Programs getting around the Behavior Blocker

Some programs are not being intercepted by the behavior blocker at all. The only option I have checked in the file rating settings is the trusted vendors option, and my trusted vendors list has only vendors I've added manually. But programs that I would expect to be virtualized because they're unknown are executing as if COMODO doesn't even exist. A couple of examples of these programs are pgcdemux and Kega Fusion. Neither of these programs is digitally signed, and they are also not on my trusted files list.

Most unknown programs do get intercepted by the behavior blocker; I just can't figure out why some don't, despite being very uncommon and not digitally signed.

Can you post a screenshot of your Defense+ logs?

I can't at the moment since I just recently cleared them when I was testing something, but they don't show anything about those programs that the behavior blocker ignores anyway. The only Defense+ events that are logged are the ones that activate the behavior blocker.

If you've made rules for the specific applications prior to disabling the Trusted Vendors List, then these rules are probably still the ones used for the specific applications. If you haven't made rules for them prior to disabling TVL, or even after, then I don't know.

You probably have the cloud lookup enabled and through that the individual executables may be whitelisted.

Another loophole would be the option to trust executables from Trusted Installers.

Please check Trusted Files for the programs you mentioned and remove them. After disabling the above functions you should have control back.

I actually have the trusted vendors list enabled. I've removed every application from the trusted files list and restarted my computer, and those certain programs still bypass the behavior blocker.

It also can't be because of the cloud lookup, because the only option I have enabled in the trusted files settings is the trusted vendors option, so Trusted Installers is also disabled. Would it matter anyway, though? The programs I'm talking about aren't really common, plus they don't even have a digital signature.

Most unknown programs do prompt the behavior blocker; just a few certain programs don't, like the ones I've mentioned.

I could be very wrong, but it was always my understanding that there was a built-in list of non-signed safe files in the database. For instance, WinRAR is unsigned and CIS recognized v3.93 as safe, but when 4.0 was released I updated that day and it was flagged as unrecognized.

I assumed there was a list of unsigned safe files checked against an MD5 checksum or other hash???

Something is at work somewhere. ;D I just tested around 10 very popular apps (unsigned) and all were allowed. Then I went to www.snapfiles.com and sought out about the same number of old and obscure software. All of those were sandboxed off the bat. I must say it's surprising Kega Fusion would be one. Then again, when was the last time that was updated? A long time ago, I would wager.

I did some testing with this version of PGC Demux, and it is only with the cloud lookup enabled that it gets recognised and trusted. It is not on a local database of trusted files.

Please double-check your configuration and the steps you take.

I’m only looking for knowledge EricJH. If I were trying to pick an argument it would not be with you. There was no contact with servers at all.

Unless it got piggybacked on 443

If you're right, let me know. If I'm wrong, I've got a helluva bug . . . . . ;D

I don't think you were looking for an argument. I tried to reproduce the topic starter's findings, but I could not.

I just did some more testing, and when I turned on all the options in the File Rating Settings and restarted my computer, applications like pgcdemux were now listed in the trusted files. So that seems to be expected, but when I disabled all of the options except the Trusted Vendors option, then cleared my Trusted Files list and restarted, it was behaving like before, with pgcdemux bypassing the behavior blocker despite not being on the Trusted Files list and not having a digital signature.

This is also happening with programs such as HashCalc, KProbe2, Mpeg2Schnitt and Kega Fusion. Despite most File Rating Settings being disabled besides the Trusted Vendors option, it seems like the behavior blocker is still doing a cloud lookup on them and allowing them. If that is the case, I would expect the files to be added to the Trusted Files list, but they're not. What I also don't get is why it's happening with only certain programs.

I noticed with more than one security program that even if you clear your lists or rules, certain things you had previously trusted will still be treated that way. How or why that happens, I have no idea.

I'm not sure. Just one example is I downloaded:

Both portable apps. I tested this on 5.12 and v6.

Disabled the internet and first ran VLC (which is not signed).

No problems. Not sandboxed on either version. On 5.12 it was added to the safe files list. On v6 it was not, but it was still allowed to run.

Then I ran Kataris Media Player, and on both versions it was sandboxed.

So somehow it recognizes certain programs as safe and does not recognize others.

I just tried Kega Fusion 3.64 and it was sandboxed here.

CIS comes with a hard-coded list of trusted applications that cannot be viewed. That would explain the differences in your findings between v5 and v6.

There is something peculiar happening on your system.

The first thing to do is to make sure there are no leftovers of previously installed security programs around. Please run clean-up tools for every security program you ever had installed. You can find a list of such tools here: ESET Knowledgebase.
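The rating chain the thread keeps circling (user Trusted Files, Trusted Vendors, a hidden built-in list, cloud lookup) as an added Python model. This is not Comodo's code and does not claim to be CIS's real evaluation order: the sample "executables" are byte strings standing in for files, and the signer names, allowlist contents, hash choice (SHA-256) and the order of checks are all constructed assumptions. What it shows is the situation described above: a file with no signature and no Trusted Files entry can still be allowed by a list you cannot see, and recording the reason next to the verdict is what tells you which rating source let it through.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash file contents; every allowlist below is keyed by SHA-256 (a constructed choice)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables on disk (bytes instead of real PE files).
SAMPLES = {
    "pgcdemux.exe": b"constructed: unsigned but present on the hidden built-in list",
    "kataris.exe": b"constructed: unsigned, obscure, on no list at all",
    "signedtool.exe": b"constructed: carries a vendor signature (see SIGNERS)",
}

# Constructed signer metadata: file name -> signer; absent means unsigned.
SIGNERS = {"signedtool.exe": "Example Vendor Ltd"}

# Hypothetical hidden built-in allowlist: hashes only, not viewable or editable by the user.
BUILTIN_ALLOWLIST = {sha256_hex(SAMPLES["pgcdemux.exe"])}


@dataclass
class RatingSettings:
    """Which File Rating options are on, plus the lists each one consults."""
    trusted_vendors: bool = True
    cloud_lookup: bool = False
    user_trusted_files: set = field(default_factory=set)  # hashes the user added
    vendor_list: set = field(default_factory=set)         # signers the user added
    cloud_known_good: set = field(default_factory=set)    # constructed cloud verdicts


def rate(name: str, data: bytes, s: RatingSettings) -> tuple[str, str]:
    """Return (verdict, reason). The order of checks is a constructed model."""
    h = sha256_hex(data)
    if h in s.user_trusted_files:
        return "trusted", "user Trusted Files entry"
    signer = SIGNERS.get(name)
    if s.trusted_vendors and signer and signer in s.vendor_list:
        return "trusted", f"signed by trusted vendor {signer}"
    # The invisible list is consulted regardless of any user-facing option.
    if h in BUILTIN_ALLOWLIST:
        return "trusted", "hidden built-in allowlist"
    if s.cloud_lookup and h in s.cloud_known_good:
        return "trusted", "cloud lookup"
    return "unrecognized", "no rating source matched; sandbox"


def explain_all(s: RatingSettings) -> dict[str, tuple[str, str]]:
    """Rate every sample and keep the reason, so the allowing source is visible."""
    return {name: rate(name, data, s) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    # Only Trusted Vendors enabled, Trusted Files empty: the poster's configuration.
    only_vendors = RatingSettings(vendor_list={"Example Vendor Ltd"})
    for name, (verdict, why) in explain_all(only_vendors).items():
        print(f"{name:16} {verdict:13} {why}")
```

With only Trusted Vendors on and an empty Trusted Files list, the unsigned `pgcdemux.exe` is still allowed, and the reason column is the only thing that distinguishes "hidden built-in allowlist" from "cloud lookup". Clearing the user list and restarting changes nothing for that file, which matches what the topic starter observed.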

That's what I thought and was trying to confirm. I got slightly confused about what was being said.

Note to self: stay out of the forum when drinking rum and Coke. ;D

I just reinstalled CIS and it's still behaving like it was before. Since Kega Fusion was sandboxed for you, maybe it's just that my CIS is corrupted somehow. That's why I thought reinstalling it would've helped, but it didn't. Oh well, as long as it's still protecting my computer from malicious software, then I can deal with it.

Did you try running clean-up tools for previously installed security programs? Leftover services or drivers can cause all sorts of strange problems.