Author Topic: Settings for running Steam [Draft] [v6] [v7]  (Read 12954 times)

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #30 on: May 10, 2014, 03:54:57 AM »
Thanks Sanya. Sorry was guilty of inprecise language.  Yes it's about the alerts being hidden and games preventing alt tab.

I'm trying to get a set of settings which will allow Steam and absolutely all Steam Games to run without alerts or other adverse effects for that reason, and for user convenience.

Partly also to choke off the 'bugs' and help issues which have been reported re Steam and Cis from v4 onwards.

Settings that will be suitable for the average user to use without problems. So the security-usability tension is acute. Maybe there need to be multiple set of settings from more to less secure, dunno.

Best wishes

Mike

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #31 on: May 10, 2014, 03:57:31 AM »
Another problem. Steam, the company, say these should be excluded from FW, but I cannot find them in my 8.1 installation. Maybe they come from unpacked update executables. Anyway I have no path for them:

steaminstall.exe (installer, clearly)
hl.exe (?)
hl2.exe (?)
steamTmp.exe (install temp file?)

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #32 on: May 10, 2014, 04:22:43 AM »
steaminstall.exe (installer, clearly)

Iunno, this may refer to the installer for Steam but I'm not sure, it could also be the installer for games.. If my first guess is true then it's obsolete since it's now called SteamSetup.exe and if the later is true then I don't know where to find it.

If the later then setting Steam.exe to Installer/updater should be enough from a HIPS perspective since it would be Steam.exe that initializes Steaminstall.exe, for BB setting Steam.exe to exclude and exclude child processes should also be enough (I think, depends if "Steam > Steaminstall > Unrecognized install executable" means the unrecognized install executable is sandboxed or not)
hl.exe (?)

hl.exe refers to the executable for Half-Life or otherwise games that build on Half-Life (mods of Half-Life) and I guess perhaps certain games built on the GoldSrc engine.

For HIPS setting Steam.exe as installer/updater is enough since hl.exe is launched by steam.exe
For BB setting Steam.exe as excluded and exclude child processes should be enough since Steam.exe launches hl.exe
hl2.exe (?)

hl2.exe refers to the executable for Half-Life 2 (including Episode 1 and 2) or otherwise games that build on Half-Life 2 (including Episode 1 and 2) and perhaps certain games built on the Source engine.

For HIPS setting Steam.exe as installer/updater is enough since hl2.exe is launched by steam.exe
For BB setting Steam.exe as excluded and exclude child processes should be enough since Steam.exe launches hl2.exe
steamTmp.exe (install temp file?)

Iunno and I don't know where to find it but for HIPS setting Steam.exe as installer/updater is most likely enough since most likely Steam.exe is the one to launch steamTmp.exe, for BB setting Steam.exe as exclusion and exclude child processes is probably enough too.
I support privacy and freedom online - eff.org

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #33 on: May 10, 2014, 06:51:20 AM »
I just tested it and setting Steam.exe as exclusion in BB and excluding child processes means that if Steam.exe launches launcher.exe then launcher.exe will start outside of the sandbox BUT ALSO if launcher.exe launches for example Starbound.exe then Starbound.exe is launched outside of the sandbox. (launcher.exe and Starbound.exe are both unrecognized)

Video proof/example: http://youtu.be/Mo9aVPFVZPQ
Edit: Sure in the video I show it in the wrong order, I go Exception first then no exception then HIPS... Should have gone no exception first, then exception and then HIPS... Would make more sense but the video is still accurate.

So literally all that is needed on the HIPS front is setting Steam.exe to Installer/updater and for BB set Steam.exe as excluded and tick to exclude child processes. Now the only issue is AV and Firewall. I have personally never had any issues with plain AV on any games I have played, for this I'd suggest a per application approach when it is needed (which is rarely in my experience) and for Firewall I would personally suggest to do it on a per application basis but I can understand if that might not be good enough for this guide.
« Last Edit: May 10, 2014, 07:06:50 AM by Sanya IV Litvyak »
I support privacy and freedom online - eff.org

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #34 on: May 10, 2014, 07:05:50 AM »
I just tested it and setting Steam.exe as exclusion in BB and excluding child processes means that if Steam.exe launches launcher.exe then launcher.exe will start outside of the sandbox BUT ALSO if launcher.exe launches for example Starbound.exe then Starbound.exe is launched outside of the sandbox. (launcher.exe and Starbound.exe are both unrecognized)

Video proof/example: http://youtu.be/Mo9aVPFVZPQ
That's the spec as I undersand it.

Quote
So literally all that is needed on the HIPS front is setting Steam.exe to Installer/updater and for BB set Steam.exe as excluded and tick to exclude child processes. Now the only issue is AV and Firewall. I have personally never had any issues with plain AV on any games I have played, for this I'd suggest a per application approach when it is needed (which is rarely in my experience) and for Firewall I would personally suggest to do it on a per application basis but I can understand if that might not be good enough for this guide.
Yes I think for general users an Av exemption is needed. Steam service is so critical that I will exclude that as well - if you check the steam site there have been quite a lot of problems with Steam Service permissions. Maybe it does not always get trusted/admin as it needs. May depend on OS, or signing problems. No real loss from doing this I think, though I accept in principle it should not be needed. BO exemption and FW allowed/stealth ask status is needed too, as there are some incoming connections (see above). I'll redraft.

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #35 on: May 10, 2014, 10:52:24 AM »
Ok here's a proposal before we change

- If BB is on Steam and Steam Service should be excluded from BB with child exclusion
- IF HIPS is on Steam and Steam Service should be installer updaters, and if in paranoid the other executables should be at least allowed apps
- Program Files (x86)\Steam\* should be excluded from AV & made allowed for FW (There are various reports of Steam executables as well as games being detected by AV, probably heuristics, and in such a rich environment one could never know when another .exe might be added)
- for BO exclusions, which cannot be recursive, maybe we just exclude Steam\SteamApps\Common and Steam\Steam\games or maybe we just make it Program Files (x86)\steam\* for simplicity

I guess on 32 bit Steam would be in Program Files not Program Files (x86)
« Last Edit: May 10, 2014, 12:22:05 PM by mouse1 »

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #36 on: May 10, 2014, 12:14:19 PM »
- IF HIPS is on Steam and Steam Service should be excluded from BB with child exclusion, and if in paranoid the other executables should be at least allowed apps

So your HIPS settings assume the user still has BB enabled? Otherwise I don't see the relevance with excluding in BB (and you already mentioned it one line above so it's probably redundant to type it out once again since if the user has both HIPS and BB enabled they should already have done the step above and if the user doesn't have BB enabled then the BB instructions are irrelevant.. ???)
I support privacy and freedom online - eff.org

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #37 on: May 10, 2014, 12:22:42 PM »
So your HIPS settings assume the user still has BB enabled? Otherwise I don't see the relevance with excluding in BB (and you already mentioned it one line above so it's probably redundant to type it out once again since if the user has both HIPS and BB enabled they should already have done the step above and if the user doesn't have BB enabled then the BB instructions are irrelevant.. ???)


Sorry cut and paste mistake, amended

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #38 on: May 10, 2014, 12:33:03 PM »

Sorry cut and paste mistake, amended

Oh sorry didn't realize >_<
I support privacy and freedom online - eff.org

Offline Dch48

  • Comodo's Hero
  • *****
  • Posts: 2548
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #39 on: May 10, 2014, 02:25:58 PM »
I didn't know you could run the Steam executable in full screen mode. You can maximize it but that's not the same thing.
Avatar FX6327X Desktop
AMD FX-6300 6 core CPU
Sapphire R9-270X GPU
Windows 8.1 64 bit, IE11 & Outlook 2007
Comodo Internet Security 7.0 full package, MBAM on Demand

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #40 on: May 10, 2014, 04:34:07 PM »
I didn't know you could run the Steam executable in full screen mode. You can maximize it but that's not the same thing.

You can and you can't... The normal GUI no, but steam big picture mode is basically full screen steam made for the living room with controller as primary input.
I support privacy and freedom online - eff.org

Offline Dch48

  • Comodo's Hero
  • *****
  • Posts: 2548
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #41 on: May 10, 2014, 07:11:27 PM »
You can and you can't... The normal GUI no, but steam big picture mode is basically full screen steam made for the living room with controller as primary input.
I see. I haven't seen that option.
Avatar FX6327X Desktop
AMD FX-6300 6 core CPU
Sapphire R9-270X GPU
Windows 8.1 64 bit, IE11 & Outlook 2007
Comodo Internet Security 7.0 full package, MBAM on Demand

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #42 on: May 11, 2014, 03:57:04 AM »
I see. I haven't seen that option.

For me the button for it is in the upper right corner, under min/max/close buttons.
I support privacy and freedom online - eff.org

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #43 on: May 11, 2014, 04:12:17 AM »
OK revised it. Please note that AFAIK turning off the BB does not turn off BO protection.

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Re: Settings for running Steam [Draft] [v6] [v7]
« Reply #44 on: May 11, 2014, 04:25:18 AM »
I wonder if, in paranoid mode, Steam executables (aprt from Steam and Steam Service) need Windows System privs?

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek