I’m a long-time user of Comodo Firewall (since version 2 or 3). All I want is a network firewall. Over the years, Comodo has included more “features” enabled by default, and bundled crap like “GeekBuddy”, “Dragon Browser” and whatnot. I could manage to get only the firewall to install, and I thought I would be fine by disabling the HIPS/Sandbox/VirusScope. Apparently I’m wrong.
I keep getting these “Rating Scanner” alerts for some random executable files that I execute, although the “Enable Cloud Lookup” is disabled under File Rating Settings.
The latest such alert was simply for openssl.exe provided with Git-scm. I was running it in a loop, so I let you imagine clicking 100x on “Ignore and Report False Positive”…
All I want is to disable any sort of file rating/cloud stuff. I’m attaching screenshots of (what I think is) the relevant settings. Please let me know if I misconfigured something or if this is a bug. I’m going nuts.
Versions: Windows 8.1 Enterprise. This problem occurred with Comodo 10 or 11 (I don’t recall precisely), and I’m still having it now with 12.0.0.6810.
You may have at one point run a rating scan and it was detected, and then the rating is remembered each time it is executed. You can reset the rating by removing the file from the file list and re-running the application, or you can override the rating by changing it to trusted. But yes, you would need to disable cloud lookup to prevent cloud rating being applied to executables when they are launched.
How does one manually run a rating scan? Why do I keep having this problem for several different files over time?
I see in the File List under File Rating that Comodo keeps track of whatever I launch, even scripts. If I empty the list, save settings, run openssl.exe, then go back to the settings, all running processes are back to the list. Many are Unrecognized. But this activity shouldn’t even take place to begin with! I don’t want Comodo to track and rate the executables I’m running.
Cloud Lookup has been disabled for months, still having this issue. It’s as if the setting does not have any effect. I tried re-enabling it, then disabling it again without success.
I also note that in Blocked Applications, openssl.exe shows up as being “Blocked by Antivirus”! Also the “Last blocked” time is set to the last time I actually successfully ran it (just now)… Is this feature completely broken? Why is it blocked by “Antivirus” if HIPS/File Containment/File Rating/VirusScope/Website Filter are turned off?
You’ve disabled all the cloud options so CIS is not calling home. CIS will keep a local list of programs. The files that are trusted must be signed by a Trusted Software Vendor of which CIS has a local database. The fact that many unknown files show up means it cannot do a cloud lookup to see if individual binaries that don’t have a signature, or have a signature of a vendor that is not on the Trusted Software Vendors list, are known and rated. Those many unknown files are proof CIS is not phoning home.
4. I also note that in Blocked Applications, openssl.exe shows up as being "Blocked by Antivirus"! Also the "Last blocked" time is set to the last time I actually successfully ran it (just now)... Is this feature completely broken? Why is it blocked by "Antivirus" if HIPS/File Containment/File Rating/VirusScope/Website Filter are turned off?
Did you remove openssl.exe from the file list, as futuretech suggested, and launch it again? What happened when you launched it after removing?
Good to know! Then it’s weird the Rating Scanner Alert shows “CloudScanner.Trojan.Gen[at]2[at]1”…
At the time I received all the alerts, I ended up killing Comodo’s processes. After I relaunched Comodo, it did not complain anymore about openssl.exe being run. I removed openssl.exe’s entry from the File List (was marked as Unrecognized), but the entry gets recreated as soon as I run it again (although I get no alerts, but I’ve only run it a couple times).
It seems as if these Rating Scanner alerts are triggered by the behavior of the process. I was running openssl.exe many times, and it only started showing alerts after some time, so this could make sense. The other main scenario when such alerts happen is app installations. Comodo often flags intermediate .tmp files running (it even flags Skype’s update process :-X).
If that’s the case, again, how to disable this annoying “feature”?
At the time I received all the alerts, I ended up killing Comodo's processes. After I relaunched Comodo, it did not complain anymore about openssl.exe being run. I removed openssl.exe's entry from the File List (was marked as Unrecognized), but the entry gets recreated as soon as I run it again (although I get no alerts, but I've only run it a couple times).
Let us know if it shows up again. Comodo will put the verdict of all files it sees in File List. It's how it is made. In your case it won't do cloud lookups in that process.
It seems as if these Rating Scanner alerts are triggered by the behavior of the process. I was running openssl.exe many times, and it only started showing alerts after some time, so this could make sense.
The other main scenario when such alerts happen is app installations. Comodo often flags intermediate .tmp files running (it even flags Skype's update process :-X).
If that's the case, again, how to disable this annoying "feature"?
Thanks.
What do you mean by "it flags"? Do you get alerts or do you mean they show up in File List?
Yes I get alerts, like the first screenshot I posted. That’s what I don’t get: without cloud lookup, why are files monitored and how can alerts be raised? It sounds more and more like a bug to me :-\
I’m puzzled by it as well and don’t know a way of figuring out if an actual cloud lookup gets performed or not. Maybe a Wireshark wizard could try to figure it out.
Can you provide exact steps to get the alert when you run openssl from git? Or which installers you use that also generate the cloud scanner alert. I’d like to try to replicate it.
Actually, I’m keeping a log of all connections thanks to NetLimiter. The alerts started at 2:30 PM, but from 2:00 to 2:35, and if I believe NetLimiter, I only see Comodo making a few connections after the alerts (between 2:33 and 2:36PM). Although it appears that quite some data was sent out (2.94 MB + 2.11 MB), this should not have anything to do with the first alerts. On a side note, I’m curious as to why Comodo was sending so much data out to some apparently random IP and ports. Does it appear legit? (note: I’m in Canada).
Path: c:\program files\comodo\comodo internet security\cmdagent.exe
Location: Canada (Hamilton, Ontario)
IP Address: 69.4.89.246
Port: 35985
Data In: 6.31 KB
Data Out: 2.94 MB
First transfer time: 2019-04-22 2:33:28 PM
Last transfer time: 2019-04-22 2:36:28 PM
Hostname: 246.89.4.69.in-addr.arpa
Path: c:\program files\comodo\comodo internet security\cmdagent.exe
Location: Canada (Hamilton, Ontario)
IP Address: 69.4.89.248
Port: 37796
Data In: 4.46 KB
Data Out: 2.11 MB
First transfer time: 2019-04-22 2:33:28 PM
Last transfer time: 2019-04-22 2:36:28 PM
Hostname: 248.89.4.69.in-addr.arpa
The thing is that it does not happen consistently. I haven’t found a way to reproduce yet. I re-ran the same thing and now it’s fine… I’m trying to trigger the alerts again (!) to find a pattern.
Yes, Git - Downloading Package. Version 2.21.0. But remember it’s not deterministic, you likely won’t have any alert out-of-the-box. I’m trying to trigger Skype updates, as I remember this used to be more consistent (yet today it doesn’t seem to be…). Thanks for investigating.
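The timing check described in the post above, written out as an added example (not part of the original thread and not Comodo or NetLimiter code): it parses the pasted connection records and separates cmdagent.exe connections that were active just before the alert from those that only began afterwards. The record layout, the 60-second window and the function names are assumptions.

```python
from datetime import datetime, timedelta

# The two NetLimiter records quoted in the thread, trimmed to the fields used
# here. The "Key: value" layout with one record per "Path:" line is assumed
# from that paste, not from NetLimiter documentation.
SAMPLE = r"""
Path: c:\program files\comodo\comodo internet security\cmdagent.exe
IP Address: 69.4.89.246
Data Out: 2.94 MB
First transfer time: 2019-04-22 2:33:28 PM
Last transfer time: 2019-04-22 2:36:28 PM
Path: c:\program files\comodo\comodo internet security\cmdagent.exe
IP Address: 69.4.89.248
Data Out: 2.11 MB
First transfer time: 2019-04-22 2:33:28 PM
Last transfer time: 2019-04-22 2:36:28 PM
"""
TS_FORMAT = "%Y-%m-%d %I:%M:%S %p"

def parse_records(text):
    """Group 'Key: value' lines into dicts; a 'Path' line starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "Path":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def split_by_alert(records, alert_time, process, window=timedelta(seconds=60)):
    """Return (candidates, later): remote IPs of `process` connections that were
    active in the `window` before the alert, and of those that began after it."""
    candidates, later = [], []
    for rec in records:
        if not rec.get("Path", "").lower().endswith("\\" + process.lower()):
            continue
        first = datetime.strptime(rec["First transfer time"], TS_FORMAT)
        last = datetime.strptime(rec["Last transfer time"], TS_FORMAT)
        if first > alert_time:
            later.append(rec["IP Address"])      # began after the alert
        elif last >= alert_time - window:
            candidates.append(rec["IP Address"])  # active just before the alert
    return candidates, later

if __name__ == "__main__":
    alert = datetime(2019, 4, 22, 14, 30)  # "alerts started at 2:30 PM"
    print(split_by_alert(parse_records(SAMPLE), alert, "cmdagent.exe"))
```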
I’ve made some progress. After a fresh restart (I rarely do so), Comodo systematically triggers an alert for openssl even when I simply do “openssl version”. I was able to see with Wireshark that no connection is made by Comodo at the time of these alerts. If I report a false positive, openssl.exe is listed as Trusted in the File List, after which it doesn’t show alerts anymore. If I remove this entry and rerun openssl, alerts come back right away.
The connections I referred to earlier actually correspond to the submission of openssl.exe when I clicked several times on Ignore and Report False Positive. I’ve seen this happen again right after I clicked on that button. So that’s fine.
I tried on a fresh Windows and Comodo installation, imported my Comodo settings, installed Git-scm and executed “openssl version”, and the alerts don’t happen… I tried to run it in the same fashion as on my machine, and I’m still not able to trigger the alerts.
Could it be because my actual Comodo installation has been updated several times from older versions and over time inconsistencies can build up? (I know I could simply uninstall, reinstall, restore my config, but if “saving my config” also saves inconsistent settings, that doesn’t help).
Also, I clicked on the “?” button on one of these alerts, which pointed me to Antivirus, Firewall, HIPS, Containment, Internet Security Alerts | Internet Security. This page says that I’m seeing alerts because the ‘Settings > Antivirus > Realtime Scan’ setting is enabled. But wait, I don’t have an “Antivirus” section in the Settings menu!?
I’ve done this (save config, uninstall Comodo, reboot, install Comodo, restore & activate config, reboot), and the problem seems gone… At least I can’t trigger these alerts as simply as by running openssl.exe or launching it many times. Same behavior as on the fresh install I tried separately.
I will see in the long run if this problem is completely solved or not. I guess the lesson here is that ■■■■ builds up.