COMODO Internet Security 4.0.132838.716 RC Bug Reports [LOCKED]

I’m using Windows 7 X86 and Avira Security Suite 10 Beta.

Whenever I access a link from Yahoo! Messenger (link from status or checking my e-mail) I get the attached error. The webpage loads anyway.
How can I solve it?

[attachment deleted by admin]

In the Summary report, Defence+ shows: 63 suspicious events blocked.
When I clicked to see them it was Yahoo! messenger. See the attached picture.

Yahoo! is in the trusted software list, my Defence+ is set to “Clean PC mode”. Why are these being blocked?!
Or they’re not blocked and it’s a reporting bug?

LE: They are really blocked. I can’t even start many programs as Defence+ blocks them and they are being shown in that list… “Sandboxed as…”.
What’s this? Why is it sandboxing programs by default? They are clean and safe… I thought sandbox should be clever…

[attachment deleted by admin]

OS: Windows XP SP3 32bit updated to the latest post-sp3 Service packs
CIS Version: 4.0.132838.716
D+ configuration: Comodo Proactive Security Defaults
D+ mode: Safe mode
Account type: Administrator

Description:

  • CIS 3.12.111745.560 and previous versions alerted the user when Rundll32.exe attempted to load any non-safelisted DLL, regardless of its path, whereas they allowed Rundll32 to run safelisted DLLs without alerts.

It doesn’t look like there will be any amendment to the current design, though there might have been other viable alternatives to fulfill a more consistent default-deny approach:

  • Provide the old design through an Opt-in setting (disabled by default)
  • Sandbox RunDLL instances which launch unrecognized DLLs (enable old design when sandbox is disabled)
  • Introduce new config with wildcards to replace ?: (whenever ?: rules are not actually meant to be applied to all drives) and distinguish between removable and NON-removable devices, e.g. create a RunDLL32 allow-rule for HDs:*.DLL (rule-dependent behaviour)

Eh… no. The problem is even safe applications are giving me pop-ups. cmdagent for example. Or Firefox. Or uTorrent. Or QIP. Or anything from Microsoft. The funny thing is that it tells me it is a safe application.

Regarding my previous two reported issues, Comodo started to act normally only after I stopped and started Yahoo! and all other programs again.
I also unchecked “Runs sandboxed automatically all unknown programs”.

A little odd behavior for Yahoo! …

Hi all,

Sorry, but CIS RC allows all outgoing requests.

That can’t be true when firewall level is “custom policy mode”.

I posted it during the beta testing phase.

Andreas

Running great here on XP Pro sp3. :-TU Had about 4 pop-ups after install.

Config - Proactive
Sandbox - Enabled
Defense+ - Safe
Firewall - Safe
AV- Stateful

*Uninstalled previous CIS 4 beta and did clean install.

OS: Windows XP SP3 32bit updated to the latest post-sp3 Service packs
CIS Version: 4.0.132838.716
D+ configuration: Comodo Proactive Security Defaults
D+ mode: Safe mode

General Information:
This issue was reproduced using latest Notepad2 4.0.24-rc2.

Notepad2 4.0.24-rc2 introduces support for a seamless replacement of notepad.exe using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe Debugger option

Previous Notepad2 4.0.23 looks unable to trigger the following issue.

Steps to trigger the atypical COM alerts:

  • Clicking on the Save in combobox of Notepad2 Save As… dialog triggers a Protected COM interface alert with C:\WINDOWS\system32\svchost.exe as target

Issue description:

  • Blocking the above mentioned atypical COM alerts will trigger the same alert again.

NOTES:

  • Allowing the above mentioned atypical COM alerts won’t cause the alert to be repeated.
  • If “Remember my answer” is kept ticked while allowing the above mentioned alert there won’t be any duplicate in Blocked COM interface of Notepad2.exe policy

Other Version affected:

Can you please verify if the following files are still available or recoverable?

C:\ProgramData\Comodo\Firewall Pro\cisdata.sdb
C:\ProgramData\Comodo\Firewall Pro\cislogs.sdb

These provide all alerts shown, including which application triggered what. This would provide very helpful information for the devs to be able to fix your problem…

Seems you need to move to Pro-active mode to remove the Allow all outgoing requests.

How you can have a default Firewall that allows everything out I think is strange; it may as well not be there!

OS: Windows7 32/64bit updated
CIS Version: 4.0.132838.716
D+ configuration: Comodo Proactive Security Defaults
D+ mode: Safe mode

Description:
Safe surf alert is incompatible with Mozilla Firefox 3.6

[attachment deleted by admin]

Are you using a PATCHED version of this Yahoo! Messenger? Can you please compress and upload that file here for me to check?

OS: Windows XP SP3 32bit updated to the latest post-sp3 Service packs
CIS Version: 4.0.132838.716
D+ configuration: Comodo Proactive Security Defaults
D+ mode: Safe mode

Description:
Unrecognized applications are silently allowed to write to protected folders or write files with a protected extension in %USERPROFILE%* paths. Such file-writes won’t be trapped by sandbox file-virtualization.

End result: Unrecognized and sandboxed apps will be able to silently write any files in the start menu folders, create executable files on the desktop, etc. whereas such actions will trigger alerts when sandbox is disabled.

I am afraid I can’t reproduce this issue. However, I can’t seem to notice you reported D+ in Safe Mode. The application you mentioned is in the safe list and it should not have triggered any alerts at all.

Is this a clean installation of CIS without importing any previous configuration?

Yes. They are allowed to CREATE new files but not modify any existing files in unimportant places. This is by design. Because file system virtualization is not enabled on auto-sandboxed applications by default.

It is a clean install. It looks like the Notepad2 2.1.24-rc3 is safelisted but Notepad2 4.0.24-rc2 is not.

I’ll attach the old version I’ve been using since it doesn’t look like it is provided anymore on its developer site.

[attachment deleted by admin]

Now I can reproduce. Thx.

Unrecognized applications are hence allowed to drop a DLL in %USERPROFILE%, create a few links on the desktop and start menu subfolders to launch such a DLL with Rundll32, and even assign an icon of an application whose path is known (maybe also by reading existing .lnk files).

Dropping files in user profiles and creating malicious links is something already abused, whereas in these scenarios it would be all that is needed to bypass the automated sandboxing (the chance for the user to start those DLL apps himself, or by exploiting the %USERPROFILE%\Start Menu\Programs\Startup folder).
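
A defender-side check for the scenario described in the post above, as an added example that is not part of the thread or of Comodo's code: it flags shortcuts whose target is rundll32.exe and whose DLL argument lives under a user profile, and raises the verdict when the link sits in a Startup folder. The record format (lnk_path, target and arguments, as exported by a separate shortcut parser), the profile roots and all sample paths are assumptions.

```python
import ntpath

# Assumed profile roots (XP and Vista/7 layouts), lower-cased for comparison.
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\", "%userprofile%\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

def dll_from_rundll32_args(arguments):
    """Extract the DLL path from a rundll32 command tail ('path.dll,Entry ...')."""
    tail = arguments.strip()
    if tail.startswith('"'):              # quoted path, may contain spaces/commas
        end = tail.find('"', 1)
        return tail[1:end] if end != -1 else tail[1:]
    return tail.split(",", 1)[0].strip()  # unquoted: path ends at the first comma

def triage_shortcut(record):
    """Return None (ignore), 'review', or 'high' for one shortcut record."""
    if ntpath.basename(record["target"]).lower() != "rundll32.exe":
        return None
    dll = ntpath.normpath(dll_from_rundll32_args(record["arguments"])).lower()
    if not dll.startswith(PROFILE_ROOTS):
        return None                       # e.g. shell32.dll Control Panel links
    link = ntpath.normpath(record["lnk_path"]).lower()
    return "high" if STARTUP_MARKER in link else "review"

def triage_all(records):
    """Return (lnk_path, verdict) for every shortcut that needs attention."""
    verdicts = ((r["lnk_path"], triage_shortcut(r)) for r in records)
    return [(path, v) for path, v in verdicts if v]

# Constructed sample records (hypothetical paths, not taken from the thread).
SAMPLE = [
    {"lnk_path": r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\Updater.lnk",
     "target": r"C:\WINDOWS\system32\rundll32.exe",
     "arguments": r'"C:\Documents and Settings\alice\helper.dll",Start'},
    {"lnk_path": r"C:\Documents and Settings\alice\Desktop\Notepad.lnk",
     "target": r"C:\WINDOWS\system32\rundll32.exe",
     "arguments": r"%USERPROFILE%\helper.dll,Start"},
    {"lnk_path": r"C:\Documents and Settings\alice\Desktop\Display.lnk",
     "target": r"C:\WINDOWS\system32\rundll32.exe",
     "arguments": r"shell32.dll,Control_RunDLL desk.cpl"},
    {"lnk_path": r"C:\Documents and Settings\alice\Desktop\Editor.lnk",
     "target": r"C:\Program Files\Notepad2\Notepad2.exe", "arguments": ""},
]

if __name__ == "__main__":
    for path, verdict in triage_all(SAMPLE):
        print(verdict, path)
```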

Windows XP SP3, 32 bit

ComodoSE.exe is sandboxed over and over, when Thunderbird 3.0.1 is running, and I can’t even find the file. :-\

I have CSE 2.5.0.27, but have renamed ComodoSE.exe to ComodoSE.-exe, and now I have deleted it. It’s still being sandboxed, according to D+ Events. It’s not in My Pending Files… :-\

2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt
2010-02-17 21:33:43	C:\Program\Comodo\SecureEmail\ComodoSE.exe	Körd i sandlåda som	Reguljärt

OS: Windows 7 Ultimate 32bit
CIS Version: 4.0.132838.716
D+ configuration: Comodo Proactive Security Defaults
D+ mode: Safe mode

General Information:
Auto AV updates customised to prevent half hourly updates.

Issue description:

Disabled AV updates on all scan types except SCHEDULED. When running a manual scan, it still attempts to do an AV update. This method worked with the previous BETAs.