Sandbox/D+ Bug when deleting Untrusted files

The bug/issue

  1. What you did: Copied files back and forth between C and D drives, an untrusted file was added to the trusted files list upon deleting via comodo gui
  2. What actually happened or you actually saw: a file was handled correctly by comodo until it was deleted via the comodo interface. once copied back to the same location, it was added to “trusted files”
  3. What you expected to happen or see: i expected the file to be sandboxed like before
  4. How you tried to fix it & what happened: removed file from “trusted files” and executed again… the file was sandboxed as expected
  5. If its an application compatibility problem have you tried the application fixes here?: No
  6. Details & exact version of any application (execpt CIS) involved with download link: file attached
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: see steps below
  8. Any other information (eg your guess regarding the cause, with reasons): none

Your set-up

  1. CIS version, AV database version & configuration used: 5.8.211697.2124
  2. a) Have you updated (without uninstall) from CIS 3 or 4: no
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: no
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): no
  5. Defense+, Sandbox, Firewall & AV security levels: D+= proactive , Sandbox= enabled/untrusted, Firewall = custom policy , AV = nonexistent
  6. OS version, service pack, number of bits, UAC setting, & account type: Win7 x64 sp1, UAC disabled, Administrator
  7. Other security and utility software installed: MSE, MBAM free
  8. Virtual machine used (Please do NOT use Virtual box): none

I think i’m getting closer to tracking down exactly why autosandboxme.exe from avast is not handled correctly sometimes by the sandbox and D+, here is what i did.

  1. execute autosandboxme.exe from D: drive (it gets sandboxed).
  2. copy autosandboxme.exe from D: drive to desktop on C: drive.
  3. execute autosandboxme.exe from C: drive just for kicks to test it (it gets sandboxed)
  4. open Comodo GUI and view the two autosandboxme.exe processes running in the sandbox (one from D: and one from C:) in the window called “Unrecognized Files” Select the process running from D: drive and choose “DELETE FILE”. The file is deleted.
  5. Copy autosandboxme.exe from the desktop on C: drive back to D: drive (where it was just deleted from) and execute it. it runs with no D+ alert, nor Sandboxing because it has somehow been added to the “Trusted files” list. ???

attached are some screenshots and my exported configuration along with a copy of autosandboxme.exe . I really hope ive given enough info for either someone to tell me what i did wrong to make this happen OR to find out why this file is handled incorrectly

Thanks for reading

[attachment deleted by admin]

I may have waaaaaaaay overcomplicated things. it seems that copying files back and forth between drives populates the trusted file list…

in any event, untrusted files can become trusted erroneously.

Great report thanks.

Transferring to verified.

Mouse

This looks like this bug I submitted over a year ago:

https://forums.comodo.com/empty-t61787.0.html

Just copying a file to a new directory made it trusted.

yep, i think this may be the same issue you reported.

it seems that unticking the sandbox buttons “Automatically detect installers…” and
“automatically trust file from trusted installers…”

and the D+ buttons “perform cloud based behavior…” and
“Automatically scan unrecognized files in the cloud”

seems (so far) to stop the trusted files list to be automatically populated

I seem to have found a solution , at least for me…

i had added some of the non-default entries under ‘protected files and folders’ such as ‘windows updater applications’, ‘windows system applications’, etc… but upon removing those and beginning a new config my problem disappeared.

anyone else with the same problem may give it a try also :-TU