If CIS Detect as suspicious CIS blocks the app but the app stays running [M1247]

1. The full product and its version:
COMODO Internet Security 8.0.332922.4281 BETA
2. Your Operating System (32 or 64 bit) and ServicePack revision. and if using a virtual machine, which one:
windows 7 x64 in real system
3. List all the configuration changes you did. Are you using Default configuration? If no, whats the difference?:
Default configuration, Only been changed Viruscope to work inside and outside the sandbox

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
Clean install
5. Other Security, Sandboxing or Utility Software Installed:
6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: I tested a sample of the Sandbox, but Comodo discovers the sample application as suspicious with local heuristics.
2: CIS blocks the application after a few seconds, although KillSwitch shows that it is still running.
3: Checking the logs shows that although CIS blocks the sample, it is still able to perform some actions after being blocked. A screenshot illustrating this is attached to this post. The actions highlighted in yellow were done after the app was blocked.
4: After the sample is terminated I ran the sample again, but again it was blocked, and some actions were allowed to happen even after it was blocked.

7. What actually happened when you carried out these steps:
If the application runs inside the Sandbox, and CIS detects it as a suspicious application, CIS blocks the application, but the application stays running and is able to perform some actions.
8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
If the application is detected as suspicious, and therefore blocked, it should not be able to perform any actions. All should instantly be terminated.
9. Any other information:
A video showing this behavior is attached to this post.

[attachment deleted by admin]

Did the cloud find this as suspicious, or was it the local heuristics?

Also, what do you mean by saying that “remaining works are not terminated”? Do you mean that other processes which are spawned by that process are not blocked, but that the one flagged as suspicious was blocked?

Also, are you saying that after it was flagged as suspicious and terminated that it was automatically blocked the next time you tried to test it?



Thank you. I have a question though. If CIS detected the file using the heuristics why wasn’t it automatically moved to quarantine? Shouldn’t a file detected with heuristics be quarantined?

No,just block

[attachment deleted by admin]

Unless I’m wrong isn’t it that the ability to block files from even starting is only available if the HIPS is enabled. Thus, perhaps this is not meant to block the program from ever starting again, but just to block it every time it runs.

Does it correctly prevent it from running every the app is double-clicked on?

in Hips or sandbox CIS 7 the block = Blocking the damage with stay the process is working, but in the log the app has been blocked Not blocked access to system resources, but blocked full application

Maybe the problem of the logs is not clear enough, or that Comodo was not able to blocking the application

I think it would be helpful if you could create a video showing exactly what happens. I also have a feeling the devs may request that after this is forwarded.


[attachment deleted by admin]

Thank you. I just watched that video, and I wasn’t sure about something. Were those actions made by the application made before or after it was blocked by CIS?

After the application is blocked, it remains connection and connection different destinations

So is the main problem that after the application is blocked the connections which were made by it are still able to connect?

In the picture, places shaded in yellow are the events after bloked the Application

[attachment deleted by admin]

Thank you. I just updated the first post, changed the title, and replaced the pic you had attached to the first post with that you just posted. Please let me know if the first post correctly captures this issue.


Thank you to modify the subject, it seems everything is true :-TU

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

The devs have asked me to provide them with the application you used for testing this. Please upload it to a file sharing site and provide me with the download link. Also, in your PM please link to this topic so I don’t confuse this with any other bug reports.

Thank you.

I have received the application and added the download link to the tracker. Thank you.

The issue is not solved, I am starting to doubt if this is issue bugs, or not.
Because the Defense + is blocked from the application.

I have updated the tracker. However, I am uncertain what you mean when you say it’s not a bug. Can you please explain in greater detail why you believe this may not be a bug?