"Treat as installer" & "Safe file runs safe file" changes V3->4

if you install something, and mark a setup temporarily as “treat as an installer or updater”, it seems to switch to something like installation mode for more than this setup exe, and for longer than the installation too.
i noticed it a few times. but today i got the proof.
installed a game, and as i launched it the first time right after installation there was not a single question from comodo, not even whether explorer exe should be allowed to start that game exe.

in defense+ there was no rule for the game, but it ran. and the second start after a while led to many questions from defense+.

in other words: if you choose in the specific question window “treat (this setup) as an installer, temporary”, everything on your pc can run for a while without any notice.

paranoid mode, everything switched on. if this happens in highest mode, what happens below…

I think what may be happening here is that your programs are getting auto-sandboxed. This suppresses alerts (it’s intended to).

Please read the “Introduction to the sandbox” in my signature, and see if that helps.

Best wishes

Mouse

the sandbox is disabled.
i will test it in other situations. as far as i can say, it didn't happen each time. it's not so obvious to notice something that “doesn't appear” (comodo questions). but if you run these programs again, you remember that these questions weren't asked the first time.
as i have my routine to get a program running, it's not to be expected to answer any question after the first successful run.
i wrote here, so maybe other users could look if they notice this behaviour of cis too.

the ultimate proof of this behaviour is: when i started the program the second time, it froze my pc, after i had answered the first batch of questions during the second start. so there was a question there which wasn't shown in full screen mode. the first run would have had to freeze too, as i didn't use training mode, and the appearance of questions doesn't change over time. but it ran just fine, at once.

Not sure whether this is a bug or by design. I tend to think it is by design as I sometimes see installers start up other executables that are part of the installer package.

Is this, then, the v4 version of the v3 installation mode? You enter it perhaps via the elevated privs alert or by defining a file as an updater. There’s no nag to take CIS out of installation mode any more - just a fixed timeout?

Mike

I am talking about the Updater/Installer policy as I assumed topic starter was.

I just did a little test in Paranoid/Proactive with no sandbox. The CCleaner installer was allowed to start the Yahoo toolbar installer without alerts. Both the installer and the Yahoo toolbar installer were safe files (I disabled trusting digitally signed apps).

I can’t think of an installer right now to test if also unsafe apps are allowed to be run by the Installer policy (I think it is allowed though).

I think the installer/updater policy, if selected from an alert, used to put CIS 3 in ‘installation mode’ for a short while, while the file so designated was running (subject to approval)?

Maybe it’s now doing so automatically (without approval) for a short period - long enough for installation to occur? This would avoid alerts. But according to Egemen (in the CIS4Beta) installation mode has gone.

Maybe it is continuing?

Best wishes

Mouse

clockwork,

I can confirm what you said (SB aside), but tend to think this is by design. I suppose if the policy “installer or updater” is chosen for an executable (e.g. a game installer) then this executable is granted full access on the system, plus it can execute any other executables silently AND… the same privileges are granted to child processes of the installer (executables called by the installer).

So, in the case you mentioned, when the game is launched it is allowed silently because it is called by an executable in “installer or updater” mode (the game installer), plus the game executable is granted full access on the system until it finishes (until you exit the game).
But when you launch the game next time you are given all possible alerts because NOW it is NOT called by an executable in “installer or updater” mode.

Messy explanation, I know, but I tried :)

P.S.: Much more severe consequences (system destruction or “takeover”) may follow if “installer.exe” contains “virus.exe”. In this case “virus.exe” should do its job silently: see this thread.

With the sandbox enabled you get the Elevated Privileges alert. With the sb disabled you get back the old v3.x style installer/updater policy choice.

Btw, I think it is the right way to implement it, otherwise we would need to choose “installer/updater” for every executable called by the original installer :-\

Makes perfect sense to me! So the installation mode is there (not gone as Egemen said) but only if sandbox is disabled.

Thanks for clarifying Eric! Sorry to have you answering in two directions!

Best wishes

Mike

Nay bother…

Agreed. It makes the policy a dangerous one of course when one cannot trust the source the program is downloaded from.

1. if it was started by the installer, you might be right. but i usually start programs myself, and never let the installer start a program after installation. so the first candidate for action would have been explorer.exe.
   as there was no question about “explorer tries to run game exe” (the security benefit of paranoid mode is this explorer question), even explorer was allowed to start something.

2. in version 3 we had the choice. in version 4 we unknowingly run cis in a “global like” installation mode by answering a “specific question for a specific program”. it's comfortable to use, yes, but it's more than what we have answered to in that window.

imagine you run cis together with “another” antivirus which has the “new version” behaviour of scanning after a virus finding. during this scan you can download another virus temporarily undetected (it's a new program version too, omg, was very surprised while testing). until the short “emergency” scan is finished, and you have installed a program with cis installation mode while/before that, the undetected new virus is allowed to execute.
just a possible scenario of “all goes wrong”.

There would be no need to imagine something like that while the installer itself was manually assigned full privileges (e.g. install and start drivers/services, write registry, replace files, inject safe-listed processes, etc.): running any untrusted installer using the installer policy exposes you to such risks in general.

Run-executable permissions do not rely on the policy of the parent application (e.g. explorer.exe), so in a general scenario it makes sense to have the executables of trusted installers allowed even if it is the user who starts them (such files are added to the User safe list by default options).

Paranoid mode could be considered an exception, so it would prove useful if you confirm this behaviour with some easily available application installer and have everyone give it a try (please link some app on a well-known software repository).

I suppose after the game was installed there was a final window “installation is done” with a checkmark “launch the game” and finally a “finish” button. If so, then by placing the checkmark and clicking on “finish” the game’s main executable is NOT called by explorer.exe but by game_installer.exe, hence no alert(s).
If the checkmark is not placed and “finish” is pressed then game_installer.exe finishes its work, and next time you launch the game’s main executable it will be called by explorer.exe, hence producing alert(s).

I get this in all cases, a possible “workaround” would be to not allow installer to launch program just after installation.

i wrote that i don't use the “start” in installations.

the first times in the past i thought: “maybe i have overlooked something in the process”. so i don't remember older examples instantly.

when it happened while my eyes were wide open to this fact: installation of vietcong1

other examples would have to be found in future.

settings: paranoid mode, sandbox off, all possible question layers activated, no trusted vendors or something like that.
answer simply “yes” to “explorer exe tries to execute setup exe”
then
“treat setup exe as installer” (don't mark remember my answer).

right after installation start the game with the starting icon on desktop.

if you don't have it at home: it's too old to play, if you don't like “nostalgic” graphics :D

i will run the test again. whatever result may appear, for some reason it happened sometimes before. that's what i can say. may it be my fault or something else.

Then… I don’t have an answer, that’s not what i supposed.

test finished:

during installation i noticed that even if you cancel the installation and make a new try, you are no longer asked about explorer exe on further tries. (completely stop the installation from running before the new try).
same after installation, with the game icon. i tried two times. when you click the icon on the desktop you are never/not asked for explorer. normally it asks in both cases with usual programs. (i tested “simultaneously” with another program).

in this case the clue to what happened that led to this topic is quite simple: the normal game start screen looks exactly like the installation screen. so, if you press play, the game has the same rights as the installer got.

the result: this installation is somehow a bit different from normal installations, so that explorer does not have to be allowed with each new try. so, as long as the installer lasts (somewhere), even the icon is somehow leading to the allowed screen/installer.
it is clear to a point now. but there are these examples in the past. that's why i will still keep an eye on it. i should have made notes, but i didn't know that i could need them one day.

ps: the question from explorer for the GAME exe is missing, because cis “doesn't forget rules for explorer, even if the exe is uninstalled”. i mentioned this thing a while ago. you have to erase some of the explorer rules (only for “start other applications”) in a very hidden place, if you want to be up to date with those rules… (erasing the real game/exe rule is not all)
that far we found one suggestion and some answers.
thx

EDIT: this test was made with the same game. it seems to be alright, and explainable. if i notice something like that again, i will take a closer look too.

Please provide us with something we can test. So we can verify your findings.

Even if not marked to be remembered, D+ alerts will continue to be applied to the parent application (left side of alert) until such (parent application) is terminated.
If not terminated manually (eg using task manager) explorer.exe is terminated only during a reboot/logoff:

Thus even if a “run an executable” alert is allowed but not marked to be remembered, explorer.exe will be able to run the same application (or installer, or game, etc.) multiple times as long as explorer.exe is running (switching back and forth between safe and paranoid mode seems able to reset/override this).
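
The two behaviours participants describe in this thread (installer rights passing to child processes, and non-remembered "allow" answers lasting as long as the parent process runs) can be put into a small toy model. This is an added example, not Comodo's code or anything posted in the thread; the class names, decision labels and the `setup.exe`/`game.exe`/`helper.exe` image names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional["Proc"] = None
    installer_policy: bool = False  # "treat as installer or updater" was chosen

@dataclass
class ToyHips:
    # (parent pid, child image) answers given without "remember my answer"
    session_allows: set = field(default_factory=set)
    next_pid: int = 100

    def _under_installer(self, proc):
        # Children (and grandchildren) of an installer share its rights.
        while proc is not None:
            if proc.installer_policy:
                return True
            proc = proc.parent
        return False

    def launch(self, parent, image, answer="allow"):
        """Return (decision, child process or None)."""
        key = (parent.pid, image)
        if self._under_installer(parent) or key in self.session_allows:
            decision = "silent"
        elif answer == "allow":
            self.session_allows.add(key)  # lives as long as the parent does
            decision = "alert-allowed"
        else:
            return "alert-blocked", None
        self.next_pid += 1
        return decision, Proc(self.next_pid, image, parent)

    def terminate(self, proc):
        # Non-remembered answers are dropped when the parent exits.
        self.session_allows = {k for k in self.session_allows if k[0] != proc.pid}

def scenario():
    hips, explorer = ToyHips(), Proc(1, "explorer.exe")
    first, setup = hips.launch(explorer, "setup.exe")
    setup.installer_policy = True           # answer to the installer alert
    by_installer, game = hips.launch(setup, "game.exe")
    grandchild, _ = hips.launch(game, "helper.exe")
    by_explorer, _ = hips.launch(explorer, "game.exe")
    retry, _ = hips.launch(explorer, "setup.exe")
    hips.terminate(explorer)                # reboot/logoff
    after_logoff, _ = hips.launch(Proc(2, "explorer.exe"), "setup.exe")
    return [first, by_installer, grandchild, by_explorer, retry, after_logoff]
```

In this model the only launches that raise an alert are those where the parent is neither under an installer nor already holding a live answer for that image, which is why an untrusted installer's whole process tree runs unprompted.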