Unrecognized file marked as 'Trusted' [Issue: #262]

The bug/issue

  1. What you did:
    I created a brand new exe today which is guaranteed to be totally unique. Logged in as an administrator user I cut and pasted it using explorer from a flash drive to a directory under “program files (x86)” and then rebooted the PC. I then logged in as a limited user and ran the program.
  2. What actually happened or you actually saw:
    The program was fully trusted and added to the “trusted files list”. I could use it to write a file called aaa.exe to my startup directory.
  3. What you expected to happen or see:
    The program should have been sandboxed.
  4. How you tried to fix it & what happened:
    I removed the file from the trusted file list and the next time I ran it, it was sandboxed correctly. I repeated the whole procedure the next day with a second, different unique program and exactly the same thing happened. I also tried again with a third program but did not reboot. This time it was sandboxed correctly.
  5. Details (exact version) of any software involved with download link:
    See post 5.

Files appended

  1. Screenshots illustrating the bug: No
  2. Screenshots of related event logs or the active processes list: attached
  3. A CIS configuration report: attached
  4. Crash or freeze dump file: N/A

Your set-up

  1. CIS version & configuration used: CIS 5.0.162636.1135 proactive configuration
  2. Whether you imported a configuration, if so from what version: No
  3. Defense+ and Sandbox OR Firewall security level: Defence+ in Safe mode
  4. OS version, service pack, no of bits, UAC setting, & account type: Windows 7 64 bit
    Running as limited user with UAC on maximum
    DEP enabled for all processes.
    Using Applocker as additional security.
  5. Other security and utility software running: None
  6. CIS AV database version: 6097 but this may have updated since.

[attachment deleted by admin]

I have now found my test program under trusted files. How did it get here?

I took it out and it was then sandboxed as expected.

All I did with the test program was copy it off a flash drive onto my computer and it was added to trusted files.

Well, an interesting one. Please edit your bug report into the requested format (see stickies), and check you have supplied all requested information.

Please also append the file concerned with instructions (exactly what you did) so I can replicate. You will need to zip it.

Also please append a screenshot of your Defense+ logs, and preferably your full active processes list, with the file running. Did you do a clean install?

Which directory did you write to?

Best wishes

Mouse

I think CIMA did its job…

Can you post the SHA1 for that application please?

CIMA is not permitted to declare files ‘trusted’?

Defence + is now protecting the directory correctly as my program is no longer in trusted applications list.

However, I have tried to run a different obscure program (ColorMix.exe) and every time I run it, it adds it to the trusted application list. This program has been on my PC for years and so could have been seen by Comodo.

I have attached the two programs. MyQuickEdit is my test program; ColorMix is the one that is always added to the trusted list.

[attachment deleted by admin]

Trusted is not equal to Safe, from what I remember…

I have now unticked “automatically detect installers/updaters” and “automatically trust files from trusted installers” but this makes no difference.

One more test:

Running PUTTY.exe (in white list) from the same directory is not added to the safe list (it cannot be added to trusted files as it is white listed).

Running MyQuickEdit.exe from the same directory is added to sandbox

Running ColorMix.exe from same directory is always added to trusted files list even if I add it to unrecognised list.

However, the very first time I ran it MyQuickEdit was added to trusted file list.

ColorMix and MyQuickEdit are being treated differently. Neither is signed.

ColorMix has been analyzed by AVLabs and is considered Safe.
Your tool is unknown to the cloud.

[attachment deleted by admin]

Colormix must have been known in the cloud but not on my PC. I have run it before several months ago and possibly someone else has run it more recently as it is available on the internet. Are uncommon files just in the cloud to reduce the database size?

My program must have been added to trusted files when it should not have been. Between copying it to my PC and running it all I did was reboot.

Well, I don’t have that information, but maybe they keep the “not in the wild” more or less in the cloud only for that reason; it could very well be possible…

My program must have been added to trusted files when it should not have been. Between copying it to my PC and running it all I did was reboot.
I'll see if I can test this tomorrow

But there’s no safe files concept in CIS 5, there are just residual alerts that have not had the name changed from safe to trusted file.

So if CIMA says anything is a trusted or safe file, it’s not functioning in the way we were told it was supposed to.

(There are still trusted applications but CIMA does not have anything to do with those?)

Happily though this doesn’t seem to point to CIMA…

‘Rebooted’ suggests maybe an autorun - unlikely but is it an early autorun?

The USB key source is a possible source of complexity…

Was myquickedit dropped by anything CIS could have thought was a trusted installer? Any UA alerts?

Weird!

Best wishes

Mouse

From what I’ve seen, Trusted files were auto added to the Trusted list as well as all the files tagged as Safe.

I have repeated this with a brand new unique program. I copied the program from my memory stick to c:\programfiles(x86)\misc while logged in as administrator. I then rebooted my PC, logged in as my own limited user and ran the program. Straight away it was in the trusted list and it was allowed to write to protected files such as my startup folder with no popup.

I then moved the program from “trusted files” to “unrecognised files” and ran it again. This time it ran sandboxed and labelled as unknown.

This must be wrong if files that are unknown are trusted automatically. It was able to save aaa.exe to my startup directory.
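An added helper, not from this thread or from Comodo, for collecting the evidence the moderator asked for (SHA1 and signing status of the two programs) and checking for the symptom reported above (aaa.exe appearing in the limited user's Startup folder). The file paths are constructed placeholders; adjust them to where you copied the test programs.

```powershell
# Added example (not from the thread): report SHA1 and Authenticode status of the
# test executables, and check whether the sandbox-escape symptom (aaa.exe written
# to the Startup folder) is present. Paths are constructed placeholders.

function Get-Sha1Hex {
    param([string]$Path)
    # .NET is used directly so this also works on PowerShell builds without Get-FileHash.
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha1.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-TestFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [PSCustomObject]@{
            File      = Split-Path $p -Leaf
            SHA1      = Get-Sha1Hex $p
            Signature = $sig.Status          # expected NotSigned for both files in the thread
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

function Test-StartupDropped {
    param([string]$Name = 'aaa.exe')
    # Per-user Startup folder of the account the test program was run under.
    $startup = [Environment]::GetFolderPath('Startup')
    $dropped = Join-Path $startup $Name
    [PSCustomObject]@{
        StartupFolder = $startup
        DroppedFile   = $dropped
        Present       = Test-Path $dropped    # $true means the write was NOT blocked
    }
}

# Usage: run as the limited user right after the test program has been executed.
Get-TestFileReport -Paths @('C:\Program Files (x86)\misc\MyQuickEdit.exe',
                            'C:\Program Files (x86)\misc\ColorMix.exe') | Format-Table -AutoSize
Test-StartupDropped | Format-List
```

Run it once with the file in the trusted list and once after moving it to unrecognised files, and compare the Present value to confirm whether the sandbox actually blocked the write.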

Thanks tcarribon

You are not strictly obliged to as this topic predates the new policy, but I would deeply appreciate it if you would edit the first post in the topic to be in the new bug reports format, and include all relevant information.

Could you also include details of how you copied the file - explorer or command line, windows copy or some other software.

Also please append log files and active process list screenshots of the program running if that’s OK.

Incidentally on my machine the last file gets sandboxed, but then it was not on a USB key

Best wishes

Mike

It appears rebooting or at least logging out and in may be important. Without this step the program is just sandboxed. I have edited my first post.

Interesting. Is cmdagent using quite a lot of CPU at the time? Post boot it can be… I have seen evidence of unusual behaviour under load…

As with the other issue, can you try with AppLocker & DEP disabled (& reboot)?

Excellent bug report again. Which will be the first into verified?

Best wishes

Mouse

Trying with AppLocker and DEP off, the file was sandboxed correctly. This could be a coincidence if the failure has a random element.

My PC has lots of memory and does not suffer from high CPU problems normally but again this is a possibility.

Thanks, let’s monitor with these off if possible to see if it returns.

Do you have ‘block all requests when the app is closed’ ticked?

BTW I have PM’d you - just locked myself out of my copy of CIS - well you can guess why…

Best wishes

Mike