Programs started from Windows-Network cannot use TCP/IP

A. THE BUG/ISSUE: Programs started from a network share or connected network drive cannot use TCP/IP when CIS is installed (even without activated modules). For details see A7.

  1. What you did: Install CIS. Reboot. Switch off all modules (AV, FW, D+). Try to start a program from a network share.
  2. What actually happened or you actually saw: The program no longer worked properly/had network access.
  3. What you expected to happen or see: Firewall Alerts or allowed access with disabled firewall module
  4. How you tried to fix it & what happened: disabling all modules, disabling Defense+ permanently
  5. If a software compatibility problem have you tried the compatibility fixes (link in format)?: no
  6. Details & exact version of any software (except CIS) involved (with download link unless malware): software affected does not seem to matter. For testing I have used Windows’ own: ftp.exe and nslookup.exe found in Windows’ system32 directory. Of course there is no download link for that.
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: Steps to reproduce: Use any software with network features that works when installed locally (ex. FTP Client) and copy it to a network path \\server\share\ftp.exe. It will then either crash or error. “Could not open socket”.

EDIT: reproduce like this:

prerequisites: Administrator access to another computer on the network (in this example \\server).

Expected output (CIS not installed):

C:\>\\server\c$\windows\system32\nslookup comodo.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: comodo.com
Address: 91.199.212.176

CIS installed:

C:\>\\server\c$\windows\system32\nslookup comodo.com 8.8.8.8
(null) UnKnown
Address: 8.8.8.8

This also happens on completely fresh installation of Windows & CIS.

EDIT2:
even easier way to reproduce (no need for LAN or a second PC):

works:
C:\>c:\Windows\system32\nslookup google.com

fails:
C:\>\\localhost\c$\windows\system32\nslookup.exe google.com

I have tried this on 3 PCs and it fails every time when CIS is installed. Please can someone verify this on different Operating Systems. I tried this only on Win7 x64.

  8. Any other information (eg your guess regarding the cause, with reasons): some bug in CIS’ base modules.

B. FILES APPENDED. (Please zip unless screenshots).:

  1. Screenshots of the Defense plus Active Processes List (Required for all issues): I am sorry, our company policy does not allow this.
  2. Screenshots illustrating the bug: I could post a screenshot of an empty cmd window when trying to start ftp.exe but that would not be really useful.
  3. Screenshots of related CIS event logs: No events are logged, all modules are turned off.
  4. A CIS config report or file:
  5. Crash or freeze dump file:
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version: 5.9.219863.2196 AV: 11236

C. YOUR SETUP:

  1. CIS version, AV database version & configuration: 5.9.219863.2196 AV: 11236, tried all configs, did not matter.
  2. a) Have you updated (without uninstall) from a previous version of CIS: no
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?: yes
  3. a) Have you imported a config from a previous version of CIS: no
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): no, all default
  5. Defense+, Sandbox, Firewall & AV security levels: all disabled
  6. OS version, service pack, number of bits, UAC setting, & account type: Win7 x64 SP1, UAC on, Domain Admin account
  7. Other security and utility software currently installed: none
  8. Other security software previously installed at any time since Windows was last installed: none
  9. Virtual machine used (Please do NOT use Virtual box): none

If a screenshot of the active processes is really required I can provide one, if I close all company processes first. Can someone else please try the reproduce steps to see if this is just PCs at our company? I tried different PCs and all had the same problem.

Another good test program is nslookup.exe. It just does not resolve any DNS address when started from the network share.
Output:
(null) UnKnown
Address:
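
An added example, not part of the original thread: a Python script that runs the same nslookup.exe from its local path and through the \\localhost\c$ path from EDIT2, then classifies each output by whether an answer section is present. The function names and the 30-second timeout are assumptions; the two sample outputs are the ones quoted in the report above.

```python
import ntpath
import subprocess

# The two nslookup outputs quoted in the report (without and with CIS installed).
OUTPUT_WITHOUT_CIS = """Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: comodo.com
Address: 91.199.212.176
"""
OUTPUT_WITH_CIS = "(null) UnKnown\nAddress: 8.8.8.8\n"


def parse_nslookup(text):
    """Split nslookup stdout into the resolver address and the answer records."""
    server, name, answers = None, None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key == "name":
            name = value
        elif sep and key in ("address", "addresses") and value:
            if name is None:
                server = server or value  # block before "Name:" is the resolver
            else:
                answers.append(value)
        elif name and line[:1].isspace() and line.strip():
            answers.append(line.strip())  # continuation line under "Addresses:"
    # A missing answer section is the failure signal, not the resolver's name.
    return {"server": server, "answers": answers, "resolved": bool(name and answers)}


def unc_via_admin_share(local_path, host="localhost"):
    r"""C:\dir\app.exe -> \\host\c$\dir\app.exe, the path form used in EDIT2."""
    drive, rest = ntpath.splitdrive(local_path)
    return "\\\\{}\\{}${}".format(host, drive[0].lower(), rest)


def compare(local_exe, query):
    """Run the same binary from its local path and from the UNC path."""
    results = {}
    for label, exe in (("local", local_exe), ("unc", unc_via_admin_share(local_exe))):
        out = subprocess.run([exe, query], capture_output=True, text=True, timeout=30).stdout
        results[label] = parse_nslookup(out)
    return results


if __name__ == "__main__":  # Windows only; needs read access to the c$ share
    for label, res in compare(r"C:\Windows\System32\nslookup.exe", "google.com").items():
        print(label, "resolved" if res["resolved"] else "NO ANSWER", res["answers"])
```

If "local" resolves and "unc" does not on the same machine, the difference is tied to the launch path rather than to DNS or the network.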

Thank you very much for your bug report in standard format. We appreciate the effort you have put into this.

Unfortunately there are several items of required information missing from your post. Mostly we need these for replication purposes.

A.1 Please describe what you were doing when the bug showed itself when you used the software in A.6
A. Please describe exactly how the bug showed itself in this field
A.6 Please describe one piece of software that demonstrates this bug in this field, with download link
A.7 Please describe exact steps with this software to replicate this bug
B.2 Active Process List. I’m sorry but this is needed to eliminate complex software interactions - you can do as you suggest so long as the bug still occurs when the proprietary software is not running. (Please say this in the bug report)
C.1 Please identify the configs you tried and your AV database version, CIS and Proactive?

I have added an even easier way to replicate the bug. See EDIT2 in the first post.
To elaborate: Enter this command in a command prompt.

C:\>\\localhost\c$\windows\system32\nslookup.exe google.com

This should show the IP-Address of google.com and it works without CIS. If CIS is installed there are NO ALERTS and the command fails. The configuration used does not matter. You can only fix this by completely uninstalling CIS. I have found no way to allow this to execute normally while any part (even only the AV) of CIS is installed.

As you have tried on a completely clean PC I will waive APL this once :slight_smile:

My mistake re AV DB version.

Forwarding.

Mouse

Thank you. You could easily verify this bug, if you run the command line I posted (assuming you also have CIS installed). I am a little curious because no one else reported this problem. Perhaps it really is me doing something wrong after all. :stuck_out_tongue:

Thanks may do that on my return. Now away for a few days.

This may be a consequence of the fact that CIS does not properly recognise network paths, and so either cannot make network files trusted or forgets on server reboot, cannot remember which. I’ve often wondered if you could get round this by using environment variables to hold the network path then using the environment variable in CIS, but never tried. Signing off for a few days now.

Best wishes

Mouse

Hi,

is there any news on this issue? I would really like to recommend CIS use in our company, but before this is fixed we cannot use it.

It would be really cool to have Endpoint Security Manager after CIS is running properly :slight_smile:

I’m guessing that CIS 6.0 may fix this - it’s fairly architectural, probably not a point release thing. Not received any promises though, just a ‘yes it would make sense to remove the network limitation now we have hash-based trusted files’. So I’m crossing my fingers.

Any devs like to comment?

Best wishes

Mouse