What you did:
I created a brand new exe today which is guaranteed to be totally unique. Logged in as an administrator user, I cut and pasted it using Explorer from a flash drive to a directory under “Program Files (x86)” and then rebooted the PC. I then logged in as a limited user and ran the program.
What actually happened or you actually saw:
The program was fully trusted and added to the “trusted files list”. I could use it to write a file called aaa.exe to my startup directory.
What you expected to happen or see:
The program should have been sandboxed.
How you tried to fix it & what happened:
I removed the file from the trusted files list and the next time I ran it, it was sandboxed correctly. I repeated the whole procedure the next day with a second, different unique program and exactly the same thing happened. I also tried again with a third program but did not reboot. This time it was sandboxed correctly.
Details (exact version) of any software involved with download link:
See post 5.
Screenshots illustrating the bug: No
Screenshots of related event logs or the active processes list: attached
A CIS configuration report: attached
Crash or freeze dump file: N/A
CIS version & configuration used: CIS 5.0.162636.1135 proactive configuration
Whether you imported a configuration, if so from what version: No
Defense+ and Sandbox OR Firewall security level: Defence+ in Safe mode
OS version, service pack, no of bits, UAC setting, & account type: Windows 7 64 bit
Running as limited user with UAC on maximum
DEP enabled for all processes.
Using Applocker as additional security.
Other security and utility software running: None
CIS AV database version: 6097 but this may have updated since.
Defence+ is now protecting the directory correctly as my program is no longer in the trusted applications list.
However, I have tried to run a different obscure program (ColorMix.exe) and every time I run it, it adds it to the trusted applications list. This program has been on my PC for years and so could have been seen by Comodo.
I have attached the two programs. MyQuickEdit is my test program; ColorMix is the one that is always added to the trusted list.
Colormix must have been known in the cloud but not on my PC. I have run it before several months ago and possibly someone else has run it more recently as it is available on the internet. Are uncommon files just in the cloud to reduce the database size?
My program must have been added to trusted files when it should not have been. Between copying it to my PC and running it all I did was reboot.
I have repeated this with a brand new unique program. I copied the program from my memory stick to c:\programfiles(x86)\misc while logged in as administrator. I then rebooted my PC, logged in as my own limited user and ran the program. Straight away it was in the trusted list and it was allowed to run and write to protected files such as my startup folder with no popup.
I then moved the program from “trusted files” to “unrecognised files” and ran it again. This time it ran sandboxed and labelled as unknown.
This must be wrong if files that are unknown are trusted automatically. It was able to save aaa.exe to my startup directory.
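A defender-side check tied to the behaviour reported above, added here as an example and not taken from the thread or from Comodo: a PowerShell audit of the per-user and all-users Startup folders for unsigned or recently created executables, so that an unknown program dropping something like aaa.exe there is noticed even when the sandbox did not intervene. The $LookbackDays window and the list of file types are assumptions.

```powershell
# Added example (not from the forum thread): list items in the Startup folders
# that are unsigned or were created recently. The thread reports an unrecognised
# program writing "aaa.exe" into the startup directory without being sandboxed;
# this enumerates exactly that location so such a drop is visible.
# Assumptions: Windows PowerShell 5.1+ / PowerShell 7; $LookbackDays is a tunable.
param([int]$LookbackDays = 7)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Files created after this point are flagged as "Recent" regardless of signature.
$cutoffUtc = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime()

# Executable and script types that auto-run from a Startup folder (assumed list).
$types = '*.exe', '*.dll', '*.scr', '*.bat', '*.cmd', '*.vbs', '*.js'

foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -Path $folder -File -Recurse -Include $types |
        ForEach-Object {
            # Authenticode status: 'Valid' for a trusted signer, 'NotSigned' otherwise.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                Recent     = $_.CreationTimeUtc -ge $cutoffUtc
                SigStatus  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                # SHA256 lets the file be compared against a vendor's file-rating lookup.
                Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Recent -or $_.SigStatus -ne 'Valid' } |
        Format-Table -AutoSize
}
```

Run it from the limited account to cover that user's Startup folder, and from an elevated prompt to cover the all-users folder; an entry that is both unsigned and recent is the case the thread describes.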
You are not strictly obliged to as this topic predates the new policy, but I would deeply appreciate it if you would edit the first post in the topic to be in the new bug reports format, and include all relevant information.
Could you also include details of how you copied the file - explorer or command line, windows copy or some other software.
Also please append log files and active process list screenshots of the program running if that’s OK.
Incidentally, on my machine the last file gets sandboxed, but then it was not on a USB key.