Cloud Scanner stops working after disabling Auto-Sandbox [V6][M242]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic title, NOT here.

  • Can U reproduce the problem & if so how reliably?: 100% reproducible
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    Please refer to the screenshots when reading this:
  1. Check that the cloud scanner is enabled. !!! leave the AUTO-SANDBOX enabled !!!
  2. Watch the cloud scanner throw an alert when I execute ■■■■■.exe and choose “Ignore Once”
  3. Disable the AUTO-SANDBOX
  4. Look at the firewall stopping ■■■■■.exe from connecting to the internet when I execute it again
  5. Watch Killswitch in horror trusting the ■■■■■.exe file
  • If not obvious, what U expected to happen:
    I would expect the Cloud Scanner to step in and ask me to block ■■■■■.exe. I would also expect killswitch to mark the file as “malicious” and not as trusted.
  • If a software compatibility problem have U tried the conflict FAQ?: not relevant
  • Any software except CIS/OS involved? If so - name, & exact version: all other security software has been properly disabled.
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
  • Always attach - Diagnostics file, Watch Activity process list, (dump if freeze/crash). If complex - CIS logs & config, screenshots, video, zipped program (not m’ware)

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • CIS version & configuration: CIS 6.0.260739.2674.

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    AUTO-SANDBOX disabled. D+ disabled. Firewall enabled, AV enabled…
  • Have U made any other changes to the default config? (egs here.):
    Changes I have made:
    Firewall
  • I’m using a custom ruleset. I want an alert for every internet connection attempt.
  • I am NOT using the Comodo DNS-servers
    File rating
  • Trust applications signed by Trusted vendors is UNTICKED

I also sandbox apps as limited instead of partially limited. But you can already see this in the screenshots.

Like I said, probably nothing relevant.

  • Have U updated (without uninstall) from a previous version of CIS: NO
    - if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS: NO
    - if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, & VM used: Windows XP SP3 32 bit - fully updated. UAC? Does XP have this?:-). Limited user account. I’m not using a VM.
  • Other security/sandbox software a) currently installed b) installed since OS: a) NO B) NOD32 HIPS but I have disabled it.

Report added. Please PM me for the password.


Thanks for your post.
Could you send me this file so I can try some stuff out please?

Thanks could you check this against the update (2708) if possible.

Many thanks in anticipation

Mouse

Thank you very much for your bug report in standard format. We very much appreciate the effort you have made to document this bug.

We are sorry to trouble you further but there are some items of information missing or unclear in your post:

  • OS version, SP, 32/64 bit, UAC setting, account type, & VM used:
  • Have U made any other changes to the default config? (egs here.): Please state these if they appear on the list of examples
  • diagnostics report

The reasons we need these items of information, though they may not seem directly relevant to the issue are explained here.

We would be very grateful if you would add these items of information so we can forward this post to the format verified board, where it is more likely to get fixed. You can find assistance using red links in the Format and here. If you need further help please ask a mod. If you do not add the information after a week we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report which includes all necessary information or not. We may remind you if we think a bug of particular importance.

Many thanks again

Mouse

@Mouse1

1)I’ll add a diagnostic report too. My access to the computer in question is not possible right now. Expect it later today.
2) I will check against update (2708).
@andyman35
Please PM me your e-mail. I will send you the file. Please be careful when running it. It does not seem to destroy or damage anything, it just tries to connect out.

You can upload the sample to any free upload site & send the link to users who wants to test it.

To send it to the users click on their name to open their profile, there you will see send this user a personal message.

Don’t paste the link here.

By the way I think the issue here is coz the malware is detected & trusted too.

I checked another harmless sample just to see what happens & I think detection worked fine, i.e. every time the sample was executed it was blocked. But I tested it in Virtual Kiosk & I only received a cloud alert for the first execution; all the other execution attempts were blocked but I didn’t receive a cloud alert. So I don’t know if this is a Virtual Kiosk issue.

When I leave the sandbox ON, The file is blocked regardless of the Cloud scanner responding or not. My point is that the Cloud scanner does not detect it with the sandbox OFF and that therefore the file gets trusted and loaded into memory.

So Naren, did you turn the sandbox off:-)?

OK, just now I tried a harmless sample trojansimulator from testmypcsecurity.

I tested the sample in Virtual Kiosk with autosandbox disabled.

When I executed the sample first time I got cloud alert & pressed ignore once.

Then I executed the sample 3-4 times & didn’t get a cloud alert & the trojan installed successfully.

XP 32
CFW & D+ with Internet Security Config, AV not installed, Autosandbox disabled for testing

I think there are two proposed bugs here

  1. Jeroen’s bug - disabling the Behavior Blocker leads to no Cloud lookups, and therefore the file being trusted
  2. Naren’s bug - multiple executions in Kiosk don’t lead to multiple detections

The question is whether one is causing the appearance of the other.

Jeroen, could you turn the Behavior Blocker off and reboot please, if you think you can do this safely. Then try the sample and see if you get a Cloud alert. If you don’t then we should consider them separate issues.

In which case, Naren would you be kind enough to make a separate bug report in standard format please as yours is an important issue too?

Best wishes

Mouse

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

I guess Jeroen tested ■■■■■.exe, the malware which he sent me too. If he tested ■■■■■.exe then that malware is trusted when behavior blocker is enabled too. And I submitted that sample to comodo in the thread whitelisted/trusted malware.

I don’t know whether cloud lookup works or not when the behavior blocker is disabled.

But if BB is disabled & I got a cloud alert once, then doesn’t this mean cloud lookup is working?

Yes, but it could be something specific to his machine, OS. He needs to test as I suggested, that will give some extra info. Not sure it’s just a false whitelisting problem, else there would be no cloud alert. Maybe it’s both on TFL and Virus list, but there should be an integrity constraint to prevent that as we are dealing with signatures. Maybe the integrity constraint is failing.

Referring to the bold part, I do not fully agree. If I do not turn the BB off, Killswitch will report ■■■■■.exe as malicious. Somehow “ignore once” is more permanent than it should be, causing ■■■■■.exe to get trusted.

Hi Mouse,

Steps taken:

  1. Turn BB off
  2. Reboot
  3. Turn Eset NOD32 real time scanning off, and unrar ■■■■■.exe
  4. Run ■■■■■.exe (stopped it from connecting to the outside world using Comodo firewall)
  5. Verified with Killswitch that ■■■■■.exe was running in memory. It was and as a trusted file. I could even glimpse Comodo saying “analyzing”.

Additional steps taken out of curiosity:

  6. Turned BB back on.
  7. Ran ■■■■■.exe and saw the Cloud Scanner alerting me.

OK, so you mean BB ON KillSwitch shows it malicious but if ignore once is selected KillSwitch shows it trusted, right?

I think this is a bug.

Ok, so you mean BB OFF you don’t get a cloud alert & KillSwitch shows it trusted, right?

With BB OFF I get a cloud alert but only for the first time; on subsequent executions there is no cloud alert but the malware is blocked, as I get “windows cannot find specified file”.

But 2 things here. First I tested in Virtual Kiosk & second I didn’t restart the system after disabling BB as you did. But I think a system restart is not necessary to disable BB, am I right?

Thanks Jeroen, that seems to confirm it. Let’s see what QA say.

That’s my understanding.

Mouse

Can you please check and see if this is fixed with the newest version? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.