Ok. I get that opening a PDF from a USB drive could be considered dangerous… I’m posting here because the most recent discussion about CIS and PDF files is a year old. I don’t see any sort of resolution, but neither do I see other posts talking about the problem I’m seeing, so I’m going to assume that there must be something wrong on my end…
Now to the problem. When I open a PDF from a USB drive, I get what must be 30 (40, 50, more?) alerts saying that “Modifying the user interface of another application…” It does this for EVERY program I have open - IE, Firefox, Chrome, Media Player, Explorer, Powerpoint, RealSched, CCC, AvastUI, ad nauseam. As stated above, I understand that PDFs might be malicious (though these are ones I created myself) but am I really expected to believe that Acrobat Reader is making 22 calls to modify the user interface of Media Player!!!
I have to click “Cancel” over, and over, and over, and over before CIS worrying about it.
At any rate, you brought something home from the lab. The last time my daughter brought something home from the lab she brought a couple of viruses home with her.
I use Microsoft Security Essentials and MSEC did not detect that a virus was trying to ransack my system until I actually ran the exe files from my thumbdrive. However Defense + immediately alerted me to the fact that something strange was trying to modify the interface of almost every process I had running.
That’s remarkably similar to what you reported. I have been a loyal Comodo user since.
I will say that the malicious files on my daughter’s thumb drive were hidden, and their icons were replicas of the Windows Media Player icon. The exe files were disguised to look like movies so you’d click them. (Of course if you have extensions enabled you can’t be tricked that way.) I knew before I clicked them that they had to be malicious. Maybe you want to enable hidden files on your thumb drive and see.
The only other time I have had a program try to modify the interface of numerous programs and Comodo alerted me to it, it was a virus.
The best thing to do is to disable all autorun facility from all removable devices in the first place. That will keep the majority of the majority of the majority of viruses that use that transmission vector at bay.
Finally, all hidden files and extensions should be displayed in folder view. If you see an autorun.inf appear in the directory listing of your thumb drive you’ve been compromised (unless you put it there). The thumb drive should immediately be scanned by Comodo (as there’s probably something flakey on there).
As far as launching PDF from removable:
I got one sandbox alert, as soon as I said “never isolate this again”, I never got another sandbox alert for any other PDF on the removable drive. This is probably due to CIS scanning the PDFs - and finding them safe - in the cloud though (auto add to trusted files).
Each PDF opened on the drive wanted to launch AcroRd32 (and it would create a rule for each specific PDF too if I’d let it).
Then each PDF wanted to modify file:
%windir%\debug\UserMOde\ChkAcc.log
The modify user interface is actually a Windows Message, and only happened when opening multiple PDFs on removable drive. Most often it wanted to modify user interface for Explorer. Although it did hit CFP once too. I never got user interface modifications to any other image that was executing (or PDF that was open though). Probably because my AcroRD32 allows Windows Messages to / from itself.
Those user interface alerts must be fairly benign because CIS sets the resource access level to ‘allow’ if you ‘remember’ one of those alerts. But it never actually ‘remembers’ it just changes the access to ‘allow’ and never asks you again.
I got ‘access COM interface’ alerts for the various PDFs when I began to close them.
The long and short of it is to copy the thumb drive to a HDD and access the files from there. Saves a lot of hassle and CIS rule generation.
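The manual checks suggested in the thread (look for an autorun.inf on the thumb drive, and for hidden executables) can be scripted. This is an added example, not part of any post above; the function names, the extension list and the dot-prefix fallback used where Windows file attributes are unavailable are assumptions of the example.

```python
import os
import stat
import sys

# Assumption: extensions treated as "runs when double-clicked" for this example.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# autorun.inf keys that name a program to start; shell\<verb>\command is matched by suffix.
LAUNCH_KEYS = ("open", "shellexecute")

def is_hidden(path):
    """Windows 'hidden' attribute; dot-prefix fallback where attributes are unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")

def autorun_targets(path):
    """Return the commands an autorun.inf asks Windows to launch."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()  # comment lines start with ';' and never match
            if sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def scan_drive(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf":
                findings.append((rel, "autorun.inf present"))
                findings += [(rel, "launches " + t) for t in autorun_targets(full)]
            elif ext in EXEC_EXTS:
                reason = "hidden executable" if is_hidden(full) else "executable"
                findings.append((rel, reason))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python scan_drive.py E:\   (drive letter is an example)
    for rel, reason in scan_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:45} {rel}")
```

A finding is a prompt to scan the drive, not a verdict: a plain "executable" entry may be something you put there yourself.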