whitelist reducing?

I’ve noticed that after recent AV database updates the whitelist has been reduced. A lot of *.exe files that were ‘trusted’ have become ‘unknown’. This can be seen in the active process list. Adding them to the unrecognized files list and performing a lookup also returns ‘unknown’ status.

Here are a few examples with SHA-1:

7-zip file archiver 9.20

7z.exe 20fea1314dbed552d5fedee096e2050369172ee1
7zFM.exe f8d409e7ad8c39b344444c95104b69f53f1b8d8c

Ashampoo Burning Studio 2010 Advanced

burningstudio2010adv.exe 91f3c1d3f6f4f1ef9c0dc7751efce15efb6beac7

Some other programs (some drivers etc) are also affected.
With sandbox disabled this increases the number of defence+ alerts.

By the way, checking the SHA-1 of these files at file-intelligence.comodo.com returns the result ‘safe’, so this is probably a master whitelist failure. I doubt this is expected behavior.

This seems to be a bug in CIS somehow. It almost always happens that when I install it everything is fine, but after some time apps just aren’t recognized anymore and I start getting a bunch of popups for stuff that was already allowed or verified. Have no clue why this happens.

Maybe a program upgrade, or a new version of the program not included in the whitelist, or whitelisted programs removed from the whitelist for some reason. And maybe a bug too.

Why, if a program is trusted/whitelisted, are its subsequent versions/upgrades not trusted automatically? Why do the upgraded versions of already whitelisted programs still need to be whitelisted again, otherwise you get popups? This way there will always be popups?


In this case it’s not an upgraded version. It’s the same exe files. The only thing that was updated is the AV database (which as far as I know also includes the whitelist database). Files that were ‘trusted’ are ‘unknown’ now.

It doesn’t seem to be a local problem as online lookup gives the same ‘unknown’ result.

For example, this is 7-zip file manager, part of 7-zip archiver ver. 9.20.
sha-1 f8d409e7ad8c39b344444c95104b69f53f1b8d8c

It was whitelisted before. You can also check its SHA-1 at http://file-intelligence.comodo.com/search-sha1.php
It says that the file is safe. But now it’s removed from the whitelist (just like some other programs and even components of device drivers).

It looks like some kind of failure in the master whitelist database. I don’t think Comodo wants to reduce their whitelist.

[attachment deleted by admin]

Currently I don’t have CIS installed. But CCE on my system also says Unknown for 7-Zip 9.20. Previously it used to say Safe. Don’t know why.

Everything is fine here…

[attachment deleted by admin]

Can you post the SHA1 of that file?

Did all of you use the ‘official’ download site for 7zip? It seems to be happening more and more that installers are ‘wrapped’ with other ad/■■■■/malware and distributed over unofficial channels.

This is the official download from 7-zip.org (Download 7z920.exe (7-Zip)).
SHA1: 55283ad59439134673fc32fc097bdd9ae920fbc6

Both files have been found safe.
7zFM.exe: 676ff0f6b79cc4fe0747638a25d3e70585dced8b
7zG.exe: d1049fd05c45f40e73a9adda1cad45d039ef83a5

This is from the x64 version:

7zFM = 9d8cfb02122d3a0dfeb23b959909aa89ef0a35d0
7zG = dcbe9f2359d767c370f2ba7385cbb6c69a25ee25

[attachment deleted by admin]

If it’s safe on http://file-intelligence.comodo.com/search-sha1.php and ‘unknown’ on your local CIS, it’s probably because the FLS service could not be reached.
If a lookup fails it will also show up as ‘unknown’; afaik they don’t have an ‘FLS Unreachable’ result (yet).

That suggests that it is a server side problem.

Until further notice I assume like Ronny that it is probably a temporary glitch where the FLS server could not be reached.

Wouldn’t it make sense to cache verified results and use that when servers cannot be reached? Otherwise all hell will break loose every time there is some sort of connection problem. Which apparently happens sooner or later…

Well, a cache is difficult; it will introduce another ‘lag’ in case of a status change of a file from bad to good or good to bad.
But at least they should improve the ‘cloud reachability visibility’; one has to know if the cloud is reachable or not, and if not, local security should go into some sort of ‘emergency’ mode.
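
The trade-off in the last few posts (cache verified results, but avoid stale ratings and make an unreachable service visible) can be sketched as follows. This is an added example, not part of any post and not Comodo's code; `CachedLookup`, `Verdict`, `LookupUnavailable` and the fake cloud are hypothetical names, and how the real FLS client behaves is not modelled.

```python
import time
from enum import Enum

class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"          # service answered: no rating for this hash
    UNREACHABLE = "unreachable"  # service did not answer at all

class LookupUnavailable(Exception):
    """Raised by the (hypothetical) cloud client when the service cannot be reached."""

class CachedLookup:
    def __init__(self, cloud_lookup, ttl_seconds, clock=time.time):
        self._cloud = cloud_lookup
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # sha1 -> (verdict, time it was fetched)

    def rate(self, sha1):
        """Return (verdict, source); source is 'cloud', 'cache' or 'none'."""
        now = self._clock()
        try:
            verdict = self._cloud(sha1)
        except LookupUnavailable:
            # Outage: fall back to a cached answer only while it is fresh.
            cached = self._cache.get(sha1)
            if cached and now - cached[1] <= self._ttl:
                return cached[0], "cache"
            return Verdict.UNREACHABLE, "none"
        # A live answer always wins, so a good->bad change applies immediately.
        if verdict is Verdict.UNKNOWN:
            self._cache.pop(sha1, None)
        else:
            self._cache[sha1] = (verdict, now)
        return verdict, "cloud"

def make_fake_cloud(ratings, state):
    """Constructed stand-in for the lookup service; state['up'] toggles outages."""
    def lookup(sha1):
        if not state["up"]:
            raise LookupUnavailable(sha1)
        return ratings.get(sha1, Verdict.UNKNOWN)
    return lookup

if __name__ == "__main__":
    state = {"up": False}  # constructed outage with an empty cache
    print(CachedLookup(make_fake_cloud({}, state), 3600).rate("0" * 40))
```

Because the cache is consulted only during an outage, the rating lag is bounded by the TTL and applies only while the service is down; an expired entry surfaces as ‘unreachable’ rather than ‘unknown’.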

To be clear

I guess the post is about already whitelisted programs being Unknown when reinstalled, right?

& not about already installed whitelisted programs suddenly becoming unknown and giving popups, right?

No, it’s about the already installed whitelisted programs suddenly becoming unknown…

It seems that your 7zfm.exe and 7zg.exe are 4.65 version (not 9.20), right?

OK then that’s a serious prob.

Might be CIS corruption.

Is the local TVL & Trusted list intact? I think it’s a local prob & not a cloud prob coz the programs are already installed & whitelisted, which means they should be either in the TVL whitelist or the Trusted list. Are those programs there & still the probs? Or for some reason they are not there, as I mentioned, CIS corruption.

How did you perform this lookup? If these files are marked ‘safe’ in your local whitelist, then you shouldn’t be able to add them to the unrecognized files list. Are you using CIS AV?

As far as I know there is a third ‘whitelist’ in CIS (not ‘trusted vendors’ or ‘trusted files’ from the defence+ section). This is an internal whitelist that is updated with the AV database. These files (7-zip and others) were in that database and CIS gave no alerts. But after the AV database update things went wrong…