Signed autorun file from trusted vendor always sandboxed [Issue:#171]

The bug/issue

  1. What you did: N/A

  2. What actually happened or you actually saw:

I have an X-FI sound card and the driver has a helper program Ctxfihlp.exe. This autoruns at startup and is always sandboxed - see attached image.

It is not on the list of applications to always sandbox.

Process monitor verifies it as being signed by Creative Labs Inc which is in my trusted vendors list.

  3. What you expected to happen or see:

It should not be sandboxed

  4. How you tried to fix it & what happened:

If I try to add it to trusted files it says “ctxfihlp.exe is already a trusted file”.

  5. Details (exact version) of any software involved with download link:

Creative Sound Blaster X-Fi series driver 2.18.0013

Download: Creative Worldwide Support >

Files appended

  1. Screenshots illustrating the bug: attached
  2. Screenshots of related event logs or the active processes list: attached
  3. A CIS configuration report: attached
  4. Crash or freeze dump file: N/A

Your set-up

  1. CIS version & configuration used: CIS 5.0.162636.1135 proactive configuration
  2. Whether you imported a configuration, if so from what version: No
  3. Defense+ and Sandbox OR Firewall security level: Defence+ in Safe mode
  4. OS version, service pack, no of bits, UAC setting, & account type: Windows 7 64 bit
    Running as limited user with UAC on maximum
    DEP enabled for all processes.
    Using Applocker as additional security.
  5. Other security and utility software running: None
  6. CIS AV database version: 6097 but this may have updated since.

[attachment deleted by admin]

Hi,

This is probably caused by the early loading stages. Please remove all traces in CIS of this executable and make sure it’s only on the Computer Security Policy as “Installer or Updater”.

Please:

  • Review Trusted files
  • Review Unrecognized files
  • Review Computer Security policy

And make sure it’s set as predefined “Installer or Updater”.

Setting it to “Installer or Updater” in computer security policy does not help. Every time I reboot it adds it to “unrecognised files”. If I try to add it to trusted files it won’t let me, saying it is already safe.

Thanks.

Once again it would really help in tracking down this issue if you could now edit your first post to put it in the new reports format here.

Could you also:

  • say whether you have ‘Block all requests if the application is closed’ ticked.
  • post an Active Processes List view which shows the file that gets sandboxed, also your log entries covering your last boot and the sandboxing event

Many thanks in anticipation

Mike

Thanks, that’s a really ACE bug report.

One more thing before I move it to verified. You may be the first!

Could you try it with addblocker out of memory, and DEP disabled please, and report back?

Best wishes

Mouse

It is AppLocker, not AddBlocker. It is part of Windows 7 and works like a software restriction policy.

I set it to audit only and turned off DEP and rebooted but this made no difference.

OK you win the race!

“Block all requests” is not ticked; have verified from config file.

When I make a lookup and it is found Unknown, CIS tries to submit it. When I confirm, it says “Failed to open file” and red exclamation mark. CIS is trying to process a non-existent file supposedly located in C:\Windows\System32\ctxfihlp.exe. However, the actual running file is located in C:\Windows\SysWOW64\ctxfihlp.exe.

Win Vista 64bit SP2 fully updated, same for CIS5 (1135).

EDIT:
Also, if I open the list of apps running in the sandbox and make a lookup for ctxfihlp.exe it is found safe. CIS says it will add it to the trusted list. However, after that, the file is still running in sandbox and it hasn’t been added to the trusted list. That’s weird…

EDIT2:
Even trying to manually add it to the Trusted list doesn’t add it. It’s just not listed on the Trusted list even if I want to add it there.

[attachment deleted by admin]
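The System32 versus SysWOW64 mismatch reported in the post above is the pattern WOW64 file-system redirection produces for 32-bit processes on 64-bit Windows. As an added example (not from this thread and not Comodo's code), the sketch below maps the path a 32-bit process names to the on-disk file before a trust-list lookup. That redirection explains the CIS behaviour, that ctxfihlp.exe is 32-bit, and the names `on_disk_path`, `is_trusted` and `TRUSTED` are all assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

# System32 subdirectories that Windows exempts from WOW64 redirection.
EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc",
          "logfiles", "spool")

def _under(low, root):
    """True if lower-cased path `low` is `root` or lies beneath it."""
    return low == root or low.startswith(root + "\\")

def on_disk_path(path, process_is_32bit, windir="C:\\Windows"):
    """Resolve a path as named by a process on 64-bit Windows
    to the file that is actually opened on disk."""
    norm = ntpath.normpath(path)
    if not process_is_32bit:
        return norm  # 64-bit processes see System32 as it is
    low = norm.lower()
    sys32 = ntpath.join(windir, "System32")
    sysnative = ntpath.join(windir, "Sysnative")
    # Sysnative is the alias 32-bit code uses for the real System32.
    if _under(low, sysnative.lower()):
        return sys32 + norm[len(sysnative):]
    if _under(low, sys32.lower()):
        rest = norm[len(sys32):]            # "" or "\sub\file"
        rel = rest.lstrip("\\").lower()
        if any(_under(rel, e) for e in EXEMPT):
            return norm                     # exempt: not redirected
        return ntpath.join(windir, "SysWOW64") + rest
    return norm

# Constructed trust list, keyed by on-disk path.
TRUSTED = {"C:\\Windows\\SysWOW64\\ctxfihlp.exe"}

def is_trusted(path, process_is_32bit, trusted=TRUSTED):
    """Look up the resolved path, case-insensitively, in the trust list."""
    real = on_disk_path(path, process_is_32bit).lower()
    return real in {t.lower() for t in trusted}

if __name__ == "__main__":
    reported = "C:\\Windows\\System32\\ctxfihlp.exe"
    print(on_disk_path(reported, process_is_32bit=True))
    print("raw lookup:", reported in TRUSTED)
    print("resolved lookup:", is_trusted(reported, True))
```

A lookup keyed on the unresolved path misses the trusted entry, while the resolved path matches it.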

We would very much appreciate it if you would submit your bug report in the format requested here. For the reasons why see below.

Many thanks in anticipation

Mouse

WHY YOU SHOULD FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if not well described. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

I think this is the same as the bug I reported https://forums.comodo.com/bug-reports-cis/trusted-file-always-sandboxed-t61834.0.html

Thanks have copied a link into your bug.

Mouse

The second part of this post also seems relevant

https://forums.comodo.com/bug-reports-cis/cis5-failed-to-open-file-ctxfihlpexe-for-submission-t62052.0.html;msg437409#msg437409

Best wishes

Mouse

Hi Rejzor

We would very much appreciate it if you would submit a bug report for this issue in the standard format.

Many thanks and best wishes

Mouse

We have another report of this filed in standard format, so I will merge your report with that one, if that’s OK.

Best wishes

Mouse