List of current bugs discussion

The issue is easily reproducible, no malicious sample is required. The issue happens also when executing unrecognized (trusted) applications.
I would provide Staff the steps if need be though I consider the team very capable and very smart to check this themselves.

@CISfan
@ZORKAS
@C.O.M.O.D.O RT

Is it possible that the problem only appears with W7 ? This should be checked.
If this is indeed the case, there is no need for Comodo to spend time on this problem.

1- I think
2- Knowing that Win7 is no longer maintained by Microsoft like XP elsewhere

I think issue no. 30 is not restricted to Windows 7 only; it might also happen on other OSes.
One has to know the exact steps to be able to reproduce this issue and to check if it happens on those OS’ too…

Hi CISfan,

We have checked and were not able to reproduce it. Whoever added issue no. 30 to the List of current bugs, could you please elaborate so that we can check and report this to the team?

Thanks
C.O.M.O.D.O RT

Hello C.O.M.O.D.O RT,

It wasn’t me who reported and added issue no.30 to the list of current bugs. I was just curious if I could reproduce the issue on my end and I managed to reproduce it.
As you say, I think it is best to let whoever added this issue to the list of current bugs elaborate on the issue (maybe best via PM).

The only thing I can do is to confirm this, even your attachments.

Firewall mode is not applicable for this issue.
I’ve tested only with HIPS Safe mode…

This is only to demonstrate the defense of the firewall with HIPS for an unknown program that activates
So Comodo CIS protects the PC well under the Windows 10 OS
Under Windows 7 is the problem encountered a specific or general case ?
I don’t know because a long time ago I switched to Windows 10 and no problem

Surely, CIS as a whole protects and defends one’s PC very well regardless of the OS that is being used on that PC.
It is just that the HIPS module on its own has weaknesses…

Allow me to quote cruelsister,

Her statement is not related to a specific OS and it might be the case that issue no. 30 is one of the secret knowledge methods to bypass HIPS…

“Wikipedia”
Disadvantages of HIPS (IPS):
IPS are not miracle software that will allow you to surf the net in peace. Here are some of their drawbacks:

  • They block everything that seems infectious to them, but not being 100% reliable, they can therefore inadvertently block legitimate applications or traffic.
  • They sometimes allow certain attacks to pass without spotting them.
  • They are not very discreet and can be discovered during the attack of a hacker who, once he has discovered the IPS, will hasten to find a fault in the latter to divert it and reach its goal.

However Comodo CIS with its coupling

Firewall

HIPS

Provides a well-defined level of security
Generally the 2 are linked during an alert on an unknown program

This is part of a functional flowchart that activates containment as a last resort to protect the PC

It is for these reasons that it is difficult for me to do without Comodo CIS 8)

I actually had no desire to follow this. ZorKas already did it or showed it.
Still, HIPS+firewall.
Of course it is a good intention to trace vulnerabilities, but many of the problems I do not have.

HIPS events and related alarm.

All Comodo CIS modules (AV, FW, HIPS, Containment, etc.) have their own weaknesses / vulnerabilities. Every self-respecting security company would release program security updates ASAP to fix vulnerabilities like this and others. The level of CIS protection and defense increases with every vulnerability fix.
Why wait with releasing program security updates till vulnerabilities become a real problem?

And in addition to issue no. 30:

HIPS “Create rules for safe applications” doesn’t work when executing a Trusted application elevated as SYSTEM.

Seemingly HIPS doesn’t monitor Trusted or Unrecognized applications at all when they run elevated as SYSTEM…

Call that no problem?

Out of curiosity, have you tried this while unchecking ‘Detect programs which require elevated privileges e.g. installers or updaters’ under Containment settings? (Yes it applies not only to Containment but to HIPS/FW as well)

I’ve tried out your suggestion. The setting was at default (checked) all the time so I’ve tried again and now with unchecked setting.
However the issue still persists and also HIPS “Create rules for safe applications” doesn’t work when executing a Trusted application elevated as SYSTEM.

So, no change…

Try opening up CIS interface > Tasks > Containment tasks > View Active processes > Under ‘Rating’ check if the application running as SYSTEM is rated as either Unknown/Installer or Trusted/Installer.

I think the issue maybe lies within the fact that Installer Detection cannot be turned off (even if disabling the suggested setting) but maybe I am mistaken and this has no relation to the issue you are reporting.

I haven’t activated “Create rules for safe applications”

And of course some more settings to protect my PC as shown in the attachments.

Edit: Forgotten, I deactivated “trust files by trusted installers”.

33. HIPS does not monitor access to COM Interfaces that are of InProcServer32 server type, so even when adding a COM object interface by its ProgID or CLSID to protected COM Interfaces, HIPS will not alert on access to that COM object by an unknown application.
Hi all,

Could anyone please elaborate on issue no. 33 as well?
We are checking on issues no. 31 & 32.

Thanks
C.O.M.O.D.O RT
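
For issue no. 33 quoted above, an added example (not part of the thread and not Comodo code) that checks, from a registry export, which entries on a protected COM Interfaces list resolve to an in-process server, the server type the report says HIPS does not alert on. The export text, ProgIDs, GUIDs and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed .reg export; every ProgID, GUID and path here is made up.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\Example.InProc\CLSID]
@="{11111111-1111-1111-1111-111111111111}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Example\\inproc.dll"

[HKEY_CLASSES_ROOT\Example.OutOfProc\CLSID]
@="{22222222-2222-2222-2222-222222222222}"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\LocalServer32]
@="C:\\Example\\server.exe"
"""

ROOT = "hkey_classes_root"
SERVER_TYPES = ("inprocserver32", "localserver32")


def parse_reg(text):
    """Map each lower-cased key path to its default (@) value, or None."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, None)
        elif current and (m := re.fullmatch(r'@="(.*)"', line)):
            keys[current] = m.group(1)
    return keys


def server_types(entry, keys):
    """Server types registered for a ProgID or {CLSID}; None if none found."""
    entry = entry.lower()
    if not entry.startswith("{"):
        # A ProgID resolves to its CLSID through <ProgID>\CLSID.
        entry = (keys.get(f"{ROOT}\\{entry}\\clsid") or "").lower()
    prefix = f"{ROOT}\\clsid\\{entry}\\"
    found = sorted(k[len(prefix):] for k in keys if k.startswith(prefix))
    return [t for t in found if t in SERVER_TYPES] or None


def inproc_entries(protected, keys):
    """Protected-list entries that resolve to an in-process (DLL) server."""
    return [e for e in protected
            if "inprocserver32" in (server_types(e, keys) or [])]
```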

Hello C.O.M.O.D.O RT,

Do you confirm issue no. 30 including not working “Create rules for safe applications” as elaborated in previous posts?

Hi CISfan,

We have checked and were not able to reproduce issue no. 30.
And for the “Create rules for safe application” issue, we did check the option “create rules for safe application” & HIPS in “safemode” and ran some trusted applications; the rules do get created & listed in the HIPS rules settings, as “Create rules for safe application” is checked.
Or did we miss something to understand?
May I know your:
1. Win version & system type (32bit/64bit)?
2. CIS/CFW version?

Thanks
C.O.M.O.D.O RT