Regression in the latest version- CIS occasionally trying to access DVD drive

A. THE BUG/ISSUE
Can you reproduce the problem & if so how reliably?
Yes but no longer. Pretty reliably- it happens a few times a minute.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Simply updated CIS to latest version, and do normal PC activity.
One or two sentences explaining what actually happened:
During normal browsing activity, without having a disc in the DVD drive, the drive makes a ticking sound, and the mouse cursor icon changes (for a moment) to a one that shows a disc, like Windows is trying to read the disc’s contents. This happens randomly, but sometimes a few times a minute.
During the same time I hear the ticking noises from the DVD drive and see the cursor with the disc, I often see a regular loading cursor afterwards.
One or two sentences explaining what you expected to happen:
No unneedingly access to the DVD drive.
If a software compatibility problem have you tried the advice to make programs work with CIS?
Not relevant.
Any software except CIS/OS involved? If so - name, & exact version:
None.
Any other information, eg your guess at the cause, how you tried to fix it etc:
I’m pretty sure I know the case. I’ve been trying to figure this out using Process Monitor, and after unticking the “Process Name - is - System” from the filter, whenever this happens, I see a RegQueryValue operation by System accessing registry keys such as:
HKLM\System\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\Policy\192\DeviceName
and its data is:
D:\Bin\Instv2.exe
and that’s something I launched a very long time ago from a disc I owned.
Right after removing ALL (total of 2) folders under “… CmdAgent\CisConfigs\0\HIPS\Policy” that have a key with "D:" (which is my DVD drive letter), the issue was gone.
Unfortunately I didn’t export these keys before removing, so I can’t try to reproduce the issue if a new build that has a fix will be released (unless I recreate them manually, using the same format of the other keys in the same folder, or if I’ll try to run an executable from the DVD drive, and make sure it’s being added to this registry folder).
A possible reason for why I’m also seeing a normal loading cursor icon right after I see the disc-cursor icon, is because CIS is cycling through all the paths in the Policy folder (including the ones with the D:\ drive in them, so about ~250 paths), which causes a spike in the IO, hence the loading cursor icon.
Not sure about that hypothesis though, as now after removing the 2 keys I’m no longer seeing a regular loading cursor either.

B. YOUR SETUP
Exact CIS version & configuration:
10.2.0.6526. Not sure what configuration means here though.
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Antivirus: Stateful
Firewall: Safe Mode
Auto-Containment: Enabled
HIPS: Safe Mode
VirusScope: Enabled
Website Filtering: Enabled
Have you made any other changes to the default config? (egs here.):
Not sure. I remember I messed with the settings a long time ago, but I think I clean-installed at some point.
Have you updated (without uninstall) from CIS 5, 6 or 7?
Yes. But then removed with the (old) dedicated tool to uninstall COMODO products and reinstalled.
if so, have you tried a a a clean reinstall - if not please do?
Clean install will fix the issue for sure, but can come back if you simply run an EXE from the DVD drive (and make sure it gets added to the registry folder mentioned before).
Have you imported a config from a previous version of CIS:
No.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 x86, UAC completely disabled, Administrator account. No VM.
Other security/s’box software
None.

Thanks for all the research :-TU
Let us investigate.

That registry path is where the HIPS rules are stored. Do you happen to have create rules for safe applications enabled under HIPS settings?

Nope. At least not manually through the settings. I see some COMODO popups when I run some unknown applications, but I allow/block from these popups, not from settings.

Has this issue been fixed? (asking as the topic was moved to the Resolved/Outdated Issues)

Issue was never really accepted considering you couldn’t replicate it anymore. I also tried running an executable from a CD and using remember my answer from HIPS alerts. Then after removing CD from drive and kept the rules in place for a few days, I didn’t notice any drive access. If you can reproduce it again then I will gladly submit the bug into the mod tracker.

I’ve actually just found the original disc mentioned in the first post (the one with the executable D:\Bin\Instv2.exe) but now when I insert it into the drive and I run it, I get notifications related to the containment, but not to HIPS.

Update: Now I get no alerts at all, even after removing anything related to this filename/path in COMODO’s settings :frowning:
Any idea how can I force COMODO to do its mojo on this file again and present the HIPS alert, as it was a few years ago?

Thanks.

Remove from file list and disable auto-containment, then turn off cloud lookup in file rating settings, or set HIPS to paranoid mode.

Thanks! Now I have the file on the list, and in the same registry folder as before.
Will monitor this for a while and report back.

Okay, at first I couldn’t reproduce but the moment I unblocked the file for all security components I got the drive access requests. Multiple per minute.
What logs would you like to get to debug this? Autoruns’? Export of CIS reg files?

Nope just exact steps. So you ran an application from a removable media that was blocked by one or more components of CIS, then eject media, then use unblock applications task to unblock for all components correct? Did any error messages pop up from windows or was it just the cursor change to loading a disk?

  1. Run an (preferably unrecognized) app from a disc. Mine is the executable that runs the ASUS drivers installation. As suggested, I set HIPS to paranoid mode as I couldn’d make CIS alert about this file.
  2. When the alert pops up, check the “remember my answer” option and allow the app to run (not sure if I selected one of the “treat as” options).
  3. Close the app.
  4. In the “Unblock Applications” window, right click the file and select unblock for all security components.

I hope these are elaborate enough STR, if you’re still having issues with reproducing it I’ll do the entire thing again and write more accurate steps.

Nope, no error messages. Just cursor changing to the one loading a disc, while you hear the drive making sounds as it tries to read something.

This issue is still present (every minute or so I hear the DVD drive ticking).
Should I let it be for debugging purposes, or can I remove the entry for now?

I guess you can remove it and check issue again with upcoming beta version.

Please check issue again with Comodo Internet Security v11.0.0.6574 - BETA. I can’t seem to replicate it.

Sorry, I can still reproduce it with 11.0.0.6580 :frowning:

Still an issue.
Shouldn’t this be moved out from the Resolved/Outdated Issues forum?

Please check with Comodo Internet Security v11.0.0.6644 - BETA.

Done. The issue is still there.

Still an issue with the latest version.