Environment: Win XP Pro SP3, X32, no other security software running, Firefox V3.0.11
CIS: V3.9.95478.509 X32, fresh install (not upgraded), Proactive Security
Defense+ Settings menu: Clean PC Mode, Protected Files/Folders checked under Monitor Settings tab
My Protected Files|Executables group: *.EXE but not *.ZIP
Image Execution Control/Files to Check: Executables group
My Protected Files|Startup Folders: C:\Documents and Settings\username\Start Menu\Programs\Startup*
Computer Security Policy for firefox.exe: Custom Policy, Default Action for Protected Files/Folders = Ask, Allowed Files/Folders = none

Scenario 1:
Firefox|Tools|Options|Main tab|select “Save files to”=C:\Downloads
Download .EXE file.
There is no alert.
This is unexpected because *.EXE is included in Image Execution Control/Files to Check and My Protected Files.

Scenario 2:
Firefox|Tools|Options|Main tab|select “Always ask me where to save files”
Download .EXE file to C:\Downloads\ folder.
There is no alert.
This is unexpected because *.EXE is included in Image Execution Control/Files to Check and My Protected Files.

Scenario 3:
Firefox|Tools|Options|Main tab|select “Always ask me where to save files”
Download .ZIP file to C:\Documents and Settings\username\Start Menu\Programs\Startup\ folder.
Respond to alert with Block.
There is a zero-byte .ZIP file in the folder.
This is unexpected because the folder is included in My Protected Files.

To reproduce these scenarios, the user must remove Allowed Files/Folders in Firefox’s Computer Security Policy between scenarios. This is due to a bug reported here:
https://forums.comodo.com/defense_bugs/protected_folders_not_protected_after_download_of_any_exe_v3995478509_x32-t41327.0.html
I have confirmed that scenarios 1 and 2 are the same if *.part is added to the My Protected Files|Executables group.
This evidence contradicts the theory that adding *.part is a work-around; see https://forums.comodo.com/beta_corner_cis/comodo_internet_security_3975615498_rc2_bug_reports-t38617.0.html;msg283578#msg283578
My current work-around for this bug is to download on a limited-user account (LUA) and use a software restriction policy (SRP) to prevent execution by the limited user. This allows use of D+ Clean PC or Safe Mode while preventing execution by the limited user of downloaded files that are on the Comodo Safe List, which may not be safe for a child.
My thanks to Endymion and tcarrbrion for discussing this bug that was in the RC2 build.
Edit: updated the subject with the latest version where the bug was observed.