V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)
Having installed Firewall only I have noticed for some time that I get file entries in the “UNRECOGNIZED FILES” for files that were not started before and no matter on which partitions those files are located.
Since I have installed Firewall because I didn’t want it to scan my system and files it seems it still does that.
How do I stop this unwanted CIS system / file crawling scanning behavior?
In addition:
Currently I have 4 files listed as unrecognized which were added to the “UNRECOGNIZED FILES” list not earlier then today.
All 4 files have “First Observed” set to 7-apr-21.
All 4 files origin from the same company, 2 files have “Company” name set the 2 other files have a blank “Company” name.
All 4 files have rating unrecognized (of course, otherwise they won’t be on the list).
I’m wondering how the files got on the list as I did not start them today or yesterday or days before.
I don’t know what settings you have on FW but this is what CIS shows under file rating settings.
These are the settings that I use.
I’m still puzzled how the files got on the list recently.
In addition to: “All 4 files origin from the same company, 2 files have “Company” name set the 2 other files have a blank “Company” name.”
The 2 files which have “Company” name set have one valid signature under file properties “Digital Signatures” with a sha1 Digest algorithm.
The 2 files which have “Company” name not set have two valid signatures under file properties “Digital Signatures” with a sha1 and sha256 Digest algorithm.
Since all files have a valid digital signature why are these files listed as unrecognized?
And why have only 2 files “Company” name set?
Some more information.
When tracing back into my saved log files I see the following:
“HIPS Events” (for all 4 files)
Date & Time: 07-apr-21
Application:
Action: Scanned and found safe
Target:
Alert:
“File List Changes” (for all 4 files)
Date & Time: 07-apr-21
Path:
Modifier: COMODO
Action: Added
Property: COMODO rating
Old rating:
New rating: Trusted
“Vendor List Changes” (for the “Company” name)
Date & Time: 07-apr-21 <time somewhere in between the 4 files>
Vendor: Nir Sofer
Modifier: COMODO
Action: Added
Property: COMODO rating
Old Rating:
New Rating: Unrecognized
The old saved log files tell me that all 4 files were rated Trusted when the files were executed for the very first time on 07-apr-21.
Almost at the same time (a time somewhere in the middle of the execution of the 4 files) the Vendor got added to the “Vendor List” with rating “Unrecognized”
When opening the current “File List” I see that all 4 files are rated as “Unrecognized” but when opening the current “View Logs” → “File List Changes” the 4 files are not listed. I would expect to see a “Modifier” change with “Old Rating” Trusted (as they were on 07-apr-21) to “New Rating” Unrecognized.
Also, the older saved log files do not show any rating changes for the 4 files under “File List Changes” other than the one already listed above.
Now just recently all 4 files got rated “Unrecognized”, how come?
Well, since it’s a file rating system, it is going to evaluate files on your system. I’m not sure at this time what the ramifications are if you disable that system. If the FW also has containment, then containment probably needs file rating which is part of file analysis. I just deal with unrecognized files as they come only occasionally. Same thing with HIPS, which can be a royal pain sometimes.
Comodo firewall installation types does not scan files unless you run a file rating scan, otherwise files are added to file list when they are executed in some way. As for unrecognized files that all of sudden appear, they most likely lost their file rating status which seems to be 30 days cache limit.
Thanks for the feedback futuretech.
Yep, files are added to the File List when executed, that’s fine.
While doing the Websites Database update exercise by clicking on the Update button I did hit the Scan button above the Update button by accident a couple of times but I always did stop the scan immediately at a point when the scan was checking the auto-runs entries or some of the very first windows system files. I don’t think that the scan did catch and scanned those 4 files too as the 4 files are located on another partition. Also I have never ran a full scan on my system, that I know for sure.
The 4 files are still on the “UNRECOGNIZED FILES” list. For a test I could remove them from the File List and also remove the Company from the Vendor List and then execute those 4 files again and then wait and see if the same thing happens again and the files reappear as “UNRECOGNIZED FILES” after the 30 days cache limit.
Interesting facts (or bugs).
I removed the Company entry from the “Vendor List” and checked the files on the “UNRECOGNIZED FILES” again. All 4 files are still there (so still in unrecognized state) and all 4 files have now their Company name cleared (2 files had a Company name set the other 2 files had not).
Next, I removed 1 of the 4 files from the “UNRECOGNIZED FILES” and executed the removed file again. Then checked “UNRECOGNIZED FILES” again, now here comes the odd part, the number on the right side of “UNRECOGNIZED FILES” is still 4 but opening “UNRECOGNIZED FILES” only shows 3 unrecognized files. The file that I removed and executed again is on the File List and has Trusted state (like it had on 07-apr).
Now, when opening “View Logs” → “File List Changes” there is no log entry about the file removal, neither a log entry about an Old/New Rating change and neither a log entry about the addition of the file after it got executed again.
When opening “View Logs” → “Vendor List Changes” there is a log entry about the Company(Vendor) removal and a log entry about the addition of the same Company again as a result of the file execution, the rating of the Company is again Unrecognized.
So the above in short:
Next I did remove the Vendor again from the Vendor List, now interestingly
Next I executed the file again and interestingly
In order to try to bring back the Vendor on the list I did
In order to try to let HIPS create a new file application rule I did
Something is going out of sync here.
Question: What do I have to do to bring back the Vendor on the Vendor List and to bring back the auto created HIPS application rule for the file?
EDIT:
The Vendor got added to the Vendor List again automatically after some very long delay.
However HIPS still doesn’t create a new application rule for the file anymore, and a reboot also to no avail.
How to bring back the auto create HIPS rule for the file?
EDIT 2:
HIPS rule is back too.
Apparently just executing and closing the application (the removed file) isn’t enough to trigger HIPS to create a new rule. After executing the application and doing some stuff with it HIPS created a new rule for it.
Anyhow, with the Vendor on the Vendor List again as Unrecognized and the removed file back on the File List as Trusted again I’ll keep an eye on it if it becomes Unrecognized again after a while.
OK, back again . . .
What I suspected is true and I’m at least not happy with this CIS behavior sneakingly scanning my files.
As I’ve explained in my previous posts I had 4 “UNRECOGNIZED FILES” on the list. I removed one of them leaving 3 “UNRECOGNIZED FILES” files on the list. I never ever executed the 4th removed file ever again in the time frame between removal and till now and yet the file returned back on the “UNRECOGNIZED FILES” list resulting again in having 4 “UNRECOGNIZED FILES” on the list.
This test proves to me that CIS for “FW only installations” does scan/read/execute files on the background without user permission or without the user performing any scan Task.
When I remove a file from the “UNRECOGNIZED FILES” list it should stay away and never return until executed again.
Disappointing this.
Hi CISfan,
We are checking this.
Thank you kindly for checking this C.O.M.O.D.O RT.
This is really an issue.
Today another unrecognized application was added by CIS to my “UNRECOGNIZED FILES” list without that particular application being executed by me.
I have now 5 “UNRECOGNIZED FILES” on the list, one more since my last post.
CIS is doing some kind of “scanning files” for FW only installations, please solve.
No its not an issue because it is not doing any scanning despite what you may think. If it was then you would have many unrecognized and safe files added to the file list that were never executed. Files do not get added to the file list unless they get run in some way.
You have a point there, thus far I’ve only seen files reappearing on the file list that have been executed before. One time execution is enough for this odd reappearance to happen. I hope you agree that this reappearance of unrecognized files and maybe also the reappearance of trusted or safe files (I haven’t checked that) should not happen automatically but only after another execution of an untrusted or trusted file, it is most confusing.
Reappearance looks like if files are being “executed” or “scanned” on the background.
For information, I’ve noticed that the time frame between removal and reappearance is exactly 30 days (might depend on the number of days in the one or two months that fall within this time frame).
Also, I’ve checked the CIS AV config settings in the registry (to which I have no access in the GUI) and there is an AV profile (there are three) which has some values set including “ScheduleTime” which divided yields 30 (could be a coincidence).
The other two AV profiles have all their values set to 0 and look disabled to me.
Whether an issue or not, I hope that this reappearance thing will be solved.
probably there’s no such a thing like firewall only install
c(is)fw doing it’s cis things 8)
:P0l
:-TU
there isn’t any issue here
:P0l
Before you edited you post readers (me inclusive) had the impression you had an issue too. :P0l
I just wanna give an example. WinSetupFromUsb is unrecognized app and beside all my efforts to disabling C(is)FW components, CFW not let it just run it’s OK for me I should set it up proper rules for it but I didn’t mind
:P0l
Ok understood.
I think it’s worthwhile noting though not being an issue for you.
Thank you.