When activating image protection settings I’m understanding that the initiating process would require explicit resource access permissions for the resource access names that are configurable as protected settings. Without explicit permission for the initiator to access any one or more of the four potential target’s protected settings resource access names, an alert will be generated. However, if monitoring for any of the four types of access name for protection setting on the target is active - for any arbitrary image - and the initiator has explicit permissions to do so, but a protected settings exclusion is not explicitly configured, the resource access of the initiator is denied, no alert is generated and the action is logged as if the initiator lacked the primary permissions to access the resource access name.
An example:
Comodo Internet Security file-group has all resource access name protection settings enabled
To get the right click context menu of the CIS system-tray icon to function:
explorer.exe needs to have access rights to %PROGRAMFILES%\COMODO\COMODO Internet Security\cfp.exe for the Windows Messages access name.
cfp.exe needs to have an exclusion in Windows Messages in cfp.exe protection settings.
Furthermore, cfp.exe would need to have an additional exclusion for %SYSROOT32%\csrss.exe (where %SYSROOT32% = Windows\system32).
The latter is in the Windows System Applications group having Windows System Application predefined policy configured. That policy allows all resource access names.
After I implemented protection settings for the CIS file-group, I saw log entries for:
cfp.exe hook %SYSROOT32%\Msctf.dll
I’ve never seen that before. This has something to do with protection settings. However, Msctf.dll isn’t running; it extends MS Text Services. So I’m assuming this should be something added to cfp.exe Windows/WinEventHooks resource access name permissions, and not as an exclusion to the same resource access name in protection settings? I don’t know why that got woken up by activating protection settings, but it did.
Furthermore, I see a log entry for %PROGRAMFILES%\COMODO\COMODO Internet Security\cfplogvw.exe install hook %PROGRAMFILES%\COMODO\COMODO Internet Security\cfplogvw.exe
This is apparently having to do with either launching D+ Events, the Log Viewer, i.e., MORE, or pertaining to the windowed mode of the Log Viewer and trying to resize the viewer - dunno - but whatever.
Intuitively it would seem that the initiating process, i.e., cfplogvw.exe, should have resource access permissions for the Windows/WinEventHook access name specifying cfplogvw.exe AND in cfplogvw.exe protection settings cfplogvw.exe should be specified as an exclusion for the Windows/WinEventHook access name; apparently cfplogvw.exe is installing a hook to itself. So it needs permissions to do so and to allow it to be done to itself?
???