Have U made any other changes to the default config? (egs here.):
Changes I have made: Firewall
I’m using a custom ruleset. I want an alert for every internet connection attempt.
I am NOT using the Comodo DNS-servers
File rating
Trust applications signed by Trusted vendors is UNTICKED
I also sandbox apps as limited instead of partially limited. But you can already see this in the screenshots.
Like I said, probably nothing relevant.
Have U updated (without uninstall) from a previous version of CIS: NO
- if so, have U tried a clean reinstall - if not please do?:
- Have U imported a config from a previous version of CIS: NO
- if so, have U tried a standard config - if not please do:
- OS version, SP, 32/64 bit, UAC setting, account type, & VM used: Windows XP SP3 32 bit - fully updated. UAC? Does XP have this? :-) Limited user account. I’m not using a VM.
Other security/sandbox software a) currently installed b) installed since OS: a) NO b) NOD32 HIPS, but I have disabled it.
Thank you very much for your bug report in standard format. We very much appreciate the effort you have made to document this bug.
We are sorry to trouble you further but there are some items of information missing or unclear in your post:
OS version, SP, 32/64 bit, UAC setting, account type, & VM used:
Have U made any other changes to the default config? (egs here.): Please state these if they appear on the list of examples
The reasons we need these items of information, though they may not seem directly relevant to the issue are explained here.
We would be very grateful if you would add these items of information so we can forward this post to the format verified board, where it is more likely to get fixed. You can find assistance using red links in the Format and here. If you need further help please ask a mod. If you do not add the information after a week we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.
In the current process we will normally leave it up to you whether you want to make a report which includes all necessary information or not. We may remind you if we think a bug is of particular importance.
1) I’ll add a diagnostic report too. My access to the computer in question is not possible right now. Expect it later today.
2) I will check against update (2708).
Please PM me your e-mail. I will send you the file. Please be careful when running it. It does not seem to destroy or damage anything, it just tries to connect out.
You can upload the sample to any free upload site & send the link to users who want to test it.
To send it to the users, click on their name to open their profile; there you will see “send this user a personal message”.
Don’t paste the link here.
By the way, I think the issue here is coz the malware is detected & trusted too.
I checked another harmless sample just to see what happens & I think detection worked fine, i.e. every time the sample was executed it was blocked. But I tested it in Virtual Kiosk & I only received a cloud alert for the first execution; all the other tries of execution were blocked but I didn’t receive a cloud alert. So I don’t know if this is a Virtual Kiosk issue.
When I leave the sandbox ON, the file is blocked regardless of the Cloud scanner responding or not. My point is that the Cloud scanner does not detect it with the sandbox OFF and that therefore the file gets trusted and loaded into memory.
Jeroen’s bug - disabling the Behavior Blocker leads to no Cloud lookups, and therefore the file being trusted
Naren’s bug - multiple executions in Kiosk don’t lead to multiple detections
The question is whether one is causing the appearance of the other.
Jeroen, could you turn the Behavior Blocker off and reboot please, if you think you can do this safely. Then try the sample and see if you get a Cloud alert. If you don’t then we should consider them separate issues.
In which case, Naren would you be kind enough to make a separate bug report in standard format please as yours is an important issue too?
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
I guess Jeroen tested ■■■■■.exe, the malware which he sent me too. If he tested ■■■■■.exe then that malware is trusted when the behavior blocker is enabled too. And I submitted that sample to Comodo in the thread “whitelisted/trusted malware”.
I don’t know if, with the behavior blocker disabled, cloud lookup works or not.
But if BB is disabled & I got a cloud alert once, then doesn’t this mean cloud lookup is working?
Yes, but it could be something specific to his machine, OS. He needs to test as I suggested; that will give some extra info. Not sure it’s just a false whitelisting problem, else there would be no cloud alert. Maybe it’s both on TFL and the Virus list, but there should be an integrity constraint to prevent that as we are dealing with signatures. Maybe the integrity constraint is failing.
Referring to the bold part, I do not fully agree. If I do not turn the BB off, Killswitch will report ■■■■■.exe as malicious. Somehow “ignore once” is more permanent than it should be, causing ■■■■■.exe to get trusted.