Curious firewall alert related to D+

This is something I’ve never seen before. It’s a firewall alert telling me D+ has identified a potential problem. That’s fine, only I have D+ completely disabled, along with the sandbox and the options for cloud scanning. I also don’t have the AV installed.

So, bearing that in mind, how is D+ performing malware analysis when it’s completely disabled and prevented from connecting to anything (I have cmdagent completely blocked in the firewall) ?

By the way, the file is clean according to Virustotal…

[attachment deleted by admin]

How did you disable D+? How did you disable the cloud look up?

I use the firewall installer (not that it matters) and only select the firewall component. I always check to ensure all of the additional components are disabled (D+, sandbox, AV, cloud)

[attachment deleted by admin]

Anyone have any thoughts about this?

Did you do a system restart after completely disabling defense+ ?

Numerous times. I’ve had the firewall running since I last imaged this system, that was several weeks ago. Also, D+ has never been enabled, as it wasn’t selected during installation.

You need to disable Defense+ by ticking the box (“Requires a System Restart”), the one in the first screenshot of the last group you posted.

Disabling with the slider is not enough; it still functions in some ways.

Dennis

Hi Dennis, as I said in my previous post, D+ has never been enabled. However, just to test this, I installed the firewall on another PC, again without selecting AV, D+ or the sandbox. I made sure everything was disabled, including having a tick in the box you indicated, and ran the program (the Bullguard Installer), and I received the same alert.

Amongst other things, what I can’t understand is why I’m getting a D+ alert in the firewall. I’ll see if procmon tells me anything…

As a continuation to this ‘curiosity’, I’ve found this exercise is always reproducible. Steps to reproduce:

  1. Download and install Comodo Firewall Installer (it actually won’t matter which installer is used)
  2. Deselect ‘Geekbuddy’
  3. Select only the firewall
  4. Don’t select Comodo DNS
  5. After installation, reboot
  6. Ensure D+ is disabled and tick box is checked
  7. Run the Bullguard Installer (can be found here http://www.bullguard.com/try.aspx registration required)
  8. Receive Alert pictured in first post
  9. In D+ disable Execution Image Control and deselect any check boxes.
  10. In D+ make sure Sandbox is disabled and deselect any check boxes
  11. In D+ deselect any check boxes under Monitor Settings
  12. Reboot
  13. Run the Bullguard Installer, receive Alert
  14. In D+ remove all entries under each tab in Computer Security Policy
  15. Reboot
  16. Run the Bullguard Installer, receive Alert.
  17. Under Network Security Policy (firewall) remove all auto-configured rules and block cmdagent.exe
  18. Run the Bullguard Installer, receive Alert
  19. Under D+ check for entries under Trusted/Unrecognised Files and also D+ logs. All empty.

Conclusion:

Even though D+ and all of its associated components are disabled, and even though all visible methods of communication between CIS components and the Internet are disabled, CIS still manages to produce D+/malware alerts, albeit under the firewall context.

Curious…

Interesting findings. Did you reboot after you ticked “Deactivate Defense+ permanently (Requires a system restart)” under point 6?

Hi Eric. The check box is ‘ticked’ by default, when installing the firewall component only. Point 6 is really just a confirmation that this has been done.

Any additional comments on this?

The term “Defense+” used here is a bit misleading…

This is CIS’s internal “behavior” analyzer. It is used to determine whether the action is flagged as “potentially malicious” and thus needs to show the “RED” alert screen, or how it determines that it’s a “Safe” application (code-signed or whitelisted) and then shows the “YELLOW” alert window, etc.

You can’t disable this analysis; it’s not a HIPS decision to determine “malicious” behavior, it’s CIS internals :wink:

Ah! So there’s D+ and Antivirus, which we can disable. Then there’s the ever so secret D+ and Antivirus, that no one knows about, which just keeps on running. Cunning… 8) :-X