Application Training [CFP]

Not sure if it’s right to post this under Bug Reports. I just don’t get it sometimes. My Defense+ is in “Train with Safe” mode. I have the “C:\Windows\Explorer.exe” listed in My Safe Files. I’ve also defined it as a Trusted Application. But now it keeps alerting me every time I try to run some application not already listed in explorer.exe’s Access Rights, even safe ones. The screenshot is attached.

Doesn’t it contradict the logic of the “Train with Safe” mode? Shouldn’t Comodo automatically assume the “Allow this request” answer here (learn the safe application’s action)? Or am I missing something?

I’m running CFP on Windows XP Professional SP2.

[attachment deleted by admin]

Despite the fact that both applications are Comodo Safe… explorer.exe still needs authorisation to run XLView.exe. You could set explorer.exe to allow ALL executions. But, I wouldn’t recommend that… this would probably be the first alert you’d see if something unexpected attempted to run via explorer.exe (the user’s primary app launcher). In addition… just because the applications involved are Safe, it doesn’t necessarily follow that Safe App A should be allowed to run Safe App B just because they are “Safe” themselves.

I don’t think it needs an explicit authorization in Train with Safe mode. All the applications in explorer.exe’s “Access Rights - Run an executable - Allow” list got there without my approval, I just launched them and Comodo allowed it automatically. Until it just stopped doing that for some reason.

So, I reinstalled CFP, placed the Defense+ into Train with Safe Mode, and defined explorer.exe as My Safe File again. I can now launch any safe application (whether it is in Comodo’s safe list or My Safe files list) without alerts. They automatically get listed in explorer.exe’s Access Rights, and the balloon message says explorer.exe’s behavior is learned.

But not with XLView.exe (it is the Microsoft Office Excel Viewer 2003). When I try to execute this application, I still get the same alert.

Same happens with Comodo’s own installer. When I try to launch it, a Defense+ alert pops up asking me to approve the launch of the safe application by the safe application (screenshot attached). At the same time, another installer (that I put in My Safe Files list) is launched without any alerts.

So, here’s the way to reproduce the issue:

  1. Put Defense+ into Train with Safe mode. Make sure the Image Execution Control is not disabled.

  2. Go to Defense+ - Advanced - Computer Security Policy. Remove explorer.exe from the list of applications.

  3. Go to Defense+ - Common Tasks - My Own Safe Files. Select Add - Browse running processes. Choose explorer.exe.

  4. Open My Computer / Explorer. Go to C:\Windows. Execute notepad.exe. A balloon message should appear saying explorer.exe’s behaviour is learned. In Defense+ - Advanced - Computer Security Policy - explorer.exe - Access Rights - Run an executable - Modify…, a “C:\Windows\notepad.exe” entry is now present.

  5. In My Computer / Explorer browse to the folder containing the Comodo installation executable (CFP_Setup_3.0.14.273_XP_Vista_x32.exe). Execute it. The Defense+ alert is triggered.

In both cases the same safe application (explorer.exe) executes another safe application. With one of them the behavior is learned. With another one it is not.

[attachment deleted by admin]