Clean PC mode

Hi,

I have two hard drives on my system, only one has an operating system. I recently formatted my C drive and reinstalled everything and ran Defense+ in Clean PC mode.

Does Defense+ see both my hard drives as clean? If so, can I set it to only view the C drive as clean and treat the D drive differently?
Surely people who have more than one hard drive, i.e. the second for storage etc., only format the drive where the OS will go.

Hi JolietJake - Clean PC mode just assumes that the software on your PC is not malware. This generates fewer alerts and allows CFP to learn the normal operations that you routinely perform. If you don’t think that your D: drive holds any viruses etc. you can leave it in that mode.

I thought it might be like this. Do you not think it would be good if you could trust one drive but not another?

Don’t know whether it’s good or not, but you can’t do that in Clean PC mode. Still, it can be done, you just have to switch to Train with Safe Mode (or even Paranoid Mode, for more control) and create certain rules. Here’s the idea:

What we try to do here is make Defense+ trust every application located on drive C: and not trust applications located somewhere else, right? Well, to do so, you’ll have to define a “trusted” security policy and apply it to everything in “C:*”. In Defense+ / Advanced / Predefined Security Policies add a new one, name it (for example, “Totally Trusted Stuff”), go to Access Rights, set everything you can to Allow. For the “Run an executable” option go to Modify…, and in the list of Allowed applications add an entry comprising all application on drive C: (click Add / Browse…, write “C:*” in the “Add new item” field, press “+”, then “Apply”).

You now have to apply this policy to all the executables on your trusted drive C:. Go to Defense+ / Advanced / Computer Security Policy, and create a rule. For Application Path click Select / Browse…, write “C:*”, press Enter. In “Use a Predefined Policy” select the “Totally Trusted Stuff” policy you just created. Apply. Put this new rule on top of the list, and delete everything else (except the groups initially created by Comodo - Windows System Applications, Windows Updater Applications, COMODO Firewall Pro). Apply and switch to Train with Safe Mode.

From now on every application on drive C: (whether Comodo considers them safe or not) will have the access rights of a trusted application, having access to protected files, registry keys, etc., and also being able to launch other applications on drive C: without any alerts. Applications anywhere else will be considered trusted if they are part of Comodo’s safe list, and will trigger alerts otherwise. Applications on drive C: that try to execute applications on drive D: or anywhere else will trigger alerts too, unless the latter are in Comodo’s safe list. You could also switch to Paranoid Mode to ignore Comodo’s safe list and have more control over what’s going on outside C:.

Take notice, though, that the whole idea of trusting C: completely is far from perfect. Within the mentioned policy, every new application introduced to drive C: automatically becomes trusted, so you have to be very careful about that.

Particularly the trojans or worms that might install themselves on your C: drive. I can’t see the virtue of removing all protection against potential malware that might appear on your C: drive in the future. Since viruses and rootkits generally install files in the %systemroot% directory - usually C:\Windows\system32\ - telling Defense+ that the C: drive is OK defeats the purpose of Defense+. As for not trusting the D: drive - that can be done using similar measures to those described by MaratR, except the policies would be for untrusted applications and applied to the D: drive. Is there a particular purpose to doing this? The purpose would inform the way any rules would be written.

Yeah, I download freebie apps and save them to my D drive to try them out. Instead of untrusting the whole D drive would it make more sense to lower the level of trust for a freebie I was going to install?

You can’t set the trust level for individual programs. The only thing that would help that way is to set your Defense+ Settings mode to Paranoid when you do your installs. You should also go to Defense+ > Advanced > Defense+ Settings and check all of the boxes for items to monitor. If you run in Clean PC mode most of the time, CFP learns the allowed actions, and the learned permitted actions still happen in Paranoid Mode, so when you switch to that mode there are not a lot of pop-ups from the known safe stuff. Thus, the stuff on your C: drive which has been used or is known from the database of safe software will not generate new pop-ups, but every action of the newly-installed software will generate alerts and requests for permission. This is useless when you are installing, because even safe programs create directories and alter the registry and so on. You would have to be more knowledgeable than me to be able to tell the difference from the alerts. One thing that has worked to prevent installing malware for me is BOClean (also from Comodo, also free). It monitors the processes in memory that are started by the install and can spot malware when it loads - the usual encryption/compression types of signature fuzzing don’t work, since the process in memory can’t be disguised that way. If you install CFP and BOC, you will have to tell BOC to ignore CFP, since CFP watches for programs that monitor CFP processes and generates alerts. I don’t think that it is an actual conflict, but the event logs are filled with notices of BOC trying to monitor the CFP processes.