Poll
Question: What is your opinion?
I definitely lack this/similar feature. - 1 (7.7%)
This feature could be useful. - 9 (69.2%)
Other answer. - 3 (23.1%)
Total Voters: 13

Author Topic: Usability enhancement for Defense+ in Safe/CleanPC mode  (Read 1396 times)
SS26
« on: October 08, 2009, 11:56:36 AM »

This is a request to implement a new category named "My own unsafe files" as the opposite of the category "My own safe files".  The new category is supposed to have higher privilege than "My own safe files".

The purpose of "My own unsafe files" is to force Defense+ in Safe/CleanPC mode to treat safe files as unknown files, hence preventing autolearning of the activities of these files.

Basic logic of operation of "My own unsafe files" when Defense+ is in Safe mode:
During file execution, Defense+ checks if the executable is safe.  If so, Defense+ checks whether the executable in question is present in the "My own unsafe files" list.  If the file is in the list, then Defense+ treats it as unknown, even though it is signed by a trusted vendor or is in the "My own safe files" list.

Why Defense+ (and CIS) would benefit if such a feature were implemented.

User-friendliness would increase significantly, because currently Defense+ does not provide a compromise: either a bunch of alerts in Paranoid mode, or an uncontrollable (in terms of restriction) whitelist in Safe/CleanPC mode.
"My own unsafe files" could be such a compromise.
As a result, the number of CIS users could increase (significantly).

Moreover, such a feature allows all initial engineering decisions for Safe/CleanPC mode to be preserved because:
* it is completely autonomous (could be removed from Defense+ at any time if found inappropriate);
* it is an optional feature, which should be enabled by a user manually; otherwise the current Safe/CleanPC mode would not be altered in any way, hence all users that are happy with the current Safe/CleanPC mode would not be affected.

P.S.:  Almost the same suggestion here.
P.S.2: Moderators, please don't move this thread to the Wishlist board, at least currently.

CIS developers, your comments are welcome.
« Last Edit: October 09, 2009, 01:55:22 AM by SS26 » Logged
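
The lookup order requested in the first post can be modelled in a few lines; this is an added example, not part of the original thread and not Comodo's code. The class, field and action names, the file paths and the vendor name are all hypothetical, and the model covers only what the post describes: whitelist check, unsafe-list override, and silent autolearning in Safe mode.

```python
from dataclasses import dataclass, field

def norm(path):
    # Windows paths are case-insensitive; compare list entries in one form.
    return path.replace("/", "\\").lower()

@dataclass
class DefensePlusModel:
    mode: str = "safe"                                     # "safe" or "paranoid"
    trusted_vendors: set = field(default_factory=set)
    my_own_safe_files: set = field(default_factory=set)
    my_own_unsafe_files: set = field(default_factory=set)  # the proposed list
    learned_rules: set = field(default_factory=set)        # silently added allow rules

    def is_treated_as_safe(self, path, signer=None):
        p = norm(path)
        whitelisted = signer in self.trusted_vendors or p in self.my_own_safe_files
        # Proposed precedence: the unsafe list outranks both whitelist sources.
        return whitelisted and p not in self.my_own_unsafe_files

    def on_action(self, path, action, signer=None):
        rule = (norm(path), action)
        if rule in self.learned_rules:
            return "allow"
        if self.mode == "safe" and self.is_treated_as_safe(path, signer):
            self.learned_rules.add(rule)                   # autolearning, no prompt
            return "allow+learn"
        return "alert"                                     # unknown file, or Paranoid mode

# Constructed sample events: (path, action, signer)
EVENTS = [
    (r"C:\Windows\System32\services.exe", "load driver", "Example Trusted Vendor"),
    (r"C:\WINDOWS\system32\cmd.exe", "run batch script", "Example Trusted Vendor"),
    (r"C:\Tools\editor.exe", "write file", None),
]

def demo():
    vendors = {"Example Trusted Vendor"}
    safe = {norm(r"C:\Tools\editor.exe")}
    unsafe = {norm(r"C:\Windows\System32\cmd.exe"),
              norm(r"C:\Windows\System32\services.exe")}
    current = DefensePlusModel(trusted_vendors=vendors, my_own_safe_files=safe)
    proposed = DefensePlusModel(trusted_vendors=vendors, my_own_safe_files=safe,
                                my_own_unsafe_files=unsafe)
    replay = lambda m: [m.on_action(*e) for e in EVENTS]
    return replay(current), replay(proposed), proposed.learned_rules
```

With the unsafe list populated, the two signed system binaries raise alerts and leave no learned rule behind, while the user-whitelisted editor keeps its silent Safe-mode behaviour.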
commanding the celsius
« Reply #1 on: October 08, 2009, 12:50:44 PM »

I like to vote so I picked "This feature could be useful.".. Sounds like something for advanced users.. But if you are going to start something "suspicious" and you are afraid/know it's white-listed and want to make sure you get the option to customize the rules for this application, then there's always an option to switch to Paranoid for a short time.. All current rules are still there, so you will probably not get an ass-load of popups from CIS about what's already running if you've had CIS for a while, and you can make sure you get to control this one/two applications the way you want to..

Not saying it's a bad idea but there seem to be ways to achieve this.. If I understood you correctly..
Logged
SS26
« Reply #2 on: October 08, 2009, 01:12:55 PM »

> Not saying it's a bad idea but there seem to be ways to achieve this.. If I understood you correctly..

Achieve what?
Keep in mind that since English is not my native language I could mislead others  ....and sometimes I do not fully understand questions

Thanks for voting
Logged
commanding the celsius
« Reply #3 on: October 08, 2009, 01:39:59 PM »

> Achieve what?
> Keep in mind that since English is not my native language I could mislead others  ....and sometimes I do not fully understand questions
>
> Thanks for voting

Never mind the achieve thing.. English is not my native language either. What I was trying to say is that I don't think this enhancement is extremely necessary and it seems mostly aimed at advanced users in safe mode, but yeah, it could make some tasks easier for some. That's why I vote "This feature could be useful.". Since I believe it could be useful to some..
Logged
SS26
« Reply #4 on: October 08, 2009, 01:53:00 PM »

edit

> I don't think this enhancement is extremely necessary and it seems mostly aimed at advanced users in safe mode, but yeah, it could make some tasks easier for some.

Real examples are (my candidates for the "My own unsafe files" list):

* cmd.exe; to prevent malicious batch scripts from destroying the system if I accidentally launch one of them from Windows Explorer (see this thread for more details);
* services.exe; to prevent third party (and malicious) drivers being loaded silently by D+ (see this thread and linked posts there).  I'm sure that was the case previously, but my recent tests disprove this; now D+ in Safe mode displays alerts for drivers being loaded by services.exe if the .sys file is not in the whitelist....

In order not to sacrifice protection against the mentioned threats, one is forced to struggle with Paranoid mode.  If there were "My own unsafe files", these problems could be solved rather elegantly.

Thread title changed.
« Last Edit: October 08, 2009, 04:22:15 PM by SS26 » Logged
commanding the celsius
« Reply #5 on: October 08, 2009, 05:12:08 PM »

> edit
> Real examples are (my candidates for the "My own unsafe files" list):
>
> * cmd.exe; to prevent malicious batch scripts from destroying the system if I accidentally launch one of them from Windows Explorer (see this thread for more details);
> * services.exe; to prevent third party (and malicious) drivers being loaded silently by D+ (see this thread and linked posts there).  I'm sure that was the case previously, but my recent tests disprove this; now D+ in Safe mode displays alerts for drivers being loaded by services.exe if the .sys file is not in the whitelist....
>
> In order not to sacrifice protection against the mentioned threats, one is forced to struggle with Paranoid mode.  If there were "My own unsafe files", these problems could be solved rather elegantly.
>
> Thread title changed.

I usually like enhancements that help improve interception against "real threats"..  But it looks like the main reason for this is lost if your testing is correct..?  And that other reason seems to be getting fixed (at least to some extent) in version 4..  But yeah, "This feature could be useful" for advanced users who like something in between Safe and Paranoid mode..
Logged
SS26
« Reply #6 on: October 09, 2009, 01:50:41 AM »

U R right.... And the batch scripts and cmd.exe issue IMO should be fixed in another way....and not as planned for v4 either.

I leave this topic for future reference, because there can still be situations when you want more control without having to deal with Paranoid mode.

« Last Edit: October 09, 2009, 06:09:50 AM by SS26 » Logged
tcarrbrion
« Reply #7 on: October 09, 2009, 02:00:37 AM »

CIS assumes that safe applications are always safe. Who is to know that there is not some safe application that, when you download some macro, codec, addon etc, suddenly becomes dangerous. The assumption is that it will always download a new exe to do its dirty work which CIS will block but does this have to be true?

I would be happier if I got an alert for any application, assumed safe or otherwise, that tries to load a driver or do direct disk access. This would lead to very few additional alerts but give greater peace of mind. At the moment this can only be done with Paranoid mode, which I cannot use. The problem at the moment is lack of choice. You can block whatever you want but you cannot force a pop-up for just certain things.
Logged
SS26
« Reply #8 on: October 09, 2009, 02:17:50 AM »

> I would be happier if I got an alert for any application, assumed safe or otherwise, that tries to load a driver or do direct disk access.

As for the driver loading alert: it will be consistent once they fix the autolearning issue.  I will write about it later.  Here is a related post.
As for direct disk access, I agree that could be very useful in some cases.
« Last Edit: October 09, 2009, 07:36:45 AM by SS26 » Logged
SS26
« Reply #9 on: October 09, 2009, 05:34:48 AM »

> But it looks like the main reason for this is lost if your testing is correct..?

I was wrong.  The issue with services.exe remains in Safe mode.  See this post.

....And my request in the first post is fully valid again.  I want to run a usable Defense+ (Safe or CleanPC mode), but to guard the config from unpredictable autolearning.
« Last Edit: October 09, 2009, 05:48:35 AM by SS26 » Logged
tcarrbrion
« Reply #10 on: October 09, 2009, 06:09:16 AM »

> As for the driver loading alert: it will be consistent once they fix the autolearning issue.  I will write about it later.  Here is a related post.
> As for direct disk access, I agree that could be very useful in some cases.

In safe or clean PC mode safe applications get device driver installation and direct disk access set automatically to allow even if the application never does this. This appears to be by design and the only way to prevent it is paranoid mode or to make sure it is set to block. I cannot see how to force a pop-up. This is your Scenario #2 here: https://forums.comodo.com/leak_testingattacksvulnerability_research/issue_with_certain_driver_loading_technique-t46268.0.html;msg333344#msg333344

I have complained about this many times but no one with any influence seems to think that this is a problem.
Logged
SS26
« Reply #11 on: October 09, 2009, 06:14:53 AM »

> * cmd.exe; to prevent malicious batch scripts from destroying the system if I accidentally launch one of them from Windows Explorer (see this thread for more details);

> the batch scripts and cmd.exe issue IMO should be fixed in another way....and not as planned for v4 either.

I was wrong, there is a solution (first sentence).

« Last Edit: October 09, 2009, 07:38:23 AM by SS26 » Logged
The Joker
« Reply #12 on: October 09, 2009, 07:54:31 AM »

I guess your suggestion is a consequence of a wrong decision in CIS design.

I use Safe mode for Defense+ and, unhappily, it allows almost everything, including things that aren't required for certain applications. This gives too much unnecessary power to an application!

I really prefer to see a pop-up telling me that the application is safe or digitally signed but asking me what to do, rather than learning app behavior without a prompt! I don't feel in control, and safe apps can do unsafe things...

> CIS assumes that safe applications are always safe. Who is to know that there is not some safe application that, when you download some macro, codec, addon etc, suddenly becomes dangerous. The assumption is that it will always download a new exe to do its dirty work which CIS will block but does this have to be true?
>
> I would be happier if I got an alert for any application, assumed safe or otherwise, that tries to load a driver or do direct disk access. This would lead to very few additional alerts but give greater peace of mind. At the moment this can only be done with Paranoid mode, which I cannot use. The problem at the moment is lack of choice. You can block whatever you want but you cannot force a pop-up for just certain things.

Couldn't agree more!
Logged

It's all part of the plan!
SS26
« Reply #13 on: October 09, 2009, 08:56:55 AM »

> This is your Scenario #2

Nope.  Scenario #2 is buggy behavior (I updated that post):  D+ tries to trigger an alert for "services.exe is trying to load driver", but fails due to a bug...and autolearns

Scenario #1 and #2 should provide the SAME results because what we do is merely add an executable to the whitelist, but in different ways.
« Last Edit: October 09, 2009, 09:01:15 AM by SS26 » Logged
SS26
« Reply #14 on: October 09, 2009, 09:10:01 AM »

> I guess your suggestion is a consequence of a wrong decision in CIS design.

I don't think there is a wrong decision in the design.  I would say a design improvement is needed:  a compromise between full Paranoid and full Safe\CleanPC modes.
Logged