Comodo Firewall 12 HIPs and Containment Failure
1: CIS version:
Comodo Firewall 18.104.22.16818
2: OS version:
Win 7 Pro x64
3: What you did:
Proactive configuration with HIPs in Safe Mode and containment set to Automatic. Tested the location protection of HIPs->“Protected Objects”->“Protected Files” by turning off containment and running a simple .bat file to attempt to delete files located at a remote drive location. Ideal outcome was a block of the simulated attack. Tested first with containment turned off and all other protections on. As expected, HIPs protected the remote location, which I had added to “Protected Files”. I then re-enabled containment and turned off HIPs to observe the behavior. Comodo containment protected as expected, and the .bat was contained. I then re-enabled HIPs and turned off containment one more time and ran the .bat. At this point I expected to see the HIPs alerts, but this was not the case.
4: What you actually saw:
The .bat file in the 3rd test configuration ran without an alert, even though HIPs was on. As a matter of fact, when the container was re-enabled, the .bat still ran without an alert. I continued to probe this issue to understand the problem, and I unblocked the .bat from within “Unblock Applications” for all areas and then found and eliminated the rules in HIPs and Containment. Only the containment rule was there as expected, and it was deleted. The file was not present in the “Files List”. Again, I ran the test with only HIPs enabled, and this time the .bat ran without an alert of any kind. I again checked for the presence of the file in the settings and dialogs, but it was not present. At this point, I proceeded to re-enable “Auto-Containment”. Again, I ran the test, and, again, the “Unrecognized” test .bat ran without an alert, this time with both HIPs and “Auto-Containment” enabled. I continued to probe the issue, and I saved the Proactive configuration setting and uninstalled Comodo Firewall using Comodo Programs Manager. I then reinstalled Comodo Firewall again and restored the Proactive configuration settings that had been used previously and saved. At this point, I ran the test, and Comodo Firewall HIPs again blocked the file as expected. Obviously, malware isn’t going to alert me to reinstall Comodo Firewall, so this is clearly unacceptable. Somehow, Comodo Firewall in this scenario is remembering the file, while at the same time giving it completely free rein on the system. Yet, the file does not even exist in the program dialog settings anywhere, including rules and/or the “Files List”. Also, it is not present in the “Unblock Applications” area. This file is “Unrecognized” by default, yet it still can run any time and do anything.
How is this file getting a free pass? This is a systemic fail. I ran the test 3 separate times repeating all of the same steps above and with the identical results. Once a file has been contained, even if the file’s presence is removed in the “Unblock Applications” area and from the “Files List”, along with all rules for the file, the file is still given free rein, even though according to Comodo it is unsigned and unknown and therefore obviously “Unrecognized”. PLEASE FIX THIS IMMEDIATELY.
5: What you expected to happen or see:
When I re-enabled the HIPs and disabled “Auto-Containment” for the second time, I expected the normal HIPs alerts, first for Explorer and then for the location attack. Neither came. And, when containment was re-enabled, neither HIPs, nor that protection issued an alert to the running “Unrecognized” .bat on the desktop. Again, the file wasn’t in the “Files List” or anywhere else in the Comodo Firewall dialog. How could it possibly have run?
6: If possible, attach a screenshot illustrating the GUI problem:
No screenshots. PLEASE JUST TEST THIS SCENARIO. An “Unrecognized” .bat file is able to run under the above scenario. How is this possible? This should be tested too when HIPs is turned off first to see if this simpler test produces the same result later, when HIPs is re-enabled and “Auto-Containment” disabled. I have not tested this scenario.
I have tried everything to resolve this. Once the file is allowed by Comodo, there is no way to resolve the problem. I ran the Comodo Repair, rebooted numerous times, uninstalled and reinstalled, checked the settings for secondary HIPs references for the file in Explorer.exe. Literally, there is nothing there to skew the test. This result bears witness with 5+ years of experience I have had with Comodo Firewall now as something familiar to me. I feel certain I have seen this before without realizing what was happening.
This appears to me to be a very serious issue. PLEASE test and let me know what is causing this result in Comodo Firewall. I feel certain it happens in CIS and in CCAV too. I haven’t tested these. PLEASE TEST THIS IMMEDIATELY. Thank you.