Why are Execution Control settings enforced when it is disabled?

I tried to uninstall Easeus ToDo Backup Workstation using the Add/Remove Programs applet. After clicking the Remove button, I go the error:

Unable to execute file in the temporary directory. Setup aborted.
Error 1816: Not enough quota is available to process this command.

After digging around CIS, I found that disabling Execution Control was not sufficient to eliminate its interference with running the uninstaller. Whether Execution Control is enabled or not, I had to disable the:

Treat unrecognized files as: Untrusted (or Blocked)

I selected Untrusted (or Blocked) because, well, if it’s not in Comodo’s safelist and I didn’t elect to add it to the Trusted Programs list, or I elect to Allow in a popup alert from CIS then I want it severely throttled or I don’t want it to run. So I’m running into some problems with CIS:

  • Doesn’t show a popup alert when it finds this unrecognized uninstaller file to ask me what to do. Obviously this file won’t be around after the uninstallation completes, so there is no point in adding it to the Trusted Programs list. But I had expected to get a popup alert asking me what to do so I could pick “Allow” (but not select the “remember” checkbox). If I elect to run untrusted or block programs, why wouldn’t I want to know about that? A new program gets installed or merely copied onto my hard disk and I try to run it. It fails. Why? CIS doesn’t alert me so how do I know why?

  • “Treat unrecognized as” is still applied despite that I disabled Execution Control. Just what is execution control if it doesn’t include the options listed in the Execution Control Panel? If I disable Execution Control then why do ANY of those options still apply? It’s ridiculous to rely on users disabling all options in this panel to actually disable execution control. Why is the slider there if it really doesn’t enable/disable execution control?

Do you have Automatically trust the files from the trusted installers and Show notifications for automatically sandboxed processes disabled?

Having the first one disabled may explain why the uninstaller is not trusted. How did you install Easesus ToDo?

Execution Control prevents shellcode injection.

FWIW I also have been confused by this panel.

As far as I can see, contrary to the help file, when the sandbox is enabled, the slider appears to disable only buffer overflow protection, and possibly guard32/64.dll injection. Not sure what would happen with the sandbox disabled. Have not fully tested this yet, but that is my tentative conclusion.

TBH this panel is a bit confused in other ways. I think the exclusions list only excludes from Buffer Overflow protection and guard32/64 injection, too.

Of course if the slider did exclude from execution control it would be a sort of alternative to trusted files…

Best wishes


The settings were at the defaults EXCEPT for the “Treat unrecognized files” option which I changed from Partially Limited to Untrusted (and had planned later to set to Block). Since this option is in the same configuration panel as for the on-off slider for Execution Control, I figured the on-off setting applied to all the options in that panel; otherwise, just what am I turning on and off? Something has to change in behavior between the on and off states for Execution Control and the only behaviors listed are those in the same config panel as this slider.

Apparently this is a poorly designed config panel. The on-off slider does not apply to all the settings in that config panel but the user has no information as to which ones are and are not affected by the slider’s position. It looks like the “Treat unrecognized files as” setting is not one of those regulated by the on-off state of Execution Control. I only come to this conclusion because that’s the effect that I see: whether Execution Control’s slider is on or off, it has no effect on the “Treat unrecognized files” setting. Poor design misleads the user. Any settings in that panel that aren’t affected by the slider should get moved to a different panel or that panel gets split in half with the slider and shellcode injection in one section and the other settings in another section and the two sections clearly delimited from each other.

So the only good way to run an unrecognized uninstaller looks to be by disabling Defense+ altogether before running the uninstaller and re-enable it afterward.

NOTE: I cannot do further testing since I had to restore my system from a backup image. I was putzing around in the registry after uninstalling a backup program that I was trialing for a couple weeks to see if I was going to switch to it. I fouled it all up so Windows wasn’t bootable at all (normal, safe, or “last known good” didn’t work and I’d get a BSOD). The image was made before I installed Comodo Firewall so the restore meant it wasn’t there. Since I had run into other problems reported by other users (slowed system response, high CPU usage by cfp.exe which still impacted responsiveness after CPU usage dropped, etc), I haven’t decided to experiment with Comodo Firewall again. There were some features that I thought would be in Comodo Firewall by now but apparently they’re on hold for the 6.0 release. I’ll re-trial then. Thanks for your help.

Mouse1 iniated a round of testing behind the scenes and we confirm your findings that disabling Image Execution does not disable sandboxing like the UI seems to suggest.