Inexplicable permissions of files restored from quarantine

Inexplicable permissions of files restored from quarantine


A. The bug/issue
1. a) Try to execute an infected file (executable).
b) On the virus removal prompt choose the option to clean the infected file.
c) Thereafter restore it from quarantine to the original location.
d) Try to execute the restored infected file (executable).
2. There is no more permission to execute it. You can rename, move or delete it, but cannot execute it. “Windows cannot access the specified device, path, or file. You may not have the appropiate permission to access the item.”
3. I expected a normal behaviour: attempt to execute and virus removal prompt (like in 1.).
4. a) According to file’s “Properties –> Security” that there are no problems with the permissions.
b) The file isn’t listed in Comodo’s “Computer Security Policy –> Blocked Files”.
c) There are no policies to block the access of this file under “Computer Security Policy –> Defense+ Rules”. Even the explorer.exe is a “Trusted Application” without any exclusion policy to block this file.
d) In most cases a system reboot solves the problem, but I encountered random situations when a system reboot hadn’t solved the issue.
5. N/A
6. The used infected files were leak-test executables downloaded from matousec site.
7. The problem is reproducible (with steps described in 1.).

B. Files appended
1. Defense+ active processes list.
4. CIS config file.

C. Set-up
1. CIS version: 5.10.228257.2253; AV database version: 13268.
2. a) CIS no updated; clean CIS install on clean Windows install.
3. No imported config from a previous version of CIS.
4. Configuration: Proactive Security.
5. D+=Safe, Sandbox=Enabled, Firewall=Custom Policy, AV=Stateful.
6. Windows 7, SP1, 64bit, UAC=Always Notify, account type=Administrator.
7. Other security and utility software currently installed: No one.
8. Other security software previously installed at any time since Windows was last installed: No one (clean Windows install).
9. Virtual machine used: No.

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Thank you, mouse1! New results: If I change the Anti-Virus “Real Time Scanning” from “Stateful” to “On Access”, some changes can be experienced:
1) File restored from quarantine + Real Time Scanning" - “Stateful” –>
a) “Explorer –> Properties –> Security” cannot show the current owner, and I cannot change ownership;
b) I cannot rename, delet, copy or move the file.
2) File restored from quarantine + Real Time Scanning" - “On Access” –>
a) “Explorer –> Properties –> Security” shows the normal ownership and permissions;
b) the file can be deleted, renamed, moved, copied, BUT cannot be executed or opened, as I reported in the original post.

THanks for the update

Best wishes

Australia-pithicus

This is a video demonstrating the issue:
[b]Blattidának / CIS / CAV - YouTube