Problems with explorer.exe, can anyone reproduce/confirm?

Can anyone reproduce this problem?

Basically what I did was install Comodo, all settings at default. Then I double-clicked on a pre-installed program and I got the popup: Explorer.exe is trying to do X, it can be considered safe.

I should not be getting this popup

I get it in both Safe-PC and clean PC mode

1. CPU (32 bit or 64 bit): Both
2. Operating System information (including Service Pack Version): ALL
3. Actively-running security and utility applications (Optional if you post a Comodo Firewall Pro Configuration Report): only Comodo Firewall Pro
4. Specific symptoms of the bug, and steps you can take to reproduce it (step by step):
   Symptoms: There are 2 parts to this bug report.
   1. Even though Explorer.exe should be on the trusted list by default, it shows pop-up dialogues anyway in both clean-pc and safe mode.
   2. If I accidentally choose "isolated" application, the computer will get locked down and become unusable.
   To reproduce: Although explorer.exe should already be in the trusted list, it pops up with a question. From the pop-up select "isolated application".
5. Specific steps you have taken to try to resolve it: Reboot into safe mode, try to change it there, or remove and reinstall Comodo from safe mode
6. Brief description of your Defense+ and Firewall+ mode (Custom, Train with safe) plus mention if you modified any setting in ADVANCED section of D+ and F+ (Optional if you post a Comodo Firewall Pro Configuration Report): Cleanpc. Safe mode
7. If your PC reboots or you have a BSOD post in BSODs: Please add your minidump files here: n/a
8. Report if you are using an Administrator account or a Limited User account. Vista users please report if you have UAC Disabled or Enabled (Optional if you post a Comodo Firewall Pro Configuration Report): doesn't matter, always same result

explorer.exe is treated as Trusted app by default.

Policy [Trusted Application] is defined as

Access Right 0: { Interprocess Memory Access } Default Action: Allow
Access Right 1: { Process Terminations } Default Action: Allow
Access Right 2: { Windows Messages } Default Action: Allow
Access Right 3: { Windows/WinEvents Hooks } Default Action: Allow
Access Right 4: { Protected COM Interfaces } Default Action: Allow
Access Right 5: { Phyisical Memory } Default Action: Allow
Access Right 6: { Disk } Default Action: Allow
Access Right 7: { Keyboard } Default Action: Allow
Access Right 8: { Computer Monitor } Default Action: Allow
Access Right 9: { Protected Files/Folders } Default Action: Allow
Access Right 10: { Protected Registry Keys } Default Action: Allow
Access Right 11: { DNS Client Services } Default Action: Allow
Access Right 12: {Device Drivers Installations} Default Action: Allow
Access Right 13: { Loopback Networking } Default Action: Allow



This policy will trigger an alert when the assigned app starts an executable.

The policy to remove these alerts is Windows System Application.

Policy [Windows System Application] is defined as
-----------------------------------------------------------------------------------------

Access Right 0: {      Run an Executable     }	Default Action: Ask
[0]  Allowed:	*

Access Right 1: { Interprocess Memory Access }	Default Action: Allow
Access Right 2: {    Process Terminations    }	Default Action: Allow
Access Right 3: {      Windows Messages      }	Default Action: Allow
Access Right 4: {   Windows/WinEvents Hooks  }	Default Action: Allow
Access Right 5: {   Protected COM Interfaces }	Default Action: Allow
Access Right 6: {      Phyisical Memory      }	Default Action: Allow
Access Right 7: {            Disk            }	Default Action: Allow
Access Right 8: {          Keyboard          }	Default Action: Allow
Access Right 9: {      Computer Monitor      }	Default Action: Allow
Access Right 10: {   Protected Files/Folders  }	Default Action: Allow
Access Right 11: {   Protected Registry Keys  }	Default Action: Allow
Access Right 12: {     DNS Client Services    }	Default Action: Allow
Access Right 13: {Device Drivers Installations}	Default Action: Allow
Access Right 14: {     Loopback Networking    }	Default Action: Allow

Every alert offers the chance to change the policy of the triggering app.
explorer.exe execute alerts are no exception.

If you wish to submit further feedback on this design, PM a mod to move this topic to the Feedback board.
If you wish to suggest a specific alternate design, please submit your suggestion to the CFP wishlist topic.

ahh that clears some things up.

thanks!

Do you have any idea how Comodo decides which options to show?

As you can see in Gibran's post, Explorer.exe must ask you whether to allow it to run another executable.

If you want to change this, make explorer.exe custom access rights. I don’t recommend you do this though…

Predefined policies in "Treat as" dropdown boxes are filtered to show only the ones that can allow or block the required action.

E.g. if the action is execute, only policies that allow or block the execute action will be displayed in "Treat as".

I wouldn’t touch that setting with a 10 foot pole :stuck_out_tongue:

So this pop-up is normal when executing a .exe that Comodo has not seen yet, regardless of setting clean-pc/safe/training?

I understand

Training won’t, Clean PC won’t if it’s a file that was on your computer before you switched to Clean PC mode.

Update will, Paranoid will, Safe will.

You could find all of these answers in the help manual (:HUG)

Edit: You can also have a look in the predefined policy to see what the access rights are.

Comodo → Defense+ → Advanced → Predefined; Double click Policy, Access rights.

I’ve not tested this and this behaviour could be slightly changed among CFP releases, but IIRC Microsoft digitally signed apps could not trigger an execute alert.
I guess safelisted apps could do the same (e.g. notepad). Anyway, this design could be changed in future.

The trusted application policy will change to a custom one as soon as the user adds an application to the explorer.exe execute list.

This way it would be possible to enable CFP Parental Control and prevent other users from running unspecified apps.

Parental Control offers an option to silently block any alert by default.
Thus in that mode only previously allowed apps can be executed.

Changing explorer.exe default to Windows System Application will prevent this chance if CFP Parental Control is enabled.

Yeah, I read the manual before posting.

Can anyone reproduce this:

-Clean PC
-Install Comodo, don't do the malware scan
-PC should be in clean mode
-Switch to safe mode, and open a previously un-opened program
-Switch back to clean mode and open a previously un-opened program

Does the pop-up show up now? IIRC it does.

You might have hit the nail on the hammer there.

The applications I was testing are 100% NOT pre-trusted/safe. These were basically compiled 5 minutes before installing Comodo.
Yes, they were on the PC. No, Comodo does not know they exist.