[Merged]CIS Auto Submitted Confidential PDF Files to Comodo[Fixed in Build 1236]

Well said panic, and I do agree that “this is a fail” indeed. Comodo should be able to resolve this issue very quickly because it makes the user very comfortable to turn the cloud back on. I believe the option shouldn’t be included in the Firewall Software package; this may be okay for the complete Comodo free version along with FW/D+/SB/CLD. And the user should have the option to either use the cloud or not use it, but we want better options.

panic is always very wise & I hope you’ve read all of the above discussion from the very beginning (important!)

As for “better options” … I can tell you what that may be … but I would rather borrow a helmet from Watasha and in addition will hide in a deep cave :smiley: :smiley: :smiley:
Cheers!

This case indicates that Comodo or at least the development team is not sensitive to user privacy. I also doubt how many current CIS users know this privacy issue.

I can only hope that any pdf documents uploaded have been destroyed and there’s no mishandling of the documents by Comodo.

This issue is currently being discussed at the highest levels.

Please bear with us until we have definitive information.

Ewen :slight_smile:

I think there should be some kind of malformation analysis for PDF and similar documents which will inspect documents on the host machine; if a file has some kind of irregularity in its header etc., it should be sent to the cloud; if not, there is no need for the cloud. E.g. here is one open source analysis application which is capable of analyzing PDFs: GitHub - joxeankoret/pyew: Official repository for Pyew.

P.S. maybe I’m talking rubbish, I am not a programmer, sorry
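
Added example, not part of the original post and not Comodo's or pyew's code: a minimal sketch of the local pre-check suggested in the post above, deciding on the host whether a PDF looks irregular enough to warrant cloud analysis. The function names, the list of flagged names and the sample byte strings are constructed for illustration.

```python
import re

# Name objects that mark active or auto-running content in a PDF.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                b"/Launch", b"/EmbeddedFile")

def _decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which can disguise a name (/J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def _has_name(data: bytes, name: bytes) -> bool:
    # Match the whole name only, so /JS does not fire on /JSFoo.
    return re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data) is not None

def triage_pdf(data: bytes) -> dict:
    """Heuristic byte scan. Names inside compressed object streams are not
    visible to it, so an empty result is not proof of a passive document."""
    findings = []
    header_at = data[:1024].find(b"%PDF-")
    if header_at == -1:
        findings.append("no %PDF- header")
    elif header_at > 0:
        findings.append("header not at offset 0")
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF marker near end")
    decoded = _decode_names(data)
    for name in ACTIVE_NAMES:
        if _has_name(data, name):
            findings.append(name.decode())
        elif _has_name(decoded, name):
            findings.append(name.decode() + " (hex-escaped)")
    return {"findings": findings, "needs_cloud_analysis": bool(findings)}

# Constructed samples: a passive document, one with auto-run script
# references (script body omitted), and one with bytes before the header.
CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
ACTIVE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n%%EOF\n")
PREFIXED = b"junk" + CLEAN

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("active", ACTIVE),
                          ("prefixed", PREFIXED)):
        print(label, triage_pdf(sample))
```
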

I raised this very same issue quite awhile ago, when I noted that Comodo’s “Cloud” features could automatically send to the cloud some “hybrid” files that contain both executable code AND sensitive/confidential user data. PDF with embedded Javascript is a perfect example, although the example I used was MS Word .DOC files with their embedded scripts.

By the way, I was labelled a “troll” and was accused of “spreading FUD” for raising this legitimate issue. Good to see I’ve been vindicated.

Also, at the time, somebody assured me that “hybrid” files would only be scanned LOCALLY by CAV, and NOT sent out of the machine. So apparently I was lied to.

In my opinion, turning the cloud off seems the best solution for now, and possibly forever. I love Comodo and CIS, but let’s get this fixed, for the folks who want to leave cloud turned on.

Unfortunately, not even that will help in the current version of Comodo, since it still connects to the internet even without explicit settings not to.

https://forums.comodo.com/format-verified-issue-reports-cis/cmdagent-resolving-dns-for-no-reason-bug-still-not-fixed-t68666.0.html

If disabling cloud isn’t going to be an answer (or a good answer for that matter)

Shouldn’t anything that’s a Confidential file or folder be password protected in the first place or use encryption with it too. <---- That would have solved the problem in the first place
Also if it wasn’t, Why was the confidential info not secure ???

just an idea (below)

A PDF can be encrypted to only open when a password is provided, or it can be encrypted so that a password is needed to edit or print the document. This setting can be changed or removed to allow for printing of an encrypted document.

If you won’t do either of them, then how important can they be to you. There are solutions, it’s just a matter of doing it. They’re all quick and easy solutions.

Disabling cloud is only an answer if users are well acknowledged that document files may be sent back to Comodo if cloud features are enabled.

It is more secure to have a password protected file to prevent data leak. However, it does not mean that Comodo has the right to auto submit private document files without user consent.

Can anyone have right to get your wallet if you don’t lock it up in your safe?

I think you guys are focusing on all of the wrong things, you are concerned that your private docs are going to comodo but what about all those other computers that you come into contact with everyday. At your bank, doctors office, work, etc who are using a less inferior security system and might already be infected with malware. Do you tell them that you don’t want your documents there? Living in today’s world you have to assume that sooner or later your data will be stolen by someone bad, so instead of focusing what comodo is doing with some PDF’s that might be infected be more concerned with the other information that is being leaked everyday that is totally unknown to you or in no way under your control.

Is it the only choice that CIS must submit private user documents back to Comodo without user consent in order to have a secure system?

I don’t think so. If that’s the only choice, I’ll not use CIS and recommend it anymore.

It is more secure to have a password protected file to prevent data leak. However, it does not mean that Comodo has the right to auto submit private document files without user consent.
Agreed, but until there's another option. The only solution I know is to disable the cloud feature and put a password on it. Encryption would be great, but not needed.
Can anyone have right to get your wallet if you don't lock it up in your safe?
I guess going through the airport in the United States and police, but that's another story. While I generally don't care if a topic starts going off course (I generally pretty going). I would like to keep this topic DIRECTLY on course because it is a concern to some people and you. Also I will do my best to make sure this topic doesn't drift off :-TU

That’s not a good way to look at the situation at hand. It’s just ignoring one problem because another similar “might” occur. What Comodo needs to do is allowing the user to opt out from sending back some file types as a most simplistic solution to the problem. I bet some thinking will yield much more elaborate solutions.

Is it the only choice that CIS must submit private user documents back to Comodo without user consent in order to have a secure system?
You have been offered a couple of solutions until another option becomes available. What more do you want, we know what your problem is and it's being discussed.

Hey all :slight_smile:

I have some suggestions how to solve when CIS is sending pdf/documents files. (I do want people also to understand why pdf files are getting sent. The reason why pdf files are sent is because malware writers take advantage of the pdf and can put their creation as pdf)

I know that sending files can easily be disabled by disabling the cloud scanner but some want to have cloud scanner on and here is my suggestion.

Solution

  1. Have a special exclusion box where the user tells Comodo this kind of file shouldn’t be sent even if they are unknown.

  2. (not that optimal suggestion) Give the user an alert when a file is about to get sent and give the user the option to refuse to send the current file that is about to get sent. (with this option you have to take the consistence if you get 100 pop ups or 10 because CIS doesn’t know the files)

If someone has a better/additional idea please write it here and be short if it goes :slight_smile:

Regards,
Valentin N

all I am doing is putting a little perspective on the problem. You all seem fine with putting your credit card info into a website that is secured by a comodo certificate but if some PDF or file that in reality is not some national secret gets submitted everyone has fits.

Hi Guys,

1st, keep in mind that the privacy issues regarding the files sent are not related only to the documents like PDF,
… Those are any type of documents and any type of files that potentially can be infected

Then, please see several notes here from me and puddingpants.
Not only this particular Comodo feature is involved. DACS for example has a big privacy concern.

a side note: [at] puddingpants
I do remember the case. Even without re-reading it again I have no doubts who would completely unjustly accused you of “trolling”.

=======

Hi languy99,

I don’t think so. That’s you who are shifting the scale.
We are talking about Comodo’s issue here.

If other institutions are using less “inferior security” and that is revealed - you either demand those companies of fixing a problem or stop dealing with them and move your business & private data to another company, that can protect you

… and again that is not PDF’s only…
So, nobody is “focusing on all of the wrong things”, as far as I (and other users) can see it

Hi Jay,

This idea is not workable in the context of what is being discussed here

Sure we can use encryption / passworded documents / archived-passworded folders with sensitive data (any type of files).
At the same time a few things have to be considered: neither sending such files outside nor scanning/analyzing them locally makes sense.
It is just waste of time and in many cases quite substantial waste. So you need to have a proper technique of exclusion of such data anyway

But what is more important:
If the initially raised issue is not solved - the user is back to the same problem as soon as the file/folder is decrypted/“un-passworded” in order to work with that sensitive data

My regards

Good suggestions :slight_smile:

Some ideas added for both 1) and 2)

  1. Default setting is no submission of these kinds of file but user can select to allow submitting these kinds of files.

  2. Further options can be added in the pop-up
    a. Submit the file
    b. Do not submit the file
    c. Submit the file and all future files of the same type without alert
    d. Do not submit the file and all future files of the same type

  1. Your perspective is about as useful as saying:

“Gosh, don’t worry about being conned, it’s being mugged that’s the big deal! You should protect yourself from that!”.

Both are important. You can only do so much to stop malware, but Comodo can (and should) change its policy on pdfs.

I don’t see why you should be surprised that people voice massive concern over their pdf’s being uploaded - it’s not for you to decide whether they are national secrets; they are private, and that is enough. A lot of people have private pdf’s on their flash drives, none of which Comodo should possess.

  2. Most bank accounts have departments dealing with theft of identity/money as a form of insurance against this type of risk. Your private pdf’s often don’t have that privilege.

In general I like these ideas. There are a few changes I would make, but then again when aren’t there. :wink:
Please start a wishlist topic.

I believe that Comodo will probably implement something like this. I just hope they do it sooner and not later. This issue will cause some people to stop using CIS, and I assume Comodo doesn’t want that. :wink:

While I personally have no PDF’s that would be a privacy concern, I can imagine situations when it could be. I see the point of this topic as the raising of a legitimate privacy concern. Do I think that Comodo is stealing my personal information? No (well at least probably not >:-D), but I still think there should be some sort of warning, or opt out option, before any files, which could have personal information, are uploaded. It’s just a question of privacy.

This goes for PDF’s, other documents, pictures, audio files, etc…

I hope everyone sees my point and doesn’t just think I’m trolling. ;D