To know for sure that a system file is the original file, you can use Sigcheck to see if it is digitally signed by Microsoft.
Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done, run sigcheck.reg to add it to the registry.
When this is done, navigate to the Windows folder, look up and select the file you want to check, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
Sigcheck v1.70 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\explorer.exe:
Verified: Signed
Catalog: C:\Windows\system32\CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.16562.cat
Signers:
Microsoft Windows
Microsoft Windows Verification PCA
Microsoft Root Certificate Authority
Signing date: 08:24 a.m. 04/06/2010
Publisher: Microsoft Corporation
Description: Windows Explorer
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
I also checked the file in VirusTotal and found it safe/clean.
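Sigcheck is a manual, one-file-at-a-time check. The same verification can be scripted with PowerShell's Get-AuthenticodeSignature, which also resolves catalog-signed files such as explorer.exe above. This is an added example, not code from the post or from Sysinternals; it assumes Windows 8 or later with PowerShell 3+, where catalog lookups work, and the file list is a constructed default.

```powershell
# Added example (not from the forum post): batch-check the Authenticode status
# of Windows system binaries and flag anything not validly signed by Microsoft.
# Assumed environment: Windows 8+ / PowerShell 3+ (catalog signatures resolve).
param(
    [string[]]$Paths = @("$env:SystemRoot\explorer.exe",          # constructed sample list
                         "$env:SystemRoot\System32\svchost.exe",
                         "$env:SystemRoot\System32\cmd.exe")
)

function Test-SystemFileSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; Signer = $null; Microsoft = $false }
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Trust only a chain that validates AND whose leaf certificate belongs to
    # Microsoft: a "Valid" signature from some other publisher on a file living
    # in %SystemRoot% is exactly the case that deserves a closer look.
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = $signer
        Microsoft = $isMicrosoft
    }
}

$results = $Paths | ForEach-Object { Test-SystemFileSignature -Path $_ }
$results | Format-Table -AutoSize

# Anything that fails the check is a candidate for a VirusTotal lookup or for
# comparison against a known-good copy from installation media.
$suspect = @($results | Where-Object { -not $_.Microsoft })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} file(s) are not validly signed by Microsoft: {1}" -f
        $suspect.Count, ($suspect.Path -join ', '))
}
```

HashMismatch on a file that Sigcheck reports as signed usually means the file was modified after signing, which is the case the post is trying to rule out.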
Why would explorer access cis.exe memory so many times? It's really unusual; however, I remember it has happened before.
As to why it is happening I can only speculate. CIS is protecting itself and that's what counts. Even Trusted Applications cannot access CIS files in memory.
On a related side note: as wj32 pointed out once, it makes no sense for a program, when it is not allowed to do something like accessing another process in memory, to keep on trying.
If explorer (or any process for that matter) is attempting to access a resource, and it is denied for an inexplicable reason (i.e. Comodo has intercepted it and stopped it from doing so), its error handler will probably notice this and make another attempt to access the resource.
It will probably do so in a loop until a timer expires, and eventually return to the process with an "access is denied" error.
It usually does this because not all applications are multi-threaded and oftentimes resources are accessed in a blocking manner. It needs to loop and try again to mitigate race conditions.
I should also note that I whitelisted my browser, and have explorer.exe permissions "allow" on everything, and Comodo is still blocking all sorts of inter-process communications. It simply will not comply with my exception lists or rules.
Even trusted programs are not allowed to access CIS processes in memory.
I strongly advise against allowing memory access by a browser. :P Browsers are in the front line of the web and are an important attack vector for malware. They should not have this type of access to security programs' processes.
That's an important reason why the sandbox and virtual desktop are so important in Comodo's strategy; you can run your browser in a secure environment, mitigating a lot of dangers. By allowing memory access you seriously compromise the overall security of your system.
It might just be that I'm doing something wrong (I'm new to Comodo), so I'll definitely have to check out that video, and continue reading the help and these forums (thanks!).
However, the process seems a bit vague and overly complex. After doing some minimal configuration, I set it to training mode to "flesh out" my configuration.
It's looking like you have to explicitly define each and every rule by hand, which seems like a daunting process.
Anyways, I made a post addressing my issue (in this forum). Hopefully someone can clear up a few questions I have.
Thanks!
Edit: @EricJH
Thanks, I understand this. Good advice, nonetheless. This was only for testing purposes, to get a hang of the process of defining rules in the HIPS … I also have been having problems getting the sandbox to work. I outline this in my post.
Even trusted programs are not allowed to access CIS processes in memory.
Just noticed you said CIS; in my case, it was blocking explorer.exe from accessing dragon.exe, and vice versa. Although I whitelisted both, it continued to block until I created "groups" and added explicit exceptions.
I'll have to double-check things in the morning though (this is my first run with Comodo's firewall). Like I said, I might be doing something wrong.
I do have a few questions though. Like, where is the direct access to the groups manager? The only way I could find to access it was through right-clicking exceptions in "behavior blocker". Very vague.
Groups can also be accessed from Protected Objects.
Then how should I interpret D+ logs? Explorer attempted to access a CIS folder file memory but failed, even though it's flagged as memory access? Shouldn't it be flagged as "memory access denied" or "memory access blocked", for example?
I'm having a hard time interpreting D+ logs most of the time because I'm not sure if HIPS actually blocked (or allowed) xxxx.exe from accessing yyyy.exe memory, since it's flagged as "memory access".
Some days ago I installed a game inside a restricted Sandboxie sandbox. When launched, HIPS pop-ups appeared and alerted me that randomgame.exe was trying to install a global hook in two system32 DLLs. I allowed it, since the game is installed inside a sandbox with no Internet access and it can't modify my real system32 DLLs. Then another HIPS pop-up appeared alerting me that randomgame.exe attempted to access the DNS/RPC client. I blocked it and set it to remember the answer; I assumed that every action made inside a sandbox wouldn't touch my real system, but I didn't want to take my chances. However, every time I launch the game I get this "randomgame.exe DNS/RPC client access \RPC control\DNSResolver" message in D+ logs although I've set it to block this request, and svchost also makes some random connections.
So I'm not sure if HIPS is actually blocking or allowing this request.
If it gets flagged as memory access then it is memory access. I can see how mentioning the path information can be confusing.
Your question makes for a good wish. Please consider making one in Wishlist -CIS.
The D+ logs will log blocking and sandboxing. It does not log what is being allowed.
Are you running those games in the Behaviour Blocker (or automatic sandbox) or did you run them in the Sandbox (which is fully virtualised)? Those are two different types of sandboxes. The first one uses rights limitations, whereas the second relies on virtualisation.
So, let's say for instance I run an unknown program installer and HIPS alerts me that unknowninstaller.exe wants to create a folder on the disk, or wants to modify a registry key. If I allow it, would I get any D+ log event? Or is the event logged before I take any action (block/allow)?
I ran the Tor installer a couple of nights ago, allowed it to install, and then three event logs flagged as install hook, direct disc access, and key modify appeared in D+ logs. Maybe it got logged before I decided to let the Tor installer install the browser.
The same thing happened with an IExplorer ActiveX add-on.
It's worth mentioning that I don't think the BB autosandbox has had anything to do with those logs, even though the Tor installer got sandboxed before the installation.
Neither; I installed and launched the game inside a Sandboxie restricted sandbox (no Internet access allowed). I don't use Comodo's full virtualization for testing software because I'm not sure if Comodo firewall would block fully virtualized applications from accessing the Internet, and most games won't work with my untrusted autosandbox from BB.
The reason I'm mentioning this is not because Sandboxie may have had a leak (that's not Comodo's business); the reason I'm mentioning this is because I've set CIS HIPS to block every request from randomgame.exe to access the Windows DNS client, and every time I run the game I get this DNS/RPC client access log in D+ logs and svchost starts behaving strangely (accessing network resources).