Most intriguing reply, thank you for the explanation.
You say it works without D+? I ask since I had it disabled.
Wildcards, I just fell off my chair now! ;D Why do I need that? Isn’t that permissive/default allow?
One thing I can’t picture correctly: I take your word for it that it was allowed since it was explorer (it was). But this just complicated things in my head.
For instance, I use SSM free since I can lock things down with “disconnect UI” (and this setting alone can block things allowed in ‘connected UI’ mode). I can then let people use my computer, knowing they can’t use IE7, tamper with some things, or execute anything new. All this silently. Comodo, as it is, will allow people to bypass my rules as long as they use explorer. While I know such people shouldn’t use my computer, I think nevertheless this is not an ideal solution.
What about public computers, other situations where this is needed?
In these cases, this means more trouble configuring it. Is there a setting then so I can be alerted whenever any allowed application is changed, explorer or no explorer? Is it the default action, allow/ask/block? (and then I have to answer for all files…)
I’m really confused, thinking about all possibilities. I realize I could be resisting change pure and simple. But I don’t think so, I think I’m resisting complication.
Here’s a scenario: suppose something filters the activity reported in the file system (rootkit). CFP has no way of telling something changed. I know this is already a compromised system, but D+ is really advanced to this paranoid point (any advanced HIPS is).
It gets complicated when a process’s permission to change “protected files” already bypasses the firewall’s rules (or user-intended rules). It takes an advanced user (really advanced lol) to keep up.
The firewall part (the part I want) only looks for the application name, but does not ask about its integrity. Dazed and confused
Also, pretty much any program that interacts with explorer can potentially do it also (I’m not thinking about the firewall rules’ consequences when allowing an app to modify explorer or something - this is a snowball effect).
One would additionally gain from the clear separation of firewall rules and file permissions (with hash check). And if I can’t/won’t use file permissions, or there is a bug in it, I’m naked.
Can’t you put in the option to use hashes? SHA-1 as the minimum these days (I think). Go ahead and make a warning that I can’t use wildcards. I don’t want them :-\
Please reply addressing my concerns (here or PM), by correcting me or acknowledging.
The following paragraph can actually complicate things; take it as just another idea in the pot to refine and discuss. I do not expect it to be practical nor ideal.
It (the hash) can also serve as an extra check for D+ itself: as D+ allows modifications based on its rules, it would recalculate the hash to check integrity as they are executed or used, independently of firewall-allowed programs. Then, if a previously firewall-allowed app tries to access after modification, there would be a prompt that notifies that and describes it as an allowed D+ event with the description (a log of the event, with something like ‘explorer has rights’ etc.), or, if it doesn’t match the D+ hash from previous allowed actions, ‘this is potentially dangerous, as D+ didn’t allow such change’ etc.
end of madness episode ;D
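The difference the post is getting at, a rule that matches only the application's name (or a wildcard) versus one pinned to the binary's hash, as an added example in Python. This is not Comodo's code or rule format; the rule dicts, the `decide()` outcomes and the files written to a temp directory are all constructed for the demo, and it uses SHA-256 rather than the SHA-1 the post mentions, since SHA-1 is no longer collision-resistant.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch


def sha256_file(path):
    """Hash the executable's contents (what a hash-pinned rule would store)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(rule, exe_path):
    """Decide on a connection from exe_path under one constructed rule.

    rule = {"pattern": <name or wildcard>, "sha256": <hex or None>}.
    Returns 'block' (name does not match), 'allow' (matches, and either no
    hash is pinned or the hash still matches) or 'prompt' (name matches but
    the binary changed since the hash was pinned: the alert the post asks for).
    """
    if not fnmatch(os.path.basename(exe_path).lower(), rule["pattern"].lower()):
        return "block"
    if rule.get("sha256") is None:
        return "allow"  # name-only rule: no integrity check at all
    return "allow" if sha256_file(exe_path) == rule["sha256"] else "prompt"


def demo():
    """Show name-only and hash-pinned rules reacting to a modified binary."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "explorer.exe")
        with open(exe, "wb") as f:
            f.write(b"constructed original explorer bytes")
        name_rule = {"pattern": "explorer*", "sha256": None}   # wildcard, no hash
        hash_rule = {"pattern": "explorer.exe", "sha256": sha256_file(exe)}
        results = {"orig_name": decide(name_rule, exe),
                   "orig_hash": decide(hash_rule, exe)}
        # The allowed binary is modified in place; its path and name are unchanged.
        with open(exe, "wb") as f:
            f.write(b"constructed modified explorer bytes")
        results["mod_name"] = decide(name_rule, exe)
        results["mod_hash"] = decide(hash_rule, exe)
        # Any other file fitting the wildcard is accepted by the name-only rule.
        other = os.path.join(d, "explorer_helper.exe")
        with open(other, "wb") as f:
            f.write(b"constructed unrelated program")
        results["other_name"] = decide(name_rule, other)
        results["other_hash"] = decide(hash_rule, other)
        return results
```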