CIS doesn't block unknown services during load although blocking is enabled

A. THE BUG/ISSUE:

  1. What you did:
    a) Disabled the "Automatically scan unrecognized files in the cloud" and "Perform cloud based behavior analysis of unrecognized files" options
    b) Put test.exe file (see attach) in D:\test and added it in Unrecognized Files
    c) Made new service with command
       sc create test binpath= D:\test\test.exe start= auto
    d) Enabled the "Block all unknown requests if the application is closed" option
    e) Changed Defense+ rules for Windows system applications from Windows system application to Trusted application
    f) Rebooted PC.
  2. What actually happened or you actually saw: CIS didn't block the unknown service after reboot.
  3. What you expected to happen or see: I expected CIS to block the unknown service or run it in the Sandbox
  4. How you tried to fix it & what happened: Reinstalled CIS but this didn't help
  5. If a software compatibility problem have you tried the compatibility fixes (link in format)?: I don't have a compatibility problem
  6. Details & exact version of any software (except CIS) involved (with download link unless malware): test.exe file is attached. This is a service from Toshiba; the file is clean.
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: Yes, this problem is easily reproduced with any unknown service
  8. Any other information (eg your guess regarding the cause, with reasons): Discussion is here

B. FILES APPENDED. (Please zip unless screenshots).:

  1. Screenshots of the Defense plus Active Processes List (Required for all issues): Appended
  2. Screenshots illustrating the bug: the same as screenshot of Active Processes List
  3. Screenshots of related CIS event logs: Appended
  4. A CIS config report or file: Appended
  5. Crash or freeze dump file: No crashes or freezes so not appended
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version: Appended

C. YOUR SETUP:

  1. CIS version, AV database version & configuration: CIS version 5.10.228257.2253, database 11826, configuration Internet Security (Firewall, Defense+ and Antivirus default)
  2. a) Have you updated (without uninstall) from a previous version of CIS: No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?: Yes
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have U tried a standard config (without losing settings - if not please do)?: Yes
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): All the changes described above
  5. Defense+, Sandbox, Firewall & AV security levels: All default (D+=Safe, Sandbox=Enabled, Firewall=Safe, AV=Stateful, Heuristics=Low)
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows XP Pro, SP3, 32 bit, No UAC, Admin
  7. Other security and utility software currently installed: None
  8. Other security software previously installed at any time since Windows was last installed: None
  9. Virtual machine used (Please do NOT use Virtual box): No

[attachment deleted by admin]
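As an added example (not from this thread and not Comodo's own tooling), a PowerShell check a defender can run to list auto-start services whose image file is not Authenticode-signed, i.e. the binaries CIS would have to treat as unknown at boot; it assumes Windows PowerShell 2.0 or later in an elevated session, and the `Get-ServiceImagePath` helper is mine.

```powershell
# Added example: enumerate auto-start services and flag those whose image
# is unsigned or badly signed. Uses only built-in cmdlets (PS 2.0+).

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted ("C:\Program Files\x\y.exe" -arg)
    # or unquoted with trailing arguments (C:\dir\y.exe -k netsvcs).
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

$autoServices = Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' }

$findings = foreach ($svc in $autoServices) {
    $image = Get-ServiceImagePath $svc.PathName
    # Some paths use %SystemRoot%-style variables; expand and retry.
    if (-not (Test-Path -LiteralPath $image)) {
        $image = [Environment]::ExpandEnvironmentVariables($image)
    }
    if (-not (Test-Path -LiteralPath $image)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $image
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Name      = $svc.Name
        State     = $svc.State
        Image     = $image
        Signature = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = $signer
    }
}

# Anything not 'Valid' is worth comparing against the CIS Trusted Files /
# Unrecognized Files lists and the Defense+ event log after a reboot.
$findings | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Name | Format-Table Name, State, Signature, Image -AutoSize
```

A service created as in the report above (an unsigned test.exe with start= auto) shows up here with Signature NotSigned, which is the state the bug report says CIS let run unblocked.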

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

I have experienced services unknown to CIS running as sandbox=disabled, verdict=unknown in the active process list, though I have not tried to see if 'block all requests' successfully blocks it.

For example: VMWareAuthD service, part of VMware Player 4.0.2 build-591240, runs in this way.

My system:

C. YOUR SETUP:

  1. CIS version, AV database version & configuration: CIS version 5.10.228257.2253, database 11831, configuration Proactive (Firewall, Defense+ and Antivirus default)
  2. a) Have you updated (without uninstall) from a previous version of CIS: No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: N/A
    b) if so, have U tried a standard config (without losing settings - if not please do)?: N/A
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No
  5. Defense+, Sandbox, Firewall & AV security levels: All default (D+=Safe, Sandbox=Enabled, Firewall=Safe, AV=Stateful, Heuristics=Low)
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 7, SP1, 64 bit, No Default UAC, Admin account
  7. Other security and utility software currently installed: None
  8. Other security software previously installed at any time since Windows was last installed: McAfee OEM (uninstalled using McAfee forced uninstall tool)
  9. Virtual machine used (Please do NOT use Virtual box): No - it is installed but I did not use it in this instance.

Best wishes

Mouse

mouse1, I think that you have a standard Defense+ rule for Windows system applications as Windows system application, so you don't see an alert to start a new service. Change it to Trusted application, then stop and run the service again.

Interesting, but I was not so much concerned about alerts, more about the privs of the running file.

An unknown service from a third party vendor (VMware) should presumably be sandboxed.

Best wishes

Mouse

I don’t know but maybe VMWareAuthD service will run in autosandbox, just try :wink:

Weirdly, applying the trusted files policy to the Windows system group in D+ settings leads to this file being run as verdict=trusted, though unsigned, not in trusted files and not looked up in cloud according to D+ logs.

However, CCE has this file verdicted undetected by 'basic' and 'safe' by FLS.

Complex behavior…

Best wishes

Mouse

Really interesting behavior.
I think that to bypass it you need to disable the cloud in CIS and add the file in Unrecognized Files manually.

I’m guessing that the change altered the boot timing somewhat, allowing an unreported early boot process lookup. CIS has probably now cached that judgement maybe.

Best wishes

Mouse

It seems I understood the reason for this strange behavior. When the Defense+ rule for Windows system applications was selected as Windows system application, the file wasn't checked, because its start was allowed by the rule. When you changed the rule to Trusted application, Defense+ began to control startup and the file was checked. It's only not clear why it didn't move into Trusted Files.

Yes, could be that. Strange behaviour anyway. Now gone back to the Windows system policy, but the vmware-authd file is still running as trusted, so it's remembered in some way.

Best wishes

Mouse

I've never seen such behavior and I've never met caching of unknown files in CIS...
Did you disable the cloud scan? If this didn't help, could you share the file here, though I'm not sure that it starts on my XP SP3...

Yes, it's strange. Doubt if it will start without VMware Player installed, though that is free from the VMware web site.

I have met this before with other VMware files, suggesting that there is something systematic going on. Have reported it as a bug, which seemed to be solved prior to 5.10. Wonder if they have reverted any of the code base?

I used sigcheck to check the signature. Gives lots of info, but no hint of what is wrong.

Best wishes

Mouse