D+ not working properly in CIS 5.8 final?

I was testing CIS 5.8 like I always did before and noticed something strange. When executing a few samples from MDL, many of them never spawned any popup, the sandboxed popup never appeared and the sandboxed number remained at 0 (zero). I also tested the LockEmAll ransomware malware (you can find it on MDL by the same description). It ripped right through CIS 5.8 and installed itself. First I thought it’s the partially Limited rule that isn’t restrictive enough so I switched it to Untrusted. Repeated the test and guess what, the problem remained. I did fully update CIS prior to testing and also performed one last reboot before actually testing in order to really have it fully enabled and loaded.

Testing environment:

  • Latest version of VMWare Player (currently v4.x, HDD image was created with 3.x)
  • Latest VMWare Toolbox installed inside VMWare
  • Windows XP SP3 32bit, not fully updated (intentionally)

Anyone else experienced similar issue?

on win7 x64 there is a similar problem for some people using avast’s sandbox testing tool. the thread is in the beta section, but the problem persists with the final.

the odd thing is… it seems to only affect an unlucky few. :-[

I have complained here on several occasions about an identical problem. Yesterday when I tested this again a malware file was even placed in the trusted files list!

Nice to notice I am not alone in this.

Don’t worry, well don’t mean in that way! Am sure it will be resolved asap as always! :smiley:

Well, in most cases it’s a matter of settings. In my case, Comodo is bypassed entirely. Raising the settings heavily didn’t change anything. Antivirus worked fine but D+ didn’t at all.

The funny thing is that D+ works a couple of minutes after installation, but then it becomes quiet. Otherwise lack of D+ seems to make my computer much faster…
Also having W7 64 bit. Maybe the advanced security meant for 64-bit systems works the opposite, it disables D+.

Well, I’ve tried with that enhanced thing enabled and disabled (default) and it made no difference. It was dead silent in either case. Good thing that I tested, because blindly relying on otherwise superior D+ would make my systems vulnerable…

Such mistakes should never happen and even if they somehow do, they should be treated with top priority. But so far no one bothered to even comment on this matter. Not exactly a trustworthy sign…

I can’t confirm your findings.
I tested some malware on my real Win 7 x64 (proactive profile, sandbox off) and it seemed there wasn’t any bypass.

Well, it bypassed in my case and I have no intention of using my main system as a guinea pig.

I think for the major part of CIS 5.8 users it works, otherwise Comodo would not have released it. Something is different in our systems that prohibits its work.
Personally I have never relied very much on this kind of defense system and I have not been infected in those 20 years I have used pc-computers. Maybe I am just lucky…
But it would anyway be nice to get D+ working.

read this for a change

https://forums.comodo.com/bug-reports-cis/cis-58-bug-that-crashed-cis-and-windows-t77531.0.html

You could try exempting the whole Vmware program directory and any sub-directories from BO protection.

Latest version of Vmware appears to object to this CIS function

Best wishes

Mouse

I’m running CIS inside VMWare, not along with it…

I understand. But CIS 5.8 could be de-stabilising VMware, just possibly. Not likely, I agree, but…

Well, virtualization software shouldn’t work any differently than the host. Especially not the one that’s using hardware virtualization.