Anti-executable configuration for v5.3


Attempted to adapt “Configuring Defense+ for min alerts & good security under admin account” for my Win 7x64 system but failed dismally when I couldn’t reboot correctly - got back to the desktop okay after a long, long time, but it looked like HIPS was overwhelmed by the intervention role I’d obviously given it.

Abandoned that idea and tried the anti-executable guidance in;msg423361#msg423361

This refers to CIS v4.1 but I assumed it could work in v5.3 too?

I activated a fresh ruleset and copied all the steps to the letter… The result was another avalanche of prompts for every simple action - blocking most of them didn’t stop me eventually doing what I wanted ??? - opening progs and files/writing/saving etc - but I didn’t fancy trying a reboot if so many intervention prompts would fire when I couldn’t get to them.

On checking Defense+'s, every process and app in my whitelist had created new rules full of Allow modifications, mainly for access rights to Protected Registry keys and COM interfaces. That’s when I wondered if maybe I should’ve deleted all Defense+'s default Protected Registry Keys & Protected COM Interfaces? Same for Protected Files and Folders? I left all these in place too ;D

It may be that all the extra prompts are evidence of sneaky exploits living happily under my usual radars - either way I don’t want to give up, so would appreciate any help to adapt the anti-executable configuration for use in version 5.3.

The Defense+ event log during my 45 min attempt to run Defense+ as anti-executable shows I dealt manually with 312 alerts:

92 Modify File
182 Modify Key
7 Install Hook
6 Access COM Interface
13 Access Memory
5 Direct Keyboard Access
6 DNS/RPC Client Access
1 Direct Monitor Access

No expert, but they all seem to be routine actions by system processes and the whitelist apps. So, I’m hoping the answer is having to remove the protected keys etc from this config, right?

Cheers :slight_smile:

Without digging into the two tutorials you have been using, it sounds like you are using D+ in Paranoid Mode, as you are getting an overload of alerts.

What’s keeping you from running default Proactive Security settings?


Sorry about delay in reply.

Can’t help futtering with Comodo ;D I see a challenge and want to learn.

There again, relying on default settings I get this out of the blue… :-\

Mind you, Comodo didn’t shut down far as I could see. I guess I’ll just keep messing till something breaks or I figure the mysteries out. >:-D

[attachment deleted by admin]

Did you report this bug?

Yup. Email was automatic.

And in my defence, I hadn’t been messing. But I had just run AccessChk at command prompt, so don’t know if that unsettled something.

Like I said, tho, Comodo didn’t shut down, whatever the pop-up said. Reassuring ;D

If you look at step #9 in the guide, you’ll see that most of the items you listed shouldn’t be monitored by CIS.