TOPIC TITLE
“Block” advice was overruled by “allow” advice. User security policy “always ask” was overwritten to “always allow”.
A. The bug/issue
What you did:
Try blocking an application with a whitelisted certificate (Skype).
What actually happened or you actually saw:
All security policies were overwritten to “always allow”.
What you expected to happen or see:
My security policies and Defense+ windows to ask me how to handle the application (Allow/Block).
How you tried to fix it & what happened:
a. Delete the overwritten security policies
b. Delete Skype from “trusted applications” right after installation
c. Delete the whitelisted certificates (Skype and Microsoft) from the whitelist
d. Add security policies for Skype right after installation, before first use
If it's a software compatibility problem, have you tried the compatibility fixes (link in format)?:
Doesn't seem to be a compatibility problem. All functions run within expected parameters.
Details & exact version of any software (except CIS) involved (with download link unless malware):
CIS-Firewall Version 5.10.228257.2253; (Skype Version 5.5.0.124)
Whether you can make the problem happen again, and if so exact steps to make it happen:
It seems to be a basic problem. It should be possible to recreate this problem on every PC with the CIS version I used (and Skype).
Any other information (eg your guess regarding the cause, with reasons):
The whitelist seems to overrule my decisions. “Allow” seems to have higher priority than “Ask” or “Block”.
B. Files appended. (Please zip unless screenshots).
Screenshots of the Defense plus Active Processes List (Required for all issues):
Screenshots illustrating the bug:
Screenshots of related CIS event logs:
A CIS config report or file.
Crash or freeze dump file:
Screenshot of More~About page. Can be used instead of typed product and AV database version.
C. Your set-up
CIS version, AV database version & configuration used:
CIS-Firewall Version 5.10.228257.225
a) Have you updated (without uninstall) from a previous version of CIS:
no, installed the 5.10 version right away.
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
a) Have you imported a config from a previous version of CIS:
no.
b) if so, have you tried a standard config (without losing settings - if not please do)?:
Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
Firewall changed to user policies, D+ changed to paranoid mode.
Defense+, Sandbox, Firewall & AV security levels: D+= paranoid, Sandbox= off, Firewall = user policies, AV = not installed
OS version, service pack, number of bits, UAC setting, & account type:
Win7, 32 bits, admin account
Other security and utility software currently installed:
Avira Antivir
Other security software previously installed at any time since Windows was last installed:
Malwarebytes Anti-Malware
Virtual machine used (Please do NOT use Virtual box):
no
original post:
I just tried to control the execution and every attempt failed. “Allow” overrules “Block” and “Ask” settings. To me this is a clear major security issue.
Monitoring the installation was no problem. D+ and the Firewall did their job well. After I allowed the setup to start skype.exe, no further questions were asked, but several registry entries were altered and a lot of stuff I would never have allowed.
My research came up with the whitelisted certificate of Skype (and its company, Microsoft). I deleted the whitelisted certificates, deleted the security policy settings for Skype, deleted it from the list of trusted applications and reinstalled, but still the problem remained. Again I deleted the security policy settings, deleted it from the list of trusted applications and reinstalled. This time I added Skype manually to the list of programs and added a security policy profile (that mostly says “always ask”), with no effect on the outcome. I did find Skype again in the list of trusted applications, which tells me that an “allow” overrules every other setting.
Besides the fact that I don't trust Skype, because D+ indicated in the past that it was spying on my actions, a user decision not to trust an application should NEVER be overruled. Even more: “Block” and “Ask” settings should have a higher priority in general than “Allow” and overrule an “Allow” setting in every case to ensure the protection. Especially with the background of whitelisted malware.
I just tried to delete Skype after installation from the list of trusted applications. With success. I then created a security policy for Skype (mainly says “always ask”). I started Skype and I was positively surprised that I was now asked if I want to allow Skype to use a COM interface. After that security was breached: Skype installed registry keys, connected to my laptop camera, etc.
I checked my security policies: Skype was turned from “always ask” to “always allow” even though I have the Skype and Microsoft certificates deleted and it does not appear in the list of trusted applications.
Either I have a virus (which is unlikely, because I just set up my OS anew and installed all security means at the very beginning) or
Comodo has a major bug that keeps overriding my restrictions and thereby gives untrustworthy software access to my computer.
Did you place the ask rule above the all applications rule in D+ rules?
As I understand it, unless behaviour has changed, if you allow an alert with the ‘more options’ box unexpanded it will give the executable full permissions, but with the ‘more options’ box expanded it should grant just the permission requested.
1.) I am not sure if I understand your question. In the list of Defense+ rules is an entry called “all applications” which is set to “always ask” (see attachment, “Alle Anwendungen” [ger] = all applications [eng], “Fragen” [ger] = ask [eng]). The exceptions in that rule belong only to some Windows system applications. If this does not answer your question, then please describe to me where to find the setting you talk about.
2.) In my understanding the allow button gives only permission to a specific action, unless I grant it, with the “more options” expansion, the permission of a specific security policy profile.
But the problem is: I am not asked at all. The security policies just get overwritten and Skype is free to do everything without any kind of alert.
About the issue of a previous installation and its security policies: I carefully cleaned all traces of the installation (Revo Uninstaller in advanced mode) and cleared all policies in Comodo Firewall associated with Skype (security policies, trusted application list, ...).
Update:
I just noticed that Comodo recognizes the Skype setup file (to be more accurate: its certificate) and adds the installation file to the trusted application list. Which makes me wonder why Comodo applies my security policy settings to the setup application but not to Skype after the installation.
Update 2:
I tried to define security policies for skypesetup.exe. Setting the policies to “always ask” has no effect; on the first start of the application it gets enlisted in the trusted application list again and my settings are overwritten. Setting the policies to “block all” has an effect: the application freezes and has to be manually shut down with Comodo. So only the “ask” policies are overwritten. It is a good thing that the “block” rules are not compromised, but the problem stays valid.
Update 3:
Moving the application from the “trusted application list” to the “unrecognized file list” is overwritten by the execution of the application, which returns the application to the “trusted application list”.
Update 4:
Just installed several applications (Foxit Reader, Notepad++, Pidgin). All have been automatically added to the trusted application list, but alerts were displayed. Even though it seems there is a difference in how many alerts are shown. I got the feeling that I was asked at every action Foxit Reader tried to take, but Pidgin and Notepad++ seemed to undertake some actions without asking my permission. But that might just be a misinterpretation on my part.
If you put a block rule above the all apps rule, trusted file status should not over-ride it. Ask rules are over-ridden (edit: in safe mode but not in paranoid mode). As I understand it, this is intentional. Paranoid mode is provided for those who don't want trusted files to dominate. Unfortunately this does mean that making an ‘ask for this file’ exception to the ‘trust trusted files’ rule [edit: in safe mode] is problematic. See this FAQ for details: Precedence of autosandbox policies and CSP rules.
2.) In my understanding the allow button gives only permission to a specific action, unless I grant it, with the "more options" expansion, the permission of a specific security policy profile.
But the problem is: I am not asked at all. The security policies just get overwritten and Skype is free to do everything without any kind of alert.
About the issue of a previous installation and its security policies: I carefully cleaned all traces of the installation (Revo Uninstaller in advanced mode) and cleared all policies in Comodo Firewall associated with Skype (security policies, trusted application list, ...).
May have misunderstood, but from this I thought you had been asked: "I was positively surprised that I was now asked if I want to allow Skype to use a COM interface. After that security was breached: Skype installed registry keys, connected to my laptop camera, etc.
I checked my security policies: Skype was turned from “always ask” to “always allow” even though I have the Skype and Microsoft certificates deleted and it does not appear in the list of trusted applications."
CIS should recognise the installation file as an installer, and grant it unlimited access if it is trusted and if it wants it. A D+ rules ask rule should not over-ride this, as I understand it. Did you remove the vendor from trusted vendors perhaps? N.B. Your COM+ alert can occur in a sandboxed file as well as a file set to ask. N.B. Also an application file, if run from an installer, gains installer privs.
Experimenting like this is fun, but you have to be very careful with each experiment to get valid results :). Been there, done that, got the T-shirt.
Update 2:
I tried to define security policies for skypesetup.exe. Setting the policies to "always ask" has no effect; on the first start of the application it gets enlisted in the trusted application list again and my settings are overwritten. Setting the policies to "block all" has an effect: the application freezes and has to be manually shut down with Comodo. So only the "ask" policies are overwritten. It is a good thing that the "block" rules are not compromised, but the problem stays valid.
Yes this is consistent with the FAQ
Update 3:
Moving the application from the "trusted application list" to the "unrecognized file list" is overwritten by the execution of the application, which returns the application to the "trusted application list".
I assume you mean trusted file list. The trusted application list is the list of all files to which the D+ rules trusted application policy has been applied; this is not the same as the sandbox trusted files policy. Probably what happened here and in some of your other cases is that CIS looked up the file online (check your D+ logs) or replaced your trusted vendor list when it did a database update.
Update 4:
Just installed several applications (Foxit Reader, Notepad++, Pidgin). All have been automatically added to the trusted application list, but alerts were displayed. Even though it seems there is a difference in how many alerts are shown. I got the feeling that I was asked at every action Foxit Reader tried to take, but Pidgin and Notepad++ seemed to undertake some actions without asking my permission. But that might just be a misinterpretation on my part.
When CIS encounters a file that it does not locally recognise, it looks it up online. Sometimes there is a delay in this. Unrecognised, sandboxed files can generate alerts - a request by a sandboxed file is blocked unless CIS thinks blocking it will cause the program to fail; if it does, it typically alerts. The number of alerts varies according to the number and nature of requests made by the program.
Hope this helps.
There’s much more in the Introduction to the sandbox (see my signature) or online.
In general I'm inclined to think there is no strict bug here, unless you can replicate your Update 1 behaviour with all possibility of online look-ups & vendor list refreshes eliminated.
There is an argument for D+ ask rules over-riding trusted file policies, to add a progressive alternative to paranoid mode. We could regard this as an issue if you like - board rules do permit - and see if anyone can point out a disadvantage of allowing this. (I think maybe there is a complexity argument - everyone with old D+ rules, eg anyone who has experimented with paranoid mode, would start getting alerts from trusted files.)
There is an existing program to eliminate alerts for sandboxed files, but this will likely only be completed with full virtualisation in 6.0.
The fact that trusted files and apps have such similar names is an issue, but an old and recognised one.
The fact that apps run from setup files get greater privs is perhaps undesirable (though some apps do things on first running that they don’t do later) and I guess is worth raising as an issue, though it would be very difficult to resolve. How would you recognise the main executable reliably?
There is an argument for D+ ask rules over-riding trusted file policies, to add a progressive alternative to paranoid mode. We could regard this as an issue if you like - board rules do permit - and see if anyone can point out a disadvantage of allowing this. (I think maybe there is a complexity argument - everyone with old D+ rules, eg anyone who has experimented with paranoid mode, would start getting alerts from trusted files.)
Actually I think I now know why they don't implement this. If they did the D+ all apps rule would cause alerts for all trusted files. Removing the rules would make paranoid mode impossible to operate, thus requiring a different set of default rules in paranoid mode, which in turn would require a D+ redesign.
I guess I now understand what you want to tell me. The “allow” button adds the application to the list of trusted applications. So I will try to always use the “more options” window to prevent that from happening.
I agree with you that this behaviour might be intended. It sure makes it way easier for the average user. But especially considering black sheep in the whitelist, it should at least give the possibility to control those applications as well.
I just installed Skype very carefully. Before I started the installation I added a user security policy for the setup. The policy contained “block” rules as well as “allow” rules. Even though the setup was added to the trusted application list, my user policy was not overwritten and even the “ask” rules were applied (although I am not able to tell if some rules were replaced by the trusted application policy). After that I started Skype in the same way. Again my ask rules were applied (although I can't tell if all were applied). I always used the “more options” menu to allow or block certain actions. Every attempt to keep the application off the trusted list failed.
In summary: I guess I was able to control and monitor the installation of Skype, even though it was a very difficult way. The problem remains in my opinion. To me it is a serious problem to overrule user settings in any case, because that makes the software unreliable (I can't rely on it doing its work the way I told it to). But I understand that this might be intended behaviour and that it might increase usability for average users.
About the sandbox policy interference: I have the sandbox disabled. But I got your point about the interference of different policy lists.
Thanks a lot for your help so far. I will read through the links you gave me and try to improve my D+ and Firewall a little more to meet my desired behaviour.
One really interesting point is that without the very transparent actions of Comodo, I would never have become so aware of the security issues. In other words: CIS allows very deep control and monitoring, which makes it my favourite firewall/defender for a reason. So keep up the great work. Thanks.
Edit: yes, I do mean “trusted file list”, not “trusted application list”. The error occurs due to translation from German to English.
I guess I now understand what you want to tell me. The "allow" button adds the application to the list of trusted applications. So I will try to always use the "more options" window to prevent that from happening.
To be exact, what happens is that when fewer options are displayed and you say ‘allow’ and ‘remember’, the file gets a custom policy with all access rights except execution of another executable. So it's the same as a trusted application, but different from the rights allocated to a trusted file. The latter also gets ‘execute a trusted executable’ rights and outgoing firewall rights.
So the trusted application list in this case is notional, made up of all files with these ‘trusted application’ rights.
I just installed Skype very carefully. Before I started the installation I added a user security policy for the setup. The policy contained "block" rules as well as "allow" rules. Even though the setup was added to the trusted application list, my user policy was not overwritten and even the "ask" rules were applied (although I am not able to tell if some rules were replaced by the trusted application policy). After that I started Skype in the same way. Again my ask rules were applied (although I can't tell if all were applied). I always used the "more options" menu to allow or block certain actions. Every attempt to keep the application off the trusted list failed.
In summary: I guess I was able to control and monitor the installation of Skype, even though it was a very difficult way. The problem remains in my opinion. To me it is a serious problem to overrule user settings in any case, because that makes the software unreliable (I can't rely on it doing its work the way I told it to). But I understand that this might be intended behaviour and that it might increase usability for average users.
Thinking about it, any trusted file list entry will be ignored if you are in paranoid mode. Trusted application rules in D+ will be observed though. So this is all expected, I think. Safe mode behaviour remains a matter for debate, I think.
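The precedence the replies in this thread describe (a block rule placed above ‘All Applications’ wins over trusted-file status; an ‘ask’ rule loses to trusted-file status in Safe Mode but not in Paranoid Mode; and answering an alert with Allow plus Remember, without expanding ‘more options’, rewrites the file's rule to allow everything except executing another executable) can be captured in a small model. The following Python is an added example, not part of the thread and not Comodo's code: the Rule structure, the right names (registry, com, camera, execute), the functions decide and answer_alert, and the Skype path are assumptions made for illustration only.

```python
"""Toy model of the Defense+ precedence described in this thread.

Added illustration, not Comodo's code. Everything below (rule layout, right
names, function names, the Skype path) is an assumption for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    ASK = "ask"
    BLOCK = "block"


class Mode(Enum):
    SAFE = "safe"          # trusted-file status overrides 'ask' rules
    PARANOID = "paranoid"  # trusted-file status is ignored entirely


ALL_APPS = "*"  # stands in for the 'All Applications' rule


@dataclass
class Rule:
    target: str                       # exact file path, or ALL_APPS
    default: Verdict                  # verdict for rights not listed per_right
    per_right: dict = field(default_factory=dict)

    def verdict(self, right: str) -> Verdict:
        return self.per_right.get(right, self.default)


def match(rules, path):
    """D+ rules are first-match, top to bottom: a file-specific rule placed
    *below* 'All Applications' is never reached."""
    for rule in rules:
        if rule.target in (ALL_APPS, path):
            return rule
    return None


def decide(rules, trusted_files, mode, path, right):
    """Return (verdict, reason) for one request by `path` for `right`."""
    rule = match(rules, path)
    verdict = rule.verdict(right) if rule else Verdict.ASK
    if verdict is Verdict.BLOCK:
        return Verdict.BLOCK, "explicit block rule beats trusted-file status"
    if verdict is Verdict.ASK and mode is Mode.SAFE and path in trusted_files:
        return Verdict.ALLOW, "Safe Mode: trusted file overrides 'ask'"
    return verdict, "rule verdict applied as written"


def answer_alert(rules, path, right, remember, more_options):
    """Model clicking Allow on an alert for `path` requesting `right`.

    Remember + collapsed 'more options': the file gets a custom policy that
    allows every right except executing another executable, silently turning
    an 'always ask' rule into 'always allow'. Remember + expanded 'more
    options': only the requested right is changed (assumed behaviour)."""
    if not remember:
        return rules
    rule = next((r for r in rules if r.target == path), None)
    if rule is None:
        rule = Rule(path, Verdict.ASK)
        rules.insert(0, rule)  # file-specific rules sit above 'All Applications'
    if more_options:
        rule.per_right[right] = Verdict.ALLOW
    else:
        keep_exec = rule.verdict("execute")  # execution right left untouched
        rule.default = Verdict.ALLOW
        rule.per_right = {"execute": keep_exec}
    return rules


def demo():
    """Walk through the cases discussed in the thread; returns verdicts by name."""
    skype = r"C:\Program Files\Skype\Phone\Skype.exe"  # constructed path
    ask_rules = [Rule(skype, Verdict.ASK), Rule(ALL_APPS, Verdict.ASK)]
    trusted = {skype}
    out = {}
    out["safe_ask"] = decide(ask_rules, trusted, Mode.SAFE, skype, "registry")[0]
    out["paranoid_ask"] = decide(ask_rules, trusted, Mode.PARANOID, skype, "registry")[0]
    block_above = [Rule(skype, Verdict.BLOCK), Rule(ALL_APPS, Verdict.ASK)]
    out["safe_block_above"] = decide(block_above, trusted, Mode.SAFE, skype, "registry")[0]
    block_below = [Rule(ALL_APPS, Verdict.ASK), Rule(skype, Verdict.BLOCK)]
    out["safe_block_below"] = decide(block_below, trusted, Mode.SAFE, skype, "registry")[0]
    plain = answer_alert([Rule(skype, Verdict.ASK), Rule(ALL_APPS, Verdict.ASK)],
                         skype, "com", remember=True, more_options=False)
    out["plain_allow_camera"] = decide(plain, set(), Mode.PARANOID, skype, "camera")[0]
    out["plain_allow_execute"] = decide(plain, set(), Mode.PARANOID, skype, "execute")[0]
    expanded = answer_alert([Rule(skype, Verdict.ASK), Rule(ALL_APPS, Verdict.ASK)],
                            skype, "com", remember=True, more_options=True)
    out["expanded_allow_com"] = decide(expanded, set(), Mode.PARANOID, skype, "com")[0]
    out["expanded_allow_camera"] = decide(expanded, set(), Mode.PARANOID, skype, "camera")[0]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict.value}")
```

The two cases worth comparing are safe_block_below (the block rule sits under ‘All Applications’, so the ask rule is matched first and the trusted file is allowed in Safe Mode) and plain_allow_camera (one plain Allow + Remember on a COM alert also grants camera access, which is the ‘always ask’ to ‘always allow’ rewrite the original report describes).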