HIPS fails to stop program from modifying protected folder even in paranoid mode

Hi,

I’ve been experimenting with Comodo HIPS to detect changes a certain program makes to my system. (The program in this case is Acrylic Wifi Analyzer, not that it matters much.)
I noticed that when run for the first time, this program creates a folder (Acrylic Wi-Fi Professional) under C:\Users\<User Name>\AppData\Roaming, and I was trying to use Comodo to block the creation of this folder along with its contents.

However, I just can’t get Comodo to issue any warnings or prompts at all, even after I did the following:

  1. Set HIPS to paranoid mode (both “Create rules for safe applications” and “Do not show popup alerts” are NOT ticked; see screenshot for other settings)
  2. Make sure there are no rules that allow the program I’m testing (Acrylic.exe) to do anything
  3. Add my entire C drive under Protected Objects > Protected Files (exact entry is C:\*)

Supposedly this should cause Comodo to warn me about modifications by an unknown program to any directory under C:, and by using paranoid mode the whitelist should be bypassed. However, the program still manages to create the folder under C:\Users\<User Name>\AppData\Roaming without any prompts from Comodo. By the way, this was done with the latest version of Comodo Firewall (8.2.0.4792).

What’s strange is that some other operations done by the program, such as modifying the registry or accessing COM interfaces, do get detected and warned about by Comodo, but just the operation of writing to AppData\Roaming seems to be completely invisible to Comodo. I double checked using Process Monitor and it is indeed the program itself writing to that directory. I also tried adding C:\Users\<User Name>\AppData\Roaming\* to the Protected Files list, but that didn’t help.

[attachment deleted by admin]

This is a known bug (https://forums.comodo.com/format-verified-issue-reports-cis/hips-does-not-protect-drive-even-tho-being-specified-as-protected-m1459-t109297.0.html) that HIPS does not warn about or block folder creation, but any file that is created or modified under that folder will generate an alert, which can then be blocked.

The folder created is NOT empty though.
It contains multiple sub-directories as well as files.

[attachment deleted by admin]

Okay, I assumed you were only describing an issue with folder creation. CIS should warn of the creation of new files or modification of existing files that fall under a directory specified in the protected files section of HIPS. If you are not getting HIPS alerts for files under the folder in question, I have to ask: does this only happen with this application and/or this specific folder? And when you have the application running, what does CIS rate the application as in the active process list? If the application has Trusted/Installer under the rating tab of the active process list, then due to another bug (https://forums.comodo.com/format-verified-issue-reports-cis/disable-detection-of-installer-settings-still-applies-installer-rights-m1488-t111523.0.html), HIPS will not warn of any action carried out by the application that would otherwise generate an alert, even when HIPS is set to paranoid mode. Also, what OS are you using, and do you have any other security software installed?

The application is listed as Unknown/Installer (see screenshot). I don’t think it’s related to the bug you linked, because the option “Detect programs which require elevated privileges” under sandbox settings is enabled. (Auto-sandbox is disabled, by the way.)

I tested with a few other applications and the same thing happens, at other directories as well, though not reliably. For example, when I tested this with an installer of VLC, I was warned about the program trying to write to a temp folder in AppData\Local. But after I allowed that (“remember this” not selected), I got no further warnings when the installer was writing files to Program Files, and this happened while the entire C:\ was in the Protected Files list and Comodo was running in paranoid mode.

I am running Windows 10 Pro x64 (Build 10586), with no other antivirus or security software installed.
Since I don’t recall this happening when I was still using Windows 7, perhaps this could be a Windows 10 related issue.

[attachment deleted by admin]

Did you upgrade from Windows 7 to 10 with CIS installed during the upgrade? If so, did you reinstall CIS since?

Nope, clean install of Windows 10 build 10586.
So no upgrade between Win 7 and Win 10, or between builds of Win 10.

By the way, I got my Comodo installer here (the firewall only one):
https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-8204792-windows-10-version1511-hotfix-is-released-t113688.0.html
since the installer from the official site wouldn’t run on Windows 10.

It could be a Windows 10 specific issue, but I have not experienced such an issue myself, and it definitely doesn’t happen on Windows 7. So I’m confused about how this is happening to you, but I will do more testing later.

If you run the current VLC x64 installer, does Comodo give you any warning about it writing to Program Files?

You can also test this with Notepad.
I made sure there were no HIPS rules that might give Notepad access. I even went as far as removing all the default rules that came with Comodo to make sure I didn’t miss anything.
After entering paranoid mode, Comodo still didn’t give me any warning when I tried to save a text file anywhere, even in sensitive locations such as Program Files\Comodo.
I also made sure that it’s not labeled as trusted by Comodo (screenshot).
(I can confirm that Notepad is not trusted, because I got warnings about it trying to execute explorer.exe and trying to modify the registry. But again, no warning about file/folder modification.)

[attachment deleted by admin]

I figured it out: you don’t have verbose mode for alerts enabled, which means you will only get one alert per application which, when answered, will grant global allow or block access. For example, when you use Notepad to save a new text file, the first alert will be to allow it to access explorer in memory; choosing allow will allow all other actions that would otherwise show alerts, including modifying a protected file/folder. If you choose block for accessing explorer in memory, then you won’t be able to save the document at any location, and you will get an error message saying you do not have permission to save in the location you chose. You will also notice blocked intrusions in the Defense+ event log.

It is highly recommended to switch to the proactive configuration and then make changes that suit your needs from there, such as disabling the sandbox etc. The proactive configuration enables verbose mode for alerts and enables enhanced protection mode, which increases protection for the x64 version of Windows.

That’s not what verbose mode for alerts is (see HIPS Settings in the Comodo Internet Security Help, scroll down to verbose alerts). I just tried disabling that option and launched an unknown application, and I got alert after alert after alert; verbose is simply even more.

Personally I have no idea why this issue is occurring but at the same time I’d recommend enabling Enhanced protection mode.

The help documentation doesn’t truly explain what verbose does other than saying that alerts provide more information, but in reality, whether or not verbose is enabled, alerts provide the same amount of information and the same available actions to answer the alert. If you get more than one alert with verbose mode disabled, it is because of bug 1677 in the mod tracker that keeps alerts in verbose when ‘remember my answer’ is checked when you answer said alert. But I did test this out using Notepad, setting it to unrecognized in the file list and adding C:\* to the protected files section. When verbose mode is off, attempting to save the document will first generate an alert for Notepad accessing Windows Explorer in memory; clicking allow without setting remember my answer will not produce any more alerts and will allow saving to any directory. Then turning verbose mode alerts on and saving the document again will generate more alerts for modifying protected files and the registry.

After more testing, I can confirm that not enabling verbose mode seems to be the culprit, as I finally saw warnings regarding writing to protected locations after I enabled that.
However, the application in question was still able to create a nested empty folder in Roaming (screenshot), even after I denied all requests to write to Roaming.
As previously stated, the application is identified as Unrecognized or Unknown/Installer by Comodo, so this could be a new bug.

Also, using paranoid mode doesn’t seem to bypass the whitelist, even though the documentation clearly suggests otherwise.
I had to disable “trust applications signed by trusted vendors” and make sure that a program is not labeled as “Trusted” in the file rating list in order for paranoid mode to generate any alert.

[attachment deleted by admin]

After further testing I think you’re right, although I think I misunderstood you: when I have verbose mode off, I get several alerts for launching other applications as well as one COM alert, so in total more than one alert, but it never alerts about protected file access; with verbose mode on it alerts about more COM access and also protected file access… My conclusion is that the documentation for this feature is very lacking. I have no idea how it’s supposed to work, but it doesn’t seem to be working like the help file says.

Hi,
our QA and devs can’t reproduce the issue, so we want you to export your CIS configuration file and send it to us. Of course, if you can provide us a remote environment, that would be even better.

Many thanks

Best regards

Here is an update of this issue for those who are still interested.
After working with the staff, I was able to make the following observations and conclusions:

  • A trusted installer will not generate any warnings whatsoever, even in paranoid mode, while a trusted (non-installer) executable would still generate alerts in Paranoid mode. As futuretech pointed out, this has been reported here as a bug before: https://forums.comodo.com/format-verified-issue-reports-cis/disable-detection-of-installer-settings-still-applies-installer-rights-m1488-t111523.0.html. However, I am not sure if this is still considered by the devs as a bug or not.
  • If verbose mode is not enabled, then in most cases CIS would only generate one warning per executable and automatically allow or block most subsequent requests from that executable based on the decision you make for that first warning, even if you didn’t check “Remember my answer”. This is true in all modes, including Paranoid. Apparently this is working as intended, though documentation regarding this behavior is severely lacking.
  • Under all circumstances, a program may still be able to create empty folders or empty files even after the user denies its request to write. This is because CIS only blocks file operations that require access to write or delete, but not operations that involve only creating or reading a file or directory. For example, if a process creates a file first then opens it for writing in two separate operations, CIS would only stop the second operation that involves writing but not the first operation, thus leaving an empty file behind. This is also a known bug pointed out by futuretech here: https://forums.comodo.com/format-verified-issue-reports-cis/hips-does-not-protect-drive-even-tho-being-specified-as-protected-m1459-t109297.0.html, but I’m not sure if the dev will address this anytime soon
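The last bullet describes a split between "create" and "write" that is easy to reproduce outside CIS. The script below is an added illustration, not code from the thread or from Comodo: it creates a file with a read-only handle first and reopens it for writing in a second operation, then sweeps a directory for the zero-byte files and empty folders that such a denied write leaves behind. The `deny_write` flag is a constructed stand-in for the HIPS denying the second step; the folder names and the `run_demo` helper are assumptions. On Windows, Python's `os.open` with `O_RDONLY | O_CREAT` maps to a `CreateFile` call requesting only `GENERIC_READ`, which is exactly the create-without-write step the bullet refers to.

```python
import os
import tempfile
from pathlib import Path

_BINARY = getattr(os, "O_BINARY", 0)  # only defined on Windows


def two_step_create_then_write(target, payload=b"x", deny_write=False):
    """Step 1: create the file with a read-only handle (no write access requested).
    Step 2: reopen it for writing. A HIPS that hooks only write/delete access can
    let step 1 through and block step 2, leaving an empty file on disk."""
    target = Path(target)
    result = {"created": False, "written": False, "size_after": None}
    try:
        os.close(os.open(target, os.O_CREAT | os.O_RDONLY | _BINARY, 0o644))
        result["created"] = target.exists()
    except OSError:
        return result  # creation itself was refused; nothing left behind
    try:
        if deny_write:  # constructed: stands in for the HIPS "Block" answer
            raise PermissionError("simulated HIPS deny of write access")
        fd = os.open(target, os.O_WRONLY | _BINARY)
        try:
            os.write(fd, payload)
        finally:
            os.close(fd)
        result["written"] = True
    except OSError:
        pass  # write denied, but the zero-byte file from step 1 remains
    if target.exists():
        result["size_after"] = target.stat().st_size
    return result


def find_empty_residue(root):
    """List zero-byte files and empty folders under root, relative to root."""
    root = Path(root)
    residue = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.stat().st_size == 0:
            residue.append(str(p.relative_to(root)))
        elif p.is_dir() and not any(p.iterdir()):
            residue.append(str(p.relative_to(root)))
    return residue


def run_demo():
    """Run the allowed and denied cases in a throwaway directory and report residue."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        allowed = two_step_create_then_write(root / "allowed.txt")
        denied = two_step_create_then_write(root / "denied.txt", deny_write=True)
        # constructed: an empty nested folder like the one observed in Roaming
        (root / "Acrylic Wi-Fi Professional" / "cache").mkdir(parents=True)
        return {"allowed": allowed, "denied": denied, "residue": find_empty_residue(root)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Pointing `find_empty_residue` at a real Roaming folder after answering "Block" is a quick way to see what the deny actually left behind.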