Summary - Give a clear summary in the topic subject, NOT here.
Can U reproduce the problem & if so how reliably?:
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: Disable autosandbox so that only the HIPS is running under Defense+
2: Create a custom ruleset, called “Blocked Application”, which has all possible actions set to Blocked.
3: Apply this “Blocked Application” rule to mediaplayer exe + mediaplayer setup
4: Double click a movie file which is associated with mediaplayer.
5: Check task manager, next to cavwp.exe you will see mediaplayer exe running.
6: If you check the Defense+ logs you will see some blocked events regarding mediaplayer, although the process was allowed to run
If not obvious, what U expected to happen:
I expected that if a rule is made to block it that it will not even be able to have a process running.
If a software compatibility problem have U tried the conflict FAQ?:
Any software except CIS/OS involved? If so - name, & exact version:
Windows 7 64 bit mediaplayer
Any other information, eg your guess at the cause, how U tried to fix it etc:
I noticed that this process runs under the same svchost as comodo av does. This seems very unusual to me.
In older versions of CIS creating a block rule like this for the HIPS prevented the process from running.
Backpack process ignores block rules
B. YOUR SETUP
Exact CIS version & configuration:
CIS version 7.0.317799.4142
Have U made any other changes to the default config? (egs here.):
All on high and secure
Have U updated (without uninstall) from CIS 5 or CIS6?:
No, this was a clean install
if so, have U tried a clean reinstall - if not please do?:
Have U imported a config from a previous version of CIS:
if so, have U tried a standard config - if not please do:
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 64bit, not a virtual machine
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
Okay, I’m not sure why it is able to run. I assume it is not able to actually start any files, but I’m not sure why it would be allowed to run at all.
In order to forward this to the devs please edit your first post so that it is in the format required here.
Also, please attach a diagnostics report, a KillSwitch process list, and your current configuration to your first post.
I have not tried as I do not currently have the time for testing.
However, I’m wondering whether this is a bug or intended behavior. Is it normal for a process to be allowed to run itself if there is a block rule? If it is then I would expect that the process would not be able to do anything, meaning perform any of the actions defined on this page. Does it seem that the process is able to do this?
If you think it is, or are not sure, then I think it’s best to format the first page and I can submit this to the devs for consideration. The worst they can say is that this is intended behavior.
Please send it to me via PM and I will post it in the tracker where forum members cannot see it. The reason for this is that if it turns out to be more complicated than it currently seems (which I have seen happen many times) I would rather not introduce any unnecessary delays.
In that case I will forward this to the devs as-is, acting under the assumption that this is likely replicable without that information (which I believe is likely for this issue). However, I have mentioned in the tracker that if the config file or the diagnostics report does turn out to be needed for replication that you would be able to supply it to them upon request.
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
NOTE: If the default predefined rule “isolated application” doesn’t show this effect,
create a predefined rule with the name “blocked application”. And set all as blocked.
(I create this rule, because the name “isolated” doesn’t fit.)
Do you mean that if the devs try to replicate this by using the predefined rule “isolated application” and it does not replicate that they should manually create a new rule called “blocked application” (in which every possible action has been chosen to be blocked) and apply that to the application?
If so, do you mean that this does not replicate on your computer if you use isolated?