CIS Charrette - Application System Activity Control

~ WHAT IS THIS? ~

CHARRETTE:
A charrette (pronounced [shuh-ret], often Anglicized to charette and sometimes called a design charrette) consists of an intense period of design activity. The word charrette may refer to any collaborative session in which a group of designers drafts a solution to a design problem.

PURPOSE:
This is one of a series of charrette threads that I will be making to try and create an inclusive, consistent, and polished prototype for future versions of Comodo Internet Security. I am here to fulfill your wishes! - and some of mine - in the form of jpgs and pngs - to eventually be submitted in the secret (gasp!) usability sub-forum for review by developers.

YOUR ROLE: BE CRITICAL
I’ll be looking over the wishlist for features and suggestions to incorporate in our designs, but don’t hesitate to suggest ideas here. In fact, I encourage you to suggest ideas here - otherwise it’s not a charrette. Sometimes I have specific questions. To see them, scroll down to the “Current Dilemmas” section. I also encourage you to check out the related threads listed below and support our resident wishers. Just make sure that, if your suggestion warrants its own thread, you do make a thread for it. I am not replacing the wish list.


~ APPLICATION SYSTEM ACTIVITY CONTROL ~

GENERAL GUI ENHANCEMENTS:

  • The Help button is now located correctly and space-efficiently.
  • The Application Path field can be edited on the fly.
  • The user now has the option to Copy From - a feature in the firewall that has been around for ages but never made it to Defense+.
  • Export/Import buttons allow users to export/import modular configuration files, with the ability to overwrite or append. (This allows users a more granular means of updating/restoring their configurations.)
  • Modularity is now spread across intuitive in-window elements (tabs and expandable lists), rather than across several disjointed windows.
  • Sandbox Rules, Groups, and Access Rights are now much more fluidly manageable.
  • Granularity is stepped across in-window elements to allow for novice comfort through expert control.
  • Basic switches allow novice users to abstractly tune their Application Activity Controls.
  • Drop Downs (in the Access Type lists) allow intermediate and expert users to quickly change the behavior of Defense+.
  • Expandable lists allow advanced users to create custom rules (Adv. Rules), in a format consistent with firewall rules, opening the GUI to more advanced operations than simply allowing and blocking access to a certain file.
  • The lists now have both a search and filter function by which to quickly find specific rules or simplify the view.
  • The Adv. Rules fields show as follows [ # of enabled block rules / total # of block rules : # of enabled allow rules / total # of allow rules ]. They do not count the Basic Action nor the Advanced Default Action.
  • A link at the bottom left allows the user to jump to the Network Access Control window for the application.
  • An Apply button is now included so the user can save his/her work without closing the window.
  • Element size, spacing, and visuals are polished.

BASIC SWITCHES:

  • This tab shows by default. It is for novice users and basic application-wide changes.
  • It explains concisely what the difference is between Access Rights and Protection Settings.
  • The linked policy type under Sandbox Settings takes the user to the Sandbox tab.

BASIC ACTION VS DEFAULT ACTION:

  • Default Actions (now “Adv. Default” and “Advanced Default Behavior Handling”) are rules that fire after Advanced Rules are fired, such that, if there is not already a specific policy for the access, the Default Action will be followed. This is currently how Defense+ is implemented.
  • Basic Actions fire before Advanced Rules, and thus override every rule that follows, including the Default Action. This allows a user to quickly allow or block all access attempts. This switch is integral for novice users not concerned with fine tuning Application Activity Controls.
  • Upon applying no Basic Action, the Default Action will be force activated.

TREE STYLE RULE MANAGEMENT:

  • It is important for advanced users to see the guts. The tree style list, with sequential rulesets, provides a place for change made in the drop-downs and basic switches to logically manifest. As an example, if I change the Default Action to Block, then if I look at the explicit ruleset, I should see a Block-All rule at the bottom. Transparency is key.
  • Using a sequential ruleset allows the user the same power as sequential rulesets common to firewall policies. The rules higher in the list are given higher priority.
  • Using verbal (“Block file x”), rather than group (Adding file x to a blocked files group), style rulesets, the GUI is opened up to providing more advanced variables. By example, “{ Block } access to files in path { x } if those files { have no digital signature }”
  • The list can now be sorted by clicking on the appropriate table headers. This obviously doesn’t sort rulesets, just access types by the selected manner.
  • To expand or compress the entire tree, use the expand/compress toggle in the header.
  • Checkboxes allow users to quickly enable/disable rules.
  • Changes to Basic Action and Adv. Default via drop down can be applied to multiple Access Types simultaneously by highlighting several Access Types and then using one of the drop downs in one of the highlighted Types. (Both shift and ctrl style selection should be possible you Comodo devs.)
  • The tree contains a second set of headers to sort the list within each access type.

QUICK TOGGLES:

The Advanced Ruleset list contains three quick toggles and one priority marker. Quick toggles allow the user to quickly change basic settings for a particular rule (or set of rules if multiple are selected). They are used simply with a single left click.

The priority marker lets the user know the priority of the rule even if the list is sorted in such a way that the rules are not in priority sequence. The Basic Rule is always rank 00. The Advanced Default is always rank ZZ. This naming convention allows over 1200 rules.

The first quick toggle enables or disables the rule. It is the check mark.

The second quick toggle cycles through Allow-Ask-Block and controls whether the rule allows, asks, or blocks.

The final quick toggle activates/deactivates logging.

RIGHT-CLICK & SPECIAL MENUS:

  • Right clicking on a table header will give you the following options: Sort 0-Z, Sort Z-0, Do not Sort, Columns >
  • The Columns sub menu allows users to show or hide certain columns. (In this window the only column that can be hidden is the Adv. Rules column)
  • Right clicking on the toggle-all tree toggle will give you the following options: Expand all, Compress all.
  • Right clicking on a specific Access Type will give you the following options: Add a new rule, Remove all rules, Move up, Move down, Purge invalid rules, Log all rules, Enable/Disable all rules.
  • Right clicking on a specific rule will give you the following options: Add a new rule, Edit this rule, Remove this rule, Move up, Move down, Purge this rule (only shows if the rule is invalid), Log this rule, Enable/Disable this rule.
  • The Select menu, next to the Application Path field, contains an additional option to manage file groups under Select > File Groups > Edit/ New…
  • The Select menu, next to the Application Path field, contains two additional options: to add folders recursively and non-recursively. This functionality can also be achieved by manually text-editing the path, following it with “(recursive)” or “(non-recursive)”, neither of which is case sensitive.
  • The Predefined Policy drop-down, next to the Predefined Policy radio selection, contains an additional option to manage Predefined Policies at the bottom of the list called “Edit/ New…”
  • The Copy From menu, next to the Custom Policy radio selection, contains an additional option to manage Predefined Policies under Copy From > Predefined Security Policies > Edit/ New…

ADVANCED OPERATIONS FOR RULES:

  • The following rule is possible with this kind of rule creation system: “Block and log shellcode injections into file [*\config.cfg] if the target file is located in path(s) [C:\Programs*][C:\System*]”
  • See the attached image: Adv.RuleSet.Operation.[number].png for a map of potential advanced rule operations.
  • See the attached image: Adv.RuleSet.Example.[number].png for the example rule in a more object-oriented form.

~ ADDING RULES ~

GENERAL GUI NOTES:

  • Coming Soon…

CURRENT DILEMMAS:
  • How do I maintain quick access to the sandbox (preferably via the tab) without locking sandbox settings to predefined policies? My tentative solution is as follows: For the predefined policy window (essentially identical to the windows shown), there will be a checkbox item under Basic Switches, under Sandbox Settings, as well as on the sandbox tab, that reads, “save sandbox preferences with the predefined policy.” This still, however, presents a problem of manifesting those options to the user in other windows such as the Defense+ Rules window.

WISHES PENDING:
  • Add a “never sandbox this file” option.

RELATED THREADS:


Page 2? Bah. Seeing as I’ve gotten support so far, I’m bumping this back to page one.

Remember, this isn’t just a ‘thumbs up my idea’ thread. This is a thread where I need you guys to think of things I haven’t.

Do you mean a lot of things? (Sorry, I couldn’t resist it).

The +/- to expand/contract all may not be required, as you can currently do this by clicking on the header. Although having the +/- there may make it more obvious.

Also, I think I prefer to have the option of CIS remembering the last state of the window (expanded, contracted or partial).

Otherwise - very logical and very nicely done!!

I’ll continue thinking.

Cheers,
Ewen :slight_smile:

Stickied…

If I kept the current CIS convention, then there’d be no correct way to sort the table alphabetically. Note, the little down arrow in the Access Type header.

CIS5 currently does that, doesn’t it?

I missed the down arrow - nice touch.

However, sorting and “expand/contract” are two discrete actions aren’t they? They aren’t necessarily a hand-in-glove combination.

CIS5 currently does that, doesn't it?

LOL. I worded myself poorly. :-[

CIS remembers, but I’d like the option to NOT remember and display expanded/contracted by default.

Cheers,
Ewen :slight_smile:

Exactly, which is why I’ve removed the expand/contract functionality from the various headers, and instead relegated it to a little toggle-all button on the left end of the header row. The headers don’t sort and/or expand/contract. They only sort.

Haha ohhhh. Emphasis on “option.” :wink:

I think this is a setting to show itself in another window. Like general preferences or something.

I think it would be useful to tell CIS not to log anything an application does. I currently have problems with one of my programs attempting to access memory of Comodo files being logged every once in a while. It looks like you incorporated that ability in your second picture, but I can’t tell for sure.

Also, just a secondary query. Do you think it would be useful to add information about whether the applications are in Comodo’s internal safelist? This way you know whether you’re changing settings for an absolutely trusted application or one that is unknown.

Thanks.

I’ve added a new ‘abstract’ tab for application-wide settings. So, in there is your option to manage log settings in essentially a single click. Up until this point I only had log settings manageable per rule - rather tedious. The feature was there, just not ideally implemented.

Your second idea is a must have. Thanks. I’m gonna see if I can find a good place for it.

Alright Chiron, here’s what’s going on in my head right now.

Defense+ as it is, is horribly compartmentalized.

Tackling the issue you brought up, whether an application is Unrecognized, Trusted, or Blocked, should show up in the Predefined Policy drop down. But this isn’t superficial. Defense+ would come with the three Predefined Policies in the Predefined Policies list - by default and immutable. And when a program gets added to the Unrecognized Files list, it would also automatically populate the Defense+ Rules list.

But what about unrecognized files and their relationship with the sandbox?

Well, I’m planning on adding a sandbox tab in the ASAC window with the options you’d currently find in the Add a Program to the Sandbox window.

And finally, I’m looking to redesign the “Basic Switches” tab into a Summary tab, so that you’d be able to know, at a glance, what is happening in the other tabs, abstractly. I still intend to keep the current functionality though, somehow.

Larger picture, there should probably be a column in the Defense+ Rules Tab table that says what the sandbox policy is.

And even larger picture, I’m looking for a place to put a button or command that lets you quickly toggle between the Network Access window and the System Access window for one application.

I really appreciate a lot of work done for this. Really impressive but I hope such settings windows are not default in CIS.

Most users will need simple and easily configurable settings with granular control a bit hidden for power users. KISS-- Keep it simple stupid.

I used to tweak n tweak the … HIPS rules but in the end I became tired. It was a never ending mission with each new version, new install etc. I am now using CIS in default settings with few pop up alerts and still feel comfortable.

These are not popup alerts. This is for the Application Settings.

Oh… sorry. I really mean to say settings.

Oh alright. Well. I look at it like this.

Granular control is hidden. It’s hidden in tabs, rather than in separate windows. Which I think is far more preferable.

The Basic Switches tab is the tab that shows by default, and the tab that will probably be as far as a novice user gets. I need to work on it some, but the principle is there.

Intermediate granularity is available via the additional tabs, using those drop downs to quickly allow/block/ask specific types of accesses.

Advanced granularity is available via expanding the list to view and manage explicit rule-sets.

-1
wow how complicated you want it to be… I don’t understand many things
e.g. this override rules :frowning: there are override actions in more than 3 places, wtf? what override rule will be used?
I hope almost none of these “charette” get to be applied in the future

CIS actually has many functions in a simple way to use and configure
what you are asking is to get it complicated without the need of it

I have to agree.

-1

It’s obviously not worked out quite right but, dude, calm down. You want none of it? You don’t want to be able to search, filter, or sort your rules? You want to have to backtrack through several windows to edit file groups? You want to have to delete your exclusions to set CIS to block all access (assuming you’re not juggling predefined policies)? You don’t want to be able to apply your changes without closing the window? Get a grip.

Advanced settings are complicated. Have you ever opened the access rights window? It’s nearly exactly what I’m showing. Override actions are set separately for Access Rights and Protection Settings. Asking which of those will be used, as if they can’t both be used, suggests you’re not familiar with what Access Rights and Protection Settings are. Actually, I’m under the impression you’ve never actually looked at these windows in CIS. They’re just as complicated as what I’m showing, save for the override action. So, if your one gripe is the override action, then how about, rather than wigging out, you suggest something constructive, or explain why the override is excessive?


And while there’s value to a cold-reading, you can avail yourself of the rest of the thread, so that you can engage in at least a slightly informed fashion. Cause I get the feeling some of your questions were actually answered in this very thread, before you posted. For instance…

"Granular control is hidden. It’s hidden in tabs, rather than in separate windows. Which I think is far more preferable.

The Basic Switches tab is the tab that shows by default, and the tab that will probably be as far as a novice user gets. I need to work on it some, but the principle is there.

Intermediate granularity is available via the additional tabs, using those drop downs to quickly allow/block/ask specific types of accesses.

Advanced granularity is available via expanding the list to view and manage explicit rule-sets."

Yes

What CIS version are you using? Groups are at one click from access rights in ver 5

Already done
Only need to set the firewall to custom or D+ to paranoid
Also by entering parent control password and suppressing D+ popups

I want them to apply when I click apply also

I’m using CIS for years
I’m an informatics student
Nearly exactly? It is ok but applied in the wrong way
Override rules should not be applied on a per-case basis, only on general, so about the access right windows I’m not saying it’s wrong nor ok

In more than 2 years I have never seen these windows? No comments
About improving it? I see a tab called basic switches, as I understand it’s to select the default rule to be triggered the first time? It’s meaningless, that should be removed
In access right tab
Default action or override action? What will be the one in use
It should be only one column of rules
But to add more personalization another set of rules for applications in general not in the list, I think that is what you actually wanted


It seems like you hate me only for my opposite opinion

I edit file groups rather often. Regardless, they are an advanced setting utilized in the window and so should be accessible from the window - not buried somewhere else.

Already done Only need to set the firewall to custom or D+ to paranoid Also by entering parent control password and suppressing D+ popups

I meant for one specific application.

Also, switching to paranoid does not accomplish what you’re saying it does, because paranoid mode still observes exclusions.

I want them to apply when I click apply

Do you think my current implementation doesn’t do that? What are you talking about?

Override rules should not be applied on a per-case basis, only on general

What is being sacrificed to have both general and per-case implementation?

In more than 2 years I have never seen these windows? No comments

Defense+ > Computer Security Policy > Application System Activity Control > Customize Policy > Modify Exclusions

About improving it? I see a tab called basic switches, as I understand it’s to select the default rule to be triggered the first time?

No. It’s using the term “Default action” in exactly the same sense that CIS used the term before needlessly breaking another usability convention and doing away with a contextual title in the Customize Policy window.

It’s meaningless, that should be removed

The Default Action plays a MAJOR part in CIS, right now.

In access right tab Default action or override action? What will be the one in use

Both.

Default Action fires after all other rules. Override Action fires before all other rules. The former maintains current CIS usability. The latter allows you to quickly block access.

It should be only one column of rules

It actually is, but not the way you’re looking at it.

But to add more personalization another set of rules for applications in general not in the list, I think that is what you actually wanted

Global rules do not provide the granularity. Granularity is the objective.

It seems like you hate me only for my opposite opinion

There’s a big difference between voicing concern and doing what you did. You’re not getting my sympathy and your attempt to play victim now doesn’t help.