I’ve noticed that after recent AV database updates the whitelist has been reduced. A lot of *.exe files that were ‘trusted’ have become ‘unknown’. This can be seen in the active process list. Adding them to the unrecognized files list and performing a lookup also returns ‘unknown’ status.
Some other programs (some drivers etc) are also affected.
With sandbox disabled this increases the number of defence+ alerts.
By the way, checking the sha-1 of these files at file-intelligence.comodo.com returns the result ‘safe’, so this is probably a master whitelist failure. I doubt this is expected behavior.
This seems to be a bug in CIS somehow. It almost always happens that when I install it everything is fine, but after some time apps just aren’t recognized anymore and I start getting a bunch of popups for stuff that was already allowed or verified. Have no clue why this happens.
Maybe a program upgrade, or a new version of the program not included in the whitelist, or whitelisted programs removed from the whitelist for some reason. And maybe a bug too.
Why, if a program is trusted/whitelisted, are its subsequent versions/upgrades not trusted automatically? Why do the upgraded versions of already whitelisted programs still need to be whitelisted again, otherwise you get popups? This way there will always be popups?
In this case it’s not an upgraded version. It’s the same exe files. The only thing that was updated is the AV database (which as far as I know also includes the whitelist database). Files that were ‘trusted’ are ‘unknown’ now.
It doesn’t seem to be a local problem as online lookup gives the same ‘unknown’ result.
For example, this is 7-zip file manager, part of 7-zip archiver ver. 9.20.
sha-1 f8d409e7ad8c39b344444c95104b69f53f1b8d8c
It was whitelisted before. You can also check its sha-1 at http://file-intelligence.comodo.com/search-sha1.php
It says that the file is safe. But now it’s removed from the whitelist (just like some other programs and even components of device drivers).
It looks like some kind of failure in master whitelist database. I don’t think Comodo want to reduce their whitelist.
Did all of you use the ‘official’ download site for 7zip? It seems to be happening more and more that installers are ‘wrapped’ with other ad/■■■■/malware and distributed over unofficial channels.
If it’s safe on the http://file-intelligence.comodo.com/search-sha1.php and ‘unknown’ on your local CIS, it’s probably because the FLS service could not be reached.
If a lookup fails it will also show up as ‘unknown’; afaik they don’t have an ‘FLS Unreachable’ result (yet).
Wouldn’t it make sense to cache verified results and use that when servers cannot be reached? Otherwise all hell will break loose every time there is some sort of connection problem. Which apparently happens sooner or later…
Well, a cache is difficult; it will introduce another ‘lag’ in case of a status change of a file from bad to good or good to bad.
But at least they should improve the ‘cloud reachability visibility’; one has to know if the cloud is reachable or not, and if not, local security should go into some sort of ‘emergency’ mode.
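The trade-off raised in the posts above (cached verdicts versus the lag on a status change, and a lookup failure that should not look like ‘unknown’), as an added example that is not from the thread and not Comodo's code. The class, the `query` callable and the TTL value are assumptions made for illustration.

```python
import time
from enum import Enum

class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"          # service answered: no record for this hash
    UNREACHABLE = "unreachable"  # service did not answer and nothing is cached

class CachedLookup:
    """Hypothetical client-side cache in front of a file-reputation service."""

    def __init__(self, query, ttl=3600, clock=time.time):
        self.query = query    # assumed: callable(sha1) -> Verdict, raises OSError if unreachable
        self.ttl = ttl        # seconds a cached verdict is trusted; bounds the status-change lag
        self.clock = clock
        self.cache = {}       # sha1 -> (Verdict, time fetched)

    def lookup(self, sha1):
        """Return (verdict, source), source in {'cloud', 'cache', 'stale-cache', 'none'}."""
        now = self.clock()
        hit = self.cache.get(sha1)
        if hit and now - hit[1] < self.ttl:
            return hit[0], "cache"            # fresh: no network round trip
        try:
            verdict = self.query(sha1)
        except OSError:
            if hit:
                return hit[0], "stale-cache"  # outage: last known verdict, flagged as stale
            return Verdict.UNREACHABLE, "none"
        if verdict in (Verdict.SAFE, Verdict.MALICIOUS):
            self.cache[sha1] = (verdict, now)
        else:
            self.cache.pop(sha1, None)        # the service no longer vouches for the file
        return verdict, "cloud"

if __name__ == "__main__":
    SHA1 = "0" * 40  # constructed placeholder hash
    def offline(_sha1):
        raise OSError("service unreachable")  # constructed outage
    print(CachedLookup(offline).lookup(SHA1))
```

Returning the source alongside the verdict lets local policy treat a `stale-cache` or `UNREACHABLE` result differently from a genuine `UNKNOWN`, instead of raising alerts for every file during an outage.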
Is the local TVL & Trusted list intact? I think it’s a local prob & not a cloud prob coz the programs are already installed & whitelisted, which means they should be either in the TVL whitelist or the Trusted list. Are those programs there & still the probs? Or for some reason they are not there, as I mentioned, CIS corruption.
How did you perform this lookup? If these files are marked ‘safe’ in your local whitelist, then you shouldn’t be able to add them to unrecognized files list. Are you using CIS AV?
As far as I know there is a third ‘whitelist’ in CIS (not ‘trusted vendors’ or ‘trusted files’ from the defence+ section). This is an internal whitelist that is updated with the AV database. These files (7-zip and others) were in that database and CIS gave no alerts. But after the AV database update things went wrong…