Why no execution warning given for these 3 programs (in Paranoid mode!)?

Hello Comodo, all,

I am seeking the advice of any of the developers or highly technical co-users…

Although I have CIS running in Proactive mode and Defense+ in Paranoid mode, and the 3 programs mentioned below do not appear in Computer Security Policy, I seem to get no execution warning for the following 3 programs, and I would like to know the reason. Image Execution settings are at Aggressive, with exe, com, bat. In the Trusted Vendors only Comodo is left. Also, in the Defense+ settings, I unticked the ‘Trust the apps signed by Trusted Software vendors’…

The programs are:

  • stopbuddy.exe (installer: stopbuddysetup.msi) (an application helping you to try to stop smoking)
  • jarte.exe (the word processor, not the installed version but the portable version)
  • Kalender.exe (UKCalendar) (installer: setupUKkalendar.exe)

Although at the time of install of Stopbuddy I get the warning ‘explorer.exe is trying to execute msiexec.exe’, after the install I do not get warned (neither for Jarte nor for UKKalendar) that an .exe application is trying to be executed.

How can this be, taking into consideration the above-mentioned setup of CIS, where I should get warned of any exe execution and any use of the Whitelist should not be applicable (if any of the above 3 applications would be in there, which I think not, as I have not added them myself, nor are their Vendor names in the Trusted list)?
Also, in the Computer Security Policy overview, none of these 3 apps is mentioned, so I would imagine they are ‘fresh and new apps’ at any time of execution…

Security setup: I have CIS 3.8…471, the latest version, installed.

Thanks for any technical feedback,

Brgds,
mack

Hi Mack,

I have seen some of this behavior also; however, “Trusted/Signed” applications are something other than the internal whitelisted applications. You can’t see and/or move/remove them; it’s an internal db for CIS.

I see only 2 reasons for this behavior, 1) it’s on the whitelist or 2) it’s a bug.

Did you happen to notice “Defense+ is learning” tray messages?
Beware that CIS caches this behavior for the process, so it could be you need a reboot every time you test.

Hello Ronny,

No, I do not see any learning balloons (and I have balloon showing set to ON).

I suspected the internal whitelist as well, but even then, in Paranoid mode, with TRUSTED OFF, and not in Safe or Learning mode, should I not get pop-ups then?

Also, if I were in SAFE or Learning, are the learned apps not taken up in the Computer Security Policy list then?

I can imagine we are not getting to see the list of 1 Mio whitelisted apps, but I would appreciate it if the ones recognised on my system were identified and listed in the Comp Sec Pol list, so I know what CIS is allowing on my system…

Brgds,
Mack

Yes, if in Paranoid Mode, you should be getting alerts even if it was in the white list.

Hello Fazio93,

Thanks, should I then move my question to the bug section of the forum?

Brgds,
Mack

That’s not my call, but to me, it looks like a bug. I agree with Ronny; the only two reasons I can see are the white list or a bug. Even if it was the white list, it would still be a bug because you should get alerts in paranoid mode anyway.

Moved to the bug section.

I believe this is not a bug. Rather, it’s a consequence of msiexec.exe having the policy ‘Updater or Installer’ by default. Msiexec.exe is the Windows installer.

By the way, I don’t use the default policy for msiexec.exe, to avoid situations such as this ;).

Surely the “installer or updater” of msiexec.exe only makes a difference if the programs in question are run during installation so it inherits the trusted status and produces allowed rules.

I was thinking maybe msiexec.exe ran explorer.exe during installation? If so, wouldn’t that result in explorer.exe temporarily also having ‘Installer or Updater’ policy?

I wanna know what programs you have already allowed to be run by explorer.exe?

Hello,

You can find this by opening the GUI, going to Defense+, selecting Advanced and clicking on Computer Security Policy. Now find %windir%\explorer.exe and double-click on it, click on “Access Rights” and click on “Modify” behind “Run an executable”; that should give you a list of programs explorer.exe is allowed to run.

Oh…actually I was not going to start a new topic…just reply to a post…I don’t know why it became a new topic…anyway, please ignore it ;)

Hi MrZero,

I split the post because the topic was already a few months old and I thought you were asking a “general” question… that’s why.

I’ve merged them back.

Oh I see…sorry…I haven’t looked at the date