I’ve noticed that after recent AV database updates the whitelist has been reduced. A lot of *.exe files that were ‘trusted’ become ‘unknown’. This can be seen in the active process list. Adding them to the unrecognized files list and performing a lookup also returns ‘unknown’ status.
This seems to be a bug in CIS somehow. It almost always happens that when I install it everything is fine, but after some time apps just aren’t recognized anymore and I start getting a bunch of popups for stuff that was already allowed or verified. Have no clue why this happens.
Maybe a program upgrade, or a new version of the program not included in the whitelist, or whitelisted programs removed from the whitelist for some reason. And maybe a bug too.
Why, if a program is trusted/whitelisted, are its subsequent versions/upgrades not trusted automatically? Why do the upgraded versions of already whitelisted programs still need to be whitelisted again, otherwise you get popups? This way there will always be popups?
In this case it’s not an upgraded version. It’s the same exe files. The only thing that was updated is the AV database (which, as far as I know, also includes the whitelist database). Files that were ‘trusted’ are ‘unknown’ now.
It doesn’t seem to be a local problem as online lookup gives the same ‘unknown’ result.
If it’s safe on the http://file-intelligence.comodo.com/search-sha1.php and ‘unknown’ on your local CIS, it’s probably because the FLS service could not be reached.
If a lookup fails it will also show up as ‘unknown’; afaik they don’t have an ‘FLS Unreachable’ result (yet).
Wouldn’t it make sense to cache verified results and use them when servers cannot be reached? Otherwise all hell will break loose every time there is some sort of connection problem. Which apparently happens sooner or later…
Well, a cache is difficult; it will introduce another ‘lag’ in case of a status change of a file from bad to good or good to bad.
But at least they should improve the ‘cloud reachability visibility’: one has to know if the cloud is reachable or not, and if not, local security should go into some sort of ‘emergency’ mode.
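The trade-off raised in the posts above (reuse verified results during an outage, avoid lag when a file's status changes, and make unreachability visible) can be sketched as follows. This is an added example, not part of the original thread and not Comodo's code; `VerdictCache`, `lookup`, `max_stale` and the four verdict names are hypothetical.

```python
import time
from collections import namedtuple

TRUSTED, MALICIOUS, UNKNOWN, UNREACHABLE = "trusted", "malicious", "unknown", "unreachable"
Result = namedtuple("Result", "verdict source")  # source: "cloud", "cache" or "none"

class VerdictCache:
    """Hypothetical client-side cache; `lookup` stands in for the cloud query."""
    def __init__(self, lookup, max_stale=24 * 3600, clock=time.time):
        self.lookup = lookup        # sha1 -> verdict; raises ConnectionError if unreachable
        self.max_stale = max_stale  # how long a cached "trusted" may be reused offline
        self.clock = clock
        self.cache = {}             # sha1 -> (verdict, time the cloud last confirmed it)

    def check(self, sha1):
        now = self.clock()
        try:
            verdict = self.lookup(sha1)  # a reachable cloud always wins: no status lag
        except ConnectionError:
            cached = self.cache.get(sha1)
            if cached:
                verdict, seen = cached
                # Fail safe: an old "malicious" is kept, an old "trusted" expires.
                if verdict == MALICIOUS or now - seen <= self.max_stale:
                    return Result(verdict, "cache")
            return Result(UNREACHABLE, "none")  # kept distinct from a real "unknown"
        if verdict in (TRUSTED, MALICIOUS):
            self.cache[sha1] = (verdict, now)
        else:
            self.cache.pop(sha1, None)   # cloud no longer vouches for the file
        return Result(verdict, "cloud")

def demo():
    """Constructed scenario: cloud goes down, then the cached verdict ages out."""
    state = {"up": True, "now": 0.0}
    def cloud(sha1):
        if not state["up"]:
            raise ConnectionError("lookup service unreachable")
        return TRUSTED
    vc = VerdictCache(cloud, max_stale=3600, clock=lambda: state["now"])
    sha1 = "0" * 40                      # constructed placeholder hash
    out = [vc.check(sha1)]               # online
    state["up"], state["now"] = False, 600.0
    out.append(vc.check(sha1))           # offline, cached verdict still fresh
    state["now"] = 7200.0
    out.append(vc.check(sha1))           # offline, cached verdict too old
    return out

if __name__ == "__main__":
    print(demo())
```

Because the cache is consulted only when the lookup raises, a verdict change on the server takes effect on the next successful query, and the lag is bounded by `max_stale` during an outage.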
Is the local TVL & Trusted list intact? I think it’s a local prob & not a cloud prob coz the programs are already installed & whitelisted, which means they should be either in the TVL whitelist or the Trusted list. Are those programs there & still the probs? Or for some reason they are not there, as I mentioned, CIS corruption.
As far as I know there is a third ‘whitelist’ in CIS (not ‘trusted vendors’ or ‘trusted files’ from the defence+ section). This is an internal whitelist that is updated with the AV database. These files (7-zip and others) were in that database and CIS gave no alerts. But after the AV database update things went wrong…