explaining what actually happened:
I ran the Spyshelter test, CIS showed HIPS alerts, I chose block on all alerts. However, it was still able to bypass the CIS protection and access the webcam.
One or two sentences explaining what you expected to happen:
I expected that access to the webcam will be blocked if all HIPS alerts are blocked.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
I have tested this on multiple computers, so it’s not a software conflict.
Any software except CIS/OS involved? If so - name, & exact version:
I do not know if I understood: Test Program: SpyShelter Antitest; no other program has a webcam-blocking feature.
Any other information, eg your guess at the cause, how U tried to fix it etc:
No idea.

B. YOUR SETUP
Exact CIS version & configuration:
CIS 7.0.317799.4142
Antivirus: On access, high heuristics
Firewall: Safe mode,
Auto - Sandbox - disabled
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
AV- Enabled, on access
FW: Enabled, safe mode
BB: Disabled
HIPS, safe mode,
Have U made any other changes to the default config? (egs here.):
Configuration changed, not the default.
Have U updated (without uninstall) from CIS 5 or CIS6?:
I do not remember
if so, have U tried a clean reinstall - if not please do?:
Yes, I always have the same effect
Have U imported a config from a previous version of CIS:
Yes
if so, have U tried a standard config - if not please do:
Yes, I tried.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
OS: Windows 8.1 64 bit, UAC max, administrator, real computer. Service pack was before buying a computer.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
Only Windows 8, no virtual machine.
Other security products:

  • Emsisoft Anti-Malware
  • McShield
  • Malwarebytes Anti-Exploit
  • Spamihilator

Needed files:

Diagnostics:

Configuration (although note that I have Auto-Sandbox enabled, but during test I had that disabled):


Thank you. I made some changes to the first post. Please let me know if everything looks correct.

Also, please attach a diagnostics report and your exported configuration to the first post. Before exporting the configuration please make sure it is the same you used as when you made this test. Let me know if you have any questions.

Thanks.

PM reminder sent.

Ok, chiron.

Explain it to me, please 88)

Sure. Instructions on how to create the diagnostics report are given here.
Instructions on exporting your configuration can be found here.
Note that I just linked to the pages explaining this. If you have any specific questions please feel free to ask. I am absolutely willing to help.

Thank you.

Thanks Chiron :slight_smile:
I just did not know what was going on. :wink:
First post supplemented with the necessary information.
By the way, I currently have Auto-Sandbox enabled, but during the test I did not.

For future reference you can attach those files if you first put them in a zip file. However, the download links work fine as well.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time, availability, and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Any information, Chiron? :slight_smile:

Sorry, I have no new information at this time.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.

Hello.
Thanks for the reply.
I have slow internet, so downloading the latest version of CIS is not yet possible. As soon as it is possible, I will let you know.

Regards,
Zbc

Thank you. Please let me know what you find.

Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.

As a work-around for anyone who’s concerned, you could disable the driver from Device Manager when you’re not using it. That should do the trick.

Hope it helps.

I just add camera and microphone drivers to Blocked Files in HIPS > Protected Objects > Blocked Files… but you have to be careful to add the correct file(s). You have to identify the drivers via Windows Device Manager. Disabling both drivers also disables Windows Camera and Sound Recording Apps.

qmarius’ suggestion is most direct, easiest method…

HJLBX
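
An added example, not part of the posts above: a read-only PowerShell listing of camera, imaging and audio devices with the kernel driver file behind each, for identifying the driver files the reply above refers to. It assumes the standard WMI classes Win32_PnPEntity and Win32_SystemDriver and the standard Windows device setup class GUIDs; nothing in it is Comodo-specific.

```powershell
# Added example: map webcam/imaging/audio devices to their driver files.
# Read-only; it changes no device or CIS setting.

# Standard Windows device setup class GUIDs
$classes = @{
    '{6bdd1fc6-810f-11d0-bec7-08002be2092f}' = 'Image'   # imaging devices (webcams on older Windows)
    '{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}' = 'Camera'  # cameras on newer Windows
    '{4d36e96c-e325-11ce-bfc1-08002be10318}' = 'Media'   # sound, video and game controllers
}

# Index kernel driver services by service name
$drivers = @{}
Get-CimInstance Win32_SystemDriver | ForEach-Object { $drivers[$_.Name] = $_ }

Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.ClassGuid -and $classes.ContainsKey($_.ClassGuid.ToLower()) } |
    ForEach-Object {
        $svc = $_.Service
        $drv = if ($svc) { $drivers[$svc] } else { $null }
        [pscustomobject]@{
            Class      = $classes[$_.ClassGuid.ToLower()]
            Device     = $_.Name
            Status     = $_.Status
            Service    = $svc
            DriverPath = if ($drv) { $drv.PathName } else { '(no driver service found)' }
        }
    } |
    Format-Table -AutoSize -Wrap
```

A generic class driver in the DriverPath column is shared by every device of that type, so check the Device column before acting on a file.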

A better configuration change is to add *\RPC Control\ntsvcs, which is the Service Control Manager, and *\RPC Control\plugplay to the protected COM Interfaces; this will protect against access to webcams and other plug & play devices. I did some testing with this and I noticed that by adding these two COM Interfaces, CIS will alert when the antitest executable tries to access these interfaces, and choosing to block prevents access to the webcam. Adding \RPC Control\Audio will detect any access to the microphone.

Thank you futuretech… that’s quite a configuration tip. I wouldn’t have known to do such a thing as I know very little about COM Interfaces.

+1

Best Regards,

HJLBX

As it turns out, this config does not block the Windows Camera and Sound Recorder Apps on W8.1. There are no alerts of any kind…

Best Regards,

HJLBX

Windows Store apps work differently compared to Windows desktop programs in how they access and interact with the OS. Also, those are trusted Windows Store apps that are considered safe by Comodo and will not generate alerts in safe mode, unless you set HIPS to paranoid mode.

This is technically fixed, as making a configuration change to add the following items to the protected COM interfaces list will protect against webcam and microphone access by unknown applications.

  • \RPC Control\Audio
  • *\RPC Control\ntsvcs
  • *\RPC Control\plugplay

In addition, if a webcam installs its own device object, one can add \Device\<name of device object> to the protected files list.