Removing files from Unrecognized Files makes them safe

The bug/issue

  1. What you did: While in Clean PC mode downloaded a new program, ran it, removed it from Unrecognized Files, then ran it again.
  2. What actually happened or you actually saw: After the first run it was blocked. Removed it from Unrecognized Files. Ran it again. Program appears in Trusted Files and runs.
  3. What you expected to happen or see: Every time it is run it should be blocked. It should not go into Trusted Files unless explicitly done so.
  4. How you tried to fix it & what happened:
  5. If it’s an application compatibility problem have you tried the application fixes here?:
  6. Details & exact version of any application (except CIS) involved with download link: Any application.
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: Yes.
     a) Set Clean PC mode in D+
     b) Download any application
     c) Run the application
     d) Application blocked as expected
     e) Remove application from Unrecognized Files list (use Remove button)
     f) Run the application
     g) Application runs
     h) Application shows in Trusted Files
  8. Any other information (eg your guess regarding the cause, with reasons):

Files appended

  1. Screenshots illustrating the bug:
  2. Screenshots of related CIS event logs or the Defense+ Active Processes List:
  3. A CIS config. report or file:
  4. Crash or freeze dump file:
  5. Screenshot of More~About page:

Your set-up

  1. CIS version, AV database version & configuration used: 5.5.195786, 10265, Internet Security config
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
    b) if so, have you tried reinstalling (if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have you tried a preset config (if not please do)?:
  4. Have you made any other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here.): Trying to set a mode where all files currently on the PC are trusted and nothing else is.
    Execution Control Level:
      • Treat unrecognized files as Blocked
      • Perform cloud based behavior analysis of unrecognized files=off
      • Automatically scan unrecognized files in the cloud=off
      • Deleted C:\Program Files\COMODO\COMODO Internet Security\database\vendor.n in order to remove Trusted Software Vendor list.
  5. Defense+, Sandbox, Firewall & AV security level: D+=Clean PC, Sandbox=Enabled, Firewall=Safe, AV=Stateful
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 7, SP1, 32 bit, On, Admin account.
  7. Other security and utility software installed:
  8. Virtual machine used:

Maybe your problem is the fact you set it to Clean Mode? I suggest you change to Safe Mode.

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

WHY WE ASK YOU TO FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation

HeffeD

We really would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format. You can copy and paste the format from this topic.

Thank you

Dennis

It is a while since I have used clean PC mode but the whole point of it was that all files were trusted unless in the unrecognised file list. The unrecognised file list was its way of knowing which files are new on the PC or have been modified. This is the behaviour I would expect.

According to the help:

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ learns the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ alerts the user whenever a new, unrecognized application is being installed.

This system works the first time because the application does get blocked (my D+ option is to block unrecognized files) and it goes into the Unrecognized Files list but as soon as I remove it from that list and try to run it again, it becomes a Trusted File and it runs.

Note that when I removed it from the Unrecognized Files list it did not go into the Trusted Files list. It seems it went into some kind of hidden list which keeps track of applications removed from the Unrecognized List so that the next time it is run, it goes into the Trusted Files list.

Safe programs go automatically into trusted files when they are run. When a new file is removed from the unrecognised files list it is treated as safe so it gets added to trusted files list next time it is run. There is no hidden list. It keeps track of new or changed files using the untrusted files list.

So to clarify, the files which are considered safe are:

  1. the executables on the disk at the moment Clean PC mode is selected
  2. the executables which are downloaded afterwards, then run (and blocked) and then removed from Unrecognized Files

If an executable is deleted from the disk, whether it be based on action (1) or (2) and then is downloaded again, is it considered unclean again?

Once an executable is in trusted files it will stay safe even if downloaded again provided that it is the same version. Trusted files keeps a hash of the file so it knows it is the same.

If the executable does not make it to trusted files and is downloaded again it will be added to unrecognised files again.

  • I downloaded an application after setting Clean PC mode
  • I ran it and it was blocked
  • I removed the application from the Unrecognized Files list
  • I ran it again and it got executed
  • I removed it from Trusted Files
  • I ran it again and it got executed
  • I removed it from Trusted Files
  • I deleted it from my disk
  • I downloaded it again
  • I ran it again and it got executed and added to the Trusted Files again

How do I remove the hash permanently for this file?

Deleting the file from trusted files should be enough. It could be the cloud scanner has decided that the file is safe.

Thank you for your Issue report.

Moved to verified.

Thank you

Dennis

As mentioned before, cloud scanning is disabled:

Execution Control Level:

  • Treat unrecognized files as Blocked
  • Perform cloud based behavior analysis of unrecognized files=off
  • Automatically scan unrecognized files in the cloud=off

I also disabled the Sandbox.

Hopefully this will be resolved soon, thanks for taking the time to report this.
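The behaviour discussed in this thread, as an added example that is not part of any post and is not Comodo's code: a simplified model of the trust rule the replies describe (a file is safe unless it is in the unrecognized list) beside the explicit-allowlist rule the reporter expected. The class names, method names and sample bytes are constructed for illustration, and only steps c) to g) of the report are modelled.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CleanPcModel:
    """Rule described in the replies: anything not in the unrecognized list is safe."""
    def __init__(self):
        self.unrecognized, self.trusted = set(), set()
    def file_created(self, data):          # a new or modified file appears on disk
        self.unrecognized.add(digest(data))
    def remove_from_unrecognized(self, data):
        self.unrecognized.discard(digest(data))
    def run(self, data):
        h = digest(data)
        if h in self.unrecognized:
            return "blocked"
        self.trusted.add(h)                # implicit trust: absence from the list is enough
        return "allowed"

class AllowlistModel:
    """Rule the reporter expected: only explicitly trusted hashes may run."""
    def __init__(self, baseline=()):
        self.trusted, self.review_queue = {digest(d) for d in baseline}, set()
    def remove_from_review(self, data):    # clears the queue entry, grants nothing
        self.review_queue.discard(digest(data))
    def trust(self, data):                 # the only path into the trusted set
        self.trusted.add(digest(data))
    def run(self, data):
        h = digest(data)
        if h in self.trusted:
            return "allowed"
        self.review_queue.add(h)
        return "blocked"

def replay(policy, remove, data):
    # Steps c) to g) of the report: run, remove from the list, run again.
    first = policy.run(data)
    remove(data)
    return first, policy.run(data)

NEW_APP = b"constructed sample bytes standing in for a downloaded program"

def demo():
    clean = CleanPcModel()
    strict = AllowlistModel(baseline=[b"constructed pre-existing program"])
    clean.file_created(NEW_APP)
    return (replay(clean, clean.remove_from_unrecognized, NEW_APP),
            replay(strict, strict.remove_from_review, NEW_APP))
```

Calling `demo()` shows the first model flipping from blocked to allowed once the list entry is removed, while the allowlist model stays blocked until `trust()` is called.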