Unknown autostart file apparently sometimes BB'd, sometimes not [M218] [v6][Ivd]

A. THE BUG/ISSUE (Varies from issue to issue)
  • What actually happened or U actually saw: Unknown autostart program, Routerstats.exe sometimes running in explorer context with restriction=disabled according to Killswitch

  • If not obvious, what U expected to happen or see: Routerstats.exe running behavior-blocked
  • Can U reproduce the problem & if so how reliably?: This happens sometimes when Routerstats autostarts on boot. Sometimes it runs sandboxed, sometimes it runs un-sandboxed. Run manually from explorer.exe, however, the file normally does get sandboxed. Restarted from Killswitch it does not.
  • If you can, precise steps to reproduce it. If not say what you did before it happened:
  1. Uninstalled and Re-installed CIS
    … a few days later
  2. Rebooted machine while in IS config mode (all settings at defaults)
  3. Opened Killswitch from Advanced Tasks / Watch Activity
  4. Noted routerstats rating=unknown and restriction=disabled
  5. Navigated to General Tasks ~ View Logs to view D+ log - no sign of Routerstats being BB’d
    … a few days later
  6. Applied proactive config
  7. Rebooted
  8. Opened Killswitch from Advanced Tasks / Watch Activity
  9. Noted rating=unknown and restriction=partially limited
  10. Rebooted
  11. Opened Killswitch from Advanced Tasks / Watch Activity
  12. Noted rating=unknown and restriction=disabled
  13. Right clicked on routerstats & chose restart. It restarted with rating=unknown and restriction=disabled
    … a few days later
  14. Applied autosandbox as ‘partially limited’ restriction
  15. Rebooted
  16. Opened Killswitch from Advanced Tasks / Watch Activity
  17. Noted rating=unknown and restriction=disabled
  18. Opened help file - that opened sandboxed
  19. Closed Routerstats and re-opened from explorer.exe using double click.
  20. Noted rating=unknown and restriction=limited
  21. Navigated to Advanced settings ~ File Rating ~ Unrecognised files. It is in there.
  • If a software compatibility problem have U tried the conflict FAQ?: N/A
  • Any software except CIS/OS involved? If so - name, exact version, & download link: Routerstats v6.8 from Internet Software (appended)
  • Any other information, eg your guess at the cause, how U tried to fix it etc: Intermittent Behavior-Blocker bug? Routerstats starts from: C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup
  • Always attach: Diagnostics file, Killswitch processes, dump (if freeze/crash). If complex: CIS logs & config, screenshots, video.

B. YOUR SETUP (Likely the same from issue to issue, users can copy forward)
  • CIS version & configuration: CIS 6.0 Build 2674, Proactive defaults but with HIPS=off. Same thing happens in IS config though

  • Modules enabled & level. Defense+/HIPS, Autosandbox/BBlocker, Firewall, & AV: Proactive defaults except HIPS currently off
  • Have U updated (without uninstall) from a previous version of CIS: No
    - if so, have U tried a clean reinstall - if not please do?: N/A
  • Have U imported a config from a previous version of CIS: No
    - if so, have U tried a standard config - if not please do: N/A
  • Have U made any other major changes to the default config? (egs here.): autosandbox files as is set to Limited (but same thing happens if set to Partially Limited)
  • OS version, SP, 32/64 bit, UAC setting, account type, & virtual machine used : Windows 7, SP1, 64bit, UAC=off, Admin, No VM used
  • Other security & sandbox software a) currently installed b) installed since last OS install: a) None b) None

Link to file on FTP server:

ftp://82.69.43.252/CisReport_v6.0.260739.2674_20130116-222831.zip
ftp://82.69.43.252/routerstats68.zip

[attachment deleted by admin]

How did it originally get added to autostart? Did you install it while CIS was not installed, disable CIS to install it, allow an alert, …?

The reason I ask is that CIS may be assuming that all unknown programs will not be able to create an autostart key and thus have not carefully considered unknown autostarting programs which are already on the disk. However, even if that is the case I think this bug needs to be fixed.

Reasonable query. Installed ages ago, so was there when CIS was installed. As far as I can remember you can add it to start-ups or set it to run periodically from a GUI setting. You unzip rather than installing. But it doesn’t make sense that it is sometimes BB’d and sometimes not?

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Yesterday on reboot BB’d

Today, not (see appended file)

I installed CBU before rebooting today, so it may be related to how much work the OS is doing on reboot?

Best wishes

Mouse

[attachment deleted by admin]

Later same day, BB’d on reboot again. (No installation before reboot this time).

[attachment deleted by admin]

Can you please check and see if this is fixed with the newest version? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

Not fixed in 2813. Debatable whether invalid (autostarts not BB’d). But inconsistency means this should remain alive until clear that non-autostarts are not similarly affected.

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

It presumably cannot have been fixed as QA judges this to be intended and the bug thus invalid. I’ll try to test on a VM but I may not be able to validate as a heavily loaded machine is needed. Very sorry I cannot test on production until BZ is transferred to Comodo without causing inconvenience to BZ users.

QA believe CIS protects against autostarts by protecting the relevant keys, not by sandboxing early start executables.

However, as Siva has pointed out, this is not much good if you install CIS on an already infected machine, or if CIS’s autostart protection fails which has happened. Siva has reported the same bug against the FV policy.

And it’s worth noting that the reason CIS does not autosandbox early start executables is that it does not sandbox anything until CIS starts. (It does not do that as the main TFL/TVL/Exclusions are not available until then). On heavily loaded machines this can take quite a while, which means quite late starting autostarts and manual starts can be affected.

So I think probably:

  • finding some way of successfully sandboxing/BBing autostarts needs to be made a quite high priority wish
  • a new bug is needed - maybe I just create in Bugzilla - relating to manual starts, as I just cannot see that as intended, sorry

On top of that I think we should agitate for a strategic change in CIS, to put more functionality in the service, not the GUI. It would give a framework within which progressive solution of this problem might occur.

And would also have the effect of preventing the need for so much re-coding and hence bugs when the GUI framework is changed. (See my forum post).

Do you agree with the above Chiron?

Best wishes

Mike
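A check for the race described in the post above, as an added example that is not from the thread or from Comodo: it lists processes launched from the user's Startup folder and flags any that began running before the CIS service process, i.e. inside the window in which the post says nothing is auto-sandboxed. It assumes the CIS service is named cmdAgent and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the thread). Flags Startup-folder programs that
# started before the CIS service, the window the post identifies as
# unprotected by the autosandbox/BB.
# ASSUMPTIONS: CIS service name is 'cmdAgent'; script runs elevated.
param(
    [string]$ServiceName = 'cmdAgent',                          # assumed
    [string]$StartupDir  = [Environment]::GetFolderPath('Startup')
)

# The service's start time is the start time of its host process.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc -or $svc.ProcessId -eq 0) {
    Write-Warning "Service '$ServiceName' not found or not running"
    return
}
$svcStart = (Get-Process -Id $svc.ProcessId).StartTime

# Resolve Startup-folder entries to executables (direct .exe or .lnk target).
$shell   = New-Object -ComObject WScript.Shell
$targets = Get-ChildItem -Path $StartupDir -File | ForEach-Object {
    if ($_.Extension -ieq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath }
    else                         { $_.FullName }
} | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique

foreach ($exe in $targets) {
    $name = [IO.Path]::GetFileNameWithoutExtension($exe)
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        # Only processes whose image path matches the Startup entry count.
        if ($p.Path -and ($p.Path -ine $exe)) { continue }
        [pscustomobject]@{
            Process          = $p.Name
            Pid              = $p.Id
            StartTime        = $p.StartTime
            CisServiceStart  = $svcStart
            StartedBeforeCIS = ($p.StartTime -lt $svcStart)  # True = ran in the gap
        }
    }
}
```

Rows with StartedBeforeCIS = True are the candidates to inspect in Killswitch for restriction=disabled; registry Run keys are not covered here, only the folder the report names.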

Understood.

Thank you for letting me know.

Actually, since they have judged it invalid I will move this to Resolved.

Please create a separate wish for this.

That’s fine, have created one in BZ