Unrecognized files aren't added to Unrecognized Files List when BB Off [M1038]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1: Change to Clean-PC-Mode
    2: Turn off the option to trust files from trusted installers
    3: Make sure heuristic command line analysis is turned on
    4: Disable Online lookup
    5: Install ClamAV from the following link:
    Clam AntiVirus download | SourceForge.net
  • If not obvious, what U expected to happen:
    The newly introduced applications should appear in the “unknown files list”, as Online lookup was disabled and trusting files from trusted installers was disabled
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    I used this installation package: ClamAV 0.98.4
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    CIS V6 did not have this problem. It works correctly. I’m not sure what caused this.
    A video showing this bug is attached to this post.

B. YOUR SETUP
  • Exact CIS version & configuration:
    CIS 7.0.317799.4142, Modified configuration: See below

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    D+/HIPS: Clean-PC-Mode, Autosandbox: off, Firewall: Custom, AV: smart
  • Have U made any other changes to the default config? (egs here.):
    Change to Clean-PC-Mode
    Turn off the option to trust files from trusted installers, make sure heuristic command line analysis is on, disable Online lookup
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    No, I uninstalled CIS6 before installing CIS7
      - if so, have U tried a clean reinstall - if not please do?:
        NA
  • Have U imported a config from a previous version of CIS:
    No
      - if so, have U tried a standard config - if not please do:
        NA
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Win 7 SP1 x64 UAC: Prompt for confirmation, admin account, no VM
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
    a=None b=EMET 4.1

[attachment deleted by admin]

Sorry you have experienced this problem.

Without further information, for example in a bug report, it is difficult for me to comment on exactly why you are experiencing this or whether it is a bug.

For the moment please note HIPS still identifies files by path. Therefore all files that are on the same path and share the same filename will be regarded as allowed by HIPS if previously allowed.

Also there is an internal (preinstalled) white list, though this is supposed to be displayed in the TFL now, so I suppose it is hash based.

But you may be experiencing a problem that I think I have seen which is lookups that occasionally occur when Cloud lookups are supposedly switched off.

The HIPS only identifies by path when there is a rule in HIPS rules. When there is no rule the HIPS will use hash check and apply a default rule.

Yes of course. That’s why I said ‘if previously allowed’. But sorry, I guess for completeness and precision I should have added ‘set as allowed files and remembered’. Also note he’s using Clean PC mode, so I guess files currently on his machine (id’d by path) are being given allowed status?

I said that because I’m not sure what sort of trusting/allowing Big Mike is referring to - people often confuse trusting and allowing. (BTW I think it’s file rating that does the hash check, not HIPS)

We need a bug report to see if this is a bug. My money is on it getting looked up. Best wishes. Mouse.

Split and moved to bug reports, hope that is OK. Best wishes. Mike.

If you are willing to do a little more digging, please copy and paste the code from this page into your first post. Then replace the question marks with your responses. This will allow me to forward this issue to the devs for investigation.

Let me know if you have any questions.

Thank you.

PM reminder sent.

I’ve modified my first post.

I don’t have any HIPS rules for ClamAV executables.
The problem is, that CIS7 doesn’t add the newly installed files to the “unrecognized files list”. CIS6 behaves differently.

Thank you. I have made some small edits to the first post, nothing big. The only major question I have is how you ruled out the possibility that the files themselves were part of an internal safe list. I do know that the online lookup is used for the majority of safe delineations, but I also thought that many were saved to the disk, but were always rechecked against the cloud.

Can someone please clarify if I am wrong, and that now it is handled entirely through the cloud?

Thanks.

I can’t rule this out, as I don’t know how to disable the implicit trusting completely. I can only say that this never happened with CIS6.
As the files themselves are not digitally signed, trusted vendors do not apply to the newly introduced files.
The option to not implicitly trust files from trusted installers (msiexec.exe in this case) and eventually the option to do the heuristic command line analysis should prevent trusting them, even though msiexec.exe is trusted.
As online lookup is disabled, only the offline white list may interfere.

The fact that some newly introduced files are not recognized as “unrecognized files” renders Clean-PC-Mode kind of useless.

In my personal experience with CIS v7, it never adds unrecognized files to the unrecognized files list when using HIPS, for me it only adds to that list when using the auto-sandbox. I don’t know if that is intended behavior or not, never really worried much about it personally.

The “unrecognized files list” existed long before the auto-sandbox was introduced. Please have a look at the help: HIPS-Behaviour. It clearly states that this behaviour is not intended.

I read through that help page but couldn’t find anything talking about the unrecognized files list, maybe I just missed it; however, on the help page they do say that when using HIPS, unrecognized files should be added to the list, so you are right, the current behavior in CIS 7 is most likely not intended.

I personally have HIPS set to Safe Mode but anyway, I just wrote my own little application and it’s not signed so there is no way it could be trusted by CIS, I ran it and I get alerts of course, but it wasn’t added to the Unrecognized Files List… It should also have been added to the unrecognized files list, should it not? According to the help file it should.

I’m not sure about files being added to the unrecognized files list in Safe Mode.

In the help page I mentioned, I was referring to the description of Clean PC Mode.
While for Clean PC Mode it states that the ‘unrecognized files list’ is used to decide what files are monitored, in Safe Mode you should add “your” files to the ‘trusted files list’ if you want them not to be monitored anymore.

But reading your mentioned page about unrecognized files, I would say yes, your program should be added to the list also in Safe Mode.

“Every new executable file introduced to the computer, is first scanned against the Comodo certified safe files database. If they are not safe, they are added to the ‘Unrecognized Files’ for users to review and possibly submit to Comodo. Apart from new executables, any executables that are modified are also moved to the ‘Unrecognized Files’ area.”

(Quote from help file - my emphasis)

New means not installed in system when CIS is installed. Though the process from the phrasing seems to be dependent on cloud lookup being enabled.

A valid question would be how does HIPS determine ‘not installed on system when HIPS is installed’. If by path, and HIPS generally works by path apart from when it’s using Trusted Files, that could be an explanation. Though detection of modification suggests by hash.

Best wishes

Mike
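Since the thread keeps circling back to whether a file is identified by its path or by its hash, here is a small added Python model of the two ways an allow decision can be keyed. This is illustrative code written for this thread, not CIS code and not a description of how CIS is implemented; the class and function names (FileRatingStore, classify, demo) and the sample file contents are made up for the example. It shows why a path-keyed rule keeps allowing a file after its contents change, while a hash-keyed safe list notices the modification and pushes the file onto an unrecognized list, which is the distinction mouse1 draws above and the “modified executables are also moved to Unrecognized Files” behaviour quoted from the help.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file's contents in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class FileRatingStore:
    """Toy rating store (hypothetical, not CIS): path-keyed rules plus a hash-keyed safe list."""

    def __init__(self):
        self.path_rules = {}         # path -> "allow" / "block" (an explicit, path-keyed rule)
        self.trusted_hashes = set()  # SHA-256 digests of files rated safe (content-keyed)
        self.unrecognized = {}       # path -> digest of files that matched nothing

    def classify(self, path):
        """Return (how the verdict was reached, verdict) for one file on disk."""
        # An explicit path rule wins outright and never looks at the contents,
        # so anything later dropped at the same path inherits the verdict.
        if path in self.path_rules:
            return ("rule", self.path_rules[path])
        # With no rule, fall back to the content hash against the safe list.
        digest = sha256_of(path)
        if digest in self.trusted_hashes:
            return ("hash", "trusted")
        # Neither matched: record it for the user to review.
        self.unrecognized[path] = digest
        return ("default", "unrecognized")


def demo():
    """Walk one constructed file through the three outcomes and return the verdicts."""
    store = FileRatingStore()
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "tool.exe")  # constructed sample path, not a real binary
        with open(exe, "wb") as f:
            f.write(b"MZ original build")
        store.trusted_hashes.add(sha256_of(exe))  # pretend the original was rated safe
        first = store.classify(exe)               # hash matches -> ("hash", "trusted")

        with open(exe, "wb") as f:                # replace the contents at the very same path
            f.write(b"MZ modified build")
        second = store.classify(exe)              # hash no longer matches -> unrecognized

        store.path_rules[exe] = "allow"           # now add an explicit path-keyed allow rule
        third = store.classify(exe)               # path rule wins even though contents changed

        return {
            "first": first,
            "second": second,
            "third": third,
            "unrecognized_count": len(store.unrecognized),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running demo() shows the sequence: trusted by hash, then unrecognized once the bytes at that path change (and the path lands on the unrecognized list exactly once), then allowed again purely because a path rule exists. A store that only ever keyed on path would never reach the second outcome, which is why the "does the list get populated at all" question in this thread hinges on which lookup is actually consulted.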

BigMike, what are your thoughts on mouse1’s previous post? We need to fully understand what’s going on.

Thanks.

My opinion is

Sorry, the unrecognized files list NEVER worked via recognition by file path. The policies were using the file path in former versions. If CIS7 behaves differently, this needs either to be fixed or to be announced.
Guessing what was going on is quite senseless for me.

  • The MSI package definitely introduces new files to the computer, while HIPS is active
  • The files are not digitally signed and pretty new, but I can’t tell if they are on the white list of CIS7
  • The changelogs for new releases are quite disappointing, but the help definitely states that CIS7 should behave differently

That’s certainly true for the BB, I guess you are saying that is true for files unrecognised by HIPS Clean PC mode too? (That certainly would be what I’d expect).

Which leaves this issue:

“New means not installed in system when CIS is installed. Though the process from the phrasing seems to be dependent on cloud lookup being enabled.”
The help text phrasing suggests that addition to unrecognised files might be dependent on cloud scanning being enabled. What do you think? Presumably you are saying that in 6.x it was not dependent on this?

(If that is the design IMHO changing it would be a valid wish if not a hybrid wish/bug, if not then there is a valid help bug as well as a CIS bug).

Best wishes

Mike

Do any of these files end up on the Trusted Files List?

Is there any indication in the logs that they are looked up, despite Cloud Lookups being off?

Best wishes

Mouse

Unrecognized files aren’t added to the Unrecognized Files List when HIPS is ON and BB is OFF, even when Cloud Lookup is ON.
It still acts normally and treats them as unrecognized, for example shows alerts and such, but never adds them to the Unrecognized Files List; they should be added to the Unrecognized Files List.

Since CIS 7, when using HIPS instead of BB, it NEVER adds the unrecognized files to the Unrecognized Files List. It ONLY works when BB is ON.

By the way, when I say BB I do mean the Auto-Sandbox and not other things like Viruscope, BB is just easier to type…