W8.1 Trusted Files Run in SB\VK Generates FW & HIPS Alerts

On a W8.1 System, When Trusted Files Are Run Inside the Sandbox or Virtual Kiosk, CIS Generates Both Firewall and HIPS Alerts

Can you reproduce the problem & if so how reliably?:

Yes. Absolutely reproducible - at will - every time I run a Trusted app in the sandbox or virtual kiosk.

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY CIS configuration\settings.

Here is e-mail verification from Comodo Support that the issue is, indeed, a bug:

Greetings, Welcome to Comodo,
We will help you with your queries,
a) When you run a Trusted application inside the sandbox CIS will not generate alerts, if it is trusted.
b) If you run an application rated as Trusted inside either the sandbox or virtual kiosk, CIS will not generate endless alerts.
c) If you tick “Remember my answer” for any particular application that alone will not ask your request in future.
Kindly check with this link for more information.
Link: HIPS Settings, Comodo Internet Security | Comodo Internet Security Help |COMODO

Kindly let us know your queries we will help you,
Thank you,

Joshua
GeekBuddy Technical Support

Ticket Details

Ticket ID: FBU-513-23455
Department: Internet Security Support
Type: Issue
Status: Closed
Priority: Default
Helpdesk: CONTACT US - Comodo: Cloud Native Cyber Security Platform?

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

1:

Launch a file rated as Trusted to run in the sandbox or virtual kiosk via any of the available CIS methods to run a file in the sandbox; e.g. browser via widget, shortcuts on virtual kiosk desktop, shortcuts in shared space, etc.

2:

Upon execution inside the sandbox\virtual kiosk, CIS generates Firewall and\or HIPS alerts (varies with app).

3:

If “Remember my answer” is ticked in any of the alerts, then those rules are created permanently on the physical system (outside the sandbox\virtual kiosk).

One or two sentences explaining what actually happened:

In the attached video I demonstrate one of many cases. I execute Internet Explorer by using the widget. When sandboxed, there are endless firewall alerts. (Some apps trigger both firewall and HIPS alerts). Alerts for Trusted apps run inside the virtual kiosk are identical.

In other words, CIS treats any Trusted file as Unrecognized when launched by the user - to run inside either the sandbox or virtual kiosk on my system. The results (alerts always & identical alerts) are the same using all methods of sandbox\virtual kiosk launch.

One or two sentences explaining what you expected to happen:

I did not expect any alerts to be generated for any Trusted file that is executed in the sandbox or virtual kiosk.

If a software compatibility problem have you tried the advice to make programs work with CIS?:

Not Applicable.

Any software except CIS/OS involved? If so - name, & exact version:

Potentially - Windows 8.1 x86-64.

Any other information, eg your guess at the cause, how you tried to fix it etc:

In some instances I can prevent alerts by creating both firewall and HIPS Allow rules, as needed, for every single Trusted app to be run inside either the sandbox or virtual kiosk. (This defeats the purpose of rating a file as Trusted.)

However, CIS does not always “remember” the firewall and HIPS Allow rules when a Trusted app is run inside the sandbox or virtual kiosk - and will continue to generate endless alerts. If, and when, CIS does not “remember” existing Allow rules when Trusted apps are run virtualized is an intermittent event with no discernable pattern or obvious connection to other factors.

B. YOUR SETUP
Version & Configuration:

CIS Pro version 8.2.0.4591 - Proactive Security

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY CIS configuration\settings.

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

AV, Auto-Sandbox, HIPS, Viruscope, and Firewall = All

Have you made any other changes to the default config? (egs here.):

Yes. Enhanced Protection Mode is enabled.

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY CIS configuration\settings.

Have you updated (without uninstall) from CIS 5, 6 or 7?:

No

If so, have you tried a clean reinstall - if not please do?:

I have clean installed the OS many times - and doing so does not fix the issue.

Have you imported a config from a previous version of CIS:

No

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY CIS configuration\settings.

If so, have you tried a standard config - if not please do:

Yes

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY CIS configuration\settings.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 8.1 x86-64 (OEM or Clean Install), Always notify, Administrator, No Virtual Machine used.

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY configuration\settings. It is also independent of the mfr\CPU\graphics brand and type of unit - e.g. Intel\AMD, i3\i5, A8\A10, desktop\laptop. Finally, the issue is independent of Windows settings.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a= None b= None

NOTE: This issue has persisted on my specific system since version 7 and is reproducible with ANY CIS configuration\settings. It is also independent of any other software installed on system.

C. ATTACH REQUIRED FILES (delete this section (section C) after attaching required files)

Vimeo video link: CIS Trusted File in Sandbox on Vimeo

NOTE:

Attached video is in Microsoft AVI Video 1 format; it is viewable using Windows Media Player, VLC Player and\or Classic Media Player. Video is archived as 7z Ultra format.

[attachment deleted by admin]

This thread contains a Comodo Support verified bug.

No comments except from forum Moderators or Comodo Staff please.

Why would that be unwanted?

Documentation does point the finger in case I’m not misunderstanding your issue.

Very High: The firewall shows separate alerts for outgoing and incoming connection requests for both TCP and UDP protocols on specific ports and for specific IP addresses, for an application. This setting provides the highest degree of visibility to inbound and outbound connection attempts but leads to a proliferation of firewall alerts. For example, using a browser to connect to your Internet home-page may generate as many as 5 separate alerts for an outgoing TCP connection alone.
Safe Mode (Default): While filtering network traffic, the firewall automatically creates rules that allow all traffic for the components of applications certified as 'Safe' by Comodo, if the checkbox Create rules for safe applications is selected.

Thank you.

Hello qmarius,

CIS should not generate Firewall and HIPS alerts for Trusted files run in the sandbox - since the files are rated as Trusted; CIS generally generates alerts only for Unrecognized or Malicious files.

The only exception is when an Unrecognized file calls a Trusted app. In that case, CIS correctly applies Unrecognized rules to the Trusted app.

CIS generates no alerts for any Trusted applications when run outside the SB\VK - which is per CIS design. However, when run inside the SB\VK there are endless alerts. Plus, when I create Allow rules, CIS very often does not ‘remember’ those rules.

The issue occurs regardless of the Firewall alert frequency setting or HIPS setting.

Comodo Support states this is not how CIS is designed to work. In other words, their specific statements are that Trusted files do not invoke alerts when run inside the SB\VK. On my W8.1 systems, CIS generates endless alerts for any Trusted app when run in the SB\VK.

Basically, on my W8.1 systems, CIS treats all Trusted files as Unrecognized when they are run inside the sandbox or virtual kiosk.

Am I explaining this clearly?

Best Regards,

HJLBX

Hello qmarius,

Please move this bug report to Resolved\Outdated subforum.

Info provided by Geek Buddy technicians is incorrect.

Comodo Engineer states that any Trusted application run inside sandbox\virtual kiosk will generate firewall alerts. This is how CIS is designed to function.

HIPS alerts are not\should not be generated when a Trusted file is run in the sandbox. Error on my part interpreting HIPS alert.

Please remove bug report…

Best Regards,

HJLBX

Thanks for letting us know that this is intended behavior. Moving to resolved by user request.