A. THE BUG/ISSUE
Can you reproduce the problem & if so how reliably?
Yes but no longer. Pretty reliably - it happens a few times a minute.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Simply updated CIS to latest version, and do normal PC activity.
One or two sentences explaining what actually happened:
During normal browsing activity, without having a disc in the DVD drive, the drive makes a ticking sound, and the mouse cursor icon changes (for a moment) to one that shows a disc, like Windows is trying to read the disc’s contents. This happens randomly, but sometimes a few times a minute.
During the same time I hear the ticking noises from the DVD drive and see the cursor with the disc, I often see a regular loading cursor afterwards.
One or two sentences explaining what you expected to happen:
No unneeded access to the DVD drive.
If a software compatibility problem have you tried the advice to make programs work with CIS?
Not relevant.
Any software except CIS/OS involved? If so - name, & exact version:
None.
Any other information, eg your guess at the cause, how you tried to fix it etc:
I’m pretty sure I know the case. I’ve been trying to figure this out using Process Monitor, and after unticking the “Process Name - is - System” from the filter, whenever this happens, I see a RegQueryValue operation by System accessing registry keys such as:
and its data is:
and that’s something I launched a very long time ago from a disc I owned.
Right after removing ALL (total of 2) folders under “… CmdAgent\CisConfigs\0\HIPS\Policy” that have a key with "D:" (which is my DVD drive letter), the issue was gone.
Unfortunately I didn’t export these keys before removing, so I can’t try to reproduce the issue if a new build that has a fix will be released (unless I recreate them manually, using the same format of the other keys in the same folder, or if I’ll try to run an executable from the DVD drive, and make sure it’s being added to this registry folder).
A possible reason for why I’m also seeing a normal loading cursor icon right after I see the disc-cursor icon, is because CIS is cycling through all the paths in the Policy folder (including the ones with the D:\ drive in them, so about ~250 paths), which causes a spike in the IO, hence the loading cursor icon.
Not sure about that hypothesis though, as now after removing the 2 keys I’m no longer seeing a regular loading cursor either.
B. YOUR SETUP
Exact CIS version & configuration:
10.2.0.6526. Not sure what configuration means here though.
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Firewall: Safe Mode
HIPS: Safe Mode
Website Filtering: Enabled
Have you made any other changes to the default config? (egs here.):
Not sure. I remember I messed with the settings a long time ago, but I think I clean-installed at some point.
Have you updated (without uninstall) from CIS 5, 6 or 7?
Yes. But then removed with the (old) dedicated tool to uninstall COMODO products and reinstalled.
If so, have you tried a clean reinstall - if not please do?
Clean install will fix the issue for sure, but can come back if you simply run an EXE from the DVD drive (and make sure it gets added to the registry folder mentioned before).
Have you imported a config from a previous version of CIS:
No.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 x86, UAC completely disabled, Administrator account. No VM.
Other security/s’box software
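The check described in the first post, as an added example that is not part of the original thread and not COMODO's own tooling: it lists the subkeys under a HIPS Policy key whose string values point at a given drive letter, and exports each one with reg.exe before anything is deleted. `$PolicyRoot` is an assumption you supply yourself (the post elides the full path), as are the backup folder and file names; that the paths are stored as string value data is also an assumption based on the Process Monitor observation above.

```powershell
# Added example: find and back up policy subkeys that reference a drive letter.
param(
    # Assumption: full path of the ...\HIPS\Policy key, supplied by you,
    # in provider form, e.g. 'HKLM:\SOFTWARE\<path to>\HIPS\Policy'.
    [Parameter(Mandatory)][string]$PolicyRoot,
    [string]$Drive     = 'D:',
    [string]$BackupDir = (Join-Path $env:TEMP 'hips-policy-backup')  # hypothetical location
)

# Sanity check: DriveType 5 = optical, 2 = removable.
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if ($disk -and $disk.DriveType -notin 2, 5) {
    Write-Warning "$Drive is not an optical or removable drive (DriveType $($disk.DriveType))."
}

# Match data that starts with the drive letter, e.g. D:\Bin\Instv2.exe
$pattern = '^' + [regex]::Escape($Drive) + '\\'

$hits = foreach ($key in Get-ChildItem -Path $PolicyRoot -Recurse -ErrorAction SilentlyContinue) {
    foreach ($name in $key.GetValueNames()) {
        # @() also covers REG_MULTI_SZ; non-string data (binary, DWORD) is skipped.
        foreach ($item in @($key.GetValue($name))) {
            if ($item -is [string] -and $item -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $item }
            }
        }
    }
}

if (-not $hits) {
    Write-Output "No values under $PolicyRoot reference $Drive"
    return
}

# Export every matching key once, so it can be restored or attached to a bug report.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$i = 0
foreach ($keyName in ($hits.Key | Sort-Object -Unique)) {
    $file = Join-Path $BackupDir ('policy-{0:D3}.reg' -f $i)
    & reg.exe export $keyName $file /y | Out-Null
    $i++
}

$hits | Format-Table -AutoSize
Write-Output "Exported $i key(s) to $BackupDir"
```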
Issue was never really accepted considering you couldn’t replicate it anymore. I also tried running an executable from a CD and using remember my answer from HIPS alerts. Then after removing CD from drive and kept the rules in place for a few days, I didn’t notice any drive access. If you can reproduce it again then I will gladly submit the bug into the mod tracker.
I’ve actually just found the original disc mentioned in the first post (the one with the executable D:\Bin\Instv2.exe) but now when I insert it into the drive and I run it, I get notifications related to the containment, but not to HIPS.
Update: Now I get no alerts at all, even after removing anything related to this filename/path in COMODO’s settings
Any idea how can I force COMODO to do its mojo on this file again and present the HIPS alert, as it was a few years ago?
Okay, at first I couldn’t reproduce but the moment I unblocked the file for all security components I got the drive access requests. Multiple per minute.
What logs would you like to get to debug this? Autoruns’? Export of CIS reg files?
Nope just exact steps. So you ran an application from a removable media that was blocked by one or more components of CIS, then eject media, then use unblock applications task to unblock for all components correct? Did any error messages pop up from windows or was it just the cursor change to loading a disk?
Run a (preferably unrecognized) app from a disc. Mine is the executable that runs the ASUS drivers installation. As suggested, I set HIPS to paranoid mode as I couldn’t make CIS alert about this file.
When the alert pops up, check the “remember my answer” option and allow the app to run (not sure if I selected one of the “treat as” options).
Close the app.
In the “Unblock Applications” window, right click the file and select unblock for all security components.
I hope these are elaborate enough STR, if you’re still having issues with reproducing it I’ll do the entire thing again and write more accurate steps.
Nope, no error messages. Just cursor changing to the one loading a disc, while you hear the drive making sounds as it tries to read something.