Malware Quarantined With Only HIPS Enabled Are Still Able To Run [M1021]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1: Make sure AV is set to auto-quarantine detected threats.
    2: Then disable the AV, disable the Behavioral Blocker, and set the HIPS to Safe Mode.
    3: Download Zemana AntiLogger from this page (password is zemana).
    4: Run Zemana AntiLogger by double-clicking it.
    5: Note that now CIS detects it and sends it to quarantine. However, Zemana AntiLogger is still allowed to run if HIPS alerts are allowed.
  • If not obvious, what U expected to happen:
    If it is detected as dangerous it should not be able to run from quarantine.
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    A video showing this issue, along with other configurations, can be seen here:
    - YouTube

  • Exact CIS version & configuration:
    CIS 7.0.317799.4142

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Antivirus: Disabled
    Auto-Sandbox: Disabled
    Hips: Safe mode.
  • Have U made any other changes to the default config? (egs here.):
    No, it is at default
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    No, this was a clean install in a clean system.
    - if so, have U tried a clean reinstall - if not please do?:
      Yes, but the same problem was shown
  • Have U imported a config from a previous version of CIS:
    - if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    8.1 u1 64bit, UAC disabled, administrator, no v.machine
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
    a=None b=None

I’m a little bit confused. Can you please explain in words the issue you are experiencing.


I have CIS installed with these settings:
Antivirus: Stateful
Auto-Sandbox: Full Virtualized
Hips Safe mode.

Then I try to run the malware; the AV module quarantines it and stops execution. This is OK.

Now I disable the AV and try to run the malware again; the malware is quarantined and its execution is stopped by the cloud.

Lastly, I disabled the Sandbox and tried to run the malware; now Comodo detects it and sends it to quarantine, BUT THE MALWARE RUNS FROM IT (you can see this in the video at 0:23).

I think this bug is more dangerous for Firewall (no AV module) users.

What happens if you just follow these steps?

1: Disable AV and disable the Behavioral Blocker, leaving the HIPS turned on.
2: Run the malware by double-clicking it.

Does the malware get detected at all? If so, what are the results?


Comodo detects it and sends it to quarantine, BUT THE MALWARE RUNS FROM IT

Would you agree that this is the same issue as the one reported in this bug report (which was moved to Rejected which caused This Wish)?

Edit: After watching the video again I think they are not the same but maybe related.

This is certainly strange behavior, and I think is worth submitting to the devs for consideration. However, please edit your first post so that it is in the format provided here. Just copy and paste the code into your post. Then replace the question marks with your responses. You can use preview to see what it will look like.

Once I have the information in that format I can better understand this issue. It will also make sure that the devs have enough information to fully replicate this.

Let me know if you have any questions.

Thank you.

Now it’s OK?

Thank you. It looks very good. I made some changes to the first post. Please look it over and make sure that it still accurately reflects this issue.

Also, I had a question. Does this same behavior occur even if you reboot the computer, disable the AV and BB, and then run the malware? I want to make sure that this issue is not specifically related to the way in the video that you first ran with all 3 active, then you disabled the BB, then you disabled the HIPS. I want to make sure that if the devs test by disabling the AV and the BB they will be able to see the behavior.


b152, please see the comments in my previous reply. Is the first post still correct, and can you please comment on my question about whether it replicates just by using the HIPS only from the beginning? I need to clarify this before forwarding this to the devs.


Yes, the issue persists changing settings before reboot.

In that case, just to be very clear as I am ready to forward this to the devs, is everything in the first post (including the steps for reproduction) entirely correct?

Also, and I’m sorry I did not notice its absence earlier, but could you please create and attach a diagnostics report to your first post?


It will not be possible, since I had to uninstall CIS because of stability issues.

  1. Memory drain (like this)
  2. And full system frozen excluding mouse.

I’d rather not forward this yet then, as this issue may be related to the other issue. Let’s first focus on the freeze, and if that can be fixed we’ll come back to this bug report. For the time being I will move this bug report to the Incomplete Issues section, if that’s okay with you.

As for the freeze issue, was that happening the entire time, or did it start after a while?
Also, if you have not already, please try reinstalling by following the advice I give in this topic and let me know if that is able to solve this issue with the freeze.

Let’s continue from there.


My installation is a clean installation in a clean Windows.
I never waited more than 5 minutes, but this freeze issue looks like my issue.

I’m sorry, but something seems wrong with your link. Please provide a new link to the bug report which mimics what you are experiencing.


I’m sorry, but that is not a link to a bug report. You had mentioned that there was another bug report which showed the same issues you are having. Could you please provide a link to that?


Does this line also describe the issue you are experiencing?

When it freezes it does sometimes get a little better over time, but this may take about 10 minutes sometimes. However, it is never fully usable.
Also, on your computer does it also happen at random, and not every time?