Advice Request Comodo in Safe Mode blocks a trusted vendor app

[ctrlz]

Hi,
I'm using Comodo v10 in proactive security, the HIPS level is Safe mode.
Unfortunately, I always find this line in the blocked applications:


The exe comes from a trusted vendor:


And I have a custom HIPS rule that allow that exe:


If i unblock the app from the blocked list, after few seconds a new entry is created.
The only way to not create the entry is disable the HIPS component.

IMO it's a bug: the driver comes from a trusted vendor, I'm in safe mode and, anyway, and an explicit allow rule is present.
Do you know if there is a specific reason for this?

 

[Ink]

IMO it's a bug: the driver comes from a trusted vendor, I'm in safe mode and, anyway, and an explicit allow rule is present.
Do you know if there is a specific reason for this?

Have you been able to contact or post a bug report to Comodo Support (Email and Forum)?

 

[ctrlz]

Not yet, before to proceed I just wanted to be sure I wasn't missing something.
Anyway I'm going to report this bug to comodo

EDIT: posted bug report: Safe Mode always blocks application from trusted vendor - Bug Reports - CIS

 

[ctrlz]

You can find the full reply in the above link.
It seems a legit behaviour, but it was auto-blocked by CIS self-defense that prevents Interprocess Memory Accesses on its processes.
Added an exclusion in that ruleset, to avoid blocks with the synaptics driver

 

[509322]

IMO it's a bug: the driver comes from a trusted vendor, I'm in safe mode and, anyway, and an explicit allow rule is present.
Do you know if there is a specific reason for this?

You have to compare the file's digital certificate to what is in COMODO's Trusted Vendor List. A seemingly simple difference, like Synaptics Corp versus Synaptics Ltd, will result in a block. Also, COMODO might have whitelisted only a specific set of files for the vendor.

Not yet, before to proceed I just wanted to be sure I wasn't missing something.
Anyway I'm going to report this bug to comodo

EDIT: posted bug report: Safe Mode always blocks application from trusted vendor - Bug Reports - CIS

You're wasting your time.

In a case such as this you have to submit the file to COMODO for whitelisting. Doing so is infinitely faster than a bug report - and they will not consider this case a bug. You can find how to submit files for whitelisting on the COMODO forum.

 

[ctrlz]

@Lockdown thank you for the reply. I looked for the exact trusted vendor string, and it should be allowed.

The reply I received from the forum says that CIS processes protected themselves from memory access, unless you explicitly allow the process in the protection exclusions of the ruleset.
I did it, allowing synaptics to acces xCIS processes, and it works without blocks.

Please note that this doesn't happen with other processes, but only with CIS ones, so I think it could be right (it's a matter of self-protection). If it was an all processes, definitely not.

 

[509322]

@Lockdown thank you for the reply. I looked for the exact trusted vendor string, and it should be allowed.

The reply I received from the forum says that CIS processes protected themselves from memory access, unless you explicitly allow the process in the protection exclusions of the ruleset.
I did it, allowing synaptics to acces xCIS processes, and it works without blocks.

Please note that this doesn't happen with other processes, but only with CIS ones, so I think it could be right (it's a matter of self-protection). If it was an all processes, definitely not.

OK. I misunderstood. I thought it was completely blocked from running.

Synaptics has no need to access COMODO processes so it should be blocked from doing so.