Cloud AV allows malware to run while user decides whether to clean or not [M943]

A. THE BUG/ISSUE (Varies from issue to issue)

  • Can U reproduce the problem & if so how reliably?:
    Every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    Video demonstration
      • Install Comodo Firewall, not CIS
      • For the purpose of this test, disable BB and HIPS if they are active (This is to only test the Cloud AV)
      • Run a file that the cloud detects as a malware (for example Zemana Key-Logger Simulation Test Program)
      • Note that the file will initially be allowed to run without any hindrance.
      • However, after a second it is detected as malware and you get an alert from CFW
      • However, the program is still allowed to run in the background without any hindrance or blocking until the user clicks Clean
  • If not obvious, what U expected to happen:
    I expect that if a file is detected it should be automatically blocked, or frozen in some way, until the user selects whether to ignore or clean the file.
  • If a software compatibility problem have U tried the conflict FAQ?:
    N/A
  • Any software except CIS/OS involved? If so - name, & exact version:
    Zemana Key-Logger Simulation Test Program
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    I noticed that with Comodo Antivirus in CIS, detected executables are blocked until the user decides whether to clean them or ignore the detection. However, for Comodo Firewall the applications are allowed to run unhindered until the user cleans them. I do not know why there is this discrepancy, but they should be blocked as soon as they are classified as malware by the cloud AV.

B. YOUR SETUP

  • Exact CIS version & configuration:
    Comodo Firewall 7.0.313494.4115
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    HIPS Disabled, BB Disabled, Firewall Custom Ruleset, AV not installed (Cloud AV enabled (Enable Cloud Lookup that is)) (HIPS level doesn’t really matter, same thing happens with it on safe mode)
  • Have U made any other changes to the default config? (egs here.):
    Yes, too many to note, will attach a config file.
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    No
      • if so, have U tried a clean reinstall - if not please do?:
        N/A
  • Have U imported a config from a previous version of CIS:
    Yes
      • if so, have U tried a standard config - if not please do:
        Yes
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 8.1 64bit, UAC off, Administrator account and no virtual machine.
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
      • Zemana Anti-Logger Free
      • Shadow Defender
      • AX64 (If it counts)

[attachment deleted by admin]

Perhaps I am misunderstanding, but to me this looks like the intended behavior. The purpose of the antivirus alert, with the option to either clean or ignore, is to allow the user to let the object continue. If the user wants it automatically removed, they should select the option to automatically remove detected applications.

On the other side of it, it is not the job of the antivirus component, at least with CIS, to stop the object from running while it is either being analyzed or the antivirus popup is on the screen. This is the job of the BB and the Firewall component.

Thus, to me I do not see any evidence of a bug. Am I misunderstanding this issue?

Thanks.

Well, first off, the user could allow the object to continue launching even if the malware wasn’t allowed to run during the analysis: clicking Ignore should allow the malware to run and clicking Clean should continue blocking the malware and remove it. Currently it doesn’t block it at all. Also I don’t want to automatically remove it, I want it to block the malware from executing.

Secondly “On the other side of it, it is not the job of the antivirus component, at least with CIS, to stop the object from running while it is either being analyzed or the antivirus popup is on the screen.”
So much for default deny. 88) (by the way, the actual AV part in CIS blocks it from running, only Cloud AV allows it to roam free without any consequences)

Thirdly “This is the job of the BB and the Firewall component.”
I disagree, it’s their job for unknown malware, not known malware, that’s just insane, why let the malware run at all if it’s a known malware!? And with the BB set to partially limited by default that basically means that any malware that can bypass partially limited gets a free pass even if they are detected, because I’ll bet you the malware can do its job faster than the user can analyze the file and click “Clean”.

Also not everyone wants to use BB or HIPS, perhaps someone only wants the Cloud AV? Well tough luck, it’s not going to do you any good.

Whether this is a bug or not I don’t know, if it’s not then it’s a wish, thought I’d try my luck with bug first.

I think it’s set up this way so that if this was a software which the user wanted to continue using, it would not lose any of the user’s data, or progress. Imagine if this was a program similar to Microsoft Word, and the user had written most of an essay. Suddenly one of its files was incorrectly detected. If this was handled the way it is right now the user could just click ignore and continue writing, nothing would be lost. However, if it was automatically blocked the user could not save their progress, and the program would be forced to close. Am I incorrect, or do you think this could work differently?

Sorry, perhaps I should have been more careful with my wording. I should have said that it is not the job of the detection component, which is really all that the cloud antivirus plays in this role. It is the BB which isolates, but I will discuss this after the next quote.

Until the user clicks the button to clean, Comodo Firewall should assume that this is an unknown file. The entire reason that the user would configure Comodo Firewall to ask, is because they want to manually decide whether it is malware or just an unknown file which is being detected. Thus, I do not see why this would not fall under the role of the BB. However, I have not used Comodo Firewall standalone. Thus, if the default for cloud detections is not to automatically remove the application, please let me know.

I don’t see why this is true. Do other antivirus products work differently when they detect possible malware? If so, what do they do? This information could be very helpful for me to fully understand this situation.

I’m not sure yet either. However, please continue this conversation here. Once I have a good enough understanding of it we can then figure out what to do next.

Thank you.

Yes I believe you are incorrect, it could simply stop the program from doing anything (imagine HIPS when you don’t answer the questions, it’s basically just waiting) until the user either a) Cleans it or b) Ignores it. Also I don’t see what this scenario has to do with the actual execution of a file which this issue is about. When executing an unknown file (because we all know trusted files are ignored by the AV) it should, if CFW can connect to the cloud, freeze the launching of the executable until it has finished analyzing it, if detected it alerts the user while still not allowing the executable to do anything, if the Cloud comes up with no detection then it lets the executable run.

I disagree, until the user clicks the button to ignore, Comodo Firewall should assume that the file is malicious and “freeze” it.

It’s not only the default to ask the user, you actually CAN’T configure it to automatically remove a detected malware in CFW! It has no AV settings whatsoever, it has Cloud ON and OFF, that is it!

Yes, Comodo AV in CIS. If a malicious file is detected (assuming it is set to ask the user for action) it will stop the executable from fully starting until action is taken in the form of either cleaning it or ignoring it, at least that has been my experience, perhaps I’ve had a bug all this time. 88) I’m going to re-install the AV part of CIS just to test it again, just in case…

At the moment I think the current behavior is intentional, so this might be more of a wish in form of a new check-box option “Block files from running until analyzed” under the Cloud lookup setting in the File Rating Settings?

Okay, in that case this sounds more like a wish. Also, now that I understand the situation better, I think I would likely agree with it. Please create a new Wish Request for this, assuming you find that Comodo AV reacts the same way.

If the behavior in Comodo AV does freeze it, then I think this is a bug. However, if Comodo AV reacts the same way, then please create a new Wish Request for this.

If it is intentional, and the same behavior is seen for both Comodo Firewall and Comodo Antivirus, then please do create a Wish Request for this.

Regardless of what you find, please respond to this topic and let me know the results of your investigation.

Thank you.

Alright, still making a snapshot of the current system… “The computer was shut down improperly. Backup will take longer than usual.” 88)

No problem. Let me know what you find.

Thanks.

Alright finished testing.

Let’s start by making something clear, basically the issue I’m talking about is with Comodo Cloud AV which is both a part of CIS and CFW so this isn’t only an issue with CFW however CIS also has Comodo AV which is the full on AV with local signatures etc. I did not test only the Cloud AV in CIS since I don’t really know how to test that specifically when you also have Comodo AV since I always get alerts from Comodo AV instead of Comodo Cloud AV… Anyway…

So results:

Comodo AV in CIS: Blocks the malicious file from starting until the user clicks ignore and exclude (clicking ignore once just re-alerts) (Timeline: Try to execute malware > Detected without it actually being allowed to run > Won’t run until the user clicks ignore and exclude)

Comodo Cloud AV in CFW: Doesn’t block the malicious file from starting however alerts after it has started but still doesn’t block it from doing anything. (Timeline: Try to execute malware > Malware is allowed to run > Cloud AV alerts for it but doesn’t block the malware from doing anything > isn’t blocked until user clicks “Clean”)

Thanks for testing this. In that case this may be a bug. Please edit your first post so that it is focused exclusively on the difference between what happens with Comodo AV and Comodo Firewall. I will forward this as a bug, after you have revised your first post. Then, if the devs reclassify this as a wish I will move it to the wish section. However, I will first consider this a bug.

Let me know when you have revised your first post.

Thanks.

I don’t really know how to reword it in such a way? ???

I gave it a try myself. I modified the first file, and the title, to try and make it clear exactly what the most critical problem is. Please look it over and let me know what you think. If everything is fine I will forward this to the devs as a bug.

Thanks.

I do not believe we understand each other.

My guess here:
1. What actually happens: Try to run detected file > It’s launched and the cloud starts to analyze it (basically checking if there are any signatures in the cloud for it) > The program is running > You get Cloud AV alert > Program is still running.
2. What I think you think I want to happen: Try to run detected file > It’s launched and the cloud starts to analyze it > The program is running > You get Cloud AV alert > Program should be blocked from taking any kind of action until user answer alert.
3. What I want to happen: Try to run detected file > It gets temporarily blocked from launching while it is analyzed > If nothing is found then continue launching the file / If the file is detected as malicious then keep blocking it and show the alert.

The normal Comodo AV does #3 and Cloud AV does #1, I want the Cloud AV to do #3, currently the edited bug report is for Cloud AV to do #2. Do we understand each other now? :embarassed:

Edit: Did some changes to the first post, thoughts?

The first post seems fine to me. Are you okay with the wording you put in the first post, or do you still think it incorrectly represents this issue?

If everything seems fine let me know and I can forward this to the devs.

Thanks.

Seems good enough.

Well found Sanya. Just posting here as Sanya did send me a video link and I suggested reporting. Hope that’s OK Chiron.

I viewed the video, and I agree this bit is a bug:
" if detected they should be blocked until the user selects whether to ignore or clean the file and if the file is not detected then it’s allowed to launch. (Like the normal Comodo AV behavior)"

(Just to check, if HIPS is on (in safe mode) is it blocked after Cloud AV detection (you’ll need to allow any HIPS alerts to find out). I think this may be another reflection of the ‘things don’t get blocked if HIPS is off’ problem).

I am not sure this bit is practical, time-wise. It would probably introduce too much delay. If it is, it is a wish:
“If there is an internet connection I expect the Cloud AV to block executables from being launched until they have been analyzed by the Cloud AV”

So it may be worth separating these in the tracker, and possibly in the forum. Sorry if that’s already been discussed.

Best wishes

Mike

If HIPS is on (safe mode) then HIPS itself will block the application from launching (unless launched from an application that is allowed to launch other applications, e.g applications with installer or updater policy) however this doesn’t change the behavior of the Cloud AV, if you click allow in the HIPS alerts it will allow the malware to run normally even as the Cloud AV alert is on screen.

I guess this is both a bug and a wish…

The bug: Cloud AV doesn’t block the malware from further actions even after it has been detected (Also the case with Viruscope btw) However I don’t know how this is in normal Comodo AV since that has always alerted me and stopped the malware BEFORE it’s allowed to launch, never tested having a malware launch first and THEN get alert…
The wish: For Cloud AV (If CFW can establish a connection to Cloud servers) to block the actual launch of unknown executables until they have been properly analyzed and the results are back from the cloud and then if it’s not detected it’s allowed to run but if it is detected then it’s still blocked until the user makes a choice. Of course this should be an option in the “File rating settings” under the cloud lookup which is greyed out when cloud lookup is not enabled… Should I make a wish for this? I doubt it will get enough votes though, doesn’t seem like a question many people would be interested in enough.
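Added illustration (not code from this thread, and not Comodo’s): a small Python model of the two launch policies Sanya contrasts, timeline #1 (launch first, alert when the cloud answers, keep running until the user clicks Clean) and timeline #3 (hold the process until the cloud answers, release only on a clean verdict or an explicit Ignore). It also models the deadline that bounds the startup delay Mike is worried about, and what happens when the cloud does not answer in time. The sample names, tick counts and the `release_on_timeout` switch are constructed assumptions for the model, not product settings.

```python
"""Toy model of two cloud-lookup policies for launching an unknown file.

Constructed example: it calls no Comodo component. Time is counted in abstract
ticks, and a process that has been released does one unit of "work" per tick.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"


class UserChoice(Enum):
    CLEAN = "clean"     # remove the file / stop it
    IGNORE = "ignore"   # let it run anyway


@dataclass(frozen=True)
class Sample:
    """Constructed description of a file being launched (no real hashes)."""
    name: str
    cloud_verdict: Verdict   # what the cloud would answer if asked
    lookup_ticks: int        # round trip of the cloud lookup


@dataclass(frozen=True)
class Outcome:
    startup_delay: int         # ticks the user waits before the file starts
    work_before_verdict: int   # work done while the lookup was still pending
    work_after_detection: int  # work done after the cloud said "malicious"
    alerted: bool
    final_state: str           # "running", "held" or "terminated"


def alert_after_launch(sample: Sample, user_response_ticks: int,
                       choice: UserChoice) -> Outcome:
    """Timeline #1 in the thread: launch at once, look up in the background,
    alert when the verdict arrives, keep running until the user answers."""
    before = sample.lookup_ticks                       # ran during the lookup
    if sample.cloud_verdict is Verdict.MALICIOUS:
        after = user_response_ticks                    # ran while the alert was up
        state = "terminated" if choice is UserChoice.CLEAN else "running"
        return Outcome(0, before, after, True, state)
    return Outcome(0, before, 0, False, "running")


def hold_until_verdict(sample: Sample, deadline_ticks: int, choice: UserChoice,
                       release_on_timeout: bool = True) -> Outcome:
    """Timeline #3 in the thread: create the process held (what CREATE_SUSPENDED
    gives a launcher on Windows), wait for the cloud up to a deadline, and
    release only on a clean verdict or an explicit Ignore. The deadline caps
    the delay that holding costs legitimate software."""
    if sample.lookup_ticks > deadline_ticks:
        # No verdict in time, so no detection is possible; fall back to the
        # product's normal handling of unknown files (modelled as a switch).
        state = "running" if release_on_timeout else "held"
        return Outcome(deadline_ticks, 0, 0, False, state)
    if sample.cloud_verdict is Verdict.MALICIOUS:
        # Still held while the alert is on screen: nothing runs before the user decides.
        state = "running" if choice is UserChoice.IGNORE else "terminated"
        return Outcome(sample.lookup_ticks, 0, 0, True, state)
    return Outcome(sample.lookup_ticks, 0, 0, False, "running")


def exposure(sample: Sample, outcome: Outcome) -> int:
    """Work a file the cloud calls malicious completed before anything stopped it
    (0 for files the cloud calls clean)."""
    if sample.cloud_verdict is Verdict.CLEAN:
        return 0
    return outcome.work_before_verdict + outcome.work_after_detection


if __name__ == "__main__":
    sim = Sample("keylogger-sim.exe", Verdict.MALICIOUS, lookup_ticks=1)
    editor = Sample("editor.exe", Verdict.CLEAN, lookup_ticks=2)
    policies = (
        ("alert after launch", lambda s: alert_after_launch(s, 30, UserChoice.CLEAN)),
        ("hold until verdict", lambda s: hold_until_verdict(s, 5, UserChoice.CLEAN)),
    )
    for policy_name, run in policies:
        for s in (sim, editor):
            o = run(s)
            print(f"{policy_name:19} {s.name:17} delay={o.startup_delay} "
                  f"exposure={exposure(s, o)} alerted={o.alerted} end={o.final_state}")
```

The point the model makes explicit: under the alert-after-launch policy the window a detected file has to act is the lookup time plus however long the user takes to read and answer the alert, whereas holding the process reduces that window to zero at the cost of a bounded startup delay for clean files, which is why the deadline and the timeout fallback belong in the design of the wish.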

“if you click allow in the HIPS alerts it will allow the malware to run normally even as the Cloud AV alert is on screen.”

That’s what I needed to know, thanks

I agree there’s a wish plus a bug. Normal AV has local signatures. That’s how it can block immediately from execution I guess.

I’ll let Chiron decide whether there should be a separate wish in the forums, if that’s OK. Need to be separate in the tracker.

We’re going to have to handle this as one bug report and one Wish Request.

The bug report must be for the fact that it is not blocked while there is the Cloud Alert popup. I have edited the first post for this. Please look it over and let me know what you think. If everything is fine I will forward this as a bug to the developers.

However, also create a new Wish Request. This should be for an option for the Cloud AV to not allow applications to run until they have been checked in the cloud.

Let me know if you have any questions.

Thanks.

Alright, looked it through and fixed a grammatical issue, looks good now.