Hi, Comodo has isolated its own script. Is this really the way it needs to work? Plus, Comodo didn’t show any popup when it isolated the scripts. They were just two Command Prompt windows with green borders around them. Please take a look at the screenshots for this issue and also for the one below.
Also, I have another question. In the summary of the logs it says that 85 unknown files have been detected but 0 have been submitted. I have “Analyze unknown files in the cloud by uploading them for instant analysis” set to ON. So what’s going on?
Also, I had the initial released version of Comodo 10 installed, and SUMo notified me of an available update, 10.0.0.6092, but Comodo did not. I have been checking through the Comodo interface for 20 days now; it said that it was up to date, but it wasn’t. I then uninstalled Comodo, downloaded the installer from the site and installed the new one. Why was Comodo not detecting its own update?
Oh yes. This is a new feature we have introduced to catch fileless malware. Fileless malware uses script interpreters such as powershell.exe to execute code through the command line. There are various ways. What CIS 10 does is catch embedded command lines and sandbox them.
But while sandboxing them, we create a file out of them, i.e. we convert fileless scripts into files in C:\ProgramData\Comodo\Cis\tempscrpt. If is the command-line interpreter. What you can do is:
1- You can trust them just like any other file
2- Or you can disable cmd.exe from command-line parsing from Settings->HIPS->Do Heuristics commandline analysis (Certain applications)
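As an added illustration of the mechanism the reply above describes (this is example code written for this page, not Comodo's implementation), the script below does the same thing in outline: it takes a powershell.exe or cmd.exe command line that carries its whole script inline (`-Command`, `-EncodedCommand`, `/c`), recovers the script text, and writes it out as a file so it can be rated like any other file. It also sketches the folder-based exclusion that is asked about later in the thread as a hypothetical policy. The switch handling, the `C_<interpreter>_<hash>.ps1` file name (modelled loosely on the `C_powershell.exe_***.ps1` names mentioned below), the `C:\Scripts` trusted folder and all sample command lines are this example's own assumptions, constructed for the demonstration.

```python
"""Added example (not Comodo's code): turn a script embedded in a powershell.exe
or cmd.exe command line into a file, as the reply above describes. Switch
parsing, the temp-file name and the trusted-folder policy are assumptions."""
import base64
import hashlib
import ntpath
import os
import re
import shlex
from typing import List, NamedTuple, Optional, Sequence

POWERSHELL_EXES = ("powershell.exe", "pwsh.exe")
CMD_EXES = ("cmd.exe",)
# Drive-letter path ending in .ps1 inside a command body (assumed heuristic).
SCRIPT_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'`;|&]+?\.ps1\b", re.IGNORECASE)


class EmbeddedScript(NamedTuple):
    interpreter: str  # basename of the interpreter, e.g. "powershell.exe"
    body: str         # script text recovered from the command line
    extension: str    # ".ps1" or ".cmd"


def _split(cmdline: str) -> List[str]:
    """Windows-style split: whitespace separates, only double quotes group."""
    lex = shlex.shlex(cmdline, posix=False)   # posix=False keeps backslashes
    lex.whitespace_split, lex.commenters, lex.quotes = True, "", '"'
    try:
        toks = list(lex)
    except ValueError:                        # unterminated quote
        toks = cmdline.split()
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in toks]


def extract_embedded_script(cmdline: str) -> Optional[EmbeddedScript]:
    """Return the script carried inline by the command line, or None."""
    tokens = _split(cmdline)
    exe = ntpath.basename(tokens[0]).lower() if tokens else ""
    args = tokens[1:]
    if exe in POWERSHELL_EXES:
        for i, tok in enumerate(args):
            # PowerShell accepts any unambiguous prefix of a switch name (-e, -enc, -c ...)
            sw = tok[1:].lower() if tok[:1] in "-/" and len(tok) > 1 else ""
            if not sw or i + 1 >= len(args):
                continue
            if "file".startswith(sw):            # -File: the script is already on disk
                return None
            if "encodedcommand".startswith(sw):  # base64 of UTF-16LE script text
                try:
                    body = base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    return None
                return EmbeddedScript(exe, body, ".ps1")
            if "command".startswith(sw):         # everything after -Command is the script
                return EmbeddedScript(exe, " ".join(args[i + 1:]), ".ps1")
    elif exe in CMD_EXES:
        for i, tok in enumerate(args):
            if tok.lower() in ("/c", "/k") and i + 1 < len(args):
                return EmbeddedScript(exe, " ".join(args[i + 1:]), ".cmd")
    return None


def under_trusted_folder(path: str, trusted_folders: Sequence[str]) -> bool:
    norm = ntpath.normcase(ntpath.normpath(path))
    roots = [ntpath.normcase(ntpath.normpath(f)).rstrip("\\") + "\\" for f in trusted_folders]
    return any(norm.startswith(r) for r in roots)


def should_materialize(cmdline: str, trusted_folders: Sequence[str] = ()) -> bool:
    """Hypothetical policy (not a documented product setting): skip the temp file
    when every .ps1 named in the embedded body lives under a trusted folder."""
    script = extract_embedded_script(cmdline)
    if script is None:
        return False
    paths = SCRIPT_PATH_RE.findall(script.body)
    return not (paths and all(under_trusted_folder(p, trusted_folders) for p in paths))


def tempscript_name(script: EmbeddedScript) -> str:
    """C_<interpreter>_<hash><ext>, after the C_powershell.exe_***.ps1 names in
    the thread; the content hash in the middle is this example's choice."""
    digest = hashlib.sha256(script.body.encode("utf-8")).hexdigest()[:12]
    return f"C_{script.interpreter}_{digest}{script.extension}"


def materialize(cmdline: str, outdir: str, trusted_folders: Sequence[str] = ()) -> Optional[str]:
    """Write the embedded script into outdir; return its path, or None if skipped."""
    if not should_materialize(cmdline, trusted_folders):
        return None
    script = extract_embedded_script(cmdline)
    path = os.path.join(outdir, tempscript_name(script))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(script.body)
    return path


# Constructed sample command lines (not captured from a real system).
ENCODED_PAYLOAD = base64.b64encode(
    'Write-Output "hello from a fileless script"'.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = {
    "encoded": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile "
               r"-WindowStyle Hidden -EncodedCommand " + ENCODED_PAYLOAD,
    "inline": r'powershell.exe -ExecutionPolicy Bypass -Command "Get-Process | Where-Object {$_.CPU -gt 100}"',
    "cmd": r'cmd.exe /c "whoami & hostname"',
    "trusted": r'''powershell.exe -NoProfile -Command "& 'C:\Scripts\Deploy\build.ps1' -Target $env:TARGET"''',
    "on_disk": r"powershell.exe -File C:\Scripts\Deploy\build.ps1 -Target prod",
}
```

Calling `materialize(SAMPLE_CMDLINES["inline"], some_dir)` writes the recovered `Get-Process | ...` text to `C_powershell.exe_<hash>.ps1` in that directory, while the `-File` sample and the `trusted` sample (with `C:\Scripts` in the trusted list) produce nothing. Note the weakness of a folder-based exclusion as written here: the command line only has to mention a script path under the trusted folder, and an attacker can do exactly that and then append arbitrary commands, so trusting the generated files individually or restricting which interpreters are parsed, as the reply suggests, is the safer control.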
Good to know it is by design. Do you have an idea why the number of detected unknown files is way bigger than the number of submitted files (which is actually 0) when automatic submission of sandboxed and unknown files is ON? Plus, when something gets quarantined there is no notification shown. Comodo is allowed in the Windows 10 notification settings app.
It’s probably related to how often you encounter/run it. In my opinion, it’s better to inspect those yourself rather than submit them. Also, a very high number of unknown scripts could indicate a possible compatibility issue (with the involved applications).
Only, I work with a lot of PowerShell scripts using variable arguments, and this creates really many C_powershell.exe_***.ps1 files and alerts. I understand I can exclude PowerShell from heuristic analysis, but isn’t there a way to avoid the script replication for scripts opened from a specific folder?
Thanks!
After about two and a half years, I think this question is still valid.
I wonder if there is today a way to avoid the script replication for the scripts opened from a specific folder. I have tried finding a solution, but not succeeded so far…