Disabled the ‘Automatically scan unrecognized files in the cloud’ and ‘Perform cloud based behavior analysis of unrecognized files’ options
Put the test.exe file (see attachment) in D:\test and added it to Unrecognized Files
Made a new service with the command
sc create test binpath= D:\test\test.exe start= auto
Enabled the ‘Block all unknown requests if the application is closed’ option
Changed the Defense+ rule for Windows system applications from ‘Windows system application’ to ‘Trusted application’
Rebooted PC.
What actually happened or you actually saw: CIS didn’t block the unknown service after reboot.
What you expected to happen or see: I expected that CIS would block the unknown service or run it in the Sandbox
How you tried to fix it & what happened: Reinstalled CIS, but this didn’t help
If a software compatibility problem, have you tried the compatibility fixes (link in format)?: I don’t have a compatibility problem
Details & exact version of any software (except CIS) involved (with download link unless malware): test.exe file is attached. This is a service from Toshiba; the file is clean.
Whether you can make the problem happen again, and if so precise steps to make it happen: Yes, this problem is easily reproduced with any unknown service
Any other information (eg your guess regarding the cause, with reasons): Discussion is here
B. FILES APPENDED. (Please zip unless screenshots).:
Screenshots of the Defense plus Active Processes List (Required for all issues): Appended
Screenshots illustrating the bug: the same as screenshot of Active Processes List
Screenshots of related CIS event logs: Appended
A CIS config report or file: Appended
Crash or freeze dump file: No crashes or freezes so not appended
Screenshot of More~About page. Can be used instead of typed product and AV database version: Appended
C. YOUR SETUP:
CIS version, AV database version & configuration: CIS version 5.10.228257.2253, database 11826, configuration Internet Security (Firewall, Defense+ and Antivirus default)
a) Have you updated (without uninstall) from a previous version of CIS: No
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?: Yes
a) Have you imported a config from a previous version of CIS: No
b) if so, have you tried a standard config (without losing settings - if not please do)?: Yes
Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): All the changes described above
Defense+, Sandbox, Firewall & AV security levels: All default (D+=Safe, Sandbox=Enabled, Firewall=Safe, AV=Stateful, Heuristics=Low)
OS version, service pack, number of bits, UAC setting, & account type: Windows XP Pro, SP3, 32 bit, No UAC, Admin
Other security and utility software currently installed: None
Other security software previously installed at any time since Windows was last installed: None
Virtual machine used (Please do NOT use Virtual box): No
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
I have experienced services unknown to CIS running as sandbox=disabled, verdict=unknown in the active process list, though I have not tried to see if ‘block all requests’ successfully blocks it.
For example: the VMwareAuthD service, part of VMware Player 4.0.2 build-591240, runs in this way.
My system:
C. YOUR SETUP:
CIS version, AV database version & configuration: CIS version 5.10.228257.2253, database 11831, configuration Proactive (Firewall, Defense+ and Antivirus default)
a) Have you updated (without uninstall) from a previous version of CIS: No
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
a) Have you imported a config from a previous version of CIS: N/A
b) if so, have you tried a standard config (without losing settings - if not please do)?: N/A
Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No
Defense+, Sandbox, Firewall & AV security levels: All default (D+=Safe, Sandbox=Enabled, Firewall=Safe, AV=Stateful, Heuristics=Low)
OS version, service pack, number of bits, UAC setting, & account type: Windows 7, SP1, 64 bit, No Default UAC, Admin account
Other security and utility software currently installed: None
Other security software previously installed at any time since Windows was last installed: McAfee OEM (uninstalled using McAfee forced uninstall tool)
Virtual machine used (Please do NOT use Virtual box): No - it is installed but I did not use it in this instance.
mouse1, I think that you have a standard Defense+ rule for Windows system applications as Windows system application, so you don’t see an alert to start a new service. Change it to Trusted application, then stop and run the service again.
Weirdly, applying the trusted files policy to the Windows system group in D+ settings leads to this file being run as verdict=trusted, though unsigned, not in trusted files and not looked up in the cloud according to D+ logs.
However CCE has this file verdicted undetected by ‘basic’ and ‘safe’ by FLS
I’m guessing that the change altered the boot timing somewhat, allowing an unreported early boot process lookup. CIS has probably now cached that judgement maybe.
It seems I have understood the reason for this strange behavior. When the Defense+ rule for Windows system applications was set to Windows system application, the file wasn’t checked, because its start was allowed by the rule. When you changed the rule to Trusted application, Defense+ began to control startup and the file was checked. The only thing not clear is why it didn’t move into Trusted Files.
Yes, could be that. Strange behaviour anyway. Now gone back to the Windows system policy, but the vmware-authd file is still running as trusted, so it’s remembered in some way.
I’ve never seen such behavior and I’ve never met caching of unknown files in CIS…
Did you disable the cloud scan? If this didn’t help, could you share the file here, though I’m not sure that it starts on my XP SP3…
Yes, it’s strange. Doubt if it will start without VMware Player installed, though that is free from the VMware web site.
I have met this before with other vmware files, suggesting that there is something systematic going on. Have reported it as a bug which seemed to be solved prior to 5.10. Wonder if they have reverted any of the code base?
I used sigcheck to check the signature. Gives lots of info, but no hint of what is wrong.
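The thread centres on an auto-start service whose binary is unsigned and not in Trusted Files (the `sc create` reproduction above, and the sigcheck check just mentioned). As an added example that is not part of the original posts, the following PowerShell audits all auto-start services and reports those whose binary lacks a valid Authenticode signature, using only built-in cmdlets; the function name and output fields are my own choices.

```powershell
# Added example (not from the thread): list auto-start services whose binary
# is not Authenticode-signed, the kind of "unknown" service the bug report
# describes. Written for PowerShell 2.0 (XP SP3 / Windows 7) compatibility.
# Caveat: Windows OS files are often catalog-signed; older Get-AuthenticodeSignature
# versions report them as NotSigned, whereas Sysinternals sigcheck checks catalogs.

function Get-UnsignedAutoStartServices {
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments, e.g. "C:\x\y.exe" -k foo
        if ($svc.PathName -match '^"([^"]+)"') {
            $path = $matches[1]
        } else {
            # unquoted: cut at the first " -" or " /" switch, keep the executable path
            $path = ($svc.PathName -split ' -| /')[0]
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            New-Object PSObject -Property @{
                Service    = $svc.Name
                BinaryPath = $path
                SigStatus  = $sig.Status
                Signer     = $signer
                Account    = $svc.StartName
            }
        }
    }
}

# Report everything that would start at boot without a verifiable publisher,
# which is what a HIPS such as Defense+ is expected to flag or sandbox.
Get-UnsignedAutoStartServices | Format-Table Service, SigStatus, Account, BinaryPath -AutoSize
```

Run from an elevated prompt so every service's PathName is readable; the service created with `sc create test binpath= D:\test\test.exe start= auto` would appear here with SigStatus NotSigned.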