Application-specific 'Blocked Files/Folders' - (now with feature testing!)

Hi,

I was hoping someone may be able to confirm for me that the ‘blocked files/folders’ when applied to an explicitly listed application (e.g. Windows Explorer) works?
i.e if you follow a procedure such as the following:

  • in the Defense+ section of CIS, select ‘Advanced’ from the left
  • click ‘Computer Security Policy’
  • Select a program (e.g. ‘%windir%\explorer.exe’), and click ‘edit’ on the right
  • Select ‘Use a Custom Policy’
  • Click ‘Access Rights’
  • Next to ‘Protected Files/Folders’ click ‘Modify’
  • Click the ‘Blocked Files/Folders’ tab
  • Add a path to it (e.g. C:\Temp*) (Click ‘Add’, ‘Browse’ and navigate to and select ‘C:\Temp’ - which will result in C:\Temp* being added to the blocked list)
  • Confirm that C:\Temp* has indeed been added to the list
  • Hit ‘Ok’, then ‘Apply’, then ‘Apply’, then ‘Apply’ to apply the rule changes
  • Use windows explorer (i.e. explorer.exe) to browse to C:\Temp, copy and paste files, etc. - if the Defense+ setting is working in the way I understand it should, then you should not be able to copy, paste, browse it, etc

Note that I have tried the above procedure also with cmd.exe (C:\Windows\system32\cmd.exe) and found that unhappily, I could still browse the C:\Temp folder.

I am using Windows 7 Professional 32-bit; running Avast and ThreatFire; and if I use the ordinary system-wide ‘My Blocked Files’ it works exactly as expected.

It’d be great if others on a similar (and different) OS version could give this a shot and see what they find. I don’t really want to lodge a bug if it isn’t one.

Note that this question derives from an earlier question, which led me to wonder if this functionality actually worked:
https://forums.comodo.com/defense-sandbox-help-cis/limit-read-access-to-particular-files-to-only-certain-programs-using-defense-t59220.0.html
and someone else’s question, which led me to a similar question:
https://forums.comodo.com/defense-sandbox-help-cis/limit-read-access-to-particular-files-to-only-certain-programs-using-defense-t59220.0.html

Cheers.

Edit: I have reproduced these results on a second system with a fresh Windows 7 Pro and CIS install, using C:\Windows\system32\notepad.exe as the editor.
Having re-run the tests using a different program (Notepad++) to conduct the edits, the behaviour is entirely as expected (save questionable terminology oddities). These are at the far far bottom after the other tables, etc.

In an attempt to work out exactly how CIS functions with regard to the ‘blocked files/folders’ file list under ‘Protected Files/Folders’, I conducted a few tests. Below, I will describe the tests, and what I observed.

If you want to skip to just a table of results, it is at the bottom.

Note:
System is Windows 7 Pro x86 with CIS 4.1.150349.920, also running Avast Antivirus Free and ThreatFire.
Defense+ is set to ‘Safe’ mode; ‘Trust the applications digitally signed by Trusted Software Vendors’ was checked - all others on the ‘general settings’ were not. All checkboxes in ‘monitoring settings’ were checked. The relevant application (notepad.exe) was not specifically listed in My Own Safe Files. Sandbox was disabled.

  • I created a folder C:\Temp\test_CIS and in this folder I placed a file called ‘test.txt’
  • I created a new Computer Security Policy for C:\Windows\system32\notepad.exe (Defense+, Advanced, Computer Security Policy, Add), and under Access Rights for this entry I checked that the default action was ‘Ask’ for all access rights (i.e. Run an executable, Interprocess Memory Accesses, etc.)
  • I opened the ‘C:\Temp\test_CIS\test.txt’ file in notepad, and could edit and save it with no problems (as expected - there is no security in place yet)
  • I added ‘C:\Temp\test_CIS*’ to the ‘My Protected Files’ list (Common Tasks/My Protected Files)
  • I opened ‘C:\Temp\test_CIS\test.txt’ in notepad and could edit and save it without being asked by Comodo if this was allowable (this was not what I had expected - since the entirety of the 'C:\Temp\test_CIS' directory was in the ‘My Protected Files’ list, and notepad.exe was set to ‘Ask’ for ‘Protected Files/Folders’ in Process Access Rights i.e. Defense+, Advanced, Computer Security Policy, C:\Windows\System32\notepad.exe, Access Rights)
  • To ensure this was not simply a mask problem in ‘My Protected Files’, I modified the entry in ‘My Protected Files’ from ‘C:\Temp\test_CIS*’ to ‘C:\Temp\test_CIS\test.txt’ - the specific file name of the file I was editing
  • Again, I opened ‘C:\Temp\test_CIS\test.txt’ in notepad and could edit and save it without confirmation from Comodo. Again, not what I expected.
  • Leaving ‘C:\Temp\test_CIS\test.txt’ in the ‘My Protected Files’ list, I opened the application-specific rights for notepad.exe again, and next to ‘Protected Files/Folders’ selected ‘Modify’. In ‘Blocked Files/Folders’ I added ‘C:\Temp\test_CIS\test.txt’, clicked ‘Ok’, ‘Apply’, ‘Apply’, ‘Apply’ to apply the rule changes
  • I opened ‘C:\Temp\test_CIS\test.txt’ in notepad, edited and tried to save it and was prevented from saving it. This was the behaviour I expected (i.e. I was not Asked if the protected file could be edited; rather it was simply blocked)
  • I then went back to the ‘My Protected Files’ list and modified ‘C:\Temp\test_CIS\test.txt’ back to ‘C:\Temp\test_CIS*’
  • I opened ‘C:\Temp\test_CIS\test.txt’ in notepad, edited and tried to save it and was prevented from saving it as with when the file ‘C:\Temp\test_CIS\test.txt’ was explicitly in both ‘My Protected Files’ and the application specific ‘Blocked files/folders’ list
  • I opened the application-specific rights for notepad.exe again, and next to ‘Protected Files/Folders’ selected ‘Modify’. In ‘Blocked Files/Folders’ modified ‘C:\Temp\test_CIS\test.txt’ to ‘C:\Temp\test_CIS*’, clicked ‘Ok’, ‘Apply’, ‘Apply’, ‘Apply’ to apply the rule changes
  • Tried to edit again with notepad, blocked
  • I opened ‘My Protected Files’ and removed ‘C:\Temp\test_CIS*’ and clicked ‘Apply’
  • Opened ‘C:\Temp\test_CIS\test.txt’, modified, and saved without any query
  • I opened the application-specific rights for notepad.exe again, and next to ‘Protected Files/Folders’ selected ‘Modify’. In ‘Blocked Files/Folders’ I removed ‘C:\Temp\test_CIS*’, clicked ‘Ok’. Then I changed the ‘Protected Files/Folders’ default action to ‘Block’. Then clicked ‘Apply’, ‘Apply’, ‘Apply’ to apply the rule changes
  • I opened ‘C:\Temp\test_CIS\test.txt’ in notepad and was prevented from saving it.

I also did some more stuff (following in the same thread) but frankly writing it all down step by step became cumbersome. I probably should have created a video instead. Anyway, full results are tabled below.

Table 1: When application-specific ‘Protected Files/Folders’ setting was ‘Ask’ (i.e. Defense+, Advanced, Computer Security Policy, ‘C:\Windows\System32\notepad.exe’, Access Rights, Protected Files/Folders = ‘Ask’)
                                                         | File in ‘My Protected Files’ | File not in ‘My Protected Files’
File in application-specific ‘Blocked Files/Folders*’    | x                            | o
File not in application-specific ‘Blocked Files/Folders’ | o                            | o

x = could not save to file
o = could save to file
bold = an unexpected (by me) result

  • This is the ‘Blocked Files/Folders’ tab after clicking ‘Modify’ next to the above-mentioned ‘Protected Files/Folders’ setting for the specific application
  • In no case did CIS prompt for whether to allow notepad.exe to write to the file

Table 2: When application-specific ‘Protected Files/Folders’ setting was ‘Block’ (i.e. Defense+, Advanced, Computer Security Policy, ‘C:\Windows\System32\notepad.exe’, Access Rights, Protected Files/Folders = ‘Block’)
                                                         | File in ‘My Protected Files’ | File not in ‘My Protected Files’
File in application-specific ‘Blocked Files/Folders’     | x                            | o
File not in application-specific ‘Blocked Files/Folders’ | x                            | o

x = could not save to file
o = could save to file

Table 3: When application-specific ‘Protected Files/Folders’ setting was ‘Allow’ (i.e. Defense+, Advanced, Computer Security Policy, ‘C:\Windows\System32\notepad.exe’, Access Rights, Protected Files/Folders = ‘Allow’)
                                                         | File in ‘My Protected Files’ | File not in ‘My Protected Files’
File in application-specific ‘Blocked Files/Folders’     | x                            | o
File not in application-specific ‘Blocked Files/Folders’ | o                            | o

x = could not save to file
o = could save to file

Summary

  1. The ‘My Protected Files’ did not behave as the documentation would suggest. In order for the file to be protected at all, it needs to be in both the ‘My Protected Files’ and the application-specific ‘Blocked Files/Folders’ OR in the ‘My Protected Files’ list and have the application-specific ‘Protected Files/Folders’ set to ‘Block’
  2. The ‘Ask’ option in the ‘Protected Files/Folders’ didn’t appear to do anything.

Comments
This behaviour seems somewhat bizarre to me. I had expected:

  1. That having the file (C:\Temp\test_CIS\test.txt) in the ‘My Protected Files’ list would have protected the file for all applications (including notepad.exe) unless the application-specific setting for ‘Protected Files/Folders’ was ‘Allow’ or the file was contained in the application-specific list for ‘Allowed Files/Folders’.
  2. That when the file was in ‘My Protected Files’ and the application-specific ‘Protected Files/Folders’ was set to ‘Ask’, CIS would have asked me if the application (notepad.exe) should be allowed to write to the file.
  3. That having the file in the application-specific ‘Blocked Files/Folders’ would have protected the file from writing, irrespective of whether the file was in the general ‘My Protected Files’ list.

Caveats
It is possible that some other part of my computer security policy gave additional privileges to notepad.exe (although having checked the computer security policy list, nothing appears as if it should have). Nonetheless, even if another rule did give additional privileges to notepad.exe, I would expect that the most specific (i.e. the application-specific rule naming the program by full path) would override the other settings.
Also, having ‘Trust the applications digitally signed by Trusted Software Vendors’ may have led to the application being trusted beyond the explicit rules I set. Once again, I would expect that explicit rules would override any other trust-level settings.

Part 2: repeated using notepad++ rather than c:\windows\system32\notepad.exe
Table 1: When application-specific ‘Protected Files/Folders’ setting was ‘Ask’ (i.e. Defense+, Advanced, Computer Security Policy, ‘C:\Users\xyz\Desktop\Notepad++ Portable\App\Notepad++.exe’, Access Rights, Protected Files/Folders = ‘Ask’)
                                                         | File in ‘My Protected Files’ | File not in ‘My Protected Files’
File in application-specific ‘Blocked Files/Folders*’    | x                            | x
File not in application-specific ‘Blocked Files/Folders’ | y                            | o

x = could not save to file
y = prompted by CIS (a program is trying to write to a protected file)
o = could save to file

  • This is the ‘Blocked Files/Folders’ tab after clicking ‘Modify’ next to the above-mentioned ‘Protected Files/Folders’ setting for the specific application

Table 2: When application-specific ‘Protected Files/Folders’ setting was ‘Block’ (i.e. Defense+, Advanced, Computer Security Policy, ‘C:\Users\xyz\Desktop\Notepad++ Portable\App\Notepad++.exe’, Access Rights, Protected Files/Folders = ‘Block’)
                                                         | File in ‘My Protected Files’ | File not in ‘My Protected Files’
File in application-specific ‘Blocked Files/Folders’     | x                            | x
File not in application-specific ‘Blocked Files/Folders’ | x                            | o

x = could not save to file
o = could save to file

Table 3: When application-specific ‘Protected Files/Folders’ setting was ‘Allow’ (i.e. Defense+, Advanced, Computer Security Policy, ‘C:\Users\xyz\Desktop\Notepad++ Portable\App\Notepad++.exe’, Access Rights, Protected Files/Folders = ‘Allow’)
                                                         | File in ‘My Protected Files’ | File not in ‘My Protected Files’
File in application-specific ‘Blocked Files/Folders’     | x                            | x
File not in application-specific ‘Blocked Files/Folders’ | o                            | o

x = could not save to file
o = could save to file

Summary
The ‘My Protected Files’ and application-specific ‘Blocked Files/Folders’ behave pretty much exactly as expected for notepad++.exe

Comments
It seems that my earlier results with notepad.exe are a bit odd. I’ll continue to explore why notepad.exe produced different results. The fact that the application-specific ‘Blocked Files/Folders’ settings applied to notepad.exe do not seem to have any effect unless the entries are also in ‘My Protected Files’ still strikes me as odd. Whatever other rules may be in place, I would have expected that specific rules applied to the program would have overridden any other settings, trust levels, etc.
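The post's test matrix was filled in by hand: reconfigure the rules, try to save the file in the editor, note x/o/y. The following is an added example (not from the post or from Comodo) of a small harness that automates only the "try to write to the file" step and tabulates the outcome in the same x/o notation, so that the 2x2 tables above can be regenerated consistently for each rule configuration. It assumes the target path from the post (C:\Temp\test_CIS\test.txt, overridable on the command line) and a `pause` callback that lets the operator change the rules between cells; the rule changes themselves remain manual. One caveat that follows from the post's own observation that rules are keyed on the application: the write is performed by whatever process runs this script (the Python interpreter), so the application-specific rule under test must name that executable, not notepad.exe, for the probe to be meaningful.

```python
"""Write-probe harness for a per-application file-protection rule.
Added example, not part of the forum post. Outcome codes follow the post:
'o' = write succeeded, 'x' = write denied, 'e:<errno>' = other error
(for instance a missing directory), which must not be mistaken for a block."""
import os
import sys
import tempfile


def probe_write(path, payload=b"probe\n"):
    """Append payload to path as the current process and classify the result."""
    try:
        with open(path, "ab") as fh:
            fh.write(payload)
        return "o"
    except PermissionError:
        return "x"
    except OSError as exc:
        return "e:%d" % exc.errno


def run_matrix(path, rows, columns, pause=None):
    """Probe one cell per (row, column) configuration.
    pause(message), if given, is called before each cell so the operator can
    put the HIPS rules into that configuration (e.g. add/remove the path in
    'My Protected Files' and in the application-specific 'Blocked Files/Folders')."""
    results = {}
    for row in rows:
        for col in columns:
            if pause is not None:
                pause("Configure rules for: %s / %s, then press Enter" % (row, col))
            results[(row, col)] = probe_write(path)
    return results


def format_matrix(title, rows, columns, results):
    """Render the results as an aligned plain-text table in the post's layout."""
    width = max(len(r) for r in rows)
    lines = [title, " " * width + " | " + " | ".join(columns)]
    for row in rows:
        cells = [results.get((row, col), "?").ljust(len(col)) for col in columns]
        lines.append(row.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


def self_check():
    """Exercise the harness on a scratch file with no protection rule in place
    (constructed input). Every cell should read 'o', and a path under a
    non-existent directory should be reported as an error rather than 'x'."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "test.txt")
        open(target, "wb").close()
        rows = ["in Blocked Files/Folders", "not in Blocked Files/Folders"]
        cols = ["in My Protected Files", "not in My Protected Files"]
        results = run_matrix(target, rows, cols)
        missing = probe_write(os.path.join(tmp, "no_such_dir", "test.txt"))
    return results, missing


if __name__ == "__main__":
    # Path from the post; pass another path as the first argument to override.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Temp\test_CIS\test.txt"
    rows = ["File in app-specific 'Blocked Files/Folders'",
            "File not in app-specific 'Blocked Files/Folders'"]
    cols = ["File in 'My Protected Files'", "File not in 'My Protected Files'"]
    res = run_matrix(target, rows, cols, pause=lambda msg: input(msg + "\n"))
    print(format_matrix("Write probe results for %s" % target, rows, cols, res))
```

Run it once per 'Protected Files/Folders' setting (Ask, Block, Allow) to reproduce the three tables; a 'y' (prompted) outcome cannot be detected from inside the probing process, so a CIS prompt still has to be noted by the operator.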