There is a lot of confusion regarding how CIS behaves when a file is updated (modified\changed). I think what is most confusing is that alerts and auto-sandboxing occurs for what the user knows to be a Trusted file. They do not expect CIS to treat Trusted files in such a manner - and - think this is a random, out-of-the-blue quirk\bug. It is not; CIS is working as intended.

When any Trusted file is updated (modified), then CIS will change the rating to Unrecognized - and consequently - alerts and\or auto-sandboxing of the file will occur (of course this depends upon the user's chosen settings).

For example, MBAM has been recently updated by Malwarebytes. Naturally, user wants that new, juicy update. So how will CIS behave in this situation? MBAM is a safe, trusted app and so are all its modules. What will happen in CIS when the files are updated?

In the CIS file list, all the modules were rated as Trusted by Comodo. During installation of the update, CIS re-rates all changed and newly introduced modules to Unrecognized. Notice the Rating column. mbam.exe has been changed to Unrecognized. mbam.sys and mcaw.sys are MBAM drivers. They too were rated as Trusted, but now have been changed by CIS to Unrecognized.

Also, CIS will create a "duplicate" File List entry when a file is updated; it doesn't mean there are multiple installations of the same file -it's just a way to keep track of when the file was modified and - technically - show that a different\modified version is\was installed on the system.

What is the user to do?

Two basic options:


The user can rate the files as Trusted. This is the best option - since we know a Trusted app (mbam.exe) has just been updated - and changing the rating from Unrecognized to Trusted prevents needless alerts\auto-sandboxing for known, Trusted files.

For the most optimum experience, user should add the entire MBAM folder contents to the CIS File List and rate all the newly introduced modules as Trusted. (Don't forget changed\new drivers installed at C:WIndows\System32).


The user can keep the Unrecognized rating - and wait for Comodo File Lookup Service (Cloud) to re-rate the files as Trusted. However, until then, when each of the files are loaded into active memory - then CIS will alert and\or auto-sandbox. This can result in a whole lot of alerts, but can be circumvented by creating Allow rules as the user responds to the individual alerts. All this is not necessary, when most alerts can be prevented by option 1 above. Option 2 is better suited to the odd file that you might have missed.

NOTE: The file age is the date the file was discovered by CIS\introduced to the system. The file age does NOT = the date of update (modification\change). MBAM was introduced to this particular system about 2 months ago... whereas mbamsearch.exe was just introduced 1 minute ago.

Remember: The old (Trusted) files have been newly updated (Trusted changed to Unrecognized by CIS - until changed by user or Comodo FLS).

Why was CIS designed to work this way? For maximum protection... and when you take the time to study it, you realize it does work.

Emsisoft handles this sort of thing a little bit more user friendly. It alerts the user when files are updated - and the user can choose to continue to enforce existing Allow rules - or to delete them completely and rebuild the rules.

Each system has its strength and weaknesses in terms of user experience, but as far as absolute security - neither has a definitive advantage over the other.
Last edited by a moderator: