I have been using Comodo CIS 18.104.22.16818 for several months now with Windows 10 1809. I have also been using the utorrent BitTorrent client for more than 10 years. Starting 2 days ago, I received 3 different HIPS alerts.
1. utorrent_2.2.1_build_25302.exe could not be recognized and is about to access the DNS/RPC Client Service.
2. utorrent_2.2.1_build_25302.exe could not be recognized and is about to modify the protected registry key HKLM\Software\WOW6432Node\Microsoft\SystemCertificates\Root.
3. utorrent_2.2.1_build_25302.exe could not be recognized and is about to access the keyboard directly.
I have heard of exploits with utorrent where a malicious actor can gain control of a PC through the client’s vulnerabilities. So this combined with these alerts has me spooked. I checked the logs and apparently I clicked accept for number 1 and deny, terminate and reverse for 2 and 3. I’ve been using utorrent with Comodo CIS for some time and this only started happening a couple of days ago. Does this look like a real attack or false positive? And if real, how do I go back and change my response for number 1?
Those are not exploits or attacks.
- the client is requesting use of the DNS services; it is probably going to be difficult to make connections without that access.
- the client is trying to load certificates, probably to handle and verify encrypted traffic.
- the client is requesting access to the keyboard; it probably won't respond to user input without this.
However, that is an older version of utorrent and could have unpatched vulnerabilities.
What I don't understand is why I have never seen these alerts before, all in the same day. Perhaps there was a Comodo update to prompt this? Yes, you are correct in that this is an old version of the software. This version is touted by many as the last "good" version before the developer started adding advertising and other bloatware. I have not had any alerts up until now, and I've been using Comodo CIS with utorrent for months, and utorrent since about 2006. This incident had me thinking about moving to qBittorrent, but I'd like to get some resolution on these utorrent alerts first.
"3. the client is requesting access to the keyboard; it probably won't respond to user input without this." I'm trying to understand why utorrent needs access to the keyboard.
Sometimes the file lookup service is down, and if CIS cannot reach the lookup server the rating is set to unrecognized. Also check whether the application is digitally signed and, if so, check the vendor rating in the vendor list; it may have been changed to unrecognized.
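A way to run the two checks suggested above from an elevated PowerShell prompt (is the executable still validly signed, and did anything actually land in the machine root certificate store that HIPS alert #2 refers to). This is an added example, not from anyone in this thread; the executable path is a placeholder and the 14-day window is an arbitrary choice.

```powershell
# Added example (not from the thread). Placeholder path: point it at the real binary.
$exe = 'C:\Path\To\utorrent_2.2.1_build_25302.exe'

# 1. Signature status and signer. 'Valid' with the expected publisher is what a
#    'trusted' vendor rating in CIS should correspond to; 'NotSigned' or
#    'HashMismatch' means the file on disk is not what the vendor shipped.
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    Status    = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    NotBefore = $sig.SignerCertificate.NotBefore
    NotAfter  = $sig.SignerCertificate.NotAfter
} | Format-List

# 2. Root certificates whose validity period started recently. Genuine trust
#    anchors from the Windows root program tend to be years old, so a freshly
#    minted root appearing here right after the alert is the thing to look at.
#    A torrent client has no legitimate reason to add trust anchors.
$cutoff = (Get-Date).AddDays(-14)
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -gt $cutoff } |
    Select-Object Subject, Issuer, Thumbprint, NotBefore |
    Format-Table -AutoSize

# 3. The registry key HIPS flagged, read directly. Each subkey under
#    Root\Certificates is named after the certificate's SHA-1 thumbprint, so the
#    list can be compared against the thumbprints printed in step 2.
Get-ChildItem 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates\Root\Certificates' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName
```

If step 1 reports Valid and step 2 shows nothing new, the alert was CIS failing to rate a known file, not a change the client actually made to the trust store.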
I'm assuming you are referring to the setting "enable cloud lookup", which I have checked? Does it behave this way even though I have the vendor in the vendor list and it's marked as trusted?
The file is digitally signed by BitTorrent Inc on 5/17/2011. I checked the vendor list in Comodo advanced settings (BTW, there doesn't seem to be an easy search function; you have to scroll through a long list) and found two occurrences of the vendor BitTorrent Inc that appear to be identical. They were both rated as trusted. And all the vendors in the list seem to have the same date and time of 4/28/19.
Given all this information and assuming file lookup service being down was the cause of the 3 alerts, would it be recommended to roll back the changes for the 3 different alerts and see what happens?
I am now using the "CruelComodo" firewall settings, and utorrent was blocked by the firewall, as HIPS is disabled in CruelComodo. The utorrent file was signed and marked as trusted by Comodo, but the signature was old, like 2011 old. Could this make a difference? I went in and unblocked utorrent, opened up the vendor list and changed the user rating to trusted. So now both the Comodo and user ratings are set to trusted. No more blocks so far.