confusion about image protection settings

When activating image protection settings I’m understanding that the initiating process would require explicit resource access permissions for the resource access names that are configurable as protected settings. Without explicit permission for the initiator to access any one or more of the four potential target’s protected settings resource access names, an alert will be generated. However, if monitoring for any of the 4 types of access name for protection setting on the target is active - for any arbitrary image - and the initiator has explicit permissions to do so, but a protected settings exclusion is not explicitly configured, the resource access of the initiator is denied, no alert is generated and the action is logged as if the initiator lacked the primary permissions to access the resource access name.

An example:

Comodo Internet Security file-group has all resource access name protection settings enabled

To get the right click context menu of the CIS system-tray icon to function:

explorer.exe needs to have access rights to %PROGRAMFILES%\COMODO\COMODO Internet Security\cfp.exe for the Windows Messages access name.
cfp.exe needs to have an exclusion in Windows Messages in cfp.exe protection settings.

Furthermore, cfp.exe would need to have an additional exclusion for %SYSROOT32%\csrss.exe (where %SYSROOT32% = Windows\system32).

The latter is in the Windows System Applications group having Windows System Application predefined policy configured. That policy allows all resource access names.

After I implemented protection settings for the CIS file-group, I saw log entries for:

cfp.exe hook %SYSROOT32%\Msctf.dll

I’ve never seen that before. This has something to do with protection settings. However, Msctf.dll isn’t running; it extends MS Text Services. So I’m assuming this should be something added to cfp.exe Windows/WinEventHooks resource access name permissions, and not as an exclusion to the same resource access name in protection settings? I don’t know why that got woken up by activating protection settings, but it did.

Furthermore, I see a log entry for %PROGRAMFILES%\COMODO\COMODO Internet Security\cfplogvw.exe install hook %PROGRAMFILES%\COMODO\COMODO Internet Security\cfplogvw.exe

This is apparently having to do with either launching D+ Events, the Log Viewer, i.e., MORE, or pertaining to the windowed mode of the Log Viewer and trying to resize the viewer - dunno - but whatever.

Intuitively it would seem that the initiating process, i.e., cfplogvw.exe, should have resource access permissions for the Windows/WinEventHook access name specifying cfplogvw.exe AND in cfplogvw.exe protection settings cfplogvw.exe should be specified as an exclusion for the Windows/WinEventHook access name; apparently cfplogvw.exe is installing a hook to itself. So it needs permissions to do so and to allow it to be done to itself?


I’ve never messed with this before; the default configuration for all Protection Settings appears to be ‘disabled’, except for Comodo Internet Security file-group.

I’m extremely intrigued with this concept; it offers a canary method of warning that somebody invisible is in the mine stealing coal.

'Cause, explicit permission is required by an initiating process to access the resource access names as configurable Protection Settings.


Intuitively it seems that Protection Settings could serve as a ‘motion detector’ for root-kits - inherently invisible - and a de-facto Bouncing Betty / Claymore-mine warning that vermin are within the perimeter.

So I’d think that all system critical processes should have all Protection Settings enabled, and any image that requires resource access name permissions to access a target image’s Protection Settings resource access names should itself have its Protection Settings enabled.

And based on my review of the D+ rules accrued over 5 years, I believe that resource access names referencing DLLs implicitly should have an explicit D+ rule created whereby ONLY the Protected Setting resource access name is enabled as required by the initiator.
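The post describes a three-step decision (initiator permission, then target protection, then exclusion) and works it through for the system-tray context menu. The following Python model is an added example, not Comodo's code and not part of the original post: it encodes that decision order exactly as the post states it, so the interaction between an initiator's D+ rule and a target's Protection Settings can be reasoned about offline. The `Image`, `Decision` and `evaluate` names, the `allow_all` flag standing in for the Windows System Application predefined policy, and the `unknown.exe` image are constructed assumptions; only "Windows Messages" and "Windows/WinEventHooks" are taken from the post (it mentions four access names but names just these two).

```python
from dataclasses import dataclass, field

# Protection Settings access names the post names explicitly (two of the four).
WINDOWS_MESSAGES = "Windows Messages"
WIN_EVENT_HOOKS = "Windows/WinEventHooks"


@dataclass
class Image:
    name: str
    # initiator side: access names this image is explicitly permitted to use,
    # keyed by target image name (its own D+ rule)
    permissions: dict = field(default_factory=dict)
    # assumption: set when a predefined policy allows every resource access name
    allow_all: bool = False
    # target side: access names for which this image's Protection Settings are on
    protected: set = field(default_factory=set)
    # target side: per access name, the initiators excluded from protection
    exclusions: dict = field(default_factory=dict)

    def permits(self, target: "Image", access_name: str) -> bool:
        return self.allow_all or access_name in self.permissions.get(target.name, set())


@dataclass(frozen=True)
class Decision:
    allowed: bool
    alert: bool
    reason: str


def evaluate(initiator: Image, target: Image, access_name: str) -> Decision:
    """Apply the three-step logic the post describes, in that order."""
    if not initiator.permits(target, access_name):
        # no explicit permission on the initiator: blocked and alerted
        return Decision(False, True, "initiator lacks explicit permission")
    if access_name in target.protected:
        if initiator.name in target.exclusions.get(access_name, set()):
            return Decision(True, False, "permitted and excluded from target protection")
        # permitted, but the target's protection has no exclusion: silently
        # denied and logged as if the permission were missing
        return Decision(False, False, "permitted but not excluded in target protection settings")
    return Decision(True, False, "permitted; target not protected for this access name")


def add_exclusion(target: Image, access_name: str, initiator_name: str) -> None:
    target.exclusions.setdefault(access_name, set()).add(initiator_name)


def cis_tray_scenario() -> dict:
    """Constructed walk-through of the system-tray context-menu case from the post."""
    explorer = Image("explorer.exe", permissions={"cfp.exe": {WINDOWS_MESSAGES}})
    csrss = Image("csrss.exe", allow_all=True)   # Windows System Application policy
    unknown = Image("unknown.exe")               # constructed: no D+ rule at all
    cfp = Image("cfp.exe", protected={WINDOWS_MESSAGES, WIN_EVENT_HOOKS})

    results = {}
    # explorer.exe is permitted, but cfp.exe has no exclusion yet
    results["explorer_before"] = evaluate(explorer, cfp, WINDOWS_MESSAGES)
    # csrss.exe's policy allows everything, yet it is stopped by protection too
    results["csrss_before"] = evaluate(csrss, cfp, WINDOWS_MESSAGES)
    # an image with no permission at all raises an alert instead
    results["unknown"] = evaluate(unknown, cfp, WINDOWS_MESSAGES)

    # the two exclusions the post says cfp.exe needs
    add_exclusion(cfp, WINDOWS_MESSAGES, "explorer.exe")
    add_exclusion(cfp, WINDOWS_MESSAGES, "csrss.exe")
    results["explorer_after"] = evaluate(explorer, cfp, WINDOWS_MESSAGES)
    results["csrss_after"] = evaluate(csrss, cfp, WINDOWS_MESSAGES)
    return results


if __name__ == "__main__":
    for label, d in cis_tray_scenario().items():
        print(f"{label:16} allowed={d.allowed!s:5} alert={d.alert!s:5} {d.reason}")
```

The model makes the point of the post visible: the silent denial (allowed=False, alert=False) is the case to watch for when enabling Protection Settings on a group, because it looks in the log like a missing permission on the initiator even though the fix belongs on the target's exclusion list.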