Standard software treated as installer by Sandbox (4.0.135239.724 x32)

Problem description: The appended software generated an ‘Elevated Privs Alert’, and when accepted was run unsandboxed. But it is not an installer. I have had this happen 2-3 times with different software.

  • CIS version: 4.0.135239.724 x32
  • Your Operating System (32 or 64 bit, Service Pack revision, and account privs): XP SP3 32 Bit, admin account (on Pentium 4 CPU 3Ghz, 4Gb RAM)
  • Other Security and Utility Software Installed: See appended config report for details. Usually: Comodo - CIS, CVE, CIV, CLP, CSE, CAS, IVault; Other- Filezilla, Wallwatcher, Sony Ericsson PC software, Actual Window Manager, Routerstats, Revo, Process Explorer, Google Desktop, Process Tamer, Process Explorer, Kiwi Syslog, Idrive, Clipmate, Hotspotshield, Stuffit
  • Step by step description to reproduce the issue: Just run the software.
  • How you tried to resolve the problem: N/A
  • Upload Memory Dumps on crash if you encounter any: N/A
  • Attach screenshots to your posts to clarify the issue further: Appended
  • Virus database version: Please see appended config report
  • Any other information you think that might be useful. CIS settings: See appended config report for details.

How can CIS know if it is an installer or not?

I assume it gives the alert for any program that asks for elevated privileges. Windows uses the dumb rule of elevating any program with setup in the name.

It looks like CIS elevated prompts are usually triggered:

  1. When an unrecognized application has an embedded elevation (requireAdministrator) manifest (eg CLT)
  2. When an unrecognized application filename includes specific words (like setup or installer)

The latter can be used as a workaround in case some unrecognized installer/application cannot trigger the D+ elevation prompt (append setup or installer to the name).

I get the elevated privileges alert for SkypePortable.exe and MyDefrag.exe.

http://www.mydefrag.com/

Applications that trigger D+ elevation alerts because of a corresponding elevation manifest can be verified by running sigcheck -m and confirming requestedExecutionLevel level="requireAdministrator" in the console output.

Adding those applications to “My Safe Files” will suppress the D+ elevation alert as well.
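The two triggers listed earlier in the thread (an embedded requireAdministrator manifest, or setup/installer in the file name) can be checked on a file before it is run. The Python below is an added example, not code from CIS or from any poster: it scans the file bytes for the embedded UTF-8 manifest text instead of walking the PE resource tree, so sigcheck -m remains the authoritative check; the trigger words and the sample executable bytes and manifest are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Filename words that, per the posts above, make D+ treat an unrecognized
# file as an installer (assumed list, taken from the thread).
INSTALLER_WORDS = ("setup", "installer")

# RT_MANIFEST resources are stored as plain UTF-8 XML, so a byte scan finds them.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL | re.IGNORECASE)


def extract_manifest(data: bytes):
    """Return the embedded application manifest XML as text, or None if absent."""
    m = MANIFEST_RE.search(data)
    return m.group(0).decode("utf-8", errors="replace") if m else None


def requested_execution_level(manifest_xml: str):
    """Return the requestedExecutionLevel 'level' attribute (any namespace), or None."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None


def elevation_triggers(filename: str, data: bytes) -> dict:
    """Report which of the two D+ elevation-alert triggers a file would hit."""
    manifest = extract_manifest(data)
    level = requested_execution_level(manifest) if manifest else None
    name = PureWindowsPath(filename).name.lower()
    return {
        "manifest_level": level,
        "manifest_requires_admin": level == "requireAdministrator",
        "name_looks_like_installer": any(w in name for w in INSTALLER_WORDS),
    }


def fake_pe(manifest: bytes) -> bytes:
    """Constructed stand-in for an executable: MZ header, padding, manifest."""
    return b"MZ" + b"\x00" * 64 + manifest + b"\x00" * 16


# Constructed manifest of the kind sigcheck -m would print for CLT.exe.
ADMIN_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>"""

if __name__ == "__main__":
    print(elevation_triggers("SkypePortable.exe", fake_pe(ADMIN_MANIFEST)))
```

Run it against a real file by reading its bytes (open(path, "rb").read()) and passing the path as filename; a file with neither trigger set should, per the thread, be sandboxed rather than prompted.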

My observations suggest that it's asking for admin privs that triggers these alerts, at least under XP.

There are alternatives. It would be reasonably feasible to make a list of all widely used installation file creation software, and look for specific signs in the generated installation files.

Seems to me this would be more secure.

Though maybe all that is needed is a change to the elevated privs alert; it needs to say “If you did not just ask an installer to run, or run a file that you know requires admin privs, you should probably deny this alert!” Plus maybe the ability to choose to allow elevated privs but monitor the software using D+ alerts.

Mouse

Stripping CLT.exe of its elevation manifest (eg using Resource Hacker to remove the 24\1\1049 branch) won’t trigger D+ elevation alerts on XP.

Probably all the applications listed so far in this topic will behave in the same way.

Yep, don’t think this is very sophisticated installer detection :slight_smile:

I guess something more sophisticated won’t be needed as long as Vista works in a similar fashion :wink:

Perhaps the corresponding sandbox setting could be rephrased but probably nothing would look easy to understand and synthetic at the same time.

Yeah :slight_smile:

The essential problem remains though:
a) CIS is supposed to be designed for Mop and Pop
b) Mop and Pop are not going to know which Elevated Privs alerts to allow.
c) Software masquerading as installers can easily trick them
d) Allow the elevated privs alert and the software has pretty much free access

Ergo: Installer detection needs to be better for Mop and Pop, or some other solution is needed - QED?

Automatic detection of installers could only be done by a white list and allowing signed executables (does it do this already?). Anything else could be mimicked by malware. If the application is unknown it is up to the user to decide.

I would have plenty to say in that regard and I will probably do so when a related topic focuses on these aspects for non-bug-reporting purposes.

To make it short I’ll link one of the articles easily available on the net that outlines what real (non-masquerading, non-fake) installers can be used for:

Fake Codecs; How to get ■■■■■■■ the easy way …

Ergo: Mom and Pop would not need to get a Software “masquerading as installer” to get infected…

Yes I agree, some other solution would be better, and I agree let’s leave it there.

The Mop and Pop problem remains unfortunately.

Best wishes

Mouse