Confusing documentation for what should be basic tasks

I just installed Comodo 5.3.176757.1236 with Maximum Proactive option during setup. Now I’m trying to learn the program by reading documentation and following some of the suggestions in the docs and on the forums. One problem I’ve come across is very confusing and inconsistent documentation. For example:

On that page, in the section heading “Exceptions” is the following text:

Users can choose to selectively allow another application (or file group) to modify a protected file by affording the appropriate Access Right in 'Computer Security Policy' . A simplistic example would be the imaginary file 'Accounts.ods'. You would want the Open Office Calc program to be able to modify this file as you are working on it, but you would not want it to be accessed by a potential malicious program. You would first add the spreadsheet to the 'Protected Files and Folders' area by clicking the 'Add' button then 'Browse...' to 'Accounts.ods'. Once added to 'My Protected Files', you would go into 'Computer Security Policy' and create an exception for 'scalc' so that it alone could modify 'Accounts.ods'.

Now look at the images accompanying that section. None of the guide images designed for the beginner to follow along with show a database filename of Accounts.ods. Instead, they all, all, show something that looks like “work_task.ods”. Ok, I’ll presume that work_task.ods is actually supposed to be Accounts.ods like the text says. Now, not only can that be confusing in and of itself, but some of the instruction steps speak about adding the actual application, “scalc” which is to be allowed access to that protected file. Even in the steps where it says to add “scalc”, we still see the work_task.ods file being listed instead. So which steps actually get the application listing and which steps get the database/protected file listing?


In the step below that, it recommends protecting the contents of the Windows\System32 directory from being modified, but to allow programs such as Windows Update to modify the contents of that folder. Ok, wise thing to do… Let’s do it…

Again, quoting from that page:

In this case, you would add the directory c:\windows\system32\* to the 'Protected Files and Folders' area (* = all files in this directory).

Ok, easy enough. Done. Next…

Next go to 'Computer Security Policy', locate the file group 'Windows Updater Applications' in the list

In what list? In which tab? Ok, after looking through every tab to make sure it doesn’t appear in more than one, I’m going to presume you mean the main Defense+ Rules Tab. So I find the section that says Windows Updater Applications, which already has some items auto-populated underneath it, (i.e. msiexec.exe, wuauclt.exe, etc) and now what?

and follow the same process outlined above to create an exception for that group of executables.

What group of executables? Where do I add the reference to System32 folder to allow Windows Updater Applications access to it? Oh, I know. I click on Add, then browse to C:\Windows\System32 and add it under Windows Updater Applications? Nope, can’t add a folder, only files… So, what to do… what to do…

Ok, so it seems as though in order to add Windows\System32* to the Windows Updater Applications grouping, the policy must be changed from Installers and Updaters to Custom Policy. This isn’t exactly clear, and I’m not entirely sure it’s correct. Is it?

Also, why doesn’t Installers and Updaters show up in the Predefined Policies tab? It would be nice to see exactly what that preconfigured policy contains. My Predefined Policies tab shows Trusted Application, Windows System Application, Isolated Application, and Limited Application, but no Installers and Updaters. Why is this?

The Windows directory is already in Protected files. No need to add it.

Where do I add the reference to System32 folder to allow Windows Updater Applications access to it? Oh, I know. I click on Add, then browse to C:\Windows\System32 and add it under Windows Updater Applications? Nope, can't add a folder, only files.. So, what to do.. what to do...

Windows Update apps are already in the “Installer or Updater” group which has unlimited access. Leave it in that group.


Percept asked “why doesn’t ‘Installers and Updaters’ show up in the Predefined Policies tab?”

I’ve just logged into the forum with exact same question, so taking risk of joining this thread if only to keep subject in one place. 88)

There isn’t a predefined policy by this name in my settings, though it appears in the list for adding predefined policies to a new Defense+ rule. ???

I thought maybe I’d deleted it by accident, but CIS’s pdf help makes clear there are only four predefined policies, and I have four. I can open the four in ‘customize’ and see their access rights and protection settings. Can’t find nothing for Installers and Updaters? Guess it has special privileges not trusted to the average user’s mishandling?

What’s the difference with a ‘Trusted Application’ that also seems to have full access privileges?


Less-than-average user. :embarassed:

The only difference between Trusted and Installer is that Installers are allowed to execute any program, whereas Trusted will ask.

To Sartre… :-TU