"Safe Files" lost, and Trusted Vendors added

I’m running CIS 4.1.150349.920 on Win 7 64 - though I have upgraded versions during the course of this problem. (Antivirus is disabled; Defense+ and firewall are active.)

A few weeks ago, CIS started losing all the entries in “my own trusted files.” After having painstakingly added my common applications and answered multiple alerts, I had a list of about 100 (guessing) entries. Frequently, when CIS would start up, it would re-ask me about all the same applications, again. When I go into the “My own safe files,” the dialog is completely empty. I would then kill CIS and restart it - usually to find all my safe files back in the list (and not being prompted).

Yesterday, I got popups for some of my usual applications and I indicated they were ok. I opened CIS/Defense+/My Own Safe Files, and my list was blank, so I restarted the application, as usual, but the list had only the two applications that it asked about in this session. I have not been able to get my previous list back, and all applications are now prompted, again.

To make sure they had not been moved to the vendors whitelist, I opened that section and found a large number of “User” trusted vendors which I did not recognize (and a few I did put there, myself). I am now concerned that my CIS has been hacked.

Has anyone seen this, and is there something I should worry about besides the time involved in a reinstall?

It sometimes happens that when cmdagent.exe or cfp.exe crashes, one loses stuff from lists like My Own Trusted Files, Computer Security Policy and Firewall Security Policy.

In case you lose settings from Computer Security Policy and Firewall Security Policy, simply use Windows System Restore to go back to the previous day; CIS stores these in the registry. My Own Trusted Files may be stored in a file in the database folder (in the CIS installation folder).

The Trusted Vendor list comes with a long list of vendors. Only two of them are defined by “Comodo” and the rest are defined by User. That is confusing as the whole list is provided by Comodo. That has changed with v5.

I don’t think your CIS is hacked.

Thank you, Eric, for the information. When things started getting flaky, I got nervous, but it makes sense as you describe it.
I am glad that the list is modified in v5 to correctly represent who added trusted vendors, that’s more intuitive.

I’ve been having the same problems on a 5-yr old laptop running Win XP Home SP3 32bit 512MB RAM. Ran v3.0 for 2 years with no problems, then thoroughly uninstalled it a few weeks ago and installed v4.1.150349.920.

I set “Clean PC” mode as I had in v3 as I knew my system was clean. Have had nothing but problems ever since with the Defense Plus and sandbox components. Comodo goes into periods when it questions many of my old programs, making me approve everything, such as opening Notepad and allowing it access to the keyboard. During these periods it takes forever to do anything because it will ask approval for every little thing that a program does when you open it (maybe a dozen things like accessing registry keys, keyboard, monitor, etc), then not remember my answers though I’ve told it to. I try out of frustration to give the program “Trusted Application” status, but Comodo either ignores me or the option disappears from the dropdown list. The list of files in My Own Safe Files and sometimes also My Pending Files goes blank at these times. Re-booting returns everything back to normal, but after some time Comodo lapses back into this buggy behavior. I’ve never had an outright crash, but become aware that the problem has sneaked back through the many popups that shouldn’t be happening.

Besides this Comodo is always sandboxing apps, the same ones repeatedly despite me telling it to never sandbox the app again. The event log even shows Comodo sandboxing some apps after calling home to its database and it saying the app is safe.

I disabled the sandbox a few days ago, but the buggy behavior still happens. Just today, when this behavior started again, it occurred to me to run the More > Diagnostics feature instead of rebooting. It said it had fixed some problems, and indeed My Own Safe Files reappeared and the buggy behavior stopped (though I don’t know for how long). Interestingly, I had run the diagnostics right after installing and all was OK.

Right now I am trying to decide whether to uninstall v4.1 in favor of v5.0 or “upgrade” to v3.14 if the bugs continue, as the usability of my machine is greatly reduced when this happens.

I would always recommend a clean install of CIS 5.0, which is far superior to 4.1.

I never actually installed version 4, but I recently did a clean uninstall of version 3.14 and installed version 5. I like version 5 quite a bit. I say give version 5 a try, because they’re going to stop supporting 3.14 soon. (November I believe?)

Sorry to take so long to reply. After getting sidetracked on another project a couple of weeks, I did install v5.0 rather than downgrade to v3.14, reasoning that I could always downgrade temporarily if I still had problems similar to v4.1. (As I don’t use the AV component, the loss of support in November for v3 probably would not be a major concern for me, but I would eventually want to update anyway.)

I have been generally pleased with v5.0 and will keep it. I run both the firewall and Defense+ in the default Safe Mode. For me, v4.1 was too buggy to be useable, but its bugs which I detailed in my earlier post have disappeared in v5.0.

There are still some quirks in the sandbox, but though they cause some annoying popups, I can live with them, knowing that these will probably be ironed out as v5 matures. Mostly these have to do with processes that load early during system boot-up being repeatedly sandboxed, even though they have been added to Trusted Files. I suspect they load before Comodo has access to Trusted Files. They get sandboxed and added to Unrecognized Files, then the logs show that within a few minutes they are “scanned online and found safe”, so are unsandboxed. For me these processes are mainly Fences.exe (a desktop organizer that loads very early), SynTPLpr.exe and SynTPEnh.exe (Synaptics touchpad driver and enhancements), and igfxsrvc.exe (a service related to the Intel graphics chip). Sandboxing these causes no problems (indeed only SynTPEnh.exe continues to run when the system is up), so I no longer bother to tell Comodo not to sandbox them again.

Another quirk is that some files can remain in Unrecognized Files for days or weeks, even though Comodo has automatically (or the user has manually) submitted them for analysis. I normally move them to Trusted Files only if I know they are safe and sandboxing is keeping them from working properly.

I would recommend a couple of things to the user regarding the sandbox:

  • Thoroughly read the sandbox sections of the Help or User Guide (specifically for v5.0, not v4.1) to understand the philosophy of what the sandbox does. Get it out of your head immediately that it is Comodo’s equivalent to Sandboxie or similar apps. The “sandbox” nomenclature is unfortunate. A better way of thinking of it is as a “privileges downgrader” that keeps an untrusted process from doing harm to the system. I suspect many user complaints/problems are related to this misconception.
  • Unless a process is being kept from working properly by the sandbox, don’t interfere. Just let it function automatically as intended, scanning sandboxed files online and handling them accordingly. Then you will know what is working properly in Comodo and what is not. Also Comodo’s online database will benefit, which improves the system for everyone. Many processes run fine with the reduced privileges in the sandbox. If not, and you can’t wait, manually submit them in Comodo or use another online scanner to decide whether to add them to Trusted Files.
  • If you select on the sandbox popup “Do not sandbox again”, remember you must re-start the sandboxed process so Comodo will take it out of the sandbox.

What happens is that first an automated system tries to determine if the file is safe or not. If it isn’t sure, a real person will check it out. For whatever reason, sometimes it can take a long time to get these looked at, although Comodo has said their goal is 24 hours.

If there are some files you’d like looked at more quickly, you can submit them here on the forum (link below) and they will be considered a priority. I have still had files that have taken over a week to get processed, although I see some applications are dealt with the same day they’re submitted. I don’t know whether it’s an application complexity issue or what…

Submit Applications you want to be made trusted here.

Thanks for the info. I’d wondered why some files sat there while others were scanned sometimes within minutes. Hadn’t taken the human check into account. In my case, most of these I know to be OK, as haven’t reformatted my system since installation 5 years ago and it appears most of the ones sitting there are from lesser used apps. So are older versions, not updated recently like apps I use frequently. Perhaps that is one of the considerations. Also the number of users submitting an older version would be fewer.