CIS10: some unknown files run with full privileges

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, always.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Turn off the internet.
2: Install the attached foobar2000 setup.
One or two sentences explaining what actually happened:
The foobar installer is not digitally signed and the internet is turned off, so the Cloud Lookup is disabled, but CIS recognized these files as Trusted in the File Rating->File List, although a manual Lookup of these files shows them as Unrecognized.
As a result, unknown files are run with full privileges, as I demonstrated on video - YouTube
One or two sentences explaining what you expected to happen:
The unknown files should be marked as Unrecognized in the File Rating->File List and run virtually or with HIPS (when enabled).
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Any software except CIS/OS involved? If so - name, & exact version:
For example, foobar2000 v1.3.15
Any other information, eg your guess at the cause, how you tried to fix it etc:
Nothing helped:

  1. Deleting all Trusted Vendors
  2. File Rating Settings->Trust Applications Signed by Trusted Vendors: OFF
  3. File Rating Settings->Trust Files Installed by Trusted Installers: OFF
  4. File Rating Settings->Enable Cloud Lookup: OFF

Exact CIS version & configuration:
CIS, default config.
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Have you made any other changes to the default config? (egs here.):
First default and then tested different settings.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
Have you imported a config from a previous version of CIS:
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 x64, SP1, 64 bit, UAC default, account type administrator, VMware Workstation 12.5.5
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=Sandboxie 5.16 b=No.

When I ran the foobar2000, mine was also run outside of the sandbox without disabling any cloud lookup or file rating settings. I think this software may be whitelisted by comodo via file hashes, which comodo uses to whitelist unsigned apps.

Of course, if you have the Cloud Lookup enabled, the file will be set to Trusted after checking the hash in the cloud.
But in the scenario with Cloud Lookup disabled, it would indicate that the whitelist of those trusted apps is stored in the updated signature databases, and I hope it is like this.
I will try to modify the foobar installer by changing one bit of data, which will change the hash, and see what happens.

Do note that it's not a digitally signed file.
"cavse": {
"timestamp": "2017-04-11T05:53:00.189Z",
"avdbver": 26892,
"type": "white",
"sigid": 409512905554198719
}
As you can see, it’s trusted by signature. Also, it’s recognized as Installer. Generated files will be rated as Trusted.

Now everything is clear :slight_smile: Thank you for the info.

By the way, mentioned files which were generated are also trusted by signature.