Option to enable/disable safe signature via AV database

1. What actually happened or you saw:
CIS/CFW/CAV checks the Hash of every application against an Internal Hash Whitelist.

2. What you wanted to happen or see:
I wanted to have an option at File Rating settings to enable/disable such Internal Hash Whitelist in Comodo, even for those running CIS/CAV.

3. Why you think it is desirable:
Users running a Customized Vendor List with Cloud Lookup disabled may desire more control over what is allowed to run on their computer.

4. Any other information:
No.

If you would like to only use a custom version of the Vendor List without using the File Cloud Lookup to determine if a file is trusted or not, you can do so by disabling the Cloud Lookup and setting vendors you do not want trusted to Untrusted (not removing them).

For example, if you would like to untrust Baidu software, you can set all instances of vendors with the name of “Baidu” to ‘Untrusted’ in the vendor list.

Thus depending on your Auto-Containment settings, it will contain the software.

Note, if you have run the file before you have made these changes, then the file may be already set as Trusted in your file list. So you should look through your file list and remove (or set as untrusted) any instances of it.

Future executable files by Baidu will then be untrusted.

Yes, but there is still an internal hash whitelist check done by CIS/CAV/CFW which is independent from the way Cloud Lookup and the Vendor List are configured, so it might still trust a software that is whitelisted this way. For users wanting to have better control over what is allowed to run on their system, an option for enabling/disabling such an internal hash whitelist might be the best approach.

How do you know that there is a hidden File Hash white list for non-CIS/Windows files (separate from what is accessible from the ‘File List’ option)?

Also the example used with Baidu PC Faster installer. If the cert is not on the Vendor List and Cloud is disabled, it should be treated as Unknown. By using Resource Hacker to change the installer executable’s hash (I just deleted the string related to its icon) it was then treated as Unknown, so we can assume CIS trusted it before due to its hash.

I had decided to test Baidu PC Faster Installer.

When disabling cloud lookup and changing all Baidu vendors to Untrusted, the file was contained.

So I was unable to reproduce what you have come across. I can only assume that:

a) Not all instances of Baidu were set to ‘Untrusted’ in the vendor list
and/or
b) Not all instances of files within the setup file, including the setup file, were removed from the ‘File List’ before testing
and/or
c) Your Auto-Containment settings are set up in a way that allowed the file to run

As for the whitelist. Yes, once the Cloud Lookup has been queried once already for a file, that file hash is then placed onto your system for future offline checks. The file can be removed from the ‘File List’. This is why I say you need to also remove it from the ‘File List’ before checking (and follow my previous steps above).

Can you test again without setting the Baidu cert to Untrusted? E.g. just removing it from the Vendor List, with Cloud disabled?

Also the Cloud Lookup of my CIS installation never queued Baidu PC Faster Installer against the Cloud, since disabling Cloud Lookup is something I always do first when installing CIS.

If the cert is removed and Cloud is disabled, the rating should always be Unknown. This is true to CIS/CFW/CAV since way back in older versions.

Also the example provided with Baidu PC Faster happens as far as CIS V7.

I can give you another example.

I removed SurfRight (HitmanPro cert) from Vendor List (without marking it as Untrusted). Removed HitmanPro executable from Comodo File List, with Lookup disabled.

When running HitmanPro, guess what happened? It was treated as Unknown and thus blocked by Containment. So like I said, if you remove a cert from Vendor List with disabled Cloud Lookup, it should always be treated as Unknown.

EDIT: My Auto-containment rules are always the default for Proactive configuration, except that I change Run Virtually for Unknowns to Block Unknowns.

I have tested as suggested and again it is contained.

Have you tried the PC Faster Installer from Softonic?

Have you removed the certificates from Vendor List without making them Untrusted?

The Internal Hash Whitelist was already confirmed by Futuretech and also by Staff member Metheni.

The examples provided with HitmanPro and Baidu PC Faster happened with multiple versions of CIS, on multiple computers. Way before the feature to make certificates Untrusted was introduced.

IDK it just looks bad for you to go against what a moderator well known for its knowledge of CIS internals and also a Comodo Staff Member already confirmed on quoted posts.

I feel like you are just trying to promote yourself or something like that. Feels bad man. :-TD

You appear to be confusing what is being said by different people.

Yes

They were removed, however they were set as Untrusted before being removed.

Regardless, if setting the Vendor as Untrusted blocks the file, then this is a solution in regards to the PC Faster Installer as was already explained above.

Once again, this is why I have stated that you should remove previous instances of the file from the File List.

As I say, with regards to PC Faster Installer, I have already tested it and it can be contained by using the Trusted Vendor list and disabling Cloud Lookup.

Finally, again when testing PC Faster Installer you should follow the steps I originally included above. It would appear you may not be doing so.

So you are basically confirming you have not done the same steps as I have done, hence why you can’t achieve the same result.

You are afraid of removing the certificates without making them Untrusted, just so you can make your flawed argument valid.

I will stop right there. I don’t need to say anything to prove you wrong anymore, because you are going against what Metheni and Futuretech said, just to make yourself look better in trying to deconstruct my arguments.

“Two things are infinite: the universe and human stupidity. But, as far as the universe is concerned, I’m still not sure … Albert Einstein”

Once again you don’t seem to be understanding what people are telling you.

Metheni has clearly stated that running a file results in a hash and vendor check. Once again, this is why I state that the file should be removed from the local File List before testing and the file in the trusted Vendor List should be set to Untrusted.

I think that it may better serve you if you more carefully read what each person is saying to you as to lower the chance of misunderstanding the context.

If you accept that setting the file in the Trusted Vendor list to Untrusted works, then there is no need to remove the vendor in order for the file to be blocked.

And what? What you said right now is off topic, one could argue that removing unneeded Certs from TVL improves CIS resource consumption, makes the GUI load faster, etc. I always noticed less impact on my systems when removing unneeded certs.

So you bring something that is entirely off topic just to go against what a moderator and a Comodo Staff member said, that in fact there is an internal hash whitelist in Comodo?

I see that you are the one that suggested Comodo to introduce the feature of Untrusting certificates from the List, this alone is proof you are trying to make my Wish not be implemented just so people will use the feature you asked Comodo to introduce.

Feels really bad for you. It’s really bad that people can’t voice their opinions here just because Lord Reece thinks he is the owner of Comodo Forums. ;D ;D ;D

Again, you are failing to understand what people are saying.

You appear to want to use the Vendor List whilst Disabling Cloud Lookup because you think that the internal whitelist is not allowing you to block a file per your example given of PC Faster when using the Cloud Lookup disabled and Trusted Vendor list configuration. Therefore I have taken your example application and informed you of how you don’t need to disable any internal whitelist to block the example that you have given in your original post.

I see that you are the one that suggested Comodo to introduce the feature of Untrusting certificates from the List, this alone is proof you are trying to make my Wish not be implemented just so people will use the feature you asked Comodo to introduce.

Once again, you fail to understand the situation. If you had bothered to read that suggestion topic that I created, you would know that it has now already been introduced into the latest version of CIS. Therefore clearly I am not trying to get people to support it further ha ha.

And who said that I am forced to use the feature you asked for implementation? I see it as entirely unneeded since removing the certificates from Vendor List and disabling Cloud Lookup is enough for making a file be rated as Unknown.

This alone makes the feature you asked for a moot feature, and a useless one.

I am not forced to use Comodo software the way you want me to use.

The only one here failing to understand what others say is you who tried to go against what a Comodo staff said about CIS internals.

What you said in the quote is also proof that you are nothing more than a Troll, and a really bad one at that. Try to improve. 8)

I'd like to clear things up here: yes, if you remove a vendor from the vendor list and have file lookup disabled, then applications signed by that removed vendor will be considered unrecognized. If you set vendor to unrecognized even with file lookup enabled, then applications will still be rated as unknown that are signed by that vendor.

Now on to the wish itself: it isn’t a file hash but more of a file signature, the same type of signature the AV uses to detect malware, and various types of signatures are stored in .cav files. Some examples of cavse signature detection of a trusted file and a malware.
Locky malware:

"cavse": { "timestamp": "2019-12-13T15:54:43.984Z", "avdbver": 31730, "type": "malware", "heurLevel": 0, "sigid": 380248645, "name": "TrojWare.Win32.Ransom.Locky.DB[at]380248645" }

A signature for an older version of Firefox:

"cavse": { "timestamp": "2017-08-17T15:03:42.637Z", "avdbver": 27613, "type": "white", "sigid": 12947726590739754918 }

Currently there is no way to disable file signature detection for trusted files. I think before it required to have the AV installed, but it seems to be in effect without installing the anti-virus component.

Also please do not attack each other or be disrespectful, I believe you both in a way are agreeing with each other in how to change file rating behavior by setting CIS in different ways. Also this signature detection is independent of digitally signed applications and the vendor list, as an application that is not digitally signed can be trusted by the whitelist signature.

https://forums.comodo.com/news-announcements-feedback-ccav/comodo-cloud-antivirus-v18407941426-released-t117992.0.html;msg850157#msg850157
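An added example, not part of any post in this thread and not Comodo code: it parses the two "cavse" fragments quoted above and lists the files whose only source of trust is a "white" signature, which is the case the wish is about. The inventory layout, file names and vendor flags are assumptions constructed for the example.

```python
import json
import re

# The two "cavse" fragments as pasted in the post, forum BBCode included.
LOCKY = '"cavse": { "timestamp": "2019-12-13T15:54:43.984Z", "avdbver": 31730, [b]"type": "malware",[/b] "heurLevel": 0, [b]"sigid": 380248645,[/b] "name": "TrojWare.Win32.Ransom.Locky.DB[at]380248645" }'
FIREFOX = '"cavse": { "timestamp": "2017-08-17T15:03:42.637Z", "avdbver": 27613, [b]"type": "white", "sigid": 12947726590739754918[/b] }'

BBCODE = re.compile(r"\[/?[bi]\]")  # forum bold/italic markers only

def parse_fragment(text):
    """Strip BBCode, wrap the bare key in braces, return the cavse object."""
    return json.loads("{" + BBCODE.sub("", text) + "}")["cavse"]

def signature_verdict(cavse):
    """Map a cavse record (or None when no signature matched) to a verdict."""
    if not cavse:
        return "none"
    kind = cavse.get("type")
    if kind == "white":
        return "whitelisted"
    if kind == "malware":
        return "malware"
    return "other"

def trusted_by_signature_only(files):
    """Names of files with no trusted vendor but a matching white signature.

    `files` maps a file name to {"vendor_trusted": bool, "cavse": dict|None};
    this layout is an assumption made for the example.
    """
    return sorted(
        name for name, info in files.items()
        if not info["vendor_trusted"]
        and signature_verdict(info["cavse"]) == "whitelisted"
    )

# Constructed inventory: file names and vendor flags are made up.
INVENTORY = {
    "old_firefox.exe": {"vendor_trusted": False, "cavse": parse_fragment(FIREFOX)},
    "locky_sample.bin": {"vendor_trusted": False, "cavse": parse_fragment(LOCKY)},
    "unsigned_tool.exe": {"vendor_trusted": False, "cavse": None},
}

if __name__ == "__main__":
    for name in trusted_by_signature_only(INVENTORY):
        print(name, "is trusted by whitelist signature alone")
```

The white sigid shown above is larger than a signed 64-bit integer, so a parser that stores JSON numbers as doubles or signed 64-bit values would corrupt it; Python's integers keep it exact.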

As for my original question which is still unanswered, how do you know that there is a hidden File Hash white list for non-CIS/Windows files?

Have these whitelisted files been cross referenced to be non-Windows/CIS?

I originally asked this as I knew there would be confusion going forward as to which files would be referenced in this whitelist thus potentially confusing the issue.

Without knowing which files are in the whitelist, it is potentially more difficult to know if they are interfering with anyone’s Vendor List settings or not, thus if the request is realistically needed or not.

This has been my point from the start ha ha.

Read the post by Umesh that I linked above. Also, if you look up hashes with Valkyrie verdict, you will see signature based detection say clean like this example.

Also another example of using a cavse signature.

He keeps ignoring all evidence that is brought upon him just because it is more convenient to his interests. I gave up in trying to explain already, I am going to ask some friends who are Comodo users to vote for this Wish and also to vote for No in all the Wishes created by this guy, even those created in the future.

EDIT: With that being said, I would like to apologize to YOU Futuretech, all the moderators and Comodo staff for my behavior in this thread. If you feel I need to be punished I will gladly accept it.