Well, it’s unsorted. And I’ll try to avoid most evaluative ;D words.
How to make CIS look up unknown files on request only?
What does “Disk access” really mean?
Why is this shown to me both when hdparm.exe accessed my HDD with ATA commands and when I open a drive in Explorer from “My computer” in any “Browse for file…” window of any, even trusted, app?
The same for “Direct memory access”
Why is explorer.exe allowed to do this even in the “Proactive” config?
Where is direct access to the “Group” window?
How can I see “trusted vendor” certificate details?
Are these certificates even taken into account?
How can I make a rule referring to all “Trusted apps” as a group?
upd
Where can I look at the rules contained in the “Installer or updater” policy? Where is this policy at all?
How can I manually start some “document” (i.e. its associated program) in the Sandbox?
upd
What IS the REAL difference, if any, between these two HIPS settings combos?
a) [_] Enable HIPS
b) [x] Enable HIPS [x] Don’t show popups: [Allow reqs]
It would certainly be better IMO had the new Interface and Kiosk been more thoroughly checked and tested before public Beta. Quite a few long term issues also remain which is disappointing.
1. How to make CIS look up unknown files on request only?
There is no simple setting to do this; it's either off or on. You can change the firewall rules allocated by CIS to itself.
2. What does "Disk access" really mean?
Why is this shown to me both when [i]hdparm.exe[/i] accessed my HDD with ATA commands and when I open a drive [s]in [i]Explorer[/i] from "My computer"[/s] in any "Browse for file..." window of any, even trusted, app?
Please see the help file. I am not quite sure what the implication of the word "direct" used in the help file is, which I think may be what is confusing you. Any other mod know?
3. The same for "Direct memory access"
Why is [i]explorer.exe[/i] allowed to do this even in the "Proactive" config?
I think "direct" here probably means process-to-process memory access, e.g. a call not mediated by the OS. COM calls, for example, are mediated by the OS.
4. Where is direct access to the "Group" window?
There is none, but there should be IMHO. I have suggested it myself before.
5. How can I see "trusted vendor" certificate details?
You cannot in CIS, but CIS is pretty good at automatically checking these, e.g. for revocation. You can now switch off vendor trusting if you wish.
6. Are these certificates even taken into account?
Yes, it's critical, and they are checked online.
7. How can I make a rule referring to all "Trusted apps" as a group?
You cannot, which is a pity. (I think I've mentioned this before too, not sure!) One reason might be to achieve separation between HIPS and BB, but I am not sure that is compelling. You could define a group and apply the 'allowed' policy to it in HIPS, but that group would be defined and maintained by you. "Allowed" in HIPS is not the same as "Trusted" by the behavior blocker.
8. Where can I look at the rules contained in the "Installer or updater" policy? Where is this policy at all?
They run with admin privs and no restrictions. All files run by them get the same privs. The installer/updater policy stopped being user-tailorable when it became part of the way the behavior blocker worked. It would have caused too many problems if people had changed it. They could have provided an alternative editable policy for HIPS, though, I suppose.
9. How can I manually start some "document" (i.e. its associated program) in the Sandbox?
You cannot, I think, though I have not fully verified, which reminds me I must do another bug report on that (did one 3 years ago with CIS 4.00).
D+ & sandbox FAQs under D+ help board may also help. I have tried to keep them up to date with CIS 5.x, but they’ll need a lot of further updating when 6.0 is finally released.
I think direct here probably means process to process memory access
But HIPS Rule -> Access rights tab -> Interprocess Mem. Access is already here. So as a healthy-minded man I think it's exactly the thing aka "physical mem access" (to any address). But yes, it's a huge Q what this term means for Comodo devels...
but CIS is pretty good at automatically checking these, eg for revocation...
...its critical and they are checked online.
...And the one and only thing that I can do is to trust them completely, isn't it? :LOL:
But what if I'm offline for some time?
And more important -- well, I trust these vendors, I like them, I'm ready to kiss 'em everywhere etc. etc. BUT -- how can I distinguish between a legitimate "Microsoft Corp" cert and a stolen "Microsoft Corp" cert?!?
It’s a VERY strange and unintuitive separation.
Anyway (IMO) any “trusted” (for example by the who-are-all-these-folks vendor list) app is at least allowed to run until it does something “strange”, am I right? If so, stupid rules like the one for Explorer (run apps: ask, except: *) could be less stupid by replacing this with “run apps: ask, except: trusted”
OK, it’s commonly named “Absolutely Trusted”
mouse1, thanks. Hope I’ll be able to endure this “revolutionary innovative product” for a couple of weeks more.
What IS the REAL difference, if any, between these two HIPS settings combos?
a) [_] Enable HIPS
b) [x] Enable HIPS [x] Don’t show popups: [Allow reqs]
If you turn HIPS off, block rules won’t operate.
If you turn HIPS on and click don’t show pop-ups, allow requests, block rules do operate.
I think direct here probably means process to process memory access. But HIPS Rule -> Access rights tab -> Interprocess Mem. Access is already here. So as a healthy-minded man I think it's exactly the thing aka "physical mem access" (to any address). But yes, it's a huge Q what this term means for Comodo devels...
Healthy mind ... we'll see what CIS can do to fix that :)
Anyway, fair comment. I should have realized you didn’t mean interprocess accesses. Here’s the help file:
Interprocess Memory Access - Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording your keyboard strokes; modifying the behavior of the invaded application; stealing confidential data by sending confidential information from one process to another process etc. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take the identity of the invaded process, or ‘impersonate’ the application under attack. This makes life harder for traditional virus scanning software and intrusion-detection systems. Leave this box checked and Defense+ alerts you when an application attempts to modify the memory space allocated to another application (Default = Enabled).
Physical Memory: Monitors your computer’s memory for direct access by applications and processes. Malicious programs attempt to access physical memory to run a wide range of exploits - the most famous being the ‘Buffer Overflow’ exploit. Buffer overruns occur when an interface designed to store a certain amount of data at a specific address in memory allows a malicious process to supply too much data to that address. This overwrites its internal structures and can be used by malware to force the system to execute its code (Default = Enabled).
but CIS is pretty good at automatically checking these, eg for revocation...
...it's critical and they are checked online... And the one and only thing that I can do is to trust them completely, isn't it? :LOL:
But what if I'm offline for some time?
I'm not sure, sorry.
And more important -- well, I trust these vendors, I like them, I'm ready to kiss 'em everywhere etc. etc. BUT -- how can I distinguish between a legitimate "Microsoft Corp" cert and a stolen "Microsoft Corp" cert?!?
Well, I guess you mean fraudulently used. Revocation is your best guarantee. Companies revoke certs when informed that they are being misused. Comodo is quite cautious about what Cos it puts on the TVL. Also, in CIS 6.0 you can now choose not to trust vendors, if you wish.
Many strange distinctions turn out to be fossils
Anyway (IMO) any "trusted" (for example by the who-are-all-these-folks vendor list) app is at least allowed to run until it does something "strange", am I right? If so, stupid rules like the one for Explorer (run apps: ask, except: *) could be less stupid by replacing this with "run apps: ask, except: trusted"
Not sure what you mean here.
They run with admin privs and no restrictions. All files run by them get the same privs. OK, it's commonly named "Absolutely Trusted"
Yup
[b]mouse1[/b], thanks. Hope I'll be able to endure this "revolutionary innovative product" for a couple of weeks more.
We hope for you to endure the revolutions long enough to dizzy that healthy mind.... :)
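The "stolen cert" and "what if I'm offline" questions above come down to one check: was the signer's certificate chain actually validated against the CA's revocation data, or did the check silently fall back to "unknown"? The following PowerShell script is an added example (not from this thread and not Comodo's code) showing how Windows itself reports that difference for a signed file. It assumes notepad.exe under System32 as a sample signed file; any other path can be passed with -Path.

```powershell
# Added example: inspect a file's Authenticode signer and validate its chain with
# ONLINE revocation checking, then say whether a revocation answer was really obtained.
# Assumption: the sample file is a Microsoft-signed system binary (notepad.exe).
param([string]$Path = "$env:SystemRoot\System32\notepad.exe")

$X509 = 'System.Security.Cryptography.X509Certificates'

# Step 1: read the embedded Authenticode signature (Valid / NotSigned / HashMismatch ...).
$sig = Get-AuthenticodeSignature -FilePath $Path
"File             : $Path"
"Signature status : $($sig.Status)"
if (-not $sig.SignerCertificate) { "No signer certificate present."; return }
"Signer subject   : $($sig.SignerCertificate.Subject)"
"Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"

# Step 2: rebuild the chain and force online revocation checks for every certificate in it.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [type]"$X509.X509RevocationMode" | ForEach-Object { $_::Online }
$chain.ChainPolicy.RevocationFlag = [type]"$X509.X509RevocationFlag" | ForEach-Object { $_::EntireChain }
$chain.ChainPolicy.VerificationFlags = [type]"$X509.X509VerificationFlags" | ForEach-Object { $_::NoFlag }
$built = $chain.Build($sig.SignerCertificate)
"Chain builds     : $built"

# Step 3: OR every element's status flags together and print them for the reader.
$flagsType = [type]"$X509.X509ChainStatusFlags"
$combined = 0
foreach ($s in $chain.ChainStatus) {
    "Chain status     : $($s.Status) - $($s.StatusInformation.Trim())"
    $combined = $combined -bor [int]$s.Status
}

function Test-Flag([int]$value, [string]$name) {
    return (($value -band [int]($flagsType::$name)) -ne 0)
}

# Step 4: the verdict. "Not revoked" is only meaningful when the CA was actually asked;
# RevocationStatusUnknown / OfflineRevocation mean the answer is missing, not "good".
if (Test-Flag $combined 'Revoked') {
    "Verdict          : certificate REVOKED - the signer identity is no longer trustworthy"
} elseif ((Test-Flag $combined 'RevocationStatusUnknown') -or (Test-Flag $combined 'OfflineRevocation')) {
    "Verdict          : revocation could NOT be checked (offline or CA unreachable) - trust is unconfirmed"
} elseif ($built -and $sig.Status -eq 'Valid') {
    "Verdict          : signature valid and revocation confirmed online"
} else {
    "Verdict          : chain or signature invalid"
}
```

Save it as Check-Signer.ps1 and run it once while online and once with the network disconnected: the signature itself stays "Valid" both times, but the chain status gains RevocationStatusUnknown/OfflineRevocation in the offline run, which is the state a "trust the vendor" decision should not be built on.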