Comodo can be terminated without denial

If you try to end the Comodo processes in Task Manager, they can all be terminated without being access denied, or not having the wrong permissions.
I do believe in CIS 6.3 when trying to kill the cmdagent.exe and cavwp.exe you would get denied. However now in 7.0 it just gets completely allowed.

  1. Diagnostics report as attachment to your post
    In attachments

  2. The full product and its version e.g. COMODO Firewall 7.0.308911.4080
    Comodo Internet Security Beta- 7.0.308911.4080

  3. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one.
    Windows 8.1 64bit, all updated. On host machine

  4. List all the configuration changes you did. Are you using Default configuration? If no, what's the difference?
    All I have changed is bump up the heuristics and set BB to Limited

  5. Did you install over a previous version without uninstalling first, or import a previous configuration file? (please try to avoid doing these things until we are told it is safe)
    I did a complete uninstall of the Final stable build and restarted before installing the beta, no imports were made.

  6. Other Security, Sandboxing or Utility Software Installed
    Just Malwarebytes scanner, no real-time functions enabled or on startup.

  7. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step.
    i) Opening Task Manager
    ii) Right click cmdagent or any other Comodo processes.
    iii) Click End Process.

  8. What actually happened when you carried out these steps
    When you end the process of any Comodo processes, there is no error or access denied or any prevention method to stop you from terminating the Comodo software.

  9. What you expected to see or happen when you carried out these steps, and why (if not obvious)
    For the Comodo processes to not be so easily terminated.

[attachment deleted by admin]

This has been the intended behavior since version 6.0, I think. Basically, CIS will allow the user to terminate its processes; however, it will not allow an unknown process to do so.

Really? Because I do believe on 6.3 I was denied when I once tried, I will fire up a virtual machine quickly and I will return with the results.

With 6.3 it should allow you to terminate CIS processes unless you change the HIPS protection settings for Comodo Internet Security.

Okay if what you are saying is true, just say by chance, someone has remote access to your computer or malware uses the task manager to kill processes, instead of using other methods such as cmd or 3rd party tools? Will that mean Comodo will just allow it?

The question there is, how does that someone get remote access in the first place? And an unknown malware shouldn’t be able to access the task manager in such a way when using the BB, and when using HIPS it would alert about it. If we are talking about trusted malware, then the fight is already lost because it would be allowed to do anything whatsoever.

That is why I said ‘by chance’ :wink:

Well I don’t really know what would happen with remote access since I haven’t really used it and don’t know how it works technically, as in if it looks like the normal user to CIS or if it looks like it is a certain process making those actions.

You could of course try this if you want.

I will do so in the virtual machine I am currently installing.

Edit: Okay after testing on CIS 6.3 you are right it allows you to terminate with task manager (I must be tripping or thinking of like CIS 6.1 or 6.2)
Also for using a program to kill the processes using task manager: if it was running in Partially Limited, it was unable to kill the processes, which is a good thing, and I see that it’s working.

However, if the program gets allowed to ‘run as unlimited’ it gets access to terminating CIS completely. However, it makes sense why it’s allowed to do this. I just see it as a tiny flaw if someone were to mistake something as legitimate, or something being whitelisted malware it has access to terminating the software, and this can pose a security risk. Also, in general a security suite shouldn’t be easily terminated using any method, allowed software or not. Though that is my opinion.

I did try by adding a password to CIS to see if that prevents terminating the software, however even with a password on CIS it is still able to be completely terminated through task manager. This could be pretty bad if the reason for a password was to stop someone else on the computer, e.g. family member or friend, being able to allow things or terminate the software completely.

This is intended behavior, both with V6 and V7. It was added so that users could kill processes which were causing problems, which with V5 was not possible.

This is not a vulnerability because although the user is allowed to open the program and kill the processes, an untrusted software would not. Other trusted software may be able to do this, but not untrusted ones. If you can find a way in which an untrusted software can kill any of the CIS processes, please do report that as a bug immediately.

I will move this report to Resolved.

Thank you.