Confused about "learning" and "allow rules"

I am a new user. The D+ help for “D+ Settings” describes the different operation modes (Paranoid, train with safe, clean PC, training, and disabled). The descriptions for several of the modes refer to “learning” about executables and also creating “Allow” rules. For example, for Train with Safe “… Defense+ will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules [for] these activities.”

What exactly does “learn the activity” mean? Also, I would like more info about “create Allow rules”. The help doesn’t seem to say. I have played around with the different operation modes to try to figure this out from observation but I still don’t get it.

Let’s start with Allow rules. I assume that the Allow rules are the list of Access Rights (Run an executable, Interprocess Memory Accesses, …, Keyboard) where for each item in the list the action can be one of Ask, Allow, or Block. Indeed, I find that D+ does (depending on the mode I am in) auto create Allow rules for applications. I find that the action for each item in the list is always set to ‘Ask’. Will D+ ever set it to ‘Allow’ instead? Is that possibly what “learn the activity” means? That is, say that a certified safe application foo.exe at some point does an “Interprocess Memory Access”. Will D+ “learn” this activity by changing the action for this activity for this foo.exe from ‘Ask’ to ‘Allow’? That is, is that what “learn” means?

If this is true then I have a different question… What exactly is the point of ‘learning’ the activities of certified safe applications. If it is certified safe, then D+ will let foo.exe perform all activities w/o alerts so what is the point of learning its activities (noting the activity and changing it from ‘Ask’ to ‘Allow’)?

I made another thread earlier about the same issue. Training mode is far from what it should feature. It adds a single wildcard rule in some parts, which makes building a ruleset more difficult.

See thread;msg222376#msg222376

Learn the activity means that an Allow action will be created corresponding to the triggered access rights.

For some access rights this means leaving the default action to Ask and adding a corresponding entry in the Modify… button\Allow list

Safelisted apps will not automatically learn all actions (e.g. there will still be alerts if Protected Files/Folders access rights are needed) in D+ Train with Safe mode.

AFAIK D+ Training mode is able to learn everything regardless of whether the application is safelisted, and many users use that mode only for a few minutes in order to create rules for new games.

AFAIK Clean PC mode is similar to Training mode if the user empties the pending file list, as D+ will learn all applications that are not featured in that list.

Upon installation D+ CleanPC is enabled by default pending an AV scan or an explicit confirmation that the PC is clean from malware (eg. because it has been just reinstalled).

D+ Predefined policy “Trusted application” has most permissions set to Allow (excluding Run an Executable).
Differently from safelisted apps in D+ Train with Safe mode, Treat as “Trusted application” may grant more access rights (e.g. protected file/folder access privileges).

I guess it is possible that safelisted apps will behave differently from Treat as “Trusted application” also in other cases, although I didn’t run any tests to confirm this.

I guess the ability to have an explicit policy generated for safelisted apps may also be related to the CIS Parental Control features that allow restricting all actions that would be able to trigger alerts.

gibran, thanks for the useful feedback.

Ah, so when an activity by a particular app is observed by D+ the activity is “learned” (remembered) by updating that app’s policy for that particular activity. And the update is indeed to allow the activity, either by changing the general action from Ask (alert) to Allow or, as you point out leave it as Ask but add this exception to the activity’s Modify list. (For example, say the app’s activity was it modified protected registry key xyz, so add xyz to the Modify list for the “Protected Files” activity.)

Having defined “learned”, I don’t understand your comment that not all activities are learned for safelisted apps in Train with Safe mode. It seems to me that in Train with Safe, all activities of safelisted apps are learned and that non-safelisted apps are not learned (i.e. you will get an alert).

Re Clean PC mode, I agree. And an app gets on the pending file list because it is not safelisted AND the app was installed on your PC after D+ itself was installed. (In Clean PC mode, activities of all apps that were installed before D+ was installed are learned even if the app is not safelisted.)

I think that your last para is your response to the last para of my post (that is, why does D+ bother to create and update a policy for safelisted apps if the policy will always allow every activity). I don’t understand your reference to Parental Control features. Do you mean so that the user can subsequently manually change the action for a particular activity (from silently allow to either block or alert)? Another possible purpose that I can think of might be in support of switching modes to Paranoid mode. In Paranoid, according to the help, D+ doesn’t learn activities of safelisted apps and considers only the existing policies.

You can quickly verify this. Notepad.exe bundled with Windows is a safelisted app. If you open Notepad and save a bogus file as test.exe, you’ll get a warning even if Notepad is safelisted (creation of new executables pertains to the Protected Files/Folders access right).

Parental Control allows silently blocking all actions that trigger alerts.
Using this feature along with D+ Safe mode and safelisted apps, it would be possible to automatically block all actions that will not be automatically learned (e.g. if that app creates new executables).

I guess that switching back from Paranoid mode to Train with Safe mode, all safelisted app policies will start to be automatically learned again. But nevertheless it is a possibility.

Anyway, in Train with Safe mode you can choose to explicitly block further learning by changing the Ask default action of access rights to Block (or Allow).

E.g. Train with Safe will learn some registry access rights while you use a safelisted app. You can then decide to prevent further learning and set the default action of the registry access right to Block.
Even if that app is a safelisted app you can prevent further learning. If that app ever needs to access some new registry keys, D+ will block these actions.

Another characteristic of this learning is that you can check the learned policy and get an idea of what protected resources that app needed (e.g. protected registry keys, spawned executables, etc.).

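As an added example (not Comodo's code or documentation), a toy Python model of the learning semantics described in this thread: a learned action adds an exception to the right's Allow list while the default stays Ask, safelisted apps still alert for Protected Files/Folders in Train with Safe, Paranoid only consults existing policies, and setting a default to Block stops further learning. Mode names, access-right names and the sample resources are assumptions.

```python
# Toy model of the Defense+ learning behaviour discussed above (assumed semantics, not Comodo code).
from dataclasses import dataclass, field

ASK, ALLOW, BLOCK = "Ask", "Allow", "Block"

# Rights a safelisted app still alerts on in Train with Safe (thread: Notepad saving test.exe).
NOT_LEARNED_FOR_SAFELISTED = {"Protected Files/Folders"}


@dataclass
class AccessRight:
    default: str = ASK                              # the general action for this right
    allow_list: set = field(default_factory=set)    # "Modify... > Allow" exceptions


@dataclass
class AppPolicy:
    rights: dict = field(default_factory=dict)      # right name -> AccessRight

    def right(self, name):
        return self.rights.setdefault(name, AccessRight())


class DefensePlus:
    def __init__(self, mode, safelist):
        self.mode = mode                            # "Paranoid", "Train with Safe", "Training"
        self.safelist = set(safelist)
        self.policies = {}                          # app name -> AppPolicy

    def check(self, app, right_name, resource):
        """Return 'allow', 'block' or 'alert' for one action, learning it where the mode allows."""
        right = self.policies.setdefault(app, AppPolicy()).right(right_name)
        if right.default == ALLOW or resource in right.allow_list:
            return "allow"                          # already permitted (learned or explicit)
        if right.default == BLOCK:
            return "block"                          # explicit Block: no alert and no further learning
        # default Ask: decide whether this mode silently learns the action
        learn = (self.mode == "Training"
                 or (self.mode == "Train with Safe" and app in self.safelist
                     and right_name not in NOT_LEARNED_FOR_SAFELISTED))
        if learn:
            right.allow_list.add(resource)          # learned: exception added, default stays Ask
            return "allow"
        return "alert"                              # Paranoid, or non-safelisted app: user is asked
```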

Ah, good to know (your Notepad example).

I’m still not sure I fully appreciate the purpose of D+ ‘learning’ the activities for safelisted apps (ie D+ auto maintains a policy for the app that notes and permits every activity that it performs). You point out that the user can if desired manually change any or all of the permitted activities to Blocked. But I could manually create a policy for an app myself when/if I want to block some activities. I don’t need D+ to have auto created the policy in the first place. Your last point makes sense to me though – it is interesting to see in the Modify list what particular resources the app needs.