Repeating Unlimited Access Alerts [Issue:#225]

Thanks ‘C’ and Chiron

This is a known bug, so I will merge with the prior report.

@C. You’ve provided a lot of useful information, many thanks, but please note that there is now a standard format for bug reporting (see Stickies). Does not matter so much in this instance, as there is already a properly formatted report, but in future we would be grateful if you would use the standard format.

Best wishes

Mouse

@C, you can resolve this by making the program an installer/updater in the Computer Security Policy ~ D+ rules and rebooting. Please do not use the program to run unrecognised files afterwards, as that would be a security risk.

Mouse

The bug/issue

  1. What you did: Double clicked clock in my windows system tray, answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened, I closed it, then double clicked the clock in Windows system tray again.
  2. What actually happened or you actually saw: After second double click to clock in system tray Defense+ Alert “shell32.dll requests unlimited access to your computer” appeared again.
  3. What you expected to happen or see: After second double click to clock in system tray Defense+ used settings that I made, that is “Always trust this file or package”, and no more Alerts regarding this action.
  4. How you tried to fix it & what happened: Double clicked clock in my windows system tray, answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened, I closed it, then double clicked the clock in Windows system tray again. Defense+ Alert “shell32.dll requests unlimited access to your computer” appeared again. I answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened, I closed it, then double clicked the clock in Windows system tray again. Defense+ Alert “shell32.dll requests unlimited access to your computer” appeared again. I answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened, I closed it, then double clicked the clock in Windows system tray again. Defense+ Alert “shell32.dll requests unlimited access to your computer” appeared again. I answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened, I closed it, then double clicked the clock in Windows system tray again. Defense+ Alert “shell32.dll requests unlimited access to your computer” appeared again. I answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened. I decided to report a bug here.
  5. If it's an application compatibility problem have you tried the application fixes?: N/A
  6. Details (exact version) of any application involved with download link: Windows standard clock dialog window. Part of OS.
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Double clicked clock in my windows system tray, answered to Defense+ Alert “shell32.dll requests unlimited access to your computer” by checking “Always trust this file or package” and pressing OK. Clock dialog opened, I closed it, then double clicked the clock in Windows system tray again. Defense+ Alert “shell32.dll requests unlimited access to your computer” appeared again.
  8. Any other information (eg your guess regarding the cause, with reasons): I guess “Always trust this file or package” settings are not saved or not applied.

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: http://img824.imageshack.us/img824/7136/44399851.png http://img15.imageshack.us/img15/7306/47504215.png
  2. Screenshots of related event logs and the active processes list: Nothing related in system event logs. http://img42.imageshack.us/img42/7808/plist.png
  3. A CIS config report or file: attached to post
  4. Crash or freeze dump file: N/A

Your set-up

  1. CIS version, AV database version & configuration used: http://img816.imageshack.us/img816/6595/aboutc.png
  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?: No
  3. a) Have you imported a config from a previous version of CIS, if so b) have you tried a preset config?: No
  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here): No
  5. Defense+ and Sandbox OR Firewall security level: Defence + in training mode. Sandbox Enabled.
  6. OS version, service pack, no of bits, UAC setting, & account type: Win XP SP3 5.1 (build 2600.xpsp_sp3_qfe.100216-1510), system admin account
  7. Other security and utility software running: USB disk security 5.4.0.6.
  8. Virtual machine used (Please do NOT use Virtual box): None

[attachment deleted by admin]

Hi. I’ve used several security solutions for PC and can say that the most annoying thing in it is when you use your time to configure it, and settings are just not saved and next time you are asked about the same you already answered. If I don’t resolve it with this product, I will uninstall it, remove distrib from my disk and not ever recommend this product to anybody.

Kindly asking community for help.
Asking programmers to look at the issue ASAP.

Thanks.

Have you tried disabling the Sandbox? Please do not run Defense+ in Training mode; use this mode for short periods only.

Glad to see that my machine configuration doesn’t seem to be causing this behavior and it looks indeed like a bug. You can find my thread about the very same issue here: https://forums.comodo.com/defense-sandbox-help-cis/shell32dll-could-not-be-recognized-t64115.0.html

Thank you for the reply.

I turned Sandbox off, it helped. But as I understand, Sandbox is run automatically for unknown applications, and I like this functionality. So I would like the software to work properly without disabling modules. Is it possible?

What is Defense+ Training mode designed for?
Why do you ask me to not use it for a long time?
If it is designed for tiny configuration of software, I’m OK with answering many questions. But I’m very unhappy with answering the same questions more than once.

If it worked with the sandbox disabled, this means that shell32.dll was sandboxed before; you should have had an alert for this.

There should be an entry in Defense+ logs like the screenshot.

Training is only used if you have problems with certain software or games that you have difficulty running.

In training mode all actions are allowed, including malware.

Please use Safe mode or Clean PC mode; for the second choice you must be sure that you have no malware on your computer, as all applications when you install are treated as safe.

[attachment deleted by admin]

How can I make Comodo not ever ask me about this program? Why is checking “Always trust this file or package” and pressing OK not enough?

Screenshot here: http://img825.imageshack.us/img825/760/40068275.png

On my PC in Training mode I’m asked about all actions, so they are not allowed. Could you please explain what you mean?

So what is the difference between Training mode and Clean PC if both options make available running any application?

This file is a Windows system file.

Do you have ‘block all unknown requests’ ticked under D+ settings?

Best wishes

Mouse

“This file is a Windows system file”. Yes, I know. So what?

I don’t have such an option, but have another, “Block unknown requests if application is closed”, it is unchecked. Does it help with the resolution?

So can anybody advise why “Always trust this file or package” doesn’t work and what can I do to make it work?

If unchecked it eliminates a possible cause.

I’m slightly worried here that your copy of shell32 may not be clean. Do you know how to check file signatures? I will try to help if I can.

How can this affect the fact that option “Always trust this file or package” does not work?

I’m sure it is, but anyway I want the application use “Always trust this file or package” option. Comodo doesn’t say “application is suspicious” or “looks similar to virus”, it says that “it could not be recognised”, and I expect that when I check option “Always trust this file or package”, this is enough to recognise it for Comodo and make it always trust this file or package. I want this option to be applied, now it is not.

Sorry should have explained. Two issues here 1) why is shell32 not being trusted 2) why does ‘always trust’ not work.

Could you also post your D+ event logs and active process list please, then we will probably know what is going on.

> I'm sure it is, but anyway I want the application use "Always trust this file or package" option. Comodo doesn't say "application is suspicious" or "looks similar to virus", it says that "it could not be recognised", and I expect that when I check option "Always trust this file or package", this is enough to recognise it for Comodo and make it always trust this file or package. I want this option to be applied, now it is not.

Issue 2) is already documented. I am trying to help you by addressing issue 1). Also warning you re possibility of infection. No AV detects everything....

Best wishes

Mouse

D+ logs screen already posted above:

Process list already posted above:

Do you mean documented by me (ivmed) or documented somewhere else? If it is documented somewhere else, please advise a link if you have one, so that I can look and resolve my issue.

Thank you so much for taking care of issue 1, but please don’t, it’s a separate discussion. Let’s concentrate on 2).

Thanks again for all comments.

This happens to me too, but I'm living with it.
Anyway, it is annoying to see that popup every time I run the program.

OK sorry missed this as it was not in the format. If you don’t mind it’s best if you edit the format to include the link to prevent the devs doing the same.

> Process list already posted above:

Actually you posted the Windows task list, not the CIS active process list :)

> Do you mean documented by me (ivmed) or documented somewhere else? If it is documented somewhere else, please advise a link if you have one, so that I can look and resolve my issue.

Here: https://forums.comodo.com/format-verified-issue-reports-cis/repeating-unlimited-access-alerts-issue225-t61681.0.html;msg434577#msg434577

> Thank you so much for taking care of issue 1, but please don't, it's a separate discussion. Let's concentrate on 2).

Unfortunately we may need to understand 1 to understand 2, as 2 can have many causes. The fact that shell32.dll is being alerted is very unusual. This should be a signed MS file, so it should be trusted, including with unlimited access.

I would suggest working through the FAQ on removing items from the sandbox, but until you have established that this file is a signed MS executable, I would not recommend this.

Best wishes

Mouse

This is annoying enough for me to remove application and forget it if I don’t deal with this issue.

Not sure what you mean. What format of what file do you mean to change to what? Change screenshot file format from .PNG to .JPG? Reformat my post? Reformat tabs in the program and prepare another screenshot? How does this help the programmers?

Actually I posted Windows process list, the second tab of Task manager; Windows task list is the first tab. Why not CIS process list? Because there is form:

> 2. Screenshots of related event logs and the active processes list:

It's not specified whether Windows process list is necessary here or D+ process list. For somebody it's obvious that CIS process list is assumed? For me it's not. So thank you for clarifying. Maybe you can update the form to avoid further misunderstanding.

> Here.

Thanks a lot. I did what on https://forums.comodo.com/format-verified-issue-reports-cis/repeating-unlimited-access-alerts-issue225-t61681.0.html;msg435248#msg435248 was suggested, that is treating this file as installer, and it worked.

But before I did that, I looked at Trusted files list, and Shell32.dll was there. So why this setting was not used when I double clicked the clock and this file was executed - I don’t know, and it’s a serious bug, as for me.

I now don’t care of the fact whether this file is signed or not. It should be enough for Comodo that I tell it that this file is trusted - and it should remember it.

Now I had to:

  1. Try several ways of resolving this
  2. Find this community forum
  3. Find proper forum part for making bug reports
  4. Register on it
  5. Prepare information and fill in a huge form for bug reporting
  6. Login
  7. Again find the topic for bug reporting, because after login I’m not redirected to the topic I logged on from, but to the main forum page
  8. Spend my time and people’s time for resolution (thanks again to all participants)
  9. Finally find a solution that the file should be manually treated as installer
  10. Apply this setting to Shell32.dll file
  11. Keep in mind that I should do the same for any file I want to be treated as safe and do that to avoid questions at every program start.

Instead of that all I expected I could check one, only one checkbox in one, only one dialog box and use 1-2 seconds, not several hours, for it - “Trust this file”.

I found that the similar issue was raised on https://forums.comodo.com/format-verified-issue-reports-cis/repeating-unlimited-access-alerts-issue225-t61681.0.html on September 14, about 2 months ago. And it’s still not processed by programmers team!