Author Topic: Alert reducing settings in CIS - why, how & when to use [v5.8]  (Read 11487 times)

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11855
Alert reducing settings in CIS - why, how & when to use [v5.8]
« on: September 15, 2011, 01:30:05 PM »
DEALING WITH NEW ALERT REDUCTION SETTINGS IN CIS

There are new alert reduction facilities from CIS 5.8 onwards. This FAQ is an attempt to help users with them.
To take the right action you should only need to read 1-3. Item 4 is for those interested in the detail.

Please help us improve this introduction by posting suggestions to the 'Sandbox help materials - Feedback topic' here.

This introduction has been prepared by a volunteer moderator – with input from many other moderators and developers. (Thanks everyone, especially: HeffeD & Egemen). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.


Updated: 31 January 2011, to reflect changes up to CIS version 5.9.xxx
« Last Edit: January 31, 2012, 01:13:07 PM by mouse1 »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11855
What's changed and why?
« Reply #1 on: September 15, 2011, 01:30:48 PM »
In CIS there are now:
  • New default firewall application rules that reduce alerts by allowing all outgoing connections
  • New alert reduction tick boxes ‘Do not show pop up alerts’ in each module which allow you to tell CIS how to handle all alerts eg ‘allow all’ or ‘block all’ or quarantine all. Notifications are not affected.
  • A new installation option that sets the firewall alert reduction tick box to allow, and the AV alert reduction tick box to quarantine

These rules are probably there to make life easier for users with little or no technical knowledge operating in environments with little security risk, where security software is set up by an administrator, for example company IT installations in which most security is managed by other means.
« Last Edit: September 15, 2011, 01:35:39 PM by mouse1 »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11855
Effect on security
« Reply #2 on: September 15, 2011, 01:31:18 PM »
The new default outgoing firewall rule is not very secure, and should be avoided by those in search of a high level of security.

The new alert reduction installation option has little effect when CIS is in the default 'Internet Security' configuration, but should be probably avoided by those in search of a good level of security because of the potential confusion it could cause in future.

The new AV module tick box may be set without security risk, particularly if it is set to ‘quarantine’. The new D+ tick box may be set to ‘block’ safely, though this may mean that some software will not function. Setting it to allow will create a security risk. The new firewall tick box should not be set to ‘allow’ if you want good security, as it will silently allow all outgoing communications even if your global rules say to ask.
« Last Edit: September 15, 2011, 01:47:41 PM by mouse1 »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11855
What to do when you install CIS
« Reply #3 on: September 15, 2011, 01:31:37 PM »
For good security in most contexts
Say no to the alert reduction installation option, if offered (it may not be offered when updating). Delete the new outgoing ‘all applications’ rule. Set the AV alert suppression rule to ‘quarantine’.

If you inadvertently say yes to the installation option, but want good security. Untick the alert reduction tick box in the FW module. Set the AV alert reduction tick box to ‘quarantine’. Delete the new outgoing ‘all applications’ rule in the Firewall module.

For good security with reduced alerts if you run mainly standard office apps
Say no to the installation option, if offered. Delete the new outgoing ‘all applications’ rule. Set the D+ alert suppression rule to 'block', and the AV alert suppression rule to 'quarantine'. Watch for notifications to help you understand why if some software won't run.

If you are an administrator, who manages security in many ways, and you want to reduce user alerts
Say yes to the installation option, if offered, and leave the configuration as 'Internet Security'. If not offered set the AV alert reduction tick box to 'quarantine' and the FW alert reduction tickbox to 'allow'. Consider whether to set the D+ alert reduction tick box to 'Block' or 'Allow' depending on your confidence in the other mechanisms you use to manage security. Set a group or local OS security policy to prevent users from trying to install their own software if you do not want them to get 'Unlimited Access' alerts.
« Last Edit: September 15, 2011, 01:46:29 PM by mouse1 »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11855
The new settings in detail
« Reply #4 on: September 15, 2011, 01:32:37 PM »
New alert reduction tick boxes
There are new alert reduction tick boxes for FW, AV and D+.

The effect of the FW and D+ tick boxes is to automatically block or allow all alerts you would normally be generated by the default or user defined rules in the FW, AV or D+ modules. The only exceptions are D+ 'Unlimited Access' alerts - these cannot be suppressed by the D+ 'allow' option

The effect of the AV settings is to automatically block or quarantine all alerts you would normally be generated by the default or user defined rules in the AV modules.

Notifications (boxes that inform you but don't require input) are unaffected.

Installation option
There is a related installation option which has the effect of setting the FW options to 'allow' and the AV option to 'quarantine'. This installation option does not set the D+ alert suppression tick box.

New default rules for Internet Security configuration
The internet security configuration - the default configuration - now allows all outbound FW connection attempts by default. It also sets the AV alert suppression option to 'block' unless the installation alert reduction option is chosen.

Effect of installation option and tick boxes on Internet Security Configuration
From the above, the installation alert suppression option has only a rather minor effect on the behaviour of the Internet Security configuration unless you change the default module rules. Strangely it doesn’t really reduce the number of alerts at all. Of the alert reducing tick boxes, only the D+ tick box will have an effect.

Effect of installation option and tick boxes on proactive configuration
The new alert reduction installation option has no effect on new CIS installations set to proactive configuration, unless you change the rules for this configuration. When you set the proactive configuration it over-writes the effects of the new alert reduction option. The alert reducing tick boxes will have an effect if and only if set after the proactive configuration is set.
« Last Edit: September 15, 2011, 01:37:53 PM by mouse1 »

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek