Quarantine

I removed my other security vendors.
I did a fresh install of Windows XP SP2 and used my user account, which has default admin rights, without any change (with default admin rights you can't go into Comodo's Quarantine folder or delete it).
I downloaded the new CIS today and installed it.

Before I began the main test, I did a test on Comodo's Quarantine folder.

With Windows default settings I can't go into the Quarantine folder or delete it with Explorer.

But MBAM can delete Quarantine files.

I tested with Unlocker and it deleted the Quarantine folder so easily (without any alarm)!!!

How is it possible that a folder which is protected even against Explorer.exe can be deleted by some programs?

OK, on to the main test... I tested CIS at two levels: CIS with default settings and CIS with high settings.

I tried to delete Comodo files one by one.

This picture is from before I deleted the files (in both settings):
http://img5.imagebanana.com/img/0e5w2hb1/BeforeDeleteFiles.PNG

This picture is from after I deleted the files (in both settings):
http://img5.imagebanana.com/img/mfkay7n6/AfterDeleteFiles.PNG

Result (in both settings):
I deleted CIS files so easily, without any alarm.
Diagnostics doesn't work anymore.
After a restart I have problems.
I can't do a manual scan.
CIS doesn't even notice that its files are gone!!!

I don't know whether I should run that file before the CIS files are deleted or after.
But I made it before I deleted the CIS files, and the CIS settings were high.
http://www.mediafire.com/?yr401dxehxw1ok0

I think you are wrong.

We aren't sure that all the problems can be solved after an update (I didn't test it).

Even if we accept that option, you can find some problems here:

1- The user who doesn't know his CIS has problems, because CIS doesn't show any alarm:
that user may not update it right away (because he doesn't know he must update).

2- Some people whose Internet has problems and who temporarily can't update: what should they do?

3-…

I think you must accept my opinion and should improve Comodo's self-defense
(like other antivirus vendors have done).

It's a bug, not a wish :slight_smile:

Jake

Thanks, Jake.

At first I said that it is a bug, but others said that it is normal!
I said that it isn't normal and showed my tests, and they said I must open a wishlist topic.
I did that, and others closed my wishlist topic and said maybe it is my mistake.
I tested again, and after all that we found that it is a bug!
What a strange circle!!!

Not a strange circle when you are using the Internet Security configuration.

With the Internet Security configuration CIS had Explorer set as a Windows System Application. That is not the case with the Proactive Security configuration.

Did you check with both Internet Security and Proactive Security configurations?

I used both options in my tests, with the same result.

I said "strange circle" because of the moderators' work:
One moderator told me to make a wishlist topic.
Another moderator locked my topic.
Another moderator found the bug.
And you don't accept that and say it is normal!

Even if your above post were correct (it's not), Comodo still has problems.
You must answer this:
Why, in my test, can't we (and other programs) delete any files of avast?
Why can we (and other programs) delete Comodo files (even with its best settings)?

Wrapping it all together.

CIS monitors how programs interact. It is the nanny of program behaviour. It does not limit user-initiated behaviours. It allows users to do stupid things like erasing the CIS folders. It is not the nanny of user behaviours.

If a program would use explorer to erase something I expect that the user has given permission at one point in the chain of events.

I am not sure how Malwarebytes deletes upon boot. It may use direct disk access, for example, and this is allowed with default settings for Trusted applications if I am not mistaken. The same thing could be true for Unlocker. That being said, I don't know if that could circumvent the administrative limitations that are set on the Quarantine folder and several other files. That would require additional investigation.

That being said I am not immediately shocked by the fact that users can delete Comodo files. Nor by the fact that Trusted applications can delete stuff. It is not necessarily a sign of a breach of CIS for me.

If, however, you can prove that a program without any form of user interaction can compromise CIS, then I am all ears. To prove this it is mandatory to run D+ in Proactive/Paranoid, because then we see everything and it can be assessed whether something slips past.

My test warns you that all programs can use Windows processes to attack CIS.

When I can delete them, that means every program that has access to Windows processes can destroy your guard.

After that, there are some files I can't delete myself (I think for those files Explorer doesn't have permission).

But other programs like MBAM or Unlocker can delete them so easily (like the Quarantine folder).

You must accept that it is a bug.

Even if we accept your opinion, Comodo still has a problem.

Why doesn't Comodo show any message that we have a problem?
(Even after most files have been deleted and a restart.)

How can other programs delete some of Comodo's files without it showing any message or report?

If you don't believe it is a bug, I can go to all the security forums and tell them this...
After that you can see how many confirm it.

I am here only to help Comodo get better until it is the best IS.

I think you only defend Comodo and don't want to accept anything.

You have 3 options:

Either you accept it is a bug and try to solve it,

or you open my wishlist topic and see how many Comodo users accept my opinion,

or you tell me to leave this place.

I will open my VM and test your theory. I am curious to know. If it is a bug, then Comodo should fix it.

And personally I thank you, Fantom, for trying to improve CIS.

Regards,
Valentin N

I haven't seen any malware that does what you're doing.

In fact, Comodo won't defend against a user with permission to remove stuff. But you could say that anything a human can do, so can malware. To defend against that, Comodo wouldn't be user friendly.
Seriously, you have to draw the line somewhere.

What does this have to do with user-friendliness?

If those vendors have stronger self-defense, does that mean they aren't user friendly?

And vendors with awful self-defense are more user friendly?

If you want to be user friendly, you only need to add a self-defense option to the settings
(like other vendors).

If the user wants to change something in Comodo, he can disable self-defense and do his job
(like other vendors).

It is not good that when Comodo's self-defense is on,
anyone or any program can change or delete Comodo files (without any report).

It has nothing to do with user-friendliness.

Meanwhile, if you haven't seen any malware that can do this, that doesn't mean it is impossible.

In the end, Comodo has no defense against apps' mistakes.

Nope. As I stated above, CIS is the nanny of program behaviour and the nanny of user behaviour.

To prove it, we make a .bat file that will try to delete eula.rtf in c:\Program Files\Comodo\Comodo Internet Security. Open Notepad and fill in the following:

del "c:\Program Files\Comodo\Comodo Internet Security\eula.rtf"

pause

Save it as a .bat file with an appropriate name. Change the path if you have CIS installed on a non-standard path.

Run the batch file. [Struck out in a later edit:] When you get a sandbox alert, tell CIS to not sandbox it again. Then restart the batch file and see it getting blocked. [Edit:] I must stand corrected here. This was a mistake; I was thinking two things at the same time. It should have said that CIS will block both with automatic sandboxing enabled and with the sandbox disabled. In the scenario of the sandbox being disabled, D+ alerts will give the user the opportunity to block.

See the attached image for reference. Notice I have the suite installed on a non-standard path.

This proves CIS is the nanny of programs and is protecting.

> After that, there are some files I can't delete myself (I think for those files Explorer doesn't have permission).

They are blocked because the user is set to have no such rights. That is done by the installer, not by CIS.

> But other programs like MBAM or Unlocker can delete them so easily (like the Quarantine folder).

That's interesting. I haven't had time to thoroughly see how this works.

> You must accept that it is a bug.
>
> Even if we accept your opinion, Comodo still has a problem.

I am still not convinced there is a bug. Malwarebytes is a trusted program and basically has a lot of user permissions by the sheer fact that the user is using Safe Mode to make decisions for him. Again, CIS is not the nanny of user decisions.

That's why I want this checked out in Proactive/Paranoid with "Block all unknown requests if the application is closed" enabled. Then we really see what is happening under the hood of CIS and whether it is really missing something.

> Why doesn't Comodo show any message that we have a problem? (Even after most files have been deleted and a restart.)

CIS is not your nanny. You are allowed to do stupid things.

> How can other programs delete some of Comodo's files without it showing any message or report?

That is happening during boot time. During boot time, by default, unknown programs are allowed to run.

> If you don't believe it is a bug, I can go to all the security forums and tell them this... After that you can see how many confirm it.

Are you threatening me? :D

> I am here only to help Comodo get better until it is the best IS.
>
> I think you only defend Comodo and don't want to accept anything.
>
> You have 3 options:
>
> Either you accept it is a bug and try to solve it,
>
> or you open my wishlist topic and see how many Comodo users accept my opinion,
>
> or you tell me to leave this place.

First I want more proof, because you are clearly not understanding certain basics of CIS. I don't want to start needless unrest with a wish topic that is founded on false assumptions and lacks proof.

[attachment deleted by admin]

Please try the test with the batch file and see how it blocks a program from erasing CIS files.

As stated: CIS is the nanny of program behaviours not of user behaviours. The user is allowed to do stupid things and is not protected against him or her self. CIS has always functioned like that.

I reinstalled CIS and tried with the batch file.

You can't delete eula.rtf with the batch file, but you can delete these files with that batch file:
cfplogvw.exe
cfpupdat.exe
cfpconfg.exe
cmdinstall.exe
crashrep.exe
incompatsw.ini
inspect.sys
7za.dll
msica.dll
Comodo - Internet Security.cfgx
Comodo - Proactive Security.cfgx
Comodo - Firewall Security.cfgx

You are also able to delete these folders with the batch file:
translations
repair

After deleting CIS files with the batch file, Diagnostics has been shut down! And there are other problems.

1- Why can I delete those files with a batch file?

2- The Quarantine folder is protected against the user, Explorer and the batch file, but Unlocker deletes it so easily (without any alarm or report)?

Why can't Unlocker delete some CIS files, but can delete the CIS Quarantine?

Howdy. I am back. Had to eat and swim.

The first thing I did was check my bases. In Safe Mode, with and without the sandbox, the files in the CIS installation folder will not be deleted.

With the sandbox enabled, all access to the files gets denied. See the first attached image.
With the sandbox disabled, all access to the files will be denied if the user chooses to block this action. The alert advises blocking the request to delete the file, as it is in a protected folder. See the second attached image.

CIS works in the above like it is supposed to. It is the successful nanny of program behaviour. In case the sandbox is disabled, D+ will rear its talkative head. Remember that a HIPS like D+, without sandbox or whitelist, requires user interaction, as that is the very nature of the beast.

When you make the batch file a trusted file it will erase some but not all of the files in the CIS installation folder. I have not looked deeper into this.

The conclusion after all of the above is that you are either running the batch file as a trusted file or, when you are running in Paranoid, Safe or in Clean PC mode, there is something going on with your system that is worth investigating.

Can you tell us what configuration you are using (look under More → Manage My Configurations) and what mode you are running D+ in? Also let us know whether you have the batch file running as a trusted file. When the batch file is running as a Trusted file, please remove it from the Trusted Applications list and try again.

I will leave the questions about how and why Malwarebytes and Unlocker can delete things from the Quarantine folder upon boot unanswered for now. I think these two phenomena are not directly related to the issues with deleting files from the CIS installation folders.

[attachment deleted by admin]

Why did you change your test?

First I said: My test warns you that all programs can use Windows processes to attack CIS (some less, some more).

You said nope! And you said that you can prove this with one test... You said this:
Make a batch file to delete Comodo files and run it. When you get a sandbox alert, tell CIS to not sandbox it again. Then restart the batch file again.

I did exactly what you said:
I enabled the sandbox.
I tested it with two different configurations: Internet Security & Proactive.
I used D+ in Safe Mode and Clean PC Mode.
Result: I can delete many CIS files with the batch file.

I tested another thing: if you make the batch file trusted, no matter whether you enable or disable the sandbox (to use the manual HIPS),
you can delete CIS files with the batch file.

But you made a different test that is not related to what you said to me.
You ran the file with the sandbox, but you told me "when you get a sandbox alert tell CIS to not sandbox it again and run it again".
You never ran it again, and in the other test you disabled the sandbox to use the manual HIPS.
That is the difference between your words and your test.

My opinion:
All programs that you install, and trusted files, can harm CIS so easily.
If we have other security vendors like MBAM or anti-spyware vendors,
CIS will be in more danger,
because if other vendors suspect CIS files, they can delete them so easily
(like MBAM does with the CIS Quarantine).

I think self-defense should not be related to other options
(no matter whether you change settings, and no matter whether the file is trusted or not).
Self-defense must do its job in every situation.

You're completely right here. You are trusting your findings and rightly conclude I was in the wrong.

I made a mistake when I suggested running the batch file unsandboxed. I was thinking two things at the same time. That was plain wrong and I apologise for it. It caused needless confusion and frustration. Sorry about that.

I edited the post where I advised that. I struck out the advice and added what I should have said (with a reason for the edit).

> My opinion: All programs that you install, and trusted files, can harm CIS so easily. If we have other security vendors like MBAM or anti-spyware vendors, CIS will be in more danger, because if other vendors suspect CIS files, they can delete them so easily (like MBAM does with the CIS Quarantine).
>
> I think self-defense should not be related to other options
> (no matter whether you change settings, and no matter whether the file is trusted or not).
> Self-defense must do its job in every situation.

I dropped a couple of questions that came up in this topic with egemen, the head developer, for reference.

Here is how it works and explains what is going on.

CIS allows users to do basically anything, including deleting files from the CIS installation folders. I introduced the batch file test to show that when a program tries to delete files from the CIS installation folders it will get blocked. I caused confusion by giving a faulty test procedure here. But if one follows the procedure, one will see programs getting blocked, either by the sandbox limitations or, when automatic sandboxing is disabled, because D+ will alert.

It turns out that the Quarantine folder has some mild administrative limitations that prevent the user from accessing it. This is what egemen wrote me:

> 1 - The Quarantine folder is only blocked from user access. It is not like super-secure storage that no app can access. The reason is that the users might accidentally mess with the malware etc.
This explains why the user cannot access the Quarantine folder while programs can.

It was also brought to my attention that Malwarebytes and Unlocker can access and delete items from the Quarantine folder. Here is what egemen said about it:

> 2 - Those tools and utilities are allowed to install drivers because they are trusted apps. They are not bypassing CIS, but CIS is allowing them.
That is another reason why these programs can do what they did.

The crux of the above is driver installation. When installing a driver, access is given to the kernel. With kernel access a program can then do anything it wants; when the driver is malicious, it is basically the end of the exercise for all security programs.

When installing a driver, one urgently needs to make sure the program you are installing is what it claims to be and that it comes from a trusted download source. Trusted programs can install a driver; we implicitly trust Comodo's judgment when we use non-paranoid settings.

I hope the above clears things up and puts them in perspective for you. I hope it clears up that:

  • Comodo protects itself
  • it allows the user to do stupid things... :smiley:
  • self-protection only goes as far as the user installing non-malicious drivers; notice that this is true for all security programs

And sorry for messing up the batch file test by providing the improper test procedure.
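As an added example (not code from this thread, from Comodo or from egemen), here is a PowerShell script that does what the batch-file test above does, but per file, and pairs it with a dump of the same folder's DACL. That pairing is the check the thread keeps circling around: EricJH says the files the user cannot delete are protected by installer-set permissions rather than by CIS, and egemen says the Quarantine folder is only blocked from user access. Reading the ACL tells you which mechanism refused you: if the DACL denies your account Delete/Modify, an "access denied" is the filesystem doing its job; if the DACL grants it and the delete is still refused, something below the filesystem API (D+ or the sandbox) said no. Assumptions: PowerShell 2.0 or newer (the XP SP2 box in the thread has none; `cacls "<folder>"` prints the DACL there), the default install path quoted earlier in the thread, and that you pass the Quarantine folder path yourself, since the thread never names it. The script really deletes what it is allowed to delete, so run it in the VM with -DryRun first.

```powershell
# Added example for this thread, not code from Comodo or from any poster.
# Per-file delete test for a CIS folder plus a dump of that folder's DACL.
# Assumptions: PowerShell 2.0+, the default install path quoted in the thread,
# and a Quarantine path supplied by the tester (it is not named on the page).
# DESTRUCTIVE: without -DryRun it deletes every file it is allowed to delete.
param(
    [string]$Target = 'C:\Program Files\Comodo\Comodo Internet Security',
    [switch]$DryRun
)

function Show-Dacl {
    # Print the owner and every ACE, so a later "access denied" can be matched
    # against an explicit Deny (installer-set permission) or the lack of one.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    Write-Output ('DACL for {0}  (owner: {1})' -f $Path, $acl.Owner)
    foreach ($ace in $acl.Access) {
        Write-Output ('  {0,-5} {1,-40} {2}' -f $ace.AccessControlType,
                      $ace.IdentityReference, $ace.FileSystemRights)
    }
}

function Test-DeleteFiles {
    # Try to delete each file under $Root and classify the outcome.
    param([string]$Root, [switch]$DryRun)
    # Where-Object rather than Get-ChildItem -File keeps this on PowerShell 2.0.
    $files = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $outcome = 'SKIPPED (dry run)'
        if (-not $DryRun) {
            try {
                # Same effect as `del /f`: drop ReadOnly/Hidden, then delete. The .NET
                # calls surface the real exception type instead of a generic ErrorRecord.
                [System.IO.File]::SetAttributes($f.FullName, [System.IO.FileAttributes]::Normal)
                [System.IO.File]::Delete($f.FullName)
                $outcome = 'DELETED'
            } catch [System.UnauthorizedAccessException] {
                # Refused. Either the DACL denies this account, or a kernel filter
                # (D+/sandbox) intervened; compare with the Show-Dacl output above.
                $outcome = 'ACCESS DENIED'
            } catch [System.IO.IOException] {
                # Open handle, e.g. the running CIS service. Not a protection verdict.
                $outcome = 'LOCKED'
            } catch {
                $inner = $_.Exception
                if ($inner.InnerException) { $inner = $inner.InnerException }
                $outcome = 'ERROR: ' + $inner.GetType().Name
            }
        }
        New-Object PSObject -Property @{ Outcome = $outcome; File = $f.FullName }
    }
}

Show-Dacl -Path $Target
$report = @(Test-DeleteFiles -Root $Target -DryRun:$DryRun)
$report | Format-Table -AutoSize Outcome, File
$report | Group-Object Outcome | Select-Object Count, Name
```

Run it three times, which is what the thread ended up doing with the .bat file: with powershell.exe unknown to CIS and the sandbox off (answer Block on the D+ alert), with automatic sandboxing on, and with powershell.exe added to Trusted Applications. As far as I know CIS attributes the action to the process performing it, so for a script that is the interpreter, the same way the .bat test rides on cmd.exe. A column of DELETED in the trusted run is the situation egemen describes (CIS allowing a trusted app), not evidence of a bypass. The result worth reporting is an ACCESS DENIED on a file whose DACL grants your account delete rights, from a process CIS has not been told to trust: that refusal came from CIS, which is the self-protection being debated. Pointed at the Quarantine folder, the DACL dump is also where the "only blocked from user access" claim can be verified rather than argued.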

Thanks EricJH, a useful description that explains what happened.

But I think we have something that can be a vulnerability:

1- Every program that we install goes into one of two groups: 1- Trusted, 2- Not Trusted.

Some programs, even ones we don't trust, we need to take out of the sandbox,
because in the sandbox they can't do their job (like Unlocker or patches).

Those programs we trust, or that we need to run (even if we don't trust them),
we indeed don't want to be able to do everything; especially, we don't want them to change our security.

For example, when I install Nero I trust it to do its normal work,
but I don't want it to do unusual things that can harm my security vendors.

You can see that both groups of programs have full access to CIS without us wanting it.

It can be dangerous for CIS because of apps' mistakes and even malware.

For example, I download a file that I trust, but in fact that file has been changed to be malicious, I don't know that, and I make it a trusted file.

It is my mistake, but I don't want to lose my security vendor.

I think we don't need to allow full access to other programs (those programs could read files, but not write or delete them).

That would be a better option and would make CIS stronger.