A few questions about Defense+

i have a few questions about comodo’s defense+ that i’m sure the experts here will be able to answer. i have proactice security and paranoid mode on.

why is defense+ learning at system startup even in paranoid mode? it did this for multiple items, but one specific item i remember is its learning of services.exe making changes to the registry. paranoid mode states that “every action that is not listed in the policy is alerted to the user”. if this is the case, then why is any learning at all going on? i did not give any permission for defense+ to learn anything. by the way, the learning is not happening only for windows system applications. i see it happening even for programs i installed personally. after the learning has taken place, an entry labeled “Custom policy” appears under “Computer Security Policy”. is this a potential weakness in defense+ that it automatically learns potentially dangerous actions and allows them without first consulting the user?

secondly, why is comodo detecting “modify the user interface” and “execute” (dll files) even when all boxes under the “monitor settings” tab of “defense+ settings” are unchecked? unchecking all the boxes means i wish to disable all protection. yet, if the two above activities are being detected, then clearly, not all protection has been disabled.

finally, when programs change, why doesn’t comodo re-issue its alerts? for example, i had a program that i updated, installing a new version over an old version. this should have changed the program’s .exe file. yet, defense+ did not issue any alerts to ascertain whether i still wanted to keep in place a rule that was created when the old version of the .exe file first ran. if this is the case, couldn’t a malicious program simply change or replace an .exe file without making comodo suspicious?

Windows system applications are in the policy and therefore allowed. They are allowed to call executables like f.e. services.exe. Please take a look at the Custom Settings of services.exe. I think most things will a allowed except for a few really important settings.

the learning is not happening only for windows system applications. i see it happening even for programs i installed personally. after the learning has taken place, an entry labeled "Custom policy" appears under "Computer Security Policy". is this a potential weakness in defense+ that it automatically learns potentially dangerous actions and allows them without first consulting the user?
Can you provide us with examples of programs? I am not quite sure about the boot behaviour and new files. I will ask the other mods.
secondly, why is comodo detecting "modify the user interface" and "execute" (dll files) even when all boxes under the "monitor settings" tab of "defense+ settings" are unchecked? unchecking all the boxes means i wish to disable all protection. yet, if the two above activities are being detected, then clearly, not all protection has been disabled.
It should not give the "modify the user interface" alert according to the help file:
If you disable monitoring of an activity, entity or object using this interface it will completely switch off monitoring of that activity on a global basis - effectively creating a universal 'Allow' rule for that activity . This 'Allow' setting will over-rule any policy specific 'Block' or 'Ask' setting for that activity that you may have selected using the 'Access Rights' and 'Protection Settings' interface.
May be your configuration is corrupted? Is this a clean or upgrade install? From what version were the updates made?

The alert for dll’s does not reside under the Monitor Settings. What program did give the dll alert? Rundll32.exe? Another program?

finally, when programs change, why doesn't comodo re-issue its alerts? for example, i had a program that i updated, installing a new version over an old version. this should have changed the program's .exe file. yet, defense+ did not issue any alerts to ascertain whether i still wanted to keep in place a rule that was created when the old version of the .exe file first ran. if this is the case, couldn't a malicious program simply change or replace an .exe file without making comodo suspicious?
First of all you would have allowed the malicious program in the first place. Comodo would have alerted you here. The reason you didn't see the alert for the update of the program is most likely that you changed to Installation Mode. Comodo does indeed not perform a hash check like Zone Alarm Free does.

However Comodo would have alerted you when the software was about to change the other program in the first place. Comodo will catch the intruder right before the act and not after the act like Zone Alarm. Only a user mistake or a bug with CIS would leave the change unnoticed.

To see if your configuration is corrupted you can import a back up profile from the installation folder of CIS and try.

so if a windows system application calls an executable, is it normal for the executable to have even higher privileges than the windows system application that called it? for clarification, i deleted services.exe from my Computer Security Policy. as soon as i rebooted, an entry appeared at the bottom of my Computer Security Policy for services.exe. the label on it was “Custom policy”.

i think i owe you specific examples of entries that mysteriously appeared with “Custom policy” labels. they include: smss.exe, winlogon.exe, lsass.exe, services.exe, svchost.exe. these are clearly all windows system applications. but here is the strange part: immediately after installing comodo and rebooting, i deleted every single rule from my Computer Security Policy, including these files i just listed. this means that they could not have been labelled Windows System Applications because i specifically forbade Comodo from doing so by deleting the rules that had automatically given them that label. in other words, i want more control over some of my system applications, so i deliberately choose NOT to label them system applications, but to apply my own rules instead.

but this is not all. to ensure that a glitch did not force the labelling of such entries as Windows System Applications while still showing me the false label of “Custom policy”, i even changed the Windows System Application predefined policy to have more restrictions. for example, i forbade programs labelled Windows System Applications from loading device drivers, from changing my custom defined protected registry keys, from accessing my keyboard, and a few other actions. what this means is that these programs could not possibly have been allowed by virtue of being labeled “Windows System Applications”.

there is even more proof that this is true. if i go into the rules for these programs (e.g. smss.exe, winlogon.exe, etc) i find that, among other actions, they are actually ALLOWED to access my keyboard. i specifically forbade windows sytem applications from accessing my keyboard! and remember, i have paranoid mode set! what this means is that when certain applications are run, they are automatically given the label of “Custom Policy” and through this label, they are given permissions that i would never allow them to have. but how does comodo know what programs to give such permissions without asking me? it certainly doesn’t create an overly lenient “Custom Policy” for every single application i run. it only does it for certain ones. doesn’t this mean that comodo has a whitelist of programs that i am not allowed to access? i don’t want to use any whitelist. i know what programs to block and which ones to allow, and i want 100% control.

there are also examples of non system applications that are mysteriously given this overly lenient “Custom Policy” at startup. one such example is daemon.exe, from the program daemon tools. daemon.exe is given permissions that i do not want it to have, and comodo isn’t so much as popping up an alert to tell me about this. please ask the mod about this very important question! i think there is a whitelist being used.

strange, because even with all the boxes under the “Monitor Settings” tab of the “Defense+ Settings” section unchecked, i am still getting this alert. if the “modify the user interface” alert cannot be disabled under “Monitor Settings”, then how can i disable it? the setting must be somewhere. i admit i’m not very good at looking in help files for information, but i do try, and i have tried in this case, but i can’t find it :slight_smile:

what you say is true. but sometimes, a user might wish to reduce their protection slightly in exchange for less popups. as you know, it can be frustrating to have to click on so many. using a computer should not be a chore, even if one is concerned about security :slight_smile: a hash check would give users such freedom. perhaps i should suggest this as a feature for a future version of comodo?

this way, even if i turn off the alert when the software is about to change an allowed program, the hash check will still catch the dangerous action. this would have the desired effect of containing the dangerous action while also reducing the number of questions the user is asked.

it’s unlikely my configuraiton is corrupted, because this is a clean install of comodo. the only version i have ever installed on this computer is the latest version.

if the alert for dll’s does not reside under the Monitor Settings, where does it reside? if it’s under “Image Control Execution Settings”, i have it set to aggressive mode. the only “files to check”, however, are .bat and .com files, not .dll files. while all “Monitor Settings” boxes are checked, Defense+ asks me for every dll file that rundll32.exe tries to execute.

update: i think i found the right setting. is it under “Run an executable” of the process access rights under predefined security policies?

I think you have to take into consideration that the core windows executables, such as services.exe etc. are considered ‘safe’ applications and are defined on the CIS safe list.

The containers you see under Computer Security are just that, containers. They are just place holders for applications with similar requirements.

is there no way to turn off the CIS safe list? any installer can install a driver through services.exe, for example. it is important to find out what is behind the driver. i don’t just want to blindly trust a system application. the COM protection for preventing malware from using system applications to install their own drivers potentially has a weakness (see egeman’s post on page 2):

https://forums.comodo.com/leak_testingattacksvulnerability_research/rootkitdriver_install_not_intercepted-t25663.0.html

by the way, not all of the applications that comodo created custom rules for without my permission were core windows executables; far from it. the only thing these applications seemed to have in common is that they all ran at system startup. but if this is the sole defining characteristic of the whitelist, then it takes away a lot of control from users.

That post is more than a year old, so it’s completely invalid.

Anything that attempts to install something else via a ‘system’ application/service will be seen by D+ and you will get appropriate alerts.

well, the only reason i posted that was because egeman never came back with results. in any case, what do you mean by “appropriate alerts”? registry protection? because that’s different than the device driver filter alerting the user. the same is true for protected files/folders. besides, this post here shows that a lot is being missed by the device driver filter:

https://forums.comodo.com/defense_help/defense_fails_to_stop_driver_loading-t43955.0.html

notwithstanding this, do you happen to know about what causes the “modify the user interface” alert i described in the first post?

Quill meant that D+ will warn you when services.exe gets called. So, you are in the position to deny services.exe to run.

As with regards to your remark about making of rules you did not allow by CIS on boot up the following; so eloquently said by moderator Ronny: “It will “auto” learn all things that could possibly cause a system startup to fail/hang/lock logon etc, services.exe is a good example of that,”

Here are two observations from other mods regarding behaviour in Paranoid Mode
By Ronny:

It will "auto" learn all things that could possibly cause a system startup to fail/hang/lock logon etc, services.exe is a good example of that, just put on balloon messages and see what happens... And i run a tuned ProActive/Paranoid on my Win7 and it happens here also.
If you set Show Balloon messages (and your system to autologon, fastest) it will show you some "autolearn" messages even in Paranoid mode. I did not test to see if "Block if GUI is closed" would change this...
By Quill:
When I did this experiment (deleted all D+ rules and restarted) on choosing restart I was prompted for explorer.exe and csrss.exe. on startup I go a prompt for smlogsvc.exe, svchost.exe. userinit.exe and spoolsv.exe.

In addition to these prompts CIS allows for the creation of policies for winlogon.exe, smss.exe.lsass.exe and services.exe. That’s it.

I assume that if I had some applications set for automatic start, they too would have generated alerts.

CIS is only requesting access to what absolutely must have privileges for the system to function correctly, anything else is acted upon as it comes into play.

“Block if GUI is closed”? I can actually look into this. This must have been an older version of Defense+, because this exact setting can’t be found in the latest version of Defense+. The closest one would be “Block all the unknown requests if the application is closed”. I will test this myself. However, I think the overwriting of rules is due either to a bug or a whitelist, because if I remember correctly, Comodo was already running at the time Defense+ showed those autolearn messages. The autolearn went on for quite some time even when my system had nearly finished loading all the stuff from the system tray. Until I test this option, I cannot say for sure what’s going on. Thanks for pointing this out, EricJH.

Comodo only overwrites custom rules when they are under the All applications group in the Computer Security Policy. To make sure this doesn’t happen you can drag the application until they are above the standard groups.

In Paranoid mode however I think rules for new applications will be put above the standard groups anyway. If that is not the case then there may be something not quite right with your installation.

The quickest way to determine the latter is to import the back up profile of Proactive Security from the CIS installation folder (COMODO - Proactive Security.cfg). Give it a new name like Proactive Test or so and activate it. Now see what happens.

I erased all the groups as soon as Comodo finished installing. There currently are no groups at all in my rules. All new applications exist in one big list. How are these groupless applications treated?

UPDATE: “Block all the unknown requests if the application is closed” seems to prevent anything from being added as a custom policy; even system applications, and even syntpenh.exe. Furthermore, it also seems to prevent rules from being overwritten. I consider this issue resolved for now. I haven’t seen any new items being added to the list without prompting me now that I have unchecked the box that Ronny suggested, but I will report back if I do. :slight_smile:

We were all wrong. It seems only Ronny knew about this box. For those who said that “critical system applications” are automatically added for you, please reconsider :). Delete all rules form your list, and uncheck that box, then try again.

By the way, thanks for your help too EricJH. I would never have found that quotation by myself. :slight_smile: