Current CIS 10 vs Comodo Leaktest

devilbat66 · January 28, 2018, 2:19am

Running Comodo Leaktest against current CIS 10.1.0.6476 and CLT.exe seems to be trusted by Comodo Cloud. But when disabling the cloud and removing CLT.exe from file list, it will still show up as trusted upon another execution. I have to change CLT.exe rating to Unknown 2 times for it to be treated as unknown and HIPS needs to be in paranoid mode to block all tests and then get 340/340 score (with Auto-Containment disabled).

Is it happening with anyone else? Is it a bug or some internal component of CIS is classifying CLT.exe either as Trusted or an Installer? I’ve tested also with Spyshelter’s Antitest.exe and despite Antitest.exe being trusted by Cloud, once Cloud is disabled CIS passes every test just fine.

umesh · January 28, 2018, 10:56pm

will check.

devilbat66 · January 29, 2018, 7:13am

Thank you Umesh. I think I discovered what is happening: I modified CLT.exe with ResourceHacker (removed CLT.exe icon) and re-launched it, all tests passed while in Safe Mode. I think CLT.exe hash was being somehow trusted by CIS. I will inform the whitelisting guys about this. Thanks.

futuretech · January 29, 2018, 3:23pm

Yes CLT is trusted in FLS. And if you remove it from the list and disabled cloud lookup then run clt again you won’t get any HIPS alerts despite file list indicating it is unrecognized. Umesh does this have to do with file rating cache logic?

umesh · January 29, 2018, 3:38pm

Hi Guys,

Seems we have couple of versions of CLT.exe, may you please share SHA-1 of the file you used?

May you please provide the SHA-1 of the file to comment further?

Thanks
-umesh

futuretech · January 29, 2018, 3:44pm

519C595797B293F4977654C8C61AE80DC735B703

umesh · January 29, 2018, 4:18pm

Thanks, safe sign has been removed from file now, so you should see CIS treating it unknown. Seems it was whitelisted by mistake

Regarding following:

In case application is executed and found Safe, unless you exclusively go to File Rating section and change rating to “Unrecognized”, it will be in cache and in quite possible we may have Safe sign in AV bases also.

So best is to change file rating if you want CIS to treat it in specific manner.

Thanks
-umesh

devilbat66 · January 29, 2018, 5:25pm

at umesh and futuretech,

The hash of the CLT.exe I used first was 519c595797b293f4977654c8c61ae80dc735b703 the same one mentioned by futuretech. It is showing up as unknown on my end, but its actions are only blocked while in Paranoid Mode. I think it has something to do with file rating caching like futuretech said. But I am satisfied because when I changed CLT.exe’s icon (for its hash to be changed) then CIS passed all tests while in Safe Mode, so all good now. :-TU