Disable detection of installer settings still applies installer rights [M1488]

A. THE BUG/ISSUE (Varies from issue to issue)
Disabling the setting “Detect programs which require elevated privileges” will still detect and apply installer rights to trusted installers. This only applies to installers that are rated as trusted/installer. If an unknown installer is run with this option disabled, it will be sandboxed like any other unknown executable if the sandbox is enabled, or HIPS will generate alerts for every action performed by the installer if the sandbox is disabled.
Can you reproduce the problem & if so how reliably?:
Very reliably
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Uncheck ‘Detect programs which require elevated privileges’ under sandbox settings
2: Set HIPS to paranoid
3: Execute an installer that is trusted
4: Notice no HIPS alerts for any action carried out by the installer
One or two sentences explaining what actually happened:
Installer application was granted unlimited access with installer privileges allowing it full control.
One or two sentences explaining what you expected to happen:
I expected the installer to be treated as a normal trusted file that would generate HIPS alerts just like other trusted applications.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
N/A
Any software except CIS/OS involved? If so - name, & exact version:
Any trusted installer
Any other information, eg your guess at the cause, how you tried to fix it etc:

  1. In this video - YouTube you’ll notice that when executing a trusted installer with the setting disabled and HIPS set to Paranoid, no alert is displayed for any action performed by the installer, such as modifying a protected file/folder or executing another executable, and the active process list shows a rating of Trusted/Installer instead of a normal Trusted rating.
  2. Setting HIPS/Defense+ to Paranoid mode generates alerts for applications regardless of rating, which is what I have set in the video and explained in the bug report. Also when executing an unknown/installer with this setting disabled, the installer will be treated as a normal unknown file and either a) be sandboxed if the sandbox is enabled or b) produce HIPS alerts when the sandbox is disabled just as any other unknown application would when executed. The problem is that no HIPS alerts are shown when executing a trusted/installer whether the sandbox is enabled or disabled and with the option to detect installers being disabled as well with HIPS set to Paranoid mode. But running a normal trusted executable with HIPS in paranoid mode will generate alerts.
  3. Disabling the sandbox with this setting enabled or disabled and defense+ set to paranoid mode, running a trusted/installer still does not produce any alerts from defense+. But if I run any other executable that is rated as unknown, trusted, or unknown/installer, defense+ alerts are displayed.

B. YOUR SETUP
Exact CIS version & configuration:
CIS version 8.2.0.4581 Proactive configuration
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS=Paranoid, sandbox=disabled, firewall=safe mode, AV=Stateful
Have you made any other changes to the default config? (egs here.):
disable detect programs which require elevated privileges.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
N/A
if so, have you tried a clean reinstall - if not please do?:
Yes
Have you imported a config from a previous version of CIS:
No
if so, have you tried a standard config - if not please do:
Yes
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 SP1 x64, UAC=disabled, admin account, no virtual machine
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=N/A b=N/A


In this video - YouTube you’ll notice that when executing a trusted installer with the setting disabled and HIPS set to Paranoid, no alert is displayed for any action performed by the installer, such as modifying a protected file/folder or executing another executable, and the active process list shows a rating of Trusted/Installer instead of a normal Trusted rating.

Detect programs which require elevated privileges: Allows you to instruct the Sandbox to display alerts when an installer or updater requires administrator or elevated privileges to run.
cf. https://help.comodo.com/topic-72-1-623-7736-Configuring-the-Sandbox.html

If you disable that, you won’t get alerts. If you run a trusted installer, it won’t be sandboxed.

Trusted files are excluded from monitoring by HIPS - reducing hardware and software resource consumption.
cf. https://help.comodo.com/topic-72-1-623-7725-Manage-File-Rating.html

You have cloud lookup enabled, which will classify your file as trusted if it isn’t already, and you disabled installer alerts in sandbox settings–your trusted installer is neither monitored by HIPS nor sandboxed. I’m seeing it is working as intended…?

Setting HIPS/Defense+ to Paranoid mode generates alerts for applications regardless of rating, which is what I have set in the video and explained in the bug report. Also when executing an unknown/installer with this setting disabled, the installer will be treated as a normal unknown file and either a) be sandboxed if the sandbox is enabled or b) produce HIPS alerts when the sandbox is disabled just as any other unknown application would when executed. The problem is that no HIPS alerts are shown when executing a trusted/installer whether the sandbox is enabled or disabled and with the option to detect installers being disabled as well with HIPS set to Paranoid mode. But running a normal trusted executable with HIPS in paranoid mode will generate alerts.

Not according to the manual:

Paranoid Mode: This is the highest security level setting and means that Defense+ monitors and controls all executable files [b]apart from those that you have deemed safe[/b].
cf. https://help.comodo.com/topic-72-1-623-7731-HIPS-Settings.html
Twice the manual states HIPS doesn't monitor trusted files, in general and specifically in Paranoid Mode; installer trust setting is irrelevant.
Paranoid Mode: This is the highest security level setting and means that Defense+ monitors and controls all executable files apart from those that you have deemed safe. [b]Comodo Internet Security does not attempt to learn the behavior of any applications - even those applications on the Comodo safe list[/b] and only uses your configuration settings to filter critical system activity.

Although later in the same description:

Similarly, the Comodo Internet Security does automatically create ‘Allow’ rules for any executables - although you still have the option to treat an application as ‘Trusted’ at the HIPS alert. Choosing this option generates the most amount of HIPS alerts and is recommended for advanced users that require complete awareness of activity on their system.

Which is incorrect and should say: does NOT create ‘Allow’ rules.

Either way the help documentation is wrong in this regard, as I know exactly how defense+ operates in each of its modes and I can assure you paranoid will generate alerts for safe/trusted applications unless there are already allow rules defined in HIPS rules. I’ve been using Comodo since v3 and anyone else who has ever used paranoid mode can confirm its behavior.

I would like to add that even disabling the sandbox with this setting enabled or disabled and defense+ set to paranoid mode, running a trusted/installer still does not produce any alerts from defense+. But if I run any other executable that is rated as unknown, trusted, or unknown/installer, defense+ alerts are displayed.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Not fixed on Windows 7 & 10 with CIS version 8.2.0.4674

Still an issue on CIS 8.2.0.4703

I’ve updated tracker data.
Thank you.