Heuristics activates despite being explicitly turned off [NBZ]

The bug/issue:

  1. What you did: Did an install of Comodo on a Windows 7 computer (not a virtual machine) that has never had Comodo installed on it.
  2. What actually happened or you actually saw: I saw an alert asking if I wanted a program to access the Internet. The alert said “Defense+ malware heuristic analysis has detected possible malware behavior in C:\Program Files\VideoLAN\VLC\vlc.exe. However if you are not sure whether or not vlc.exe is a virus, then please submit it to Comodo for analysis.”
  3. What you expected to happen or see: I expected to see an alert without any mention of heuristics, because I already turned off heuristics.
  4. How you tried to fix it & what happened: At the time of the alert, the following boxes were unchecked: 1) Do heuristic command-line analysis for certain applications 2) Perform cloud based behavior analysis of unrecognized files 3) Automatically scan unrecognized files in the cloud. Also, the “Execution Control Level” and “Defense+ Security Level” sliders are set to “Disabled”. Finally, the box “Deactivate the Defense+ permanently (Requires a system restart)” is checked.
  5. If it’s an application compatibility problem have you tried the application fixes here? Not applicable. This is not an application compatibility problem.
  6. Details & exact version of any application (except CIS) involved with download link: VLC media player 1.1.7 The Luggage
    Direct download link: Download vlc-1.1.7-win32.exe (VLC media player)
    Homepage of the application: Official download of VLC media player, the best Open Source player - VideoLAN
  7. Yes, I can make the problem happen again. a) Delete the rule for VLC from “Network Security Policy” b) Open VLC c) Click “Help”, then “Check for Updates…” d) The Comodo alert that I described in step 2 of this bug report comes up.
  8. Any other information (eg your guess regarding the cause, with reasons): The system was barely running anything at the time, and it wasn’t at the time I reproduced the issue in step 7. I believe the most likely cause of this problem is that parts of Defense+ were not properly turned off despite the steps I took in step 4 of this bug report, because the alert describes “heuristic analysis” despite the boxes described above having been unchecked already. More of my settings are detailed below.

Files Appended

  1. Screenshots illustrating the bug: Attached
  2. Only 2 rows show vlc.exe: The “Firewall Events” log shows C:\Program Files\VideoLAN\vlc.exe asking for access, as the screenshot already shows. Under the “Active Process List”, vlc.exe shows a “Sandbox Level” of “Disabled” and a “Verdict” of “Suspicious”.
  3. Crash or freeze dump file: Not applicable; Comodo did not crash or freeze.

Your set-up

  1. CIS version, AV database version & configuration used: 5.3.176757.1236, Comodo antivirus wasn’t installed, Firewall security
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No. I installed version 5.3.176757.1236 from an installer. No previous versions of Comodo were installed on this computer.
    b) If so, have you tried reinstalling (if not please do)?: Not applicable; I did not upgrade
  3. a) Have you imported a config from a previous version of CIS: No
    b): If so, have you tried a preset config (if not please do)?: Not applicable. I never imported a config.
  4. Have you made any other major changes to the default config (e.g. ticked “block all unknown requests”): Yes, as described below:
    Under the “Firewall” main tab:
    1. “Stealth Ports Wizard” is set to “per-case basis”
    2. Firewall behavior setting is set to “Custom Policy”
    3. Alerts in the firewall behavior settings are kept on screen for 999 seconds.
    4. “Create rules for safe applications” is unchecked
    5. Under “Application Rules” of “Network Security Policy”, I deleted the 3 or so default rules and made some changes:
       - svchost.exe is allowed out. All other Windows processes are blocked from being allowed out.
       - System is blocked out.
       - cmdagent.exe and cfpupdat.exe are allowed out.
    6. Every other setting in the “Firewall” main tab is untouched from the default configuration
    Under the “Defense+” main tab:
    1. Defense+ Security Level slider is set to “Disabled”
    2. Alert is kept on the screen for 999 seconds
    3. “Block all unknown requests if the application is closed” is unchecked
    4. “Enable adaptive mode under low system resources” is unchecked
    5. “Deactivate the Defense+ permanently (Requires a system restart)” is checked
    6. “Create rules for safe applications” is unchecked
    7. “Execution Control Level” slider is set to disabled
    8. “Treat unrecognized files as” is unchecked
    9. “Do heuristic command-line analysis for certain applications” is unchecked
    10. “Perform cloud based behavior analysis of unrecognized files” is unchecked
    11. “Automatically scan unrecognized files in the cloud” is unchecked
    12. “Detect shellcode injections (i.e. Buffer overflow protection)” is unchecked
    13. “Sandbox security level” slider is set to disabled
    14. All boxes under “Sandbox Settings” are unchecked except “Show notifications for automatically sandboxed processes”
    15. All boxes under “Monitoring Settings” have been unchecked
    16. Under “Computer Security Policy”, all “Trusted Software Vendors” have been removed
    17. Under “Computer Security Policy”, all rules under the tab “Defense+ Rules” have been removed
  5. Defense+, Sandbox, Firewall & AV Security level: Defense+ is disabled, Sandbox is disabled, Firewall is custom policy, Antivirus is not installed
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 7 Ultimate, 32 bit, UAC is set to “Never notify”, account type is Administrator
  7. Other security and utility software installed: Not applicable
  8. Virtual machine used: None, I didn’t use a virtual machine

HeffeD, thanks for letting me know your bug reporting guidelines. I have edited my first post as you requested. :smiley:

Could you please post whether you did a reboot between disabling the sliders, tick boxes etc. and doing the final task below.

“Disabled”. Finally, the box “Deactivate the Defense+ permanently (Requires a system restart)” is checked.

Thank you


When I first installed Comodo, there were 3 options (I believe they were no Defense+, optimal Defense+, and maximum Defense+). I am pretty sure I chose the first option, because I only need a firewall (not Defense+), so I think the slider was at “Deactivate the Defense+ permanently” to begin with. Even if I am wrong that the slider was already at “Deactivate the Defense+ permanently” right after Comodo was installed, I would have set it that way myself and rebooted many times before making the problem happen again.

As for the remaining tick boxes, sliders, and other configurable options I listed in the “Under the Defense+ main tab” section from #1 to #17, I did not reboot between applying any of them, but I did reboot more than once after applying all of them. I was able to make the problem happen again even after multiple reboots. Also, #1 to #17 are the state of the boxes/buttons/etc after multiple reboots, so even if any options failed to “stick” after a reboot, #1 to #17 is what Comodo is really set to right now. The only exception I can think of that I can’t be sure about is the Stealth Ports Wizard; because this section of the firewall doesn’t give any indication of its current setting, I can’t be sure that my “per-case basis” setting stuck.

If you are interested in the specific order in which I applied the options, I applied them from left to right and from top to bottom. For example, the order in which I went through the tabs were, respectively, Summary, Firewall, Defense+, and More (however, there were some tabs such as Summary in which either there was nothing to change or I didn’t change anything).

Within each tab, I went through the options from top to bottom. For example, in the “Firewall” tab, the order in which I checked for options to configure was: View Firewall Events, View Active Connections, Define A New Trusted Application, Stealth Ports Wizard, Define a New Blocked Application, Firewall Behavior Settings, and Network Security Policy. In some of these sections (such as View Firewall Events), there was nothing to configure, so I just moved on.

The only settings I changed for the entire firewall are listed in #1 to #17 in the “Under the Defense+ main tab” section of my bug report.

Thank you for your bug report in the required format.

Moved to verified.

Thank you