Process Lasso and Comodo Firewall v7

Started by Victek, March 09, 2014, 01:48:16 PM


Victek

Hello!  I recently started using the new Comodo Firewall version 7.  With both the beta and the now released version I'm seeing Process Lasso listed in the Comodo Intrusion alert log.  Specifically it shows cis.exe and cistray.exe as the "targeted" files and the flag as "access memory".  I've already excluded both files from Process Lasso Probalance and marked Process Lasso files as "trusted" in Comodo Firewall, but the intrusion alerts persist.  Any help with this will be appreciated.  Thanks!

BenYeeHua

Ya, this will need the dev to hard-code it into the Process Lasso ignore list, as excluding the files in PL only stops them from being restrained; it does not stop PL from accessing the processes.

I will tell the dev and have the processes added to the ignore list.  :)

Jeremy Collake

The cause is Comodo protecting its own processes. When it sees Lasso access them, it blocks the attempt and logs it.

Comodo protects its own processes so that malware doesn't shut them down or otherwise interfere with them. Almost all security software does that these days. Some log these events, others just block them.

So, this will be resolved in the next beta version released. A new final will follow within the next week.

That said, the issue here shouldn't cause any large troubles, other than filling Comodo's log with these events.
Software Engineer. Bitsum LLC.

Victek

Thanks for letting me know that a fix is in the works.

Jeremy Collake

Although I am going to exclude 'cis.exe' and 'cistray.exe' from being listed, at least in the next beta, I want to re-iterate this:

Seeing log events about actions blocked by Comodo's intrusion detection, defense+, or elsewhere is NOT unexpected or problematic. This will happen. It's not really a bug of Lasso, nor is Lasso doing anything inappropriate. It's just that Comodo is super-sensitive, and wants to list every conceivable third-party access to its processes.

BenYeeHua

Quote from: support on March 13, 2014, 06:24:07 PM
Although I am going to exclude 'cis.exe' and 'cistray.exe' from being listed, at least in the next beta, I want to re-iterate this:

Seeing log events about actions blocked by Comodo's intrusion detection, defense+, or elsewhere is NOT unexpected or problematic. This will happen. It's not really a bug of Lasso, nor is Lasso doing anything inappropriate. It's just that Comodo is super-sensitive, and wants to list every conceivable third-party access to its processes.
And not providing a setting to disable it?

I think it should not be enabled by default, as most users will not read the log...

Victek

Quote from: support on March 13, 2014, 06:24:07 PM
Although I am going to exclude 'cis.exe' and 'cistray.exe' from being listed, at least in the next beta, I want to re-iterate this:

Seeing log events about actions blocked by Comodo's intrusion detection, defense+, or elsewhere is NOT unexpected or problematic. This will happen. It's not really a bug of Lasso, nor is Lasso doing anything inappropriate. It's just that Comodo is super-sensitive, and wants to list every conceivable third-party access to its processes.

Yes, I understand this.  The only problem is the continuous "intrusions" create a lot of "noise" - the intrusion counter is displayed in the front of the Advanced UI - and the only way to deal with it is to ignore it, which makes it useless as a warning.  I will install the latest beta and see if that stops it.  Thanks!

Phil

Here's a workaround:

  • Go to HIPS Settings, select HIPS Rules and edit Comodo Internet Security Folder
  • Browse the Protection Settings and click Modify on Interprocess Memory Access module
  • Add Process Lasso folder to be excluded

BenYeeHua

HIPS!?
This is not a good idea if the user doesn't know how to use it...
Quote: Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
http://en.wikipedia.org/wiki/Intrusion_prevention_system

Victek

Quote from: Phil on March 18, 2014, 07:49:11 PM
Here's a workaround:

  • Go to HIPS Settings, select HIPS Rules and edit Comodo Internet Security Folder
  • Browse the Protection Settings and click Modify on Interprocess Memory Access module
  • Add Process Lasso folder to be excluded

Thanks Phil, that works.

Victek

Quote from: support on March 13, 2014, 06:24:07 PM
Although I am going to exclude 'cis.exe' and 'cistray.exe' from being listed, at least in the next beta, I want to re-iterate this:

Seeing log events about actions blocked by Comodo's intrusion detection, defense+, or elsewhere is NOT unexpected or problematic. This will happen. It's not really a bug of Lasso, nor is Lasso doing anything inappropriate. It's just that Comodo is super-sensitive, and wants to list every conceivable third-party access to its processes.

Thanks for adding the exclusions in the beta and 6.7.0.52.  Unfortunately they do not solve the Comodo Firewall intrusion log issue, but the modification that Phil posted takes care of it.

BenYeeHua

Quote from: Victek on March 23, 2014, 03:26:29 PM
Thanks for adding the exclusions in the beta and 6.7.0.52.  Unfortunately they do not solve the Comodo Firewall intrusion log issue, but the modification that Phil posted takes care of it.

Hmm, then I guess this fix doesn't work, and it needs more...