Files in Comodo's Whitelist but not Trusted Thru Part of KillSwitch [M402]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Yes, I can reproduce this every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    First of all, there are actually more than two files which are in the whitelist, but not trusted by Comodo. However, I singled out two (“locale.nls” and “SortDefault.nls”) as I checked them specifically. Thus, I am concentrating on those two files, although there are also others. I submitted these files to be whitelisted here although I thought they were already in the whitelist. They were finished being processed here and it was confirmed that they are in the whitelist, and this must therefore be a bug in this post.

To see this bug open up KillSwitch through CIS. Then, go to View and select the option to “Show only the Untrusted Images in Memory”. After they are done being analyzed you will see many files still remaining. I believe that many of these are actually trusted, but affected by this bug. I have attached a screenshot of part of this list. Anyway, of these files, “SortDefault.nls” and “locale.nls” are listed as Unknown, although they have been confirmed to be in the whitelist.

  • If not obvious, what U expected to happen:
    If a file is in the whitelist it should be flagged as trusted, not unknown.
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    I’m not sure. Perhaps it is the file type which is causing the problem. However, regardless of the file type, if it’s in the whitelist it should be flagged as trusted.
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)
    I have attached the diagnostics and KillSwitch Process dump. Both of these were run while KillSwitch was open and showing the trusted files as untrusted.

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration:
    CIS version 6.1.276867.2813
    Default Configuration

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
  • Have U made any other changes to the default config? (egs here.):
    No, it is default settings.
  • Have U updated (without uninstall) from a CIS 5?:
    No, this was a clean install.
    • if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS:
    • if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x64 (fully updated), UAC disabled, Real System, run as administrator.
  • Other security/s’box software a) currently installed b) installed since OS: a)None b)None


Sorry for the delay in giving this a tracker number


This is not fixed with CIS version 6.2.282872.2847.

Here are screenshots of the details for both SortDefault.nls and locale.nls.

I never installed any additional language packs, unless one came pre-installed with this ASUS laptop. Also, my KillSwitch Process Dump should show which applications are running on my computer. Please let me know if there is any additional information which could be helpful.



I just checked, and the digital signature for CIS.exe is okay. The digital signature for virtkiosk.exe is okay as well.

I have received feedback from the devs that they have confirmed this bug and that it will be fixed (although there are no promises as to when the fix will be available).

This is not fixed for CIS version 6.3.294583.2937.

I have updated the tracker.

This is not fixed for CIS version 7.0.313494.4115. I have updated the tracker.

Hi Chiron,

Could you please tell me how to run the NLS file?

Thank you. I have replied in the tracker. If you require any further information, or have anything you would like me to try, please feel free to ask.

Thanks again.

I tried to reproduce the bug, but the result is correct. Could you please check the steps I did:
1. Run a program to load the common.dll (like QQ.exe)
2. Open Killswitch on CIS
3. “Show only the Untrusted Images in Memory”: there are “locale.nls” and “SortDefault.nls”, and they are “unknown”
4. Open Advanced setting of CIS -> File Rating -> Trusted Files -> Add “locale.nls” and “SortDefault.nls”
5. Close Killswitch and reopen it, “Show only the Untrusted Images in Memory”
Result: there are no “locale.nls” and “SortDefault.nls”; find the “locale.nls” and “SortDefault.nls” in properties of winit.exe, they are trusted.

Please check the steps and tell me if there is a difference compared with your steps. Thank you very much.

So I didn’t reproduce this bug.

I cannot reproduce this any more either. In previous versions it did not allow me to add the files to the whitelist, but this version allows that. Thus, this is fixed and I will submit the files for whitelisting. I will move this to Resolved.

Thank you.


You should re-open this one. Confirmed from my side.



This is indeed the exact same file, shown by comparing SHA1. I just checked, and I am once again seeing the same behavior on my computer as well. Thanks very much for pointing this out.

I have now re-opened this in the tracker and will move this bug report back to format verified.


Additional information,

This issue is not present in the stand-alone version which can be found here:

Thank you for checking this. I have updated the tracker with the new information.

This is not fixed for CIS version I have updated the tracker.

Should be fixed with CIS moving to resolved and a separate but related bug has been filed in the tracker.