I use the firewall with custom rules.
In the latest updates, Python script filtering has been improved, but unfortunately the rules management doesn't work well with some Python scripts, and Comodo seems unable to save the rules, continuously asking whether I want to allow internet access for the same scripts. It makes a new rule for every execution, saving in
C:\ProgramData\Comodo\Cis\tempscrpt
tons of different
C_python.exe_somehashcode.cmd
for the same script (one for each execution).
To reproduce the issue: set the Firewall to use custom rules, download qBittorrent x64 and try to use the torrent search feature, which is based on Python. For every search CIS will ask you if you want to allow internet access, despite you having set it to remember the rule.
All these rules have been created for the same script.
Cmd can be executed by malware to erase or modify files on our PCs. Before it was blocked, now execution is isolated in auto-containment; even so, in certain cases cmd can execute malicious commands.
CIS must identify what script has been launched and save the rule according to my decision, not create a different rule each time for the same command. Blocking CMD commands and script launches is correct; the inability to save the rule is a bug.
Turn off embedded code detection for Python in Settings > Advanced Protection > Miscellaneous > "Do heuristic command-line analysis for certain applications" link > switch off under the Embedded Code Detection column for python.exe.
This lowers the security level of the firewall. As I have said, the problem isn't in the detection itself, which is correct, but in the way the firewall saves the rules, which for some Python scripts doesn't work well, probably due to a bug or poor rules management.
If you look at the contents of those cmd scripts in the tempscrpt folder, you will notice each one is different, which is why you have so many: each script has a different name due to the hash being different. Those hex digits represent the hash of the file.
The script is the same, only the argument is different; these cmd files are generated by CIS,
and the Firewall shouldn't calculate the hash of the whole command. The hash should be based on what script is requiring internet access, and the rule should list the related script, not such temp cmd files. It's clear that something is wrong and this isn't correct behavior.
You don’t have to try Torrent software. Windows 10 is already enough to run into these issues.
Scheduled tasks periodically create sets of files running Dismhost and the cleanup manager as part of Windows updates and system checks.
As these activities usually happen when the system is unattended (in the middle of the night), pop-ups won’t be confirmed.
It would be nice to have as part of the heuristic scanning of scripts a component that recognizes safe scripts and allows them to run without further firewall/HIPS pop-ups.
Assuming you are referring to trying to use Python and/or the ‘Search Engine’ feature in qBittorrent that requires python, then as futuretech has already stated, you will need to disable ‘Embedded Code Detection’ for python.exe.
You can try and leave ‘Heuristic Command Line Analysis’ Enabled.
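The difference discussed in the thread between keying a rule on the whole command and keying it on the script being run, as an added example that is not Comodo's code and not from any poster. The script path, the sample runs, the function names and the truncated SHA-256 digest are assumptions made for illustration; the thread does not say how CIS computes the hash in the file name.

```python
import hashlib
import ntpath
import subprocess

# Constructed sample: one script run three times, only the search term differs.
SCRIPT = r"C:\example\search\search.py"  # hypothetical path, not from the thread
SAMPLE_RUNS = [["python.exe", SCRIPT, term] for term in ("ubuntu", "debian", "fedora")]

VALUE_OPTS = {"-W", "-X"}  # interpreter options that consume the next argument


def _digest(text):
    # SHA-256 truncated to 16 hex chars; a stand-in for the product's unknown hash.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def key_whole_command(argv):
    """Rule key over the full command line: changes whenever an argument changes."""
    return _digest(subprocess.list2cmdline(argv))


def key_by_target(argv):
    """Rule key over interpreter + what it runs, ignoring the script's arguments."""
    interp = ntpath.normcase(ntpath.basename(argv[0]))
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-c", "-m") and i + 1 < len(argv):
            # Embedded code is identified by its own text, a module by its name.
            kind = "code:" + _digest(argv[i + 1]) if arg == "-c" else "module:" + argv[i + 1]
            return (interp, kind)
        if arg in VALUE_OPTS:
            i += 2  # skip the option and its value
            continue
        if not arg.startswith("-"):
            return (interp, "script:" + ntpath.normcase(ntpath.normpath(arg)))
        i += 1
    return (interp, "interactive")


if __name__ == "__main__":
    for run in SAMPLE_RUNS:
        print(key_whole_command(run), key_by_target(run))
```

With the second key, a remembered allow or block decision would match every later run of the same script, while embedded `-c` code still gets a distinct key per distinct code string.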