Defense + || Save changes? NO! Changes Saved! REBOOT AGAIN!!!

Hi,
I got a repeated warning so I opened Comodo → Advanced Settings → Defense+ → HIPS. Didn’t find anything. Canceled. Was asked whether I wanted to save changes. I made NO CHANGES. Answered NO to save changes. Comodo replies CHANGES SAVED! REBOOT NOW.

Closed everything and rebooted. Suddenly, every second another alarm from every one of my programs. Access is denied to all of my Perl scripts. I run a daemon which looks for .cmd files in a temp dir, runs them to update my database with new pictures. There are many programs which interact. The .CMD files all get numbered with database ID like exifreq.305801.cmd. I am doing thousands. It asks for every one. They all have unique names based on database table IDs.

I tried to allow a directory, my personal bin directory and the .cmd file directory. I get a bogus error message about not being able to add empty files. They are both directories filled with hundreds of files, not empty files.

I need to tell it to leave my Perl scripts alone and any child process they spawn.

And, for every one of my Perl scripts, I get a separate warning that it is monkeying with the registry. I NEVER, EVER touch that monstrosity.

How do you cancel an unwelcome reboot??? My workstation is unusable.

I split your post from another topic. It’s not clear how it had gotten there. Your problem deserves its own topic.

To try to tame the plethora of alerts, did you try rebooting again?

If that does not help, can you show us the D+ logs from around the time things started to happen? This will help us learn what repeated warning you were getting.

Severe BUG, Program logic contradiction:

Case Trusted file=c:/bin/exif2db.pl. “Trusted by security components and marked SAFE”…

The OTHER file in UNRECOGNIZED FILES: C:/bin/exif2db.pl “Not recognized by security components”

The same file is in 2 places simultaneously, being both TRUSTED and NOT-RECOGNIZED by the same security components.

This program’s left hand has no idea what its right hand is doing.

It also thinks something has been done when nothing has been done. “Do you want to save your changes?” Exploring a menu item and hitting CANCEL should NOT cause any change. It’s confused.

“DO YOU WANT TO SAVE YOUR CHANGES”. It’s a simple yes or no answer. Here, yes means yes and no means yes. It appears to be impossible to have it forget changes it made up.

I had to reboot. Then I had to turn off HIPS entirely. I trust the programs I wrote.

In writing this, I checked the HIPS settings to be sure I had the terminology right. Hitting SANDBOX, IT just enabled HIPS mode on its own before my very eyes! “Why would you look at a setting if you did not want it ON?”

“You have unrecognized files… would you like to review them?” If I hit NO, it will no doubt let me review them, change HIPS permanently, scramble all file, directory, network, service and system permissions again and demand a reboot. What do you want to bet? Here goes. NO!!!

IT did let me review them when I told it not to. But, it failed to discombobulate the entire system this time. That’s promising.

The program c:/bin/exif2db.pl which periodically scans c:/temp/exif.req for files like exifreq.305668.cmd jumped back onto the UNRECOGNIZED list even though I just moved it from there to the TRUSTED FILES list.

It crashes trying to connect to the database:
DBI connect(‘database=asset;host=127.0.0.1:3306’,‘brianp’,…) failed: Can’t create TCP/IP socket (10013) at c:/bin/Bpbfct.pm line 9740.

How do I tell this program once and for all to leave my programs alone? I need a firewall, not the Keystone Cops running amok within my system. When I tell it a program I wrote is fine, it must not turn around at its next opportunity and block it. I need to have everything in my bin directory and a number of working directories absolutely off limits. No lookey, no touchy, no changy!!! Is this possible???

Advanced Settings, Trusted Files, Add, Folders, select “c:/bin” (in which ls | wc → 134 files), OK. RESULT: COMODO Firewall: “Empty file(s) cannot be added to the Trusted Files List. OK”. Comodo clearly has no concept of file vs directory, full of 134 files vs empty. Am I reading this wrong or is this program absolutely insane!!!

How does one place a set of programs and directories permanently out of the clutches of a program which shares the concept of boundaries with Vladimir Putin?

But Wait! There’s MORE!!

I found the “Define exclusions for blocking behavior” and put in c:/bin/*, NO (X) to EXClude children. Just what I need.
Run C:/bin/exif2db.pl from the “EXCLUDE FROM BLOCKING DIRECTORY”. It crashes immediately.

Log file shows 48 “unknown programs” blocked.
c:/bin/exif2db.pl >> Modify Key >> HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters (( Connecting to DB?? ))
C:\bin\exif2db.pl >> Modify File >> \Device\Afd\Endpoint (( Redirecting STDOUT to a log file ))
C:\bin\exif2db.pl >> Sandboxed As >> Partially Limited (( SHOT DOWN in FLAMES!!! ))

My pet program is “EXCLUDE FROM BLOCKING” as long as it does not use the network or the file system.

And, all of the worker threads are instantly blocked: C:\temp\exifreq\exifreq.305663.cmd. These filenames have numbers from the database so they must necessarily change every single time. How do you nail down a set of files which constantly has new members added to it?

Do I dare monkey with turning off “Enable enhanced protection mode (RESTART)” or will it reset all permissions again in addition to costing a dreaded reboot??

This stuff worked happily for weeks. Did the engineers over there just add a new, killer feature in the last day or 2??? Can we back it out and never allow it back in again??

Try giving c:/bin/exif2db.pl the Trusted Application policy in HIPS rules. In case c:/bin/exif2db.pl spawns new processes give it the Installer/Updater policy.

Eric,
Under HIPS behavior blocker → exclusions, I excluded my entire bin directory. Before Comodo goes ballistic, it needs to check these exclusions. Why are “EXCLUSIONS FROM BLOCKING BEHAVIOR” options included if they are ignored?

I gave this particular program the full list of Super-Powers and for the moment it is working. I would rather not have to do this for each of dozens of scripts, many of which are edited on a frequent basis.
Looking at the advanced, security settings, only proactive is ACTIVE, firewall is not. All I need is the firewall.

I seem to remember being here before, clicking on one of these and being asked if I wanted to save changes. I answered no. It saved anyway, destroyed all existing settings bouncing me back to maximum-paranoia-hair-on-fire mode and I spent the next hour clicking bogus security false alarms. On this page FIREWALL IS NOT ACTIVE…

On advanced, firewall, firewall settings, the enable firewall box is checked. What is the difference between ACTIVE and ENABLED? Do I have a firewall that will attempt to block internet evildoers? Do I need to ACTIVATE the firewall in addition to ENABLING it to make it work?

From yesterday, I found this program, exif2db.pl, on both the TRUSTED list and on the UNRECOGNIZED list. There appear to be semantic difficulties with the concepts of EXCLUSION, TRUST AND RECOGNITION. What differences between the concepts of ACTIVE and ENABLED do we need to know about?

Am I getting no security popups because the firewall is NOT ACTIVE?

Since you have an application rule for a script CIS won’t flag if it was changed.

Maybe it would be worth seeing if you can make a limited set of rules with wildcards and create application rules for them. Use either the Trusted Application or Installer/Updater policy.

> Looking at the advanced, security settings, only proactive is ACTIVE, firewall is not. All I need is the firewall.
>
> I seem to remember being here before, clicking on one of these and being asked if I wanted to save changes. I answered no. It saved anyway, destroyed all existing settings bouncing me back to maximum-paranoia-hair-on-fire mode and I spent the next hour clicking bogus security false alarms. On this page FIREWALL IS NOT ACTIVE…
>
> On advanced, firewall, firewall settings, the enable firewall box is checked. What is the difference between ACTIVE and ENABLED? Do I have a firewall that will attempt to block internet evildoers? Do I need to ACTIVATE the firewall in addition to ENABLING it to make it work?

Proactive Security is a configuration setting with certain default settings. It of course has a firewall. It also has Defense+, the HIPS, active; that’s one of the points where it differs from the Internet Security configuration.

> From yesterday, I found this program, exif2db.pl, on both the TRUSTED list and on the UNRECOGNIZED list. There appear to be semantic difficulties with the concepts of EXCLUSION, TRUST AND RECOGNITION. What differences between the concepts of ACTIVE and ENABLED do we need to know about?
Since that is a changing file it will end up on both lists. These lists work with hash codes and are compared to offline and online databases. Since you added it to Trusted Files it is there. And when you later changed it, it was unknown and ended up on the Unrecognised Files list. See if purging the list helps to get rid of them.

When using an application rule in HIPS rules the hash check is bypassed. You can if you like remove the file from Trusted and Unrecognised Files list.

> Am I getting no security popups because the firewall is NOT ACTIVE?
Your firewall is active. Depending on Firewall Behavior Settings (http://help.comodo.com/topic-72-1-522-6314-Firewall-Behavior-Settings.html) the firewall may be set to not show pop up alerts.
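As an added illustration (not from this thread or from Comodo) of the point above: a Trusted Files entry is keyed by the file's hash, so any edit to a script moves it off the list, while a wildcard application rule matches on the path and so keeps covering edited scripts and freshly numbered exifreq.*.cmd workers. The script contents and the two rule patterns are constructed for the example; the matcher uses Python's fnmatch, not Comodo's own rule engine.

```python
import fnmatch
import hashlib

# Constructed sample: an "original" script and the same script after a small edit.
ORIGINAL_SCRIPT = b"#!perl\nuse Bpbfct;\nscan('c:/temp/exif.req');\n"
EDITED_SCRIPT = b"#!perl\nuse Bpbfct;\nscan('c:/temp/exif.req'); # tweak\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_allowlisted(content: bytes, trusted_hashes: set) -> bool:
    """Hash-based trust (Trusted Files style): any byte change drops the file off the list."""
    return sha256_hex(content) in trusted_hashes


def rule_allowlisted(path: str, rule_patterns: list) -> bool:
    """Path/wildcard application rule: matched by name, so content changes do not matter.
    Paths are normalised to lower-case backslashes because Windows paths are case-insensitive.
    Note fnmatch's '*' also crosses directory separators, so 'c:\\bin\\*' covers subfolders."""
    norm = path.replace("/", "\\").lower()
    return any(fnmatch.fnmatchcase(norm, p.replace("/", "\\").lower()) for p in rule_patterns)


def demo() -> dict:
    trusted = {sha256_hex(ORIGINAL_SCRIPT)}  # what the Trusted Files entry stores
    rules = [r"c:\bin\*", r"c:\temp\exifreq\exifreq.*.cmd"]  # constructed wildcard rules
    return {
        "original_by_hash": hash_allowlisted(ORIGINAL_SCRIPT, trusted),  # True
        "edited_by_hash": hash_allowlisted(EDITED_SCRIPT, trusted),  # False: hash changed
        "script_by_rule": rule_allowlisted("c:/bin/exif2db.pl", rules),  # True
        "worker_by_rule": rule_allowlisted(r"C:\temp\exifreq\exifreq.305663.cmd", rules),  # True
        "stray_by_rule": rule_allowlisted(r"C:\temp\other\unrelated.cmd", rules),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```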