Comodo comes supplied with a incredibly vast list of “pre-approved” certificates, this means that any software listed with these certificates will be considered ‘Trusted’ and as a consequence will bypass a lot of your HIPS settings.
When it comes to the Windows operating system, or Comodo, this is most likely a good thing, as you’d run into a lot of issues were it not the case.
However; As the list is so vast, it would be very beneficial to know exactly which certificate is tied to which approved applications, so it would be possible to remove as many pre approved certificates as possible without negatively affecting the performance of the operating system, or Comodors behaviour within it.
It also seems that, even with the “file Rating settings” options “Rate applications according to their vendor rating”, the applications on the Trusted list will be ‘added’ as trusted, or is this a bug in my installation?
For example: “InfDefaultInstall.exe” was rated as Trusted yesterday, according to Comodo. Despite the fact that I haven’t set it to be so, nor did I get any HIPS popups for this application, even though HIPS was set to Paranoid. The only tie to certificate from this File list is the “Company”, which unfortuantely means that it will be one of about 200 different “Microsoft Corporation” certificates that are pre-approved.
This false belief that just because an application is Signed by a “known certificate” it can be trusted is a falacy that has been proved again and again, most recently with the latest Solarwinds attack.
As such, I would ask for Comodo to review their “Vendor List” and possibly split it in two – one for JUST Comodo and/or Microsoft Operating System certificates and one for the rest, in addition to the aforementioned “link” being displayed from the File List to the Vendor List.
I absolutely agree. It was suggested in the above linked topic the creation of a ‘Light Trusted Vendor List’ with just enough for the OS to work properly and allowing users to choose between ‘Full TVL’ or ‘Light TVL’. I also created a Wish request for ability to Import/Export the Vendor List as txt Document as it will improve convenience when a user modifies the Vendor List.
Microsoft signed executables are hardcoded to be rated as Trusted by CIS, since V12 at least. Mods or devs can confirm.
You are right, Comodo should supply its userbase with better/easier ways to customize/modify the Vendor List and File Rating component behavior…
a) Upon installation, CIS scanned the PC for a list of installed software and prompted the user with a suggestion of what vendors to trust, allowing them to un-trust any they desire. This would be a lot easier than browsing through the list of 1,000 or so vendors manually.
b) Upon installing something new that is potentially a trusted vendor, CIS asked the user to add it to the list of enabled trusted vendors, or not.