Add ability to exclude trusted installer privileges for apps/groups [M1388]

1. What actually happened or you saw:
Some programs are rated “Trusted/Installer” and all their child processes are running without restrictions. While the rating is sometimes correct, these privileges are granted to applications like:

  • TCMADMIN.EXE (Total Commander Administrator Tool)
  • GoogleChromePortable.exe (the launcher of PortableApps)
  • Any trusted file bigger than 40 MB
    etc.

It is very important to suppress these privileges.

2. What you wanted to happen or see:
It would be useful to have such options:

  • checkbox “Detect trusted installers” (should be enabled by default)
  • link “Exclusions”

When the checkbox is unchecked:
Applications with rating “Trusted/Installer” shall not be granted privileges “Installer or Updater” automatically. These privileges can be granted only by HIPS rule.

When the checkbox is checked:
Applications with rating “Trusted/Installer” are running with privileges “Installer or Updater” (as usual)

Applications and groups defined in the exclusion window shall not be accorded privileges “Installer or Updater” automatically, regardless of the checkbox.

N.B. When an application is excluded, that means it shall be controlled by HIPS and by Auto-Sandbox as a usual application (not an installer). The files created by it shall not be added to “Trusted” automatically.

3. Why you think it is desirable:
It can solve severe security problems (Comodo Forum).

The available option “Detect programs which require elevated privileges” is not enough; disabling this option doesn’t lead to HIPS control.

4. Any other information:
There is a workaround to suppress installer privileges for version 7 that does not apply to version 8 (described formerly here: Comodo Forum).
Screenshot that might aid for a visual perspective: Comodo Forum


If I remember correctly, there is a similar feature in File Rating.
Is this wish request necessary if the mentioned security problems are fixed?

Thank you.

Hello qmarius

With the feature in “File Rating”, it is only possible to disable adding installed files to trusted, for any installer.

With the feature in “Sandbox Options”, it is only possible to disable the exclusion of installers’ child processes from sandboxing, for any installer.

And there is no option to disable the exclusion of installers’ child processes from HIPS.

I propose an option to fully disable all installer privileges for selected groups of installers.
Only for automatically detected installers.
When a program has the HIPS rule “Installer or Updater”, it should be granted all installer privileges, regardless of the proposed option.

The security problems are not fixed.

Thanks.

I’ve made some edits. Do these modifications reflect your wish request?

Thank you.

Yes, they are.
Thank you very much for correcting!

Thank you for submitting this Wish Request. I have now moved this to the WAITING AREA.

Please be sure to vote for your own wish, and for any other wishes you also support. It is also worthwhile to vote against wishes you think would be a waste of resources, as implementing those may slow down the wishes you would really like to see added.

Thanks again.

+1. Excellent idea!

Voted Yes, this is absolutely needed in CIS

I thought it would be more suitable to place this option to “File Rating” control panel.


I agree. Usually it’s the general idea that gets approved or not. With that in mind, I’ve generalized your wish request a little bit more.
Also, I’ve added your new screenshot.

Thanks.

15 points are reached!

Thanks to everyone who has responded to this proposal.

+1. Now 16.

I would like to thank everyone who has voted on this particular enhancement. As this wish has accumulated the necessary 15 points I have added this to the tracker for consideration by the devs. However, do note that even though this wish will be considered by the devs, it does not necessarily mean that it will be implemented. I will update this topic when I have any additional information.

Thank you.