Defense+ doesn't confer file-group access rights to components of group [306]

The bug/issue

 1a) Created file group 'BOINC scr' containing:

      %appdir%\boincscr.exe
      %windir%\boinc.scr

 1b) established the following access rights for 'BOINC scr' file-group:

      a) ask all
      b) allow DNS Client Service
      c) Protected Files/Folders:
           /Device/Afd/Endpoint

 2a) Comodo alert - %windir%\boinc.scr requests access rights to:

      modify file - \Device\Afd\Endpoint

 2b) Comodo alert - %appdir%\boincscr.exe requests access rights to:

      DNS / RPC client access - target: RPC Control\DNS resolver

 2c) Comodo alert - %appdir%\boincscr.exe requests access rights to:

      modify file - \Device\Afd\Endpoint

 3) I expected no alerts (this security config resulted in no alerts w/Comodo 4.1 final)

 4) Deleted individual Computer Security rules for:

      %appdir%\boincscr.exe
      %windir%\boinc.scr

      'BOINC scr' file-group

      re-created 'BOINC scr' file-group w/aforementioned access rights

 5) BOINC v6.10.58 wxWidgets v2.8.10

Files appended:

 None

My set-up:

 1) CIS Premium v5.0.162636.1135 - proactive configuration

 2) imported antivirus, firewall & proactive configs from CIS v4.1.150349.920

 3) Security level:

 3a) Antivirus: stateful
     Firewall: custom (no create rule for safe apps; alert: high; all options checked; unchecked: ICS server; advanced: all except both ARP options)
 3b) Defense+: paranoid (general options: none; execution control: all options checked; handle unrecognized files as: untrusted)
 3c) enabled: all options checked, monitor: all options checked

 4) Win Server 2003 Std. Service Pack 2
 5) Ad-Aware 8.2.6, Spybot 1.6.2, Windows Defender
 6) CIS AV database version a/o 14 Sep 10 (updated to 18 Sep 10 a/o this posting)

Thanks, close enough to the format

It’s easier to copy and paste the format though in the end!

Forwarding now.

Could you add your OS account type and UAC mode please.

Also, if you were willing to try the same test with a clean install, and without the other anti-malware programs running, I would appreciate it. (Not obligatory)

That way the devs know whether it's a config import issue, a conflict issue or not.

Best wishes

Mike

I was just wondering whether %appdir% is a valid, standard, environment variable?

Just googled it with little success. Does not exist on my Win XP machine when I type ‘set’.

Maybe this is the problem?

Mouse

Under NT/2K/XP/Vista, nothing related, the closest one would be APPDATA.

But maybe this variable exists under 2K3, and even if not, the user might have created it as to customize (as i do myself) the installation folder of whatever third-party application.

Good point. Dunno if CIS supports user defined environment variables. No reason why it should not, I guess. Better wait for Dev feedback…

%appdir% actually intimates %AppDrive%\BOINC\ - where %AppDrive% is an environmental variable ‘place-holder’ to distinguish it from %ProgramFiles%. In any case, either environmental variable is actually immaterial in and of itself in that fully qualified pathnames to the two files are specified in the file-group. That notwithstanding, it appears that environmental vars are used by CIS for default protected files & folders (so that would be strange if that was the problem and they were actually being used).

The OS account type is ‘administrator’. I’m unclear what you mean by ‘UAC mode’

There’s something particular about file-group access rights in general. I have another file-group defined:

BOINC Projects consisting of:

%SystemDrive%\BOINC_Data\projects**
%SystemDrive%\BOINC_Data\slots**

Despite the fact that ‘BOINC Projects’ has DNS client access rights, %SystemDrive%\BOINC_Data\projects\boinc.bakerlab.org_rosetta\minirosetta_2.15_windows_intelx86.exe alerts with Defense+ request for DNS / RPC Client access with target being \RPC Control\DNS Resolver. That occurs when the minirosetta_2.15 application bombs and attempts to connect to MS edge cache network for symbols necessary to complete the debug. Since it's not anticipated that the BOINC applications have to phone anywhere this generates yet another alert: firewall access to the DNS zone (only the BOINC clients are defined in the DNS file-group - along w/any other application on the system requiring UDP access to the DNS zone on port 53 - and only the DNS file-group has a DNS zone IP access rule defined).

Furthermore, I’m unclear if this has anything to do w/Defense+ paranoid mode. Previously I’d been running in safe mode. However, at this time ALL BOINC applications for projects that I’m participating in have been submitted to Comodo for analysis. They all presently reside in the Trusted Client Files folder.
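The thread keeps circling back to whether the placeholders in the file-group entries are real environment variables. The checker below is an added example, not code from the thread or from Comodo: it expands Windows-style %VAR% references against a supplied environment (case-insensitively, as cmd.exe does), leaves unresolvable references in place, and reports which entries still contain an undefined variable. The environment and the third entry are constructed for the demonstration; the first two entries are the ones from the original post. The underlying point is an assumption about any product that matches rules by path: an entry whose placeholder never expands cannot match a real file, so the rule silently covers nothing and the application falls through to the per-file alerts described above.

```python
import re
from typing import Dict, List, Tuple

# A %NAME% token; NAME may not itself contain a percent sign.
ENV_REF = re.compile(r"%([^%]+)%")


def expand_entry(entry: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand %VAR% references in one file-group entry.

    Returns (expanded_path, undefined_names). Lookups are case-insensitive
    (Windows semantics); references that do not resolve are left verbatim,
    which is how cmd.exe treats an unknown %VAR%.
    """
    lookup = {name.upper(): value for name, value in env.items()}
    undefined: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = lookup.get(name.upper())
        if value is None:
            undefined.append(name)
            return match.group(0)  # keep the unresolved token as-is
        return value

    return ENV_REF.sub(substitute, entry), undefined


def check_file_group(entries: List[str], env: Dict[str, str]) -> Dict[str, dict]:
    """Expand every entry and flag the ones that reference undefined variables."""
    report: Dict[str, dict] = {}
    for entry in entries:
        expanded, undefined = expand_entry(entry, env)
        report[entry] = {
            "expanded": expanded,
            "undefined": undefined,
            "resolved": not undefined,
        }
    return report


# Constructed environment (assumption: a typical Windows layout, not the poster's).
SAMPLE_ENV = {
    "SystemDrive": "C:",
    "windir": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
}

# First two entries are from the thread's 1a); the third is constructed.
SAMPLE_ENTRIES = [
    r"%appdir%\boincscr.exe",
    r"%windir%\boinc.scr",
    r"%SystemDrive%\BOINC_Data\slots",
]


def unresolved_entries(entries: List[str], env: Dict[str, str]) -> List[str]:
    """Return the entries that would never match a real path because a variable is undefined."""
    report = check_file_group(entries, env)
    return [entry for entry, info in report.items() if not info["resolved"]]


if __name__ == "__main__":
    for entry, info in check_file_group(SAMPLE_ENTRIES, SAMPLE_ENV).items():
        status = "ok" if info["resolved"] else "UNDEFINED: " + ", ".join(info["undefined"])
        print(f"{entry:40} -> {info['expanded']:40} [{status}]")
```

Run against the sample data, %appdir% is reported as undefined while %windir% and %SystemDrive% resolve, which is exactly the distinction the thread needed before the poster clarified that the file group actually holds the literal paths E:\BOINC\BOINCscr.exe and C:\Windows\BOINC.scr.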

OK so just to check, are you saying that your 1a) contains an abbreviation? If so could you please post here the paths you actually have typed in to define the file group, and which actually appear on the alerts (screenshots would be great!). This will ensure that developers do not get confused.

Then I can consider a bug tracking system entry

Thanks very much

Mouse

Anything further on this WxMan?

Awaiting further info before giving this a tracking system ID.

Many thanks

Mouse

PM sent

Sorry about the delay, life got in the way.

I apologize for the confusion; to be clear, 1a is shorthand for the purposes of my original post (not actually a defined environmental variable). That is:

%appdir%\boincscr.exe
%windir%\boinc.scr

are explicitly stipulated in the file group as:

E:\BOINC\BOINCscr.exe
C:\Windows\BOINC.scr

It's been running fine with each individual app having its own rules defined in Defense+.

I’ll re-establish the Defense+ rules for the file group and post screenshots of the associated alerts when they occur the next time.

Thanks Wxman I appreciate it.

Mouse

Adding to tracking system