Trstd installer runs as I/U when its pvgs must be only path-determined [M1245]

1. The full product and its version:
CIS beta 8.0.332922.4281

2. Your Operating System (32 or 64 bit) and ServicePack revision, and if using a virtual machine, which one:
WinXPSP3 x32, VMware

3. List all the configuration changes you did. Are you using Default configuration? If no, what’s the difference?:
Config: Proactive Security
Antivirus: disabled
HIPS: Paranoid mode
“adaptive mode under low system resources”: enabled
“enhanced protection mode”: disabled
Auto-Sandbox: disabled
Viruscope: disabled
Firewall: disabled
Cloud Lookup: disabled
Trust application signed by trusted vendors: enabled
Trust files installed by trusted installers: enabled
Detect potentially unwanted applications: disabled

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
No

5. Other Security, Sandboxing or Utility Software Installed:
No

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: Set configuration: HIPS is on (Paranoid mode), Auto-Sandbox is off
2: Add file “a.exe” (from the attachment) to trusted
3: Run it
4: Allow “explorer.exe” to run “a.exe”

7. What actually happened when you carried out these steps:
The program “a.exe” will create and execute the program “b.exe”. Both programs will execute with no restrictions, and the file “b.exe” will be added to trusted.

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
Because HIPS works in Paranoid mode and Auto-Sandbox is disabled, any action by programs “a.exe” and “b.exe” must call HIPS alerts, regardless of their rating. The file “b.exe” must not be added to trusted.

9. Any other information:
It was the typical behaviour of CIS7:
when the privileges of an application are determined by its path, the application will not be granted as “Installer or Updater”.
E.g.: the path of an application is excluded from Auto-Sandbox and it has a full determined HIPS ruleset (without action “Ask”, e.g. “Windows System Application”).

But the behaviour of CIS8b is changed. Imho it is not correct.
With V7, with the same configuration described in this bug report, V7 would have created HIPS popups for both a.exe and b.exe, even though a.exe was manually added to the Trusted Files List.
I have attached a video to compare the behaviour of the versions (the configuration in the video differs from the one mentioned).

The heart of the problem: with CIS7 I had a method to suppress privileges of trusted installers, in case they are undesirable. But with CIS8b I can’t do it.

[attachment deleted by admin]

Thank you for reporting this. Is your system 32 bit or 64 bit?

Also, do you mean that with the same configuration that V7 would have created HIPS popups for both a.exe and b.exe, even though a.exe was manually added to the Trusted Files List? Is that correct?

Is your system 32 bit or 64 bit?
32 bit: WinXPx86SP3 (VMware)

Yes. When Auto-Sandbox is disabled and HIPS is in Paranoid mode.

Sorry, I’ve forgotten to attach the file “a.exe”. It is here

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Thank you too. Attach my forgotten file to the post please.

I had missed that. Thanks for pointing it out. It’s now attached.

The devs have responded that apparently this is expected behavior with the new way the Auto-Sandbox works.

In CIS 8 the Behavior Blocker was replaced by the Auto-Sandbox. In order to make application ‘a’ be launched without any restrictions, and have application ‘b’ launched in Fully virtualized mode, please follow the next steps:
1. Open ASE > Security Settings > File rating Settings > Disable ‘Enable Cloud Lookup’, ‘Trust files installed by trusted installers’ checkboxes.
2. Add application ‘a’ to Trusted Files > save settings.
3. Open ASE > Security Settings > Sandbox > Auto-Sandbox.
4. Add new Sandbox rule with the following parameters:
Action - Ignore
Target - path where the application ‘a’ is present.
Open Options tab > enable ‘Don’t apply the selected action to child processes’ checkbox.
5. Save changes.
6. Launch application ‘a’.

This is the advice I got from the devs. Thus, it looks like things just work a little differently than we had thought. I will now move this to Resolved. Please let me know if this is still not working for you, or if you have any questions.

Thank you.

Hi Chiron!
It doesn’t work.
The file ‘b.exe’ isn’t added to trusted. That is ok.
But the other undesirable privileges have remained.
I’ve attached the video.
And besides, I prefer to receive HIPS alerts about applications activity and to enable option ‘Trust files installed by trusted installers’.
Thank you.

[attachment deleted by admin]

Thank you for testing this. I have re-opened this in the tracker, moved this bug report back to format verified, and passed your information into the tracker.

I’ll let you know if there are any further developments.

Thanks again.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.

This is not fixed with the version 8.0.0.4337.

But I would agree that this is not a bug when I had another method to suppress trusted installer privileges. I have proposed one in the wish request.

Sorry : )

Thank you for checking this. I’ve updated the tracker.

Also, in terms of whether this should be a bug or a Wish, as this has already been submitted as a bug we will make whatever changes are necessary internally in the tracker if the devs respond that it’s not a bug but a wish. There is no need for an extra topic for the same issue.

Thanks.

I don’t quite understand you. Do you mean my wish request is unnecessary?

If the issue you reported in this topic were fixed would your wish still be needed? If the answer is yes then please do keep the Wish Request as a separate topic. However, if the answer is no then there is no need for the extra Wish Request.

Thanks.

Yes, it would be needed. My wish request is waiting for your approval.

Thanks, no problem then. However, I am very busy at the moment and I’m not sure when, or by whom, your wish will be processed. However, we’re currently working on it. :wink:

Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.

Hello

This is not fixed.

CIS 8.1.0.4426
Configuration: Proactive Security
Win7x64SP1 (VMware), Admin, UAC is enabled

[attachment deleted by admin]