Big security risk due to lack of CIS self-defense

It seems the following global solution works and solves the problem.
The first tests look promising with:

HIPS:On with SafeMode with modified predefined “All Applications” rule with:
Access Rights → Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys

Results:

C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox /f
ERROR: Access is denied.

I’m testing it further.

Again, you are trying to protect it from yourself. There is no point in this, unless you consider the person on the other side of the keyboard to be an idiot >:-D

The commands from the keyboard were only for test purposes.
I think you have not read the content of the discussion. It is not about access to the registry from the keyboard but about access to the CIS config for thousands of applications recognized as trusted. I prefer to be sure I have protected the CIS settings and not only to believe that they are safe.

But if you want, ok, I can describe an example attack using a .reg file, which disarms CIS:
Our hypothetical victim is the average computer user.
She uses a computer for browsing the internet, shopping and payments.
She does not know about computers.
She has CIS installed with default settings by her friend’s son.
One day she gets an email “Hi, look so funny pic haha!” with an attachment containing a .reg file used to disarm CIS.
Windows by default hides file extensions, and to confuse her the name of this .reg file is set to Funny Photo.
She opens it, CIS completely stops protecting her computer and she does not even know it.
She then gets a second email, this time with a real Trojan attached.
CIS no longer protects her computer, so she runs the Trojan without any problem.
The Trojan turns on her webcam and the perverted hacker films her naked in the evening dancing in front of the mirror.
In the morning comes the third email with the information “pay $1000, because if not this movie will go to the net.”
The lady pays.
And John from the Comodo forum still tells her that she is really safe :P

hmm
I do not want to be a monster, but it seems to me that in this scenario the woman would be protected if she did not have Comodo at all, but only the usual Windows Defender, which cannot be turned off by a .reg file and which would not allow the Trojan to run.

I can understand the intention of bazolo, which is similar to the security precautions of large companies that use hackers to detect security holes. But I will link once more to this report:

[QUOTE]https://avlab.pl/en/comodo-security-were-difficult-overcome-even-hackers-cia

No antivirus has perfect security, it is impossible to protect against all and everything, but for the security professionals from the CIA, Comodo has proven to be particularly difficult to overcome.
[/quote]
Note: the “not” was corrected by me!

And I will say once more what I posted some time ago:
My nephew, who is responsible for IT security in a system-relevant company, uses Comodo for himself.
Perhaps it may be that you are actually protecting yourself.

Some Internet users are proud to need no protection but brain 2.0 or a later version. :o

Comodo (or whatever) + another AV that goes hand in hand with it + brain 2.4 -----> good protection, which for my part means:

comodo + malwarebytes + sometimes checking the computer with tdsskiller.exe and adwcleaner + brain 2.x or later.

Nowadays everyone who uses the internet should know about the dangers, just as I do when I use a car. That doesn’t mean I have to be an IT specialist, but I have to be careful, and I have been telling children that for a long time already.

What you’re doing certainly needs some knowledge, and therefore I don’t know if that may happen in reality (in the PC world) or only on your computer.

I furthermore trust in comodo + … and it’s been good so far.

Decent hackers, on the other hand, are really important for security.

Bazolo, I now see where your concern is coming from. I see it as a security risk, though not a big one, and one that has not been seen in the wild.

I have sent a pm to umesh informing him about the scenario and this topic.

Great :-TU. EricJH, prodex and all other interlocutors, thank you for the lively discussion.

Thank you for persevering with your point of view.

How do you know that Defender protects its registry keys against user actions? Does it also protect itself against changes to the registry made by trusted applications?

Thanks, will get back on it.

That’s a point. I sometimes get no good feeling if I install (albeit very, very rarely these days) programs which I do not quite trust because they are not so clearly trustworthy (but not therefore dangerous, e.g. CCleaner and so on).

I do not know what they are really doing on my PC. When the message appears, “do you allow the program to make changes to your registry”, then I have a bad or undefined (because of my lack of knowledge) feeling. No security program can protect me from my own decision. But umesh’s signature:

We can’t stop malware entering the user’s PC, but we render it useless when it enters the PC: Welcome to Comodo’s Default Deny innovation.

Windows Defender protects its own registry keys.
I have attached screenshots.

But even if Windows Defender could be blocked, Windows Notifications would signal an alarm that the security is inactive.
And in the case of my attack, Windows Notifications is also fooled.

That’s right, and that’s why the CIS settings not only should be, but MUST be specially protected.
Usually hackers do not reveal their secrets, but I use CIS myself, so I also want to be protected :wink: :-X

I could change protected registry keys.

What does “protected objects” mean when I can change them? Can any program or any hacker do this, or is it as Eric wrote:

[QUOTE]… not a big one and one that has not been seen in the wild.
[/quote]
What have I done wrong, or what don’t I understand? It seems to be a piece of cake to change that. Or is it that Comodo detects when someone/any program tries to manipulate my computer? Then I am NOT a hacker to my PC or to Comodo :-\ and so Comodo does not have to protect me from myself - is that so?

The default CIS config has HIPS disabled, but even if you enable HIPS you can still change these protected keys, because regedit is just a Trusted app.
To patch it, try the following in HIPS Rules:

HIPS:On with SafeMode with modified predefined "All Applications" rule with:
Access Rights -> Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys

Blocking Important Keys for all trusted applications will crash the system.
But you can block Important Keys for selected trusted apps (for example for regedit) by making rules in HIPS.
The main protection of these keys is the administrator permission required by the application that wants to modify them.
Note: COMODO Keys != Important Keys, but Important Keys include some of the COMODO Keys.
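As an added example, not posted by any participant in this thread: a PowerShell probe that reports whether the current process can open a registry key for write access, without deleting or writing anything. The CIS path is the one from the reg delete test at the top of the thread; the Windows Defender path is the standard HKLM\SOFTWARE\Microsoft\Windows Defender key, included so the two products' keys can be compared from the same elevated prompt. Both paths, and whatever results they give, are assumptions about a particular install, not claims from the thread.

```powershell
# Added example (not from the thread). Probes whether this process can open
# registry keys for WRITE access. The key is only opened and closed; nothing
# in it is changed. Run once before and once after applying the HIPS rule.

# Assumed paths: the CIS key from the reg delete test above, and the
# standard Windows Defender key for comparison.
$probes = @(
    'SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox',
    'SOFTWARE\Microsoft\Windows Defender'
)

function Test-RegKeyWritable {
    param([Parameter(Mandatory)][string]$SubKey)

    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    try {
        # Second argument $true asks for write access. OpenSubKey returns
        # $null if the key does not exist and throws if access is refused.
        $key = $hklm.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'missing' }
        $key.Close()
        return 'writable'
    }
    catch [System.Security.SecurityException] {
        return 'denied'
    }
    catch [System.UnauthorizedAccessException] {
        return 'denied'
    }
}

# Record whether the prompt is elevated; a non-elevated 'denied' says
# nothing about self-protection, only about normal admin ACLs.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host ("Running elevated: {0}" -f $isAdmin)
foreach ($p in $probes) {
    $result = Test-RegKeyWritable -SubKey $p
    Write-Host ("HKLM\{0}`n  -> {1}" -f $p, $result)
}
```

Read 'denied' from an elevated prompt as the result the rule above is meant to produce for a trusted process. Read 'writable' with care: it only means the open-for-write succeeded, and a HIPS driver may still refuse the actual value write or key deletion. To confirm the rule end to end, follow up with the reg delete test from the top of the thread, against a key you can afford to lose.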

Thank you!
I did it for trying, only.

Oops, it just seems to me that I have found a new security risk area, this time related to the firewall. If my fears are confirmed, I will start a new thread.

Regedit is trusted, but unknown programs cannot start trusted applications without notifying the user (when using HIPS only). Luring an unsuspecting user into opening Regedit to make changes to the registry is an unrealistic scenario, so I see no need to patch the rule for regedit.

Yes, it’s clear.

But this patch is to protect the COMODO Keys against all trusted apps, not only regedit.
This patch also protects against the attack I described earlier:

HIPS:On with SafeMode with modified predefined "All Applications" rule with:
Access Rights -> Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys

That’s sometimes the problem, or my problem. Should I or shouldn’t I, when Comodo says:

“xxxx is a known program but yyyy is unknown. If it is your program you use you can allow it.
But in case you have any doubts, block it” which is what I do, then.

If I have even a little doubt I cancel it, even if it is e.g. cmd, which is known to me but mentioned by Comodo as unknown, and I think Comodo knows what I don’t know might happen in the background.

A) If you don’t trust the certificates then disable the option to use them.

B) Malware can bypass software based protection modules. There is no point in attempting to create a software based self-defence system because if your system can become infected in the first place, then you are potentially ■■■■■■■ anyway.

C) Nothing you have shown above seems to be a bypass. You are just disabling settings and complaining that you are able to be attacked… because you just DISABLED the settings. That’s like locking your car but leaving the windows open and complaining that things got stolen. It’s not the car’s fault you kept the windows open.

The only thing I would point out is that in a perfect world the file reputation system would provide instant analysis, so that you do not have to wait if certificate checking is disabled.

AD A) Blocking certificates would become a nightmare. Then Safe Mode would become Paranoid Mode, and that is not a solution, because a whole life would be spent only on defining endless (often uncertain) rules. But you cannot trust the certificates endlessly; rather you should use the method of limited trust, with the additional lines of defense that I am proposing.

AD B) Bypassing one of the program modules does not mean winning the battle; when the others are active they can win the fight with the attacker, but you want to give everything away in a walkover at once.

AD C) So write, for example, to Microsoft or Avira or others, because they do block access to their own settings. Convince them that what they do is nonsense.

I’m sorry, I do not have time to repeat the same thing over and over again. I work a lot.
Comodo’s bosses have decided it is a threat; convince them now, not me.