hjlbx
Thread author
Comodo Internet Security v. 8.2.0.4591
The linked video below shows how there are synchronization issues between the various parts (databases\servers) that comprise Comodo's File Rating System.
Comodo's File Rating System = File Lookup Service (Cloud), local database (machine upon which CIS is installed), Comodo Instant Malware Analysis Service (CAMAS\CIMAS) and Comodo File Intelligence (CFI). Plus there are internal Comodo lists.
The file used in the video is C:\Windows\System32\aeinv.dll .
The file's SHA1 hash is: 50e71839285e234d694e1e5f1e8dff80fe873780
It was introduced on the system: 4/22 (Trusted by FLS)
Updated (modified) on: 6/17 (changed from Trusted to Unrecognized by CIS)
Re-rated by Comodo on: 6/24 (changed from Unrecognized back to Trusted via FLS)
There are two entries in the CIS File List - which is correct. However, if you watch carefully, you will see that the File Detail (Comodo rating on local machine - from FLS\Cloud) does not agree with Comodo Lookup (I am not sure of the Lookup database location - perhaps Comodo File Intelligence or other internal file list).
Furthermore, by entering the file's SHA1 hash at https://file-intelligence.comodo.com/search-sha1.php , you can verify that as of today (6/28) aeinv.dll is listed as "Unknown" in Comodo File Intelligence. If you have it on your local machine, it should be Trusted in the CIS File List... and that rating, in all likelihood, came from Comodo - unless you changed it from Unrecognized to Trusted in the CIS File List sometime between 6/17 and 6/24.
So... what's the point? At the very least it causes confusion. At worst, it might cause CIS to treat a file differently over time - until there is complete agreement across all Comodo File Rating databases. In other words, the worst case scenario is that CIS will treat a Trusted file as Unrecognized - and generate alerts (depending upon user's chosen CIS settings) and auto-sandbox the file. This, while annoying, can be circumvented through the creation of Allow rules.
The ultimate worst case scenario is where a file has been re-rated by Comodo from Trusted to Malicious - but it takes a relatively long time for all the databases to sync. I have not seen nor heard of such a thing - but think about it.
The bottom line: the user can create rules that solve almost any File Rating issues and\or bugs that cause CIS to improperly treat a safe, Trusted file as Unrecognized. Keep in mind that Comodo is all about "Old School," manual administration of the system... so users should expect at least some intermittent administration. CIS now has the option for the user to change the rating of a file - which, in most cases, fixes any issues.
If a user desires a more "hands-off," automated experience, then use @cruelsister 's suggested CFW configuration.
NOTE: What is covered here is a logistical issue - and not a CIS bug. CIS File Rating bugs do exist - and for some time now - but this isn't one of them. Even in the case of some of the more serious File Rating bugs, the user can create Allow rules to eliminate alerts, blocks and auto-sandboxing for safe files.
The cause: as far as I have been able to determine, @Malware1 gave me a tidbit of info = Comodo File Intelligence database uses some form of cache - so - there can be a delay between file rating synchronization between all the databases that make up the system. Just an educated guess... so take it for what it is. I am drawing a conclusion here - and this is not the opinion of @Malware1.
In this case, nothing was ever broken. When the file was updated on 6/17, CIS changed the rating from Trusted to Unrecognized and it generated alerts (based upon my chosen CIS settings) - which is correct behavior. So from 6/17 to 6/24 I had to create Allow rules. After the file rating was changed on 6/24 from Unrecognized to Trusted by Comodo, I no longer needed those Allow rules. Tip: Once in a while I go through the HIPS, firewall and sandbox rules - verify a file's rating to see if anything has changed - and delete any unneeded rules.
Here is OneDrive download link for video: https://onedrive.live.com/redir?resid=2C645D108A1E40C7!4857&authkey=!AEWleuHFmCJMLeM&ithint=video,avi
NOTE: Movie is in Microsoft Video1 AVI format; can be viewed using Windows Media Player or VLC or Classic Media Player. Viewing it this way should be much more clear - but video is 82 MB...
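The disagreement described in this post can be checked mechanically. The following is an added example, not part of the original post and not Comodo code: it merges the ratings different sources report for one SHA1 and flags hashes that are out of sync, listing first the case where one copy still says Trusted after another says Malicious. The source labels, the "most severe verdict wins" policy and the second placeholder hash are assumptions made for illustration.

```python
from dataclasses import dataclass

# Fail-safe merge order: when sources disagree, the most severe verdict wins.
SEVERITY = {"Trusted": 0, "Unrecognized": 1, "Malicious": 2}

def normalize(rating):
    # The CFI web lookup says "Unknown"; fold it (and any unexpected label)
    # into Unrecognized so that it is never mistaken for Trusted.
    return rating if rating in SEVERITY else "Unrecognized"

@dataclass(frozen=True)
class Observation:
    source: str   # which database answered (labels here are illustrative)
    rating: str   # verdict exactly as that source reported it
    seen: str     # date the verdict was read, as written in the post

def reconcile(observations):
    """Merge the per-source verdicts for one hash into a conservative result."""
    ratings = {normalize(o.rating) for o in observations}
    effective = max(ratings, key=SEVERITY.__getitem__)
    return {
        "effective": effective,
        "in_sync": len(ratings) == 1,
        "disagreeing": sorted((o.source, o.rating, o.seen) for o in observations
                              if normalize(o.rating) != effective),
        # The post's "ultimate worst case": one copy still says Trusted
        # after another source has re-rated the file as Malicious.
        "urgent": effective == "Malicious" and "Trusted" in ratings,
    }

def audit(files):
    """Return (sha1, result) for every out-of-sync hash, urgent ones first."""
    rows = [(sha1, reconcile(obs)) for sha1, obs in files.items()]
    rows = [row for row in rows if not row[1]["in_sync"]]
    return sorted(rows, key=lambda row: (not row[1]["urgent"], row[0]))

# Constructed sample data. The first entry uses the hash, ratings and dates
# from the post; the second is a hypothetical placeholder hash.
SAMPLE = {
    "50e71839285e234d694e1e5f1e8dff80fe873780": [
        Observation("local-file-list", "Trusted", "6/24"),
        Observation("cfi-web-lookup", "Unknown", "6/28"),
    ],
    "f" * 40: [
        Observation("local-file-list", "Trusted", "6/24"),
        Observation("cloud-lookup", "Malicious", "6/28"),
    ],
}
```

Calling `audit(SAMPLE)` returns the placeholder hash first (urgent), then aeinv.dll with an effective rating of Unrecognized and the local Trusted entry listed as the disagreeing source.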