Hello,
I’m not filing a bug report for 3 reasons:
- first, I use an old version of Comodo (3.5.54375.427), because I’m afraid of having to recreate all my rules…
- second, if it is a bug it might have been corrected in newer versions (I would like a link to a changelog covering all versions so that I could see what has been corrected)
- third, it might not be a bug but a feature (apps running as NT AUTHORITY\SYSTEM might be given some rights automatically, since they can’t be started under this account unless the system is already compromised)
My config:
Windows XP SP3
Comodo 3.5 in Paranoid mode
What happens:
If I run an application under the NT AUTHORITY\SYSTEM account, this app can do “direct disk access” and “protected COM-privileges access” without any warning from CIS.
However, this app will trigger an alert when “modifying a protected file”, “modifying a protected registry key” or “starting a driver”.
But the same programs will normally trigger the alerts for “direct disk access” and “protected COM-privileges access” if run under the admin account…
I couldn’t test other CIS alerts since I don’t have programs that trigger them.
How to test that yourself:
If someone wants to test (most probably under a current version of CIS):
you can use DiskView from Sysinternals/Microsoft (http://download.sysinternals.com/Files/DiskView.zip), which does “direct disk access” when refreshing its view,
and Process Explorer from Sysinternals/Microsoft (http://download.sysinternals.com/Files/ProcessExplorer.zip), which does “modify protected file”, “modify protected registry key”, “start a driver” and “protected COM-privileges access”.
Since these 2 apps are from Sysinternals/Microsoft and are signed, you should not have “trust applications digitally signed” by Sysinternals/Microsoft enabled, or you will get no alert at all!
You’ll also need to start these applications under the NT AUTHORITY\SYSTEM account:
Personally, I use NtWrapperLite from duodata: duodata.de
If you run Vista/7 you may need to read this page: duodata.de to have the app started by NtWrapperLite run interactively (with a GUI).
A simpler alternative may be to start these applications through the Task Scheduler; see here: http://security.fnal.gov/cookbook/LocalSystem.html
Thanks for any response.
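As an added example (not part of the original post, and not from Comodo, Sysinternals or duodata), the following PowerShell script implements the Task Scheduler alternative mentioned above: it registers a task that runs as SYSTEM, starts it immediately, and then checks the owner of the resulting process with WMI, so that any CIS alerts you observe (or fail to observe) are known to come from a SYSTEM-context process rather than an ordinary admin one. The tool path and task name are assumptions; run it from an administrator console. The `/it` switch and the `schtasks` syntax are those of the XP-era `schtasks.exe`.

```powershell
# Added example, not part of the original post.
# Launches a test program as NT AUTHORITY\SYSTEM through the Task Scheduler
# (the alternative to NtWrapperLite mentioned in the post) and confirms the
# process owner, so the HIPS alerts you then watch for really concern a
# SYSTEM process. Run from an administrator console.

function Start-AsSystem {
    param(
        [string]$ToolPath = "C:\Tools\DiskView.exe",   # assumed path, adjust to your copy
        [string]$TaskName = "HipsCoverageTest"           # assumed task name
    )

    $exeName = [System.IO.Path]::GetFileName($ToolPath)

    # Remove any leftover task with the same name, then register a task that
    # runs as SYSTEM. /sc onstart needs no start time; /run fires it now.
    # /it requests an interactive session so the tool's window is visible on XP.
    schtasks /delete /tn $TaskName /f 2>$null | Out-Null
    schtasks /create /tn $TaskName /tr "`"$ToolPath`"" /sc onstart /ru "SYSTEM" /it | Out-Null
    schtasks /run /tn $TaskName | Out-Null
    Start-Sleep -Seconds 5

    # Confirm the owner via WMI; anything other than NT AUTHORITY\SYSTEM means
    # the run would only exercise the ordinary admin-context alerts.
    $results = @()
    foreach ($p in Get-WmiObject Win32_Process -Filter "Name = '$exeName'") {
        $owner = $p.GetOwner()
        $results += New-Object PSObject -Property @{
            Pid   = $p.ProcessId
            Owner = "{0}\{1}" -f $owner.Domain, $owner.User
        }
    }

    # The task is only needed to launch the process; drop it afterwards so it
    # does not run again at the next boot.
    schtasks /delete /tn $TaskName /f | Out-Null
    return $results
}

Start-AsSystem | Format-Table -AutoSize
```

Once the table shows the process running as NT AUTHORITY\SYSTEM, use the tool (refresh DiskView, open a driver or registry view in Process Explorer) and note which CIS alerts appear, then repeat the same actions from a normal admin session for comparison. On Vista and later, session 0 isolation keeps a SYSTEM process's window off the interactive desktop, which is the same limitation the post mentions for NtWrapperLite.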