A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, every time.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Create any executable file, e.g. “test.exe”
Create LNK-file containing a command like this:
%comspec% /c &
E.g.: %comspec% /c %windir%\system32\tcmsetup.exe /Q & test.exe
Take notice: the program “test.exe” is started without alerts and without restrictions.
Open the “Active Process List” and notice that the program “test.exe” is taken for a child process of “tcmsetup.exe” and therefore it has installer’s privileges
One or two sentences explaining what actually happened:
This is a critical fail of “Heur Cmd-Line Analysis”. Through this fail any virus can become trusted and be executed without restrictions.
E.g.: This command adds the file “test.exe” to trusted and executes it:
%comspec% /c %windir%\system32\tcmsetup.exe /Q & copy test.exe test2.exe /y & test2.exe
This command executes the file “arc.exe” several times:
%comspec% /c %windir%\system32\tcmsetup.exe /Q & for /L %n in (1,1,10) do arc.exe -ppassword
When the file “arc.exe” extracts and executes even a known virus, the virus becomes trusted and runs without restrictions
It is the simplest way to bypass Comodo HIPS, Auto-Sandbox and Antivirus together!!!
One or two sentences explaining what you expected to happen:
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Any software except CIS/OS involved? If so - name, & exact version:
Any other information, eg your guess at the cause, how you tried to fix it etc:
I had tried to block LNK-files on removable devices, but Comodo can’t do it.
B. YOUR SETUP
Exact CIS version & configuration:
Configuration: Proactive Security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
“Do not show antivirus alerts”: disabled
“Create rules for safe applications”: disabled
Auto-Sandbox: Enabled, default rule set
Firewall: Safe Mode
Have you made any other changes to the default config? (egs here.):
Have you updated (without uninstall) from CIS 5 or CIS6?:
Have you imported a config from a previous version of CIS:
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Win7x64SP1 (VMware), Admin, UAC is enabled
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
[attachment deleted by admin]