General warning about using VirusScope monitoring *all* applications

The short version is: don’t do this.

I personally don’t like the idea of automatic sandboxing, so I don’t enable “Auto-Containment”. I use far too many programs that will never have a digital signature (such as programs I compile myself), and having them sandboxed is too much hassle. On the other hand, I thought the idea of VirusScope was interesting, so as a trial I enabled it regardless of being “in the container”.

Unfortunately, many critical Windows system components will be detected as “Generic.Infector.5”. It will then offer to quarantine them… but if you’re AFK at the time, after two minutes Quarantine is automatically selected and Comodo asks to reboot for an unspecified reason. The actual reason being that it wants to delete the critical system file while it’s not in use. Unsurprisingly this causes Windows to stop booting in many cases. Even if you figure out why it wants to reboot, Comodo cannot undo the quarantine because the system file still exists. Asking it to restore the file will not stop it from trying to delete the file upon rebooting. Seemingly you’re stuck with the inevitability of a dead system upon rebooting.

I will continue to use Comodo because it offers a huge amount of flexibility in a climate of consumers that don’t actually care what their computer does… but apparently some combinations of settings can cause situations like the above. So… general warning… be careful.

Thanks for the heads up. I too enabled VirusScope system-wide for a while but didn’t run into any issue. But then I was using Win 7, and it seems you’re using Win 10 (too unstable and intrusive for me personally). I eventually disabled VirusScope completely.

The real issue is that somehow those applications are being rated as unrecognized instead of trusted; VirusScope recognizers only work on unknown/unrecognized rated applications. The setting to monitor all applications just allows you to see all actions of all applications of any rating: use the View Active Processes task, right-click on a process, and select View Activities.

I don’t believe it is that simple. Comodo’s file listing says Explorer is trusted as of two weeks ago…

But there are other settings where you can automatically trust signed applications and trusted installers that I do not use. Would that cause VirusScope to ignore Comodo’s live file rating list or do those settings only give default assignment of a rating for that list?

Those settings control file rating, such as whether you want to trust files that are signed by a trusted vendor or whether you want to trust files that are created by a trusted installer.

I have seen many cases where Windows executables are no longer being trusted after a series of either Windows or CIS program updates. If you use Purge from the file list you should see some files being invalid, such as some Windows executables, considering those files were changed since the first time they were added to the file list.

If you have restored from a backup after CIS quarantined important Windows applications and you now look at the file list and see them trusted, you won’t see the files as unrecognized, as they were at the time they were being detected by VirusScope.
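The staleness described in the post above (a rating tied to a file’s content stops matching once a Windows or CIS update replaces that file) can be checked independently of CIS. The following PowerShell script is an added example for this thread, not Comodo’s code and not something a participant posted: it records the SHA-256 hash and Authenticode status of a few Windows executables into a baseline file on the first run, and on later runs reports which files changed content since the baseline. The target list and the baseline path are assumptions chosen for illustration.

```powershell
# Added example: detect Windows system executables whose content changed since a
# baseline was taken, i.e. the same condition under which a content-keyed file
# rating no longer applies to the file on disk.
# The target list and baseline location below are assumptions for illustration.
$Targets = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\lsass.exe"
)
$BaselinePath = Join-Path $env:LOCALAPPDATA 'sysfile-baseline.json'

function Get-FileRecord {
    param([string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash
        SigStatus = $sig.Status.ToString()   # e.g. Valid, NotSigned, HashMismatch
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$current = $Targets | Where-Object { Test-Path $_ } | ForEach-Object { Get-FileRecord $_ }

# First run: write the baseline and stop.
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Later runs: compare the current state against the baseline, keyed by path.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$byPath   = @{}
foreach ($rec in $baseline) { $byPath[$rec.Path] = $rec }

foreach ($rec in $current) {
    $old = $byPath[$rec.Path]
    if ($null -eq $old) {
        Write-Host "NEW       $($rec.Path)"
    } elseif ($old.Sha256 -ne $rec.Sha256) {
        # Content changed (typically a Windows update). Any rating keyed to the old
        # hash no longer describes this file, even when the new signature is valid.
        Write-Host "CHANGED   $($rec.Path)  signature now: $($rec.SigStatus)"
    } elseif ($old.SigStatus -ne $rec.SigStatus) {
        Write-Host "SIGCHANGE $($rec.Path)  $($old.SigStatus) -> $($rec.SigStatus)"
    } else {
        Write-Host "unchanged $($rec.Path)"
    }
}
```

Run it once before a Windows update to create the baseline and again afterwards; a CHANGED line for a file that still shows a valid signature is exactly the case the post describes, where the file is legitimate but no longer the same object that was rated earlier.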

Pretty sure the default is for VirusScope to monitor all applications, at least under Proactive anyway. Never seen this cause problems before, but it’s probably because

But there are other settings where you can automatically trust signed applications and trusted installers that I do not use.

Which is normally on by default also.

That’s essentially a setting for my aforementioned group of users that don’t care what their computer is doing. But it’s also the group of users that don’t pay attention to what they’re clicking in installers and get “bundled” adware installed on their system from their so-called “trusted installer”. So I don’t use those settings… because I don’t trust a company not to install random things by being sneaky.

Similarly, just because a program is signed… doesn’t mean I want it to connect to the internet for no reason other than to send telemetry without asking. So I disable Firewall and HIPS from blindly trusting signed components. As I said, Comodo is great at giving you the options to make your own decisions. This isn’t a bug report. This is a warning to be careful about these particular components and what can possibly happen. I think most people would assume that this wouldn’t happen and when it does, it’s not clear why.

I’ve never been confronted with this problem. I don’t belong to any of the groups mentioned above. Not to be off topic, but I wonder why you disabled the firewall and HIPS; I, for one, would never do that. Do you use MS Defender, or how do you protect your PC? Nevertheless, your topic isn’t useless, because it shows a problem to be aware of. Thanks for your answer!

In the rules of HIPS and the firewall I allow, deny or restrict programs connecting to the Internet, and I rely on Comodo’s reports for what I want to do: block, enable and so on, or Comodo warns not to allow it because the program is unrecognized, untrustworthy, … .
As to telemetry, I don’t know, but I think NVIDIA’s telemetry, for example, DOES connect to the Internet whether I allow it or not in the rules of the firewall or HIPS.

Sorry about my confusing wording. It’s quite the opposite of what you assumed. What I have disabled is their trusting signed programs. HIPS is in “Paranoid Mode” and Firewall is in “Custom Ruleset”. They trust nothing automatically without asking me. But most people wouldn’t do this, I think.

Thank you!

I did it the same way with HIPS, except I set it to Safe Mode (too many “alerts” for me to decide, and I didn’t know whether to allow or not, and so on), and the Firewall to application rules. VirusScope and Containment are enabled; I disable them if I don’t need them…