1. The full product and its version:
COMODO Internet Security 8.0.332922.4281 BETA
2. Your Operating System (32 or 64 bit) and ServicePack revision, and if using a virtual machine, which one:
Windows 7 x64 in real system
3. List all the configuration changes you did. Are you using Default configuration? If no, what's the difference?:
Default configuration, only changed Viruscope to work inside and outside the sandbox
4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
Clean install
5. Other Security, Sandboxing or Utility Software Installed:
No
6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: I tested a sample of the Sandbox, but Comodo discovers the sample application as suspicious with local heuristics.
2: CIS blocks the application after a few seconds, although KillSwitch shows that it is still running.
3: Checking the logs shows that although CIS blocks the sample, it is still able to perform some actions after being blocked. A screenshot illustrating this is attached to this post. The actions highlighted in yellow were done after the app was blocked.
4: After the sample is terminated I ran the sample again, but again it was blocked, and some actions were allowed to happen even after it was blocked.
7. What actually happened when you carried out these steps:
If the application runs inside the Sandbox, and CIS detects it as a suspicious application, CIS blocks the application, but the application stays running and is able to perform some actions.
8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
If the application is detected as suspicious, and therefore blocked, it should not be able to perform any actions. All should instantly be terminated.
9. Any other information:
A video showing this behavior is attached to this post.
Did the cloud find this as suspicious, or was it the local heuristics?
Also, what do you mean by saying that “remaining works are not terminated”? Do you mean that other processes which are spawned by that process are not blocked, but that the one flagged as suspicious was blocked?
Also, are you saying that after it was flagged as suspicious and terminated that it was automatically blocked the next time you tried to test it?
Unless I’m wrong, isn’t the ability to block files from even starting only available if the HIPS is enabled? Thus, perhaps this is not meant to block the program from ever starting again, but just to block it every time it runs.
Does it correctly prevent it from running every time the app is double-clicked on?
Thank you. I just updated the first post, changed the title, and replaced the pic you had attached to the first post with that you just posted. Please let me know if the first post correctly captures this issue.
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
The devs have asked me to provide them with the application you used for testing this. Please upload it to a file sharing site and provide me with the download link. Also, in your PM please link to this topic so I don’t confuse this with any other bug reports.