No alert for Firefox write to protected files/folders (V3.12.111745.560 X32)

Environment: Win XP Pro SP3, X32, no other security software running, Firefox V3.0.11
CIS: V3.9.95478.509 X32, fresh install (not upgraded), Proactive Security
Defense+ Settings menu: Clean PC Mode, Protected Files/Folders checked under Monitor Settings tab
My Protected Files|Executables group: *.EXE but not *.ZIP
Image Execution Control/Files to Check: Executables group
My Protected Files|Startup Folders: C:\Documents and Settings\username\Start Menu\Programs\Startup*
Computer Security Policy for firefox.exe: Custom Policy, Default Action for Protected Files/Folders = Ask, Allowed Files/Folders = none

Scenario 1:
Firefox|Tools|Options|Main tab|select “Save files to”=C:\Downloads
Download .EXE file.
There is no alert.
This is unexpected because *.EXE is included in Image Execution Control/Files to Check and My Protected Files.

Scenario 2:
Firefox|Tools|Options|Main tab|select “Always ask me where to save files”
Download .EXE file to C:\Downloads\ folder.
There is no alert.
This is unexpected because *.EXE is included in Image Execution Control/Files to Check and My Protected Files.

Scenario 3:
Firefox|Tools|Options|Main tab|select “Always ask me where to save files”
Download .ZIP file to C:\Documents and Settings\username\Start Menu\Programs\Startup\ folder.
Respond to alert with Block.
There is a zero-byte .ZIP file in the folder.
This is unexpected because the folder is included in My Protected Files.

To reproduce these scenarios, the user must remove Allowed Files/Folders in Firefox’s Computer Security Policy between scenarios. This is due to a bug reported here:

I have confirmed that scenarios 1 and 2 are the same if *.part is added to the My Protected Files|Executables group.
This evidence contradicts the theory that adding *.part is a work-around, see;msg283578#msg283578

My current work-around for this bug is to download on a limited-user account (LUA) and use a software restriction policy (SRP) to prevent execution by the limited user. This allows use of D+ Clean PC or Safe Mode while preventing execution by the limited user of downloaded files that are on the Comodo Safe List, which may not be safe for a child.

My thanks to Endymion and tcarrbrion for discussing this bug that was in the RC2 build.

Edit: updated the subject with the latest version where the bug was observed.
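To make the three scenarios above testable without a browser, here is a small harness (added here as an example; it is not from the thread, from Comodo, or from Mozilla). It models the two write patterns the thread argues about: writing a `.part` file and renaming it to the final name (the pattern Firefox uses for downloads, which is why `*.part` came up as a possible work-around) versus writing the final file directly. It also scans the target folder for the zero-byte residue described in scenario 3. The folder path and the `SAMPLE_PAYLOAD` are constructed placeholders; the self-check runs in a scratch directory so it never touches a protected folder.

```python
import os
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for a downloaded executable; it is NOT a real program.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62


def find_zero_byte_files(folder):
    """Return the names of zero-byte files in `folder` (the scenario 3 residue)."""
    return sorted(
        p.name for p in Path(folder).iterdir()
        if p.is_file() and p.stat().st_size == 0
    )


def simulate_download(target_dir, final_name, payload, via_part_file=True):
    """Write `payload` into `target_dir` the way a browser download would.

    via_part_file=True : create <name>.part, write, then rename to <name>
                         (the Firefox download pattern, as assumed here).
    via_part_file=False: open <name> directly and write.

    Returns a dict describing what was left on disk, so the tester can compare
    "no alert, file created" against "alert, zero-byte file remains".
    """
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    final_path = target / final_name
    result = {"final_exists": False, "final_size": 0,
              "zero_byte_residue": [], "error": None}
    try:
        if via_part_file:
            part_path = target / (final_name + ".part")
            with open(part_path, "wb") as fh:
                fh.write(payload)
            os.replace(part_path, final_path)  # rename .part -> final name
        else:
            with open(final_path, "wb") as fh:
                fh.write(payload)
    except OSError as exc:
        # A HIPS block on one of the calls usually surfaces as an OSError here;
        # the residue scan below shows whether a zero-byte file was left behind.
        result["error"] = str(exc)
    if final_path.exists():
        result["final_exists"] = True
        result["final_size"] = final_path.stat().st_size
    result["zero_byte_residue"] = find_zero_byte_files(target)
    return result


def run_self_check():
    """Exercise both write patterns in a scratch folder (never a protected one)."""
    with tempfile.TemporaryDirectory() as scratch:
        part = simulate_download(scratch, "sample.exe", SAMPLE_PAYLOAD, True)
        direct = simulate_download(scratch, "direct.exe", SAMPLE_PAYLOAD, False)
        # Constructed stand-in for the zero-byte .ZIP left behind in scenario 3.
        Path(scratch, "blocked.zip").touch()
        residue = find_zero_byte_files(scratch)
    return {"part": part, "direct": direct, "residue": residue}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Point this at the folder you want to test, e.g. the Startup folder
        # listed in My Protected Files, and watch for the D+ alert.
        folder = sys.argv[1]
        print("part-file pattern:", simulate_download(folder, "test.exe", SAMPLE_PAYLOAD, True))
        print("direct pattern:   ", simulate_download(folder, "test2.exe", SAMPLE_PAYLOAD, False))
    else:
        print(run_self_check())
```

Run it once against an unprotected folder to confirm the harness works, then against a folder listed under My Protected Files: if the part-file pattern completes silently while the direct write alerts (or vice versa), that pinpoints which call the HIPS is missing, which is the comparison asked for later in this thread.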

I forgot to ask this in the duplicate topic but as you mentioned you are using D+ CleanPC mode can you confirm that firefox.exe was not added (not listed in) to your pending file list?

Testing in D+ Safe mode will provide the same results as described in;msg283578#msg283578 once again.

I guess that before creating other bug report topics it would be reasonable to confirm your theories and evidence in the help boards.

I confirm that firefox.exe was not in My Pending Files. It was on the PC before installing CIS, and it had a D+ policy.

Please clarify whether you are reporting your experience with CIS V3.9.95478.509 or a theory. Maybe there was a change since the RC2 build.

Adding *.part to My Protected Files may indeed be a work-around for Safe Mode, but my experience above indicates that it is not a general work-around that applies to Clean PC Mode. I am hesitant to test Safe Mode because I don’t understand exactly what happens when switching from Clean PC → Safe → Clean PC Modes.

As a professional software developer, I appreciate the benefit to the developers with having a separate topic for each potential bug. It allows decisions about whether to fix each to be treated separately, and it forces separate descriptions of the steps to reproduce each. For the bug reporter, the benefit of separate topics is the reduced likelihood of a bug not getting fixed, as can occur when lumped in with another bug. Since I spent a lot of time creating reproducible scenarios, and I reported my specific experience rather than unconfirmed theories, I think it is reasonable to post as a bug report for the developers. I suspect that the developers do not have time to review all the help requests. Another reason why I post under the bug board rather than help board is to alert users about my work-around for a CIS vulnerability, assuming that users are less likely to check the help boards.

I would appreciate it if others would comment on this topic with their CIS experience, either to confirm mine or to show how the behavior changes with different settings. This will provide a more complete picture for the developers.

As incomplete or inaccurate bug reports can potentially impair developer efforts and time and in some cases also put forward unwarranted conjectures, as a user I would appreciate it if any professional developer who posts in these forums would at least reasonably confirm CIS behavior and overall design before filing a bug report.

It would be more reasonable to address some findings in help topics and eventually open a bug report at a later time once relevant information and details are confirmed. ;msg283578#msg283578
The above link is a description of what I reproduced not a theory, nor a conjecture. Other users can test and confirm/disconfirm the same settings and steps by themselves.

PS: please confirm you wiped out firefox cache before each firefox session.

A quick test with Firefox 3.5 RC and CleanPC mode, testing different download URLs with an exe above 3 MB, provides results similar to those I had for D+ Safe mode.

Although I recall that the old version in CleanPC mode with an empty pending file list would learn everything, it is not the case anymore, or maybe it never was.

It would help if you, as a professional developer, analyzed Firefox and confirmed which specific call and arguments are responsible for the exe creation that doesn’t trigger an alert, and in which way it differs from the ones that do.

After spending about 8 hours to experiment with CIS behavior and produce reproducible scenarios that target the issue, and after looking for bug board posts since V3.9.95478.509 was released, I believe I have put a reasonable effort in before submitting a bug report. I have a clear conscience that I acted in the best interest of all concerned.

If I understand you correctly, you propose as a general Comodo forum policy to post a topic in the help board before posting it in the bug board. I propose that we move further discussion of forum policies to another thread, as this is off topic.

I have Firefox configured to clear its cache when exiting.

I am a professional developer for embedded software. PC software and Mozilla software are different specialties. However, there are a lot of similarities in debug methodologies. I brought up the fact that I am a professional software developer to help explain why I empathize with the perspective of the developers, and why I try to support their efforts.

Indeed, since you created two similar topics (e.g. scenario 3 would be more appropriate if those two topics were merged) already, there would have been no point either in claiming you are a professional developer (although apparently restricted to non-Windows embedded systems and thus not including Windows Mobile or Windows XP Embedded) to motivate the duplicate topic.

Although if the bug report board ought to contain accurate bug reports and fewer bug lookalikes, it would help everybody.

It would make a great difference to read a topic that summarizes all salient aspects, reproducible by everybody, without having to read multiple posts/topics.

Then, assuming that there is no conflict involved, there ought to be an explanation to address the different behaviors we have described, and this means that there is something that is neglected in both our test cases.

But indeed at least testing different Firefox download configurations is no negligible detail as it could provide different results…;msg283578#msg283578

I retested with CIS v3.12.111745.560 today, and the same issue still exists.