OS: Windows XP SP3 32bit updated to the latest post-sp3 Service packs + KB971029
CIS Version: 4.0.644.127486
D+ configuration: Comodo Internet Security Defaults
D+ mode: Safe mode
D+ Image Execution control: Normal
This differs from CIS 3.12.111745.560 and previous versions, which alert when Rundll32.exe loads a DLL even using the “Comodo - Internet Security” configuration defaults (image execution control disabled).
Such Rundll32 alerts, triggered when a DLL is loaded, provided a way to prevent the execution of the code contained in that DLL and a chance to have the D+ heuristic Severity rating displayed on the alert to warn about eventual malicious behavior.
It is possible to reproduce a Rundll32 based DLL-execution scenario for testing:
Using Rundll32 (eg: %windir%\System32\RunDll32.exe C:\EventRecorder\MacRcrd.dll,PlayFile) to launch a DLL provided in the Screen Event Recorder DLL/Application article (to download it requires registration of an account, free of charge).
OS: Windows XP SP3 32bit updated to the latest post-sp3 Service packs + KB971029
CIS Version: 4.0.644.127486
D+ configuration: Comodo Internet Security Defaults
D+ mode: Safe mode
1. Some protected paths in My protected files defaults include a leading ?:\ wildcard to specify all drives (C:\, D:\, etc.), though D+ was unable to trigger “Protected File/Folder” access rights alerts for paths that pertained to USB removable devices (FAT32 USB-key disk).
2. The All applications policy blocked section of the “Run an executable” access right includes a ?:\Recycle?* rule, though D+ is unable to silently block execution of applications launched from paths that pertained to USB removable devices (USB-key disk) but will display execution alerts.
Non-removable HDs are not affected. I’ve not tested if other access rights that apply to USB removable device paths might be affected.
If a USB removable device is assigned a drive letter (eg. I:):
It is possible to use a notepad application to create a new I:\autorun.inf without alerts.
Launching an application whose path is I:\Recycled\app.exe will trigger an alert regardless of whether a related “All applications” rule is meant to silently block execution from ?:\Recycle?*
A workaround tested only on XP involves the use of \Device\Harddisk?\DP(?)\ to create additional entries with a replaced ?:\, whereas this appears to match only USB Mass Storage Devices (eg adding \Device\Harddisk?\DP(?)\autorun.inf to My protected files and \Device\Harddisk?\DP(?)*\Recycle?* to All applications blocked exceptions) and not non-removable HDs.
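As an added illustration, not code from the original post or from Comodo, the following Python checks which of the rule patterns quoted in the post match a drive-letter path versus the \Device\Harddisk?\DP(?)\ form the workaround adds. It assumes fnmatch-style semantics for the wildcards (? = exactly one character, * = any run of characters, case-insensitive); whether D+ evaluates its rules exactly this way is an assumption, and the sample paths and the Harddisk/DP numbers in them are constructed.

```python
import fnmatch

# Rule patterns as quoted in the post: the default ?:\ forms and the
# \Device\Harddisk?\DP(?)\ workaround entries added beside them.
PROTECTED_FILE_RULES = [
    r"?:\autorun.inf",
    r"\Device\Harddisk?\DP(?)\autorun.inf",
]
BLOCKED_EXEC_RULES = [
    r"?:\Recycle?*",
    r"\Device\Harddisk?\DP(?)*\Recycle?*",
]

# Constructed sample paths: a USB stick mounted as I:, the same files
# written as kernel device paths (the Harddisk/DP numbers and the suffix
# after DP(1) are made up), and a file on a fixed C: drive.
SAMPLE_PATHS = [
    r"I:\autorun.inf",
    r"\Device\Harddisk1\DP(1)\autorun.inf",
    r"I:\Recycled\app.exe",
    r"\Device\Harddisk1\DP(1)0-0+3\Recycled\app.exe",
    r"C:\Recycled\app.exe",
]


def rule_matches(rule: str, path: str) -> bool:
    """Assumed D+ wildcard semantics: ? is one character, * is any run,
    comparison is case-insensitive. fnmatchcase escapes the backslashes
    and parentheses in the rule, so only ? and * act as wildcards."""
    return fnmatch.fnmatchcase(path.lower(), rule.lower())


def matching_rules(rules, path):
    """Return every rule in `rules` that matches `path`, in rule order."""
    return [r for r in rules if rule_matches(r, path)]


def coverage_report(rules, paths):
    """Map each path to the rules that match it; an empty list marks a
    path that no rule in the set would catch."""
    return {p: matching_rules(rules, p) for p in paths}


def uncovered_paths(rules, paths):
    """Paths with no matching rule at all, i.e. the gaps to add entries for."""
    return [p for p, hits in coverage_report(rules, paths).items() if not hits]


if __name__ == "__main__":
    for name, rules in (("My protected files", PROTECTED_FILE_RULES),
                        ("Run an executable / blocked", BLOCKED_EXEC_RULES)):
        print(f"== {name} ==")
        for path, hits in coverage_report(rules, SAMPLE_PATHS).items():
            print(f"{path:50} -> {hits or 'no rule'}")
        # With only the ?:\ rules, the device-form paths would be reported here.
        print("uncovered:", uncovered_paths(rules[:1], SAMPLE_PATHS))
```

Running it shows that the leading ?:\ wildcard matches only the drive-letter spelling of a path, and that a device-form path is reached by no default rule unless the separate \Device\Harddisk?\DP(?)\ entry is present; the * after DP(?) in the blocked-execution entry is what lets that rule absorb whatever follows the DP(?) component before \Recycle.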
No Other Security. No Utility Software Installed that’s running real-time or loading drivers on start up.
Step by step description to reproduce the issue:
-from the main GUI click waiting for you review
-either re-size/stretch the screen enough or maximize it
-the Delete File button doesn’t stay with the rest of its team mates
-this can be repeated as many times as wanted
How I tried to resolve the problem: Click on the Delete File button, but that only temporarily removes it. We want it to stick together with the other buttons.
Fraps does run, but the GUI never shows and it takes up massive amounts of CPU. When I close it, it crashes MSN and Windows Live Mail. This FIX works even IF the sandbox is off.
Same setup as above (CIS without AV installed and Defense+ using predefined Proactive Security config. Left Sandbox settings on default).
This one’s about an audio player I use called AIMP, which isn’t recognized by CIS as safe or trusted.
I launch it and received two alerts. When I either click Cancel or Block, it still allows the drivers to load.
This was tested with Defense+ in Clean PC mode and then in Safe Mode; and on both occasions, I checked to make sure there were no rules in Defense+ Policy. I also tested with the Remember option enabled on both alerts and manually re-added aimp.exe to the My Pending Files with the same results.
Two other behaviours I noticed:
If aimp.exe is in the pending list, whenever I launch it after 1 second, I can’t move its GUI around. I think the sandbox is what keeps a “hold” on it even though it isn’t when I go inside the Sandbox screen.
After the above step 1) is done, CIS automatically removes aimp.exe from the pending list.
Update:
Figured out the culprit to 1) - with the default Sandbox options enabled, Defense+ did not alert the keyboard access (see 3rd screenshot). I disabled Sandbox and re-tested to notice this missing alert.
The only way it was blocked on my system was to choose Block All Mode in the firewall settings.
–EDIT–
I found the leak. Under Network Security Policy/Application Rules, there was an entry to Allow All Applications Out! I deleted the rule, now the Leak Tester is blocked.
so far I’ve had to reinstall my Intel 3945ABG wireless and UltraNav drivers…not quite catching the installs, but much better than v3 already…give it time, we’ll all be hounding the devs like crazy…lol
oh…always forget this:
win7 x64
vipre av
scrolling didn’t work in Firefox with UltraNav - reinstalled driver…good now…but possible bug
wireless got the exclamation point 5 minutes after laptop stabilized…CIS detected the network though…I think it maybe reacted too late to let me allow the drivers…uninstalled and reinstalled wireless drivers…ok now, but again, possible bug…when I reinstalled the drivers I had to do a few allows…
I am running Windows 7 64bit.
Using the stealth ports wizard I set it to alert me to each connection on a case by case basis. Under this setting it failed.
Where is the windows explorer contextual menu option Comodo Antivirus Scan ???
I have custom policy firewall and defense plus on paranoid and the leak test did not pass through.