CIS labels all url links so they display a WARNING even after CIS is uninstalled

I discovered a bug in Comodo Firewall 8 that has just been confirmed and I hope it gets fixed. When I was testing to see if same bug was part of version 10 (it was) - Bug 1935 - I also discovered something that is not a bug, and that troubled me deeply about the nature of Comodo software…

Namely, when you first install CIS, upon first launch of version 10 suite there is an *EXPLOSION of activity, just crazy scanning everywhere. This scanning appears to permanently affect html links. So that after you remove Comodo 10, the html links are by default somehow labeled and changed to display a big WARNING if launched by double clicking on them. The weird thing is a way I discovered to get rid of this warning (copy/paste the link files away from their original location to a couple of other places and then back. And weirdly, those places were not on a FAT32 partition).

Here is the screenshot of the warning. I routinely disable Windows from showing these kinds of warnings, but after simply installing CIS, it labeled all url links so they display this warning if you try to double click on them.

What is the reason for this?

Did I miss an installation option that gives users an option (just an option) to NO, do NOT scan anything, because instinctively we know that programs can affect our personal files if you give them uncontrolled access. I have other examples, but I digress, so is there an option to not scan files automatically upon installation of CIS?

And more importantly: why is CIS permanently changing our url link files?

I suspect that streams were altered when you used version 8. It’s probably just a coincidence that you discovered it upon scanning. You just have to remove the streams. Further insight can be provided with Streams (from Microsoft) application. Also, it’s probably normal for a first scan (regarding aggressive behavior).

Hi, qmarius, I am treating this as a separate issue from the streams issue bug. BTW, other than you confirming it, how do we know that reported bugs are officially, real, acknowledged, and in a queue to be fixed for the next version… will there be a new version 8, ever?

But back to this.

Comodo Firewall 8 did not cause this because it was already permanently installed on my system, as a Firewall, not a suite.
The Firewall does not scan upon install, only the suite does. I double click on .url links all the time.
I had to install CIS 10 suite because there was no individual Firewall 10 download.

But we are back to the original problem of dealing with Comodo Bugs:

1. Is it real?
2. What is the reason for its existence?

Workarounds are secondary, since if the above questions are answered, there there is a chance that the bug would be fixed.
And we can’t talk about bugs or use the word ‘bug’ because it took a while for the bug you confirmed to be acknowledged.

Having a workaround takes away from acknowledging the bug and that directly takes away from fixing the bug.

I do not plan on using CIS because I kind of remember having similar problems when CIS first came out. I only use Comodo software because there is a a Firewall-only download and that allows escape from exactly the kind of things that happen with CIS: intrusive, mandatory change of personal files…

But I don’t want to be critical, I’m sure people have a use for many of Comodo’s features.

I have one .url file saved for testing purposes.
It does not show as having any ADS (!)
Copy-pasting it somewhere else removes the warning.

This is found to be a Windows problem that occurs after installing one or more of the following updates:

kb3175024
kb3177186
kb3184122

How to Disable the Security Warnings for Certain File Types Using Group Policies:

To solve the problem (though less secure), you can completely disable this warning using GPO.

To do it, in the “Local Group Policy Editor” go to:

User Configuration-> Administrative Templates-> Windows Components-> Attachment Manager.

1. Enable the policy Do not preserve zone information in file attachments. All the downloaded files will be run without the warning on all computers.

or

2. Enable the policy Inclusion list for low file types, and in its settings specify the list of file extensions you would like to run, e.g., .exe; .vbs; .msi. The system will ignore the markers on the files with these extensions and run them without the warning.

Just doing step 1 solved the issue on my system.

Reference site: How to Disable “Open File - Security Warnings” on Windows 10? | Windows OS Hub

Hi.
Yes, I modify my Windows OS to not display these nags.
If CIS did not cause this on its own, than I would stand corrected.
Since I won’t be installing CIS, I won’t pursue or test this further.

If CIS does not in any way physically affect the files it automatically scans upon first install, then great.

But L.A.R. Grizzly, this is a real separate bug, I was hoping more people could actually test and post in the official bug thread for it:
https://forums.comodo.com/bug-reports-cis/unable-to-delete-cmdtcid-streams-when-cis-is-installed-m1935-t116661.0.html
qmarius replicated it, can you?

I hadn’t realized that you were referring to ADS. I can’t test it because I’m not using CIS 8. CIS 8 destroyed my 32 bit systems, so I installed CIS 7 (which doesn’t have ADS). I’m in no hurry to try CIS 10 either (when released). I’m happy with 7.0.

You don’t trust me? Huh. It’s not like I’m assigning numbers from head.

will there be a new version 8, ever?

It's up to them to decide that. Here's my two cents though (if you want) : it's possible but you should expect a fix with version 10.

Comodo Firewall 8 did not cause this because it was already permanently installed on my system, as a Firewall, not a suite.

Streams data was added by Auto-Sandbox (more exactly, "File source tracking") module which is included in mentioned configuration.

I had to install CIS 10 suite because there was no individual Firewall 10 download.

You could change that from the configuration if I'm not mistaken. (It's a known issue.)

And we can't talk about bugs or use the word 'bug' because it took a while for the bug you confirmed to be acknowledged.

Sorry about that. I'm very busy lately and it could take some time.

I do not plan on using CIS because I kind of remember having similar problems when CIS first came out. I only use Comodo software _because_ there is a a Firewall-only download and that allows escape from _exactly_ the kind of things that happen with CIS: intrusive, mandatory change of personal files...

Feel free to report all the issues that you experience. Appreciate time and contribution.

I have one .url file saved for testing purposes. It does not show as having any ADS (!) Copy-pasting it somewhere else removes the warning.

A screenshot should be useful. Please provide output of Streams application (from Microsoft). This is usually caused by streams data addition.

Wow, what? What do you mean ‘destroyed your systems’ - can you post how?
Are you on Windows 7? I found Comodo Firewall to be very unstable and buggy even under Windows 8.1, let alone Windows 10.

I care about Comodo Firewall because I didn’t see any competing program last time I checked.

qmarius, I have a lot to say. First of all thank you. I am grateful for your posts and for your help.
Comodo is different from other software development, things are strange and just a little bit weird here, if I may say, because the only thing I care about is seeing ability to remove Alternate Data Streams restored in Comodo Firewall stand alone installation. I do not want to be critical, this is a fine piece of software that has helped a lot of people. Comodo can be less weird. Here’s what’s different abut things here, if Comodo developers care:

• Actual, real bugs are not acknowledged. There are zero posts in the official bug report thread and you acknowledged in a separate thread that the bug is real. Most places after a week, there would be some kind of a post of acknowledgement in an officially opened bug report.

• What does ‘assigning numbers’ mean? Are you referring to number M1935? Did you assign that number? Is that not a randomly generated number? Are you a developer? Does the fact that M1935 is displayed there signify acknowledgement? There is no way for an average person to know this. Average person just assumes that ‘nothing officially’ happened because the bug report remains empty of any comments. Maybe the developers think it’s unique and not a bug? That is why I asked the poster above to test and report, the more people report - more chances that this problem is not unique but a real bug present on every machine.

• Yes Streams data was added by Auto-Sandbox (more exactly “File source tracking”) - this is great I’m sure for people who want it. They are by definition people who can turn this feature ON if they want it. This being On by default means that this statement is true: Comodo Firewall labels every file you download. Read that out loud to an average user and 10/10 of them will RUN, not walk away from Comodo software. The notion that their downloads are labeled. They don’t know what ADS means, They don’ care. That is scary and should not be default. If this was an option and not default - nobody would ever say a word. People could be told: “Do not turn things ON you don’t understand” - that is the golden rule that would apply for non-default items.

• You cannot install just the Firewall when installing CIS, no.

• I am reporting all issues hereby in this post, I would like to report what is in it to an appropriate location on the forum, would appreciate a link for me to do so, just so I don’t make a mistake.

• Since we are clear that there is a bug in Firewall 8 where ADS cannot be removed, no screenshots are needed for that.
As for the CIS bug - the screen shot is in post#1 of this thread
I am suggesting that yes the screen shot can appear in Windows by itself but that I had disabled such warnings, I am very experienced in modifying the Windows operating system, I am a Senior Member art overclockers forums and post in the active Windows OS section there every single day: http://www.overclockers.com/forums/forumdisplay.php/17-Microsoft-Operating-Systems

I care less about the CIS bug but if Comodo Software by itself caused the warning in the screenshot above to appear, we would be back to the problem of default Comodo features changing the nature of user’s personal files, a mortal sin of any software ever.

If somebody turns something ON, then it’s their fault for doing it.
But if you simply install software and it changes your personal files, there is no explanation or excuse for that… Users head for exists the moment they hear even a suggestion that a software could/would do that.

The url file displays NO STREAMS whatsoever.
Double clicking on the url displays the warning in post#1 of the thread,
Copying the url file away from its original location, removes this warning - just the act of copying the file elsewhere removes it.
And FAT32 is not involved so FAT32 ‘didn’t strip away’ anything from that .url file.

I care less about this bug but I am willing to experiment.
I am scared away from CIS though because of it.

I don’t know what the previous poster is saying but the words “destroyed his system” he used are enough for there to have been a RED ALERT at Comodo Development, whatever feature caused that should have been immediately offered as an option that is OFF by default, don’t you think?

I’m using Win7 Pro. It seemed to work OK on my 64 bit systems, but when I went to install it on my 32 bit systems, disaster struck. Fortunately, I have backup HDDs and images, so recovery wasn’t so bad.

https://forums.comodo.com/news-announcements-feedback-cis/why-did-you-uninstall-cis-please-help-us-improve-by-telling-us-why-t73410.0.html;msg805758#msg805758

• Actual, real bugs are not acknowledged. There are zero posts in the official bug report thread and you acknowledged in a separate thread that the bug is real. Most places after a week, there would be some kind of a post of acknowledgement in an officially opened bug report.

Although it's not healthy, sometimes I do the work for the user by filling all the details. Technically, your report is against standards. :) (Users complain that reports are not looked into and they do not have time. Understandable from my side. Just trying to help.)

• What does 'assigning numbers' mean? Are you referring to number M1935? Did you assign that number? Is that not a randomly generated number? Are you a developer? Does the fact that M1935 is displayed there signify acknowledgement? There is no way for an average person to know this. Average person just assumes that 'nothing officially' happened because the bug report remains empty of any comments. Maybe the developers think it's unique and not a bug? *That is why* I asked the poster above to test and report, the more people report - more chances that this problem is not unique but a real bug present on every machine.

I'm a volunteer, not employee. In general, users should read pinned topics. https://forums.comodo.com/bug-reports-cis/what-happens-to-issues-we-report-t62323.0.html https://forums.comodo.com/bug-reports-cis/read-this-before-creating-a-new-bug-report-t97200.0.html (Any other question may be answered by a moderator trough PM.)

Comodo Firewall labels every file you download. Read that out loud to an average user and 10/10 of them will RUN, not walk away from Comodo software. The *notion* that their downloads are labeled. They don't know what ADS means, They don' care. That is scary and should not be default. If this was an *option* and not default - nobody would ever say a word. Do not turn things ON you don't understand - that is the golden rule that would apply.

Do note that, by default, downloads get tagged with stream data regardless of CIS. https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/

• You cannot install just the Firewall when installing CIS, no.

Well, yes. It's a known issue with used beta version. However, you may change that. (eg Control Panel > Programs and Features > Change)

• I am reporting all issues hereby in this post, I would like to report what is in it to an appropriate location on the forum, would appreciate a link for me to do so, just so I don't make a mistake.

Again, as mentioned above, just follow what is pinned. https://forums.comodo.com/bug-reports-beta-corner-cis-b330.0/

The url file displays NO STREAMS whatsoever. Double clicking on the url displays the warning in post#1 of the thread, Copying the url file away from its original location, removes this warning - just the act of copying the file elsewhere removes it. And FAT32 is not involved so FAT32 'didn't strip away' anything from that .url file.

Could you kindly provide step-by-step instructions? Can't seem to replicate it. Tested with Windows 10.

All I care about personally is waiting for the next version to see if I can remove ADS.
But I can provide information for this other (possible) bug that happened on the side, that I accidentally discovered.

I modify my Windows 8.1 not to display Open File - Security Warning for downloaded files. I do so like this:

Run > gpedit.msc [available on Windows 8 Pro - not available on Windows 8 (non-pro) version.]

User Configuration > Administrative Templates > Windows Components > Attachment Manager >
In the right pane, double click on ‘Inclusion list for moderate risk file types’ > Enabled > Under 'Options: > . > OK
Do the same for ‘Inclusion list for low file types’
[That gets rid of Open File - Security Warning]

Scroll up and set “Do not preserve zone information in file attachments” to Enabled
[That gets rid of Open File - Security Warning for downloaded files]

This ↑ disables all Windows warnings of the kind posted in screen shot in post#1 of this thread. CIS appears to have re-enabled those warnings. Screenshot was taken after simply installing the latest CIS 10 Beta.
I saw CIS immediately start scanning files and could not press the STOP button fast enough.
(Un)fortunately I have a super-fast M.2 drive on a 2016 Skylake system so the “damage” was lightning quick and substantial.

The moment I double click on the .url files inside my Windows System (modified) Favorites location, the screenshot warning popped up. By copy/pasting .url files elsewhere, then back to Windows System Favorites location, that warning was no longer there.

I kept one single .url file that still displays this issue because it was inside a different folder which probably got (also) scanned by CIS before I could press STOP.

That is the extent of what I can contribute to this issue.

I just wanted to also add that I started an entire thread at ocforums over (incorrectly) believing that Windows 8.1/10 prevented ADS removal.
It never occurred to me that Comodo could be the culprit but it was, it wasn’t Microsoft.

Once this is done, COMODO will no longer attach streams to files:

Security Settings > Defense+ > Sandbox > Auto-Sandbox > UNCHECK: Enable file source tracking > OK
[otherwise each downloaded file will be labeled with Alternate Data Stream data]

So after COMODO is disabled from doing that, ADS is no longer detected on most or all downloaded files.
So it is not correct that ADS are added by Windows always, simply because ADS programs no longer detect streams being added once COMODO is disabled from adding them.

Of course the real and actual problem is that we cannot remove existing ADS because COMODO prevents their removal. The only way to remove them is by uninstalling COMODO. We hope to see that chnage in the next version.

Not caused by CIS (see below link). Could you confirm?
http://answers.microsoft.com/en-us/windows/forum/windows_10-security/a-warning-popup-when-opening-any-url-file-in/8142f4b7-6678-4670-a59b-f01b89860dac?page=1

It is entirely possible that by huge coincidence Microsoft’s own doing caused this change at the very same time I installed CIS.
Thank you for finding that link that shows identical symptoms were being experienced by others through fault of Microsoft.

The ADS streams added by CIS have the following name: $CmdTcID. That way you can identify them.