Large applications request unlimited access regardless of rating [M1467]

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes. Every time.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1. Download and execute a large application. I’ve used a trusted installer (digitally signed and trusted in the cloud, apparently):
http://download.wangwang.taobao.com/AliIm_taobao.php?spm=0.0.0.0.njdnTZ
2. Run the trusted installer. Observation: a sandbox alert appears with the following options: ‘Run Isolated (Default)’, ‘Run Unlimited’ and ‘Block’.
3. Select the ‘Block’ action.
4. Go to ‘Advanced Settings’ > ‘Security settings’ > ‘File rating’ > ‘File List’, and find the installer that you executed earlier.
5. Perform a lookup or manually define the rating as ‘Trusted’. Select ‘OK’ in order to apply the action.
6. Re-execute the installer and notice that the same alert appears.

One or two sentences explaining what actually happened:
The sandbox alert appeared and ignored the cloud and/or user rating. Every time the installer was run by the user, the alert appeared; this behaviour is unwanted.

One or two sentences explaining what you expected to happen:
A trusted application (set by cloud or user) should run without the mentioned sandbox alert. The application should run by default with the ‘Run Unlimited’ action since its status is set to ‘Trusted’.

If a software compatibility problem have you tried the advice to make programs work with CIS?:
N/A
Any software except CIS/OS involved? If so - name, & exact version:
N/A
Any other information, eg your guess at the cause, how you tried to fix it etc:
See this thread : https://forums.comodo.com/news-announcements-feedback-cis/a-trusted-file-blocked-by-the-beheavior-blocker-t110593.0.html

B. YOUR SETUP
Exact CIS version & configuration:
CIS version 8.2.0.4508. Configuration: “Proactive Security”.
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS=Safe Mode, Auto-sandbox=Enabled, Firewall=Safe Mode, AV=not installed.
Have you made any other changes to the default config? (egs here.):
No.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No.
If so, have you tried a clean reinstall - if not please do?:
Yes.
Have you imported a config from a previous version of CIS:
No.
If so, have you tried a standard config - if not please do:
N/A
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 SP1 64-bit, UAC = Disabled, Admin account, no virtual machine used, real system.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=N/A b=N/A

[attachment deleted by admin]

Please attach a sample.

Thanks.

The installer is too big, but it can be downloaded from here: http://download.wangwang.taobao.com/AliIm_taobao.php?spm=0.0.0.0.njdnTZ

I’ve made some edits. Does everything look correct?

Thank you.

Yes, although I’m not sure if it’s because the application is large or if it’s digitally signed by a vendor that is not part of the trusted vendor list that causes the issue. I noticed that when I created my own installer using NSIS (Nullsoft Scriptable Install System) without a digital signature, it is first detected with the unknown/installer rating, but after defining the installer as trusted in the file list, the rating when executed is changed to trusted/installer.

I’ve used an unsigned application which is ~50 MB and replicated this issue. What was the size of the installer (that you created)? Perhaps the large size is just a coincidence?

Thank you.

PS: Edited report title, again.

So far the largest installer that I have created was a little over 13 MB.

Also, the sample is over 50 MB, so it seems plausible. Oh well, forwarding.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Has a reply on this bug come out?

Nothing new.

Thanks.

I’m also experiencing this issue when trying to run SRware Iron. It’s digitally signed and whitelisted by Comodo; however, it’s a large file and for some reason CIS can’t just allow it to run without an alert.

https://www.srware.net/forum/viewtopic.php?f=18&t=8293&sid=bda6f67f4a7a2a4a87c9a04e1ea0dd29

CIS version 8.2.0.4508 on Windows 8.1 64-bit

Not fixed in CIS version 8.2.0.4591

Upon further testing, it seems to only apply to non-MSI-type installers; for example, executing the VirtualBox setup installer does not produce an unlimited access alert, and the same goes for the SRware Iron installer, both of which use the Windows Installer service.

futuretech
Just increase the value “Set new maximum file size limit to” on the settings pane “Antivirus” > “Realtime Scan”.

P.S. Attention! Any trusted file bigger than 40 MB will be granted installer privileges, regardless of that option.
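As an added triage helper (not from this thread or from Comodo), the PowerShell function below reports, for a given installer, the three attributes the posters correlate with the unwanted alert: size relative to the 40 MB figure quoted above, whether it is an MSI package handled by the Windows Installer service, and its Authenticode signature status. The function name, the ThresholdMB parameter and the ExpectedPerThread flag are assumptions of this example, and the flag encodes only what the posters observed, not documented CIS behaviour.

```powershell
# Added example: triage an installer against the conditions described in this thread.
# Get-InstallerTriage, ThresholdMB and ExpectedPerThread are names chosen for this example.
function Get-InstallerTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ThresholdMB = 40   # the 40 MB figure quoted in the thread
    )
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    $overThreshold = $file.Length -gt ($ThresholdMB * 1MB)
    $isMsi         = $file.Extension -ieq '.msi'
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        File              = $file.Name
        SizeMB            = [math]::Round($file.Length / 1MB, 1)
        OverThreshold     = $overThreshold
        IsMsi             = $isMsi
        SignatureStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $signerSubject
        # Posters observed the spurious alert on large, non-MSI installers even when
        # trusted; this flag reproduces that observation for quick sorting of results.
        ExpectedPerThread = ($overThreshold -and -not $isMsi)
    }
}

# Usage: triage every .exe/.msi in the Downloads folder (path is an assumption).
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Recurse -File -Include *.exe, *.msi |
    ForEach-Object { Get-InstallerTriage -Path $_.FullName -ThresholdMB 40 } |
    Sort-Object -Property ExpectedPerThread, SizeMB -Descending |
    Format-Table -AutoSize
```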

I’ve updated tracker data.
Thank you.

I’ve experienced this bug with many programs. Comodo please fix this for v9!

Not fixed with CIS version 8.2.0.4674 on Windows 7 & 10.

Upon further testing, I want to say this bug is fixed, as I have run installers for Firefox (offline installer), Google (offline installer), SRWare Iron, and the Microsoft Malicious Software Removal Tool (MRT.exe) and did not get an unlimited access alert. However, the installer linked in the original report is the only one that still generates an unlimited access alert when the sandbox is enabled and a HIPS image execution alert (explorer.exe is a safe application. However, the executable AliIM2015_taobao(8.10.21C).exe could not be recognized) even though I have manually defined the installer as trusted in the file list. And the installer is rated as unknown/installer in the CIS active process list despite my trusted rating.

If anyone else has issues where an installer they defined as trusted, that is digitally signed by a trusted vendor, or that is whitelisted by the Comodo online lookup receives an unlimited access sandbox alert when using the sandbox, or an execution alert from Defense+/HIPS, please report it here.