1. What actually happened or you saw:
Currently, applications from “trust vendors” or “allowed and recognized applications” will run without any warning from CIS, even with the HIPS enabled. An observation already made by some users is that malware and adware applications that use valid signatures will run without warning / alert. When the HIPS option “create rules for trusted applications” is enabled, a trusted application will have the trusted ruleset applied to it, which gives the application the right to run other applications, regardless of classification (file rating).
2. What you wanted to happen or see:
Add an option in the HIPS settings to create an allowed rule for trusted files. The allowed ruleset does not allow an application to run other applications.
3. Why you think it is desirable:
Whether by error or a security issue on the internet, comodo of practicality, files recognized as “applications allowed” or “trust vendors” (malware and adware toolbars using valid digital signatures) will have their execution deliberately permitted by Comodo Internet Security. Then …
4. Any other information:
Attachment “image” shows that this would be an option disabled by default. After all, the company did not want to lose users for this reason.
Another viable solution appears to be more acceptable. It would add an extra option in HIPS Rules, “Add trust files” (do a check of the files in your database file trust, trust vendor and add applications on HIPS Rules); see attachment “imagem4”. In the advanced settings the user should have the option to choose which ruleset he/she wants applied to trusted applications (i.e. trusted or allowed).
Quote below added to exemplify my suggestion
C:\windows\*
C:\Users\*
Are configured to be treated as allowed video applications shows the default settings of the CIS and the changes suggested
Let me see if I understand: you want an option for HIPS that instructs it to monitor ALL files, both unknown AND trusted? If yes, this sounds like Paranoid mode, which is already present in HIPS. Is there anything specific with Paranoid mode that doesn’t live up to the wish you’ve made?
Paranoid mode ignores the trusted files list, TVL and whitelisted files. It goes based solely on HIPS rules, so if there is no rule it will alert you, which is what it sounds like you want. Maybe add more details so we can understand better.
I posted a video. It may facilitate the understanding; notice in the video that “allowed applications” will run normally. It will only be asked when they attempt to access other executables. Trojans, exploits … open safe applications; often the CIS alerts us in some cases.
I think I finally understand this wish. It’s a very interesting concept. Would you want this enabled by default?
Yup! But not only that.
Also to mark the option to ignore the signed and Allow software. The installer does a search online or in the local database and sends them to the rules of the HIPS module as applications using the default security policy “Allow application”.
By checking the, in addition to ignoring the VTL, the CIS would make a search for signed applications or those considered safe and send everyone to “HIPS Rules” and treat them as “allow application” (see attachment).