How to prevent this new [to me] issue of Comodo deleting my files? [DemoScene]

Okay,

So…
Comodo CIS has always hated “DemoScene” productions [“intelligent code alert - TERMINATE!!!”] and I’ve always had to wrestle such from its grasp, but now I have a new issue:-

Comodo is behaving like Mcf** or Nrt*n MALWARE!
[I tried them in ignorance, back in '97, and both tried their utmost to ravage and destroy my OS environment]

Despite the usual idiotic GeekBuddy alert (which I only leave enabled because I don’t trust it to automatically allow ME to deal with MY situation, where I wouldn’t receive the option to choose from the provided buttons) I get the usual Isolation* alert, followed by the option to make a rule and report the false alert.

However!..
When returning to the folder, I notice MY files are being deleted without consent.

To my knowledge, COMODO DIDN’T USED TO DO THIS!

Where this happens, I must unzip the archive again and, thus naturally (in the order of closing potential loopholes in security),
they are treated as different files and I have to go through the whole procedure again - with Comodo IGNORING MY CHOICES and deleting the file again.

Naturally, I have the resident running anti-virus switched off as I don’t get viruses because I’m not a fool and, thus, I don’t want my system crippled and failing in the name of false-flag “security”.

However, I do leave it installed in case I want to manually scan individual files - which it actually does very poorly, since files I know to extract into something malicious are often not detected - unlike the benign “Scene” prods which prompted this post!

The question is:-

  1. Which option have I ham-fistedly enabled in error?

OR…

  2. Did Comodo enable something by default, without my knowledge?
    In which case, I should begin to show concerns about this suite in the manner that I previously did with Mcf** and Nrt*n, and begin to search for alternatives.

It’s bad enough with MS’ increasing “nanny” behaviour, considering all the profiling they attempt (to send to CERN [a larger, much nastier, story]) without user knowledge, WHICH I CONSIDER GENUINE MALICIOUS ATTACKS and do all I know to prevent.

In the meantime (before reasoning is made clear) and in short:-
HOW DO I PREVENT COMODO BEHAVING AS MALWARE AND DELETING MY FILES?

As an aside:
I did notice that Comodo had reported it looked up a particular file online and found it to be malicious - where I know it is not.
I never used to have a problem with look-ups.

Is this a product of this new VirusScope, as opposed to the previous look-up?
If so, I’ll need to disable VirusScope as well as the resident running AntiVirus.

Sorry if my directness causes negative reaction.
I am an Aries individual: Intelligent, thorough (as currently aware) impatient, and don’t consider emotional reaction when it comes to making and stressing a valid point.

TIA, in hope of a prompt solution - for I have a computer to USE.

ps. I do appreciate that the nature of much Scene prod’ coding and compression methods could be used to obfuscate malware - and expect this to cause files to be flagged - what I don’t need is MY CHOICES IGNORED, as that would be deemed by anyone with a still-functioning mind as malicious behaviour in itself.

*I also find an annoyance regarding the isolation process in general:-
Despite being allowed to choose the fate of the file for the future, it’s already too late in this original instance, which, where initially isolated pre-user intervention, has already caused dependency issues - and likely failure to run - of the software which invoked the specific file, requiring that program to be terminated and run again with new rules in place.
I accept that this may be due to unavoidable ordering for (again) genuine closing of potentially exploitable aspects.

Is anyone listening?
I want to run some prods without them being deleted.
I don’t want ANY files deleted without my authority.
I need to disable this.
It’s preventing MY chosen usage of MY computer.
How did it become enabled, and where is the option to prevent this attack upon me and my system?
R.S.V.P. A.S.A.P.

Please don’t bump your topic in less than 24 hrs. We don’t allow that.

Your style of writing leaves lots to be desired. Ranting like you do will put off many people who are normally willing to help. If you would channel all the energy you put into ranting into a smaller, to-the-point post, your chances of being helped will be much bigger.

From what I understand the AV is quarantining a file. Please check that with the AV logs. With default settings CIS will automatically quarantine malicious files. You will have to disable “Do not show antivirus alerts” and set how to behave when a virus gets detected. It will then start alerting you and give the option to instruct CIS to “Ignore” and add to exclusions.

You can submit a false positive from the CIS interface but using How to report False Positives - Please read this before submitting ! is a faster route.

Thanks for the reply, but I don’t quite get you…

How would the Comodo AV component be quarantining files when it is disabled?
[the setting you mention is also disabled, though should be overarched by AV being disabled, regardless of its own flag]
AV is only ever an annoyance for guys like me; only ever flagging certain compressed files and flash ROMs.

I explained my insensitive directness, whether you find such undesirable is of no consequence to me.
It was spurred-on by this unrequested debilitating imposition, which is new behaviour for CIS, to me.

Thanks for the alternative online submittal form. [bookmarked and tagged]
Thanks also for the “bump” etiquette heads-up.
For that, I apologise.

I’m not sure I understood the issue correctly but you could try this:

  1. Open Advanced Settings
  2. Go to Sandbox > Auto-Sandbox
  3. Find the one rule which under “Reputation” states “Malicious” and right-click that rule and then click “Edit”
  4. Go to “Options” tab and deselect “Quarantine program” then click OK on all windows

I assume you mean the one default global rule:-

Action=Block
Target=All Applications
Reputation=Malicious
Enabled=“checked”

I’d rather leave that be.
My issue is caused by the order in which actions are taken; that CIS takes drastic measures BEFORE heeding my choices via its pop-ups.

Instead of changing that rule, I found another (convoluted) way around it:-

Once the auto-deleted files have once more been re-extracted from their originating archive - or upon the archive itself - I right-click and choose to perform a manual AV scan where, when flagged in error, I then report all instances as false-positives before SandBox has its way with them without me being afforded the opportunity to intervene.

I’ve also now searched the forums and found the option to clear out VTRoot, as it appears to have been automatically proactively imprisoning all sorts in there (likely due to that global setting you mention) and TreeSize [free disk-mapping application] had shown it to have reached over 4GB in size!

I’ll keep monitoring and, if VTRoot gets unnecessarily large again, I’ll reconsider your advice and remove that global setting.

Thanks.

The default operation of CIS is to sandbox unknown applications in a fully-virtualized environment. That data needs to be stored somewhere, and that’s where VTRoot comes in: VTRoot is where CIS saves the data.

I never suggested removing the default rule you correctly found; I merely suggested editing it so that instead of Blocking and Quarantining (Quarantine in this case means moving the executable from its original location to the Comodo Quarantine, it’s not the same as sandboxing) the allegedly malicious applications, it just blocks them.