One of my BOINC projects [Einstein] is running an app [einstein_S5GC1HF_3.06_windows_intelx86__S5GCESSE.exe] where the ‘verdict’ is unknown [active process list]. Another Einstein app [einsteinbinary_BRP3_1.05_windows_intelx86__BRP3SSE.exe] shows as trusted. Both files are listed in the ‘trusted files’ list.
Right-clicking the process and selecting ‘on-line-lookup’ results in an unknown disposition. It then prompts me to submit the file. Attempting to submit the file to Comodo results in ‘file too large’; the file is 19,914 KB. The option to ‘add to trusted files’ is grayed out.
It looks like all the apps for the Einstein project came down 2 Mar 11. That was probably about the time CIS crapped out on me and forgot ALL of my trusted files; I had to reinstall from scratch. On 16 Apr 11 this happened again. The symptom to that problem is CIS begins sandboxing EVERYTHING - and doesn’t remember ANYTHING as trusted - regardless of auto on-line lookups returning safe app verdicts and auto placement into trusted zone (despite image already being there in the first place).
The fact is that on either the 14th or the 15th of Apr 11, I received a Defense+ alert for BOINC.exe wanting to run %windir%\SoftwareDistribution\Download*\update\update.exe, where the wildcard was one of the GUIDs from wuauservice. First time I ever saw that message: BOINC.exe wanted to run UPDATE.exe. A shortcoming of the alerts is that it is difficult to discern what app wants to run what, as there is no mechanism for displaying the path in Comodo pop-up alerts. Imagine my alarm when, looking in the log, I determined BOINC.exe was attempting to run a Windows update hotfix!!! Of course by then it was too late, since I’d already approved that.
Neither BOINC nor any of the BOINC project apps crashed, nor did BOINCMgr hiccup in the least, and I couldn’t discern any error in the WindowsUpdate logs. In fact I didn’t even know I had updates until I discerned ‘shutdown’ flagged in the WindowsUpdate log (I’d been waiting since Tue 12 Apr 11 for the Windows Update notification to appear that downloads were ready to install). I went ahead with the shutdown and there were 15 updates to install prior to shutdown!!!
After rebooting, I immediately was informed there were an additional two updates to download. Which, again: no notification that ANY installation was ready. AGAIN, I noticed the ‘shutdown’ flag in the WindowsUpdate log and when I went to shutdown there were two updates that it installed. About 12 hours after rebooting I got a page-fault-in-non-paged-area BSOD. It was after resolving the fall-out from that BSOD that CIS went belly up on me again.
So I uninstalled the pre-existing CIS v5.3.xxxx (auto-patched) and installed v5.3.181415.1237 right out of the box, imported the configs that I had exported prior to uninstalling, and recreated the ‘trusted file list’ based on screen-shots I took prior to uninstalling; then I updated the AV defs. Moreover, I created a D+ block-rule for BOINC.EXE explicitly for:
(which, FWIW, is the sole entry in a file-group that has ‘installer / updater’ permissions in D+, and the only thing that should have permission to run that is SVCHost, which, FWIW, is NOT part of the default Comodo file-group; it has its own permissions entirely). It can execute 9 things, and has permissions to write/update 28 registry keys and 58 system files/folders (and because of that it’ll squawk about writing to and executing from any temp folder).
To bring an even longer story to an abrupt end: I gots this unknown BOINC project app and I don’t know what to do about it. It seems to be running o.k. (it finishes WU & gets mondo credits for 'em).
The file-group ‘BOINC projects’:
has ‘installer/updater’ privileges (due to the dynamic nature of BOINC and its inherent lack of a CA-issued signature). BOINC.exe has ‘BOINC projects’ execute & read/write permissions; BOINCmgr.exe has explicit C:\BOINC_Data\projects** (only) execute permission, but can terminate both ‘BOINC projects’ and BOINC.exe.
The ‘unknown’ app [einstein_S5GC1HF_3.06_windows_intelx86__S5GCESSE.exe] lives here:
C:\BOINC_Data\projects\einstein.phys.uwm.edu (and full pathname - along w/its partner - exists in trusted files)
This has always worked (since Apr 2010) and I don’t have any bizarre firewall, AV or D+ pop-ups suggesting I’m malware infested. In fact, w/SVCHost locked down tight as a drum, it doesn’t move a finger w/out me being aware of something unusual concerning it, and w/the ‘Content_IE5’ file-group D+ blocking (any executable contained in C:\Documents and Settings*\Local Settings\Temporary Internet Files\Content.IE5*), I’m protected from all but the most sneaky drive-by-downloads (maybe a Windows application DLL - binary planting - vulnerability?). So I’m real skeptical 'bout malware.
What’s changed, then, in Comodo that’s giving me this grief?
Oh, BTW, this is the ONLY ‘unknown’ process listed, and I’ve not had a single pop-up about that since reinstalling and recreating all the trusted files.