Add support for automatic rules inheritance

Note: Before continuing reading, please log in so that you gain access to this post attachments.
I’ll start with a concrete example of situation for the firewall component, which implementing requires automatic rule(s) inheritance. A similar scenario for Defense+ can be conceived as well.
Let’s consider an application (Application A) that behaves like this:
Application A -Creates and starts windows service B
-Launches- Application C -may launch- Application D}
-may launch- Application E} // depends on user actions
-may launch- Application F}
-may launch- Application G}

Also we have these constraints to deal with:

  • Application A is a single executable which when would run for the first time, it will unpack some files, create and start windows service B and launch application C;
  • The rest of the applications will unpack some files as well, when launched from application C for the first time;
  • Most of executable files are stored in folders which names cannot be determined before unpacking;
  • The user desires that all of the applications and the windows service as well, to have no network connection simultaneously, without even running application A once;
  • All the applications and the windows service, except application A are already classified by Comodo and are, by default, allowed to connect to the Internet.

Consequences of the lack of this feature for the above scenario
Is clear that setting up Comodo Firewall according the above scenario is very difficult without setting some or all firewall rule(s) for application A to be inherited by any potential child processes or applications automatically.
So far, the only solutions are:

  • stopping of all network traffic, but this works only for the firewall component, obviously and is a completely manual action;
  • running application A from the example, sand boxed as partially limited, but this may have undesired side effects.
    Even if you block an application from connecting to the Internet through Firewall Tasks, the child application(s) / process(es) would still be able to connect if they could connect when launched directly and not by the blocked application.

Implementation suggestions
a. at Application / HIPS individual rule level
It is the best choice and works like this:

  • the user would begin creating a new application / HIPS rule;
  • for the predefined rule sets, the automatic inheritance should not be permitted for security reasons;
  • if the user doesn’t choose a predefined rule set and builds a custom one, it should behave like this:
  1. For applications rules (firewall component rules) - on each individual rule creation and editing window there should be a check box called something like “Make this rule inheritable” that should make that rule to be inherited by the child process, “grandson” process and so on, of the application for which that rule is defined. For security reasons, permissive rules (rules with allow action) should not be permitted to be inheritable.
  2. For HIPS rules, for each individual application, there should be added an additional column called something like “Make inheritable” in the HIPS rule table, containing a check box on each row, for every access right and protection setting, which, if a certain check box is checked, would make the corresponding access right or protection setting, of an application to be inherited by the child process, the “grandson” process and so on, of that application. Permissive access rights (access rights with allow action) and inactive protection settings shouldn’t be permitted to be inheritable.

b. at sandbox level
Considering the restrictions inheriting nature of Comodo Internet security’s sandbox, on which, for every sand boxed application A that launches application B, the application B is also sand boxed with same restrictions, the possibility of creating custom sandbox restriction levels may also do the trick, but this is good only for very experienced users.

c. at Firewall tasks application blocking level
When the user chooses to block a certain application from establishing network connections, it should have the possibility to propagate that block to the child processes, “grandson” processes and so on, of that application. Works only for firewall component, but is the easiest to implement, also is enough to comply with the scenario provided above.

Note: Words in italic describes GUI elements that have screenshots attached to this post.

[attachment deleted by admin]