Determine rating as soon as network is connected, before cis.exe launch [M1461]

1. The full product and its version:
COMODO Internet Security 8.2.0.4474

2. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one:
Windows Home Premium SP1 - x64 (Fully Updated)
This is my real machine.

3. List all the configuration changes you did. Are you using Default configuration? If no, what's the difference?:
Proactive Security Config - I just turned HIPS off…
Attached.

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
It is a clean install of new Beta.

5. Other Security, Sandboxing or Utility Software Installed:
Zemana Free Antilogger ( No conflict with this on this issue)

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: I restarted my machine, CIS takes some time to load itself
2: You can run any unknown software until CIS GUI is loaded
3: Then, the unknown software can run without sandbox

7. What actually happened when you carried out these steps:
CIS cannot sandbox unknown application while it is starting…

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
CIS needs to sandbox the unknown application even if it cannot load… this looks vulnerable for every user…

9. Any other information:
This is clean install of Windows, there were no other security product before CIS…CIS is the only antivirus software on this windows installation.
Required files are attached.

[attachment deleted by admin]

Confirmed using CIS 7, CIS 8.1, CIS 8.2 beta.

Thank you, yigido, for your report. I’ve lost all hope that I will ever see real startup protection again. Over the years, I’ve watched protection being delayed longer and longer. First, this was the fix for driver problems. Windows 8 destroyed startup protection for good because of what it wants to do before logging in and going to the desktop. I now have startup and shutdown scripts to enable and disable my network card, so at least I don’t have to worry about internet connections during boot-time. My present system = Windows 7 (64-bit).

Recently, for about 2 weeks, I installed Windows 7 (32-bit) so that I can use Malware Defender again (from 360.cn, not the virus). This is the startup protection that I am looking for. I disabled learning mode and rebooted. Beautiful. No startup programs will load, not even an anti-virus program. Whatever was blocked shows in the logs, and an allow rule can be created by right-clicking on the log entry. DO NOT try this with Windows 8. You will not be able to get to the login or apps screen.

I have some hope that startup protection will get slightly better with Windows 10, but the good old days are gone forever.

Thank you Yigido for the report.

We will check and work on how we improve start-up protection.

Kind Regards
Buket

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Sorry to hijack, but I believe this issue is related to how CIS deals with unknown applications when CIS is not running/loaded. I made a bug report stating the opposite: that CIS is blocking unknown apps when it shouldn’t, unless the option to block all unknown requests when the application (CIS) is not running is enabled. See here: https://forums.comodo.com/format-verified-issue-reports-cis/cis-blocks-all-unknown-actions-when-cis-is-closed-m1438-t110021.0.html;msg799181#msg799181. It would be nice to get developer feedback on what this option is used for.

I guess there has been a discussion about this already in the tracker. These are the key points that came out of the discussion:

  1. Malware cannot create autoruns
  2. Machine is not pre-infected
  3. User would not start unknown programs until CIS has loaded

Now there is a new wish that came out of this discussion. “Should be a setting for the Behavior-Blocker, for use when computer is infected (eg infected before CIS install), which ensures that unknown early-starting programs (eg Services & other autostarts) are behavior blocked or virtualised. Like that HIPS has.”

These are two different things. On startup, HIPS is not working until the CIS GUI is loaded, but if you unload the GUI after a successful system load, then HIPS is working by existing rules, like the setting "Do not show alerts - Block requests".

Hi yigido,

Apparently, this is by design. It was reclassified as an enhancement, not a bug, because unknown apps are not allowed to add autorun entries. What you are suggesting is a potential mechanism whereby cmdagent.exe should be able to look up unrecognised files on FLS and TFL without relying on CIS.exe. Additionally, it implies that it should not use HIPS (but you may use it against such theory; you are protected anyway).

Moving to Wish board. Changed title; hope that it’s OK with you. Thanks.