Correct way to configure to "auto trust" executables and not ask permission?

Comodo CIS pops a dialog such as the one attached most of the time when a program is run, or even a text file via file extension association in the case of the example I have attached.

I understand that checking the “hide these alerts” check box will block these programs, not auto allow. (Per website: http://www.worldstart.com/comodo-antivirus-free-part-3-severe-virus-alerts/ )

Is there a way to configure Comodo to auto-allow?

We appreciate Comodo communicating when something is truly wrong… but these nag messages are comparable to the Mac ads making fun of Windows computers. And yes, I recall one of those ads pointed out “could turn it off, but then no warning would come when something is really wrong”.

Surely Comodo has considered MS’s mistakes and made a sensible balance possible, ja? So how can Comodo be tuned to be sensible? Thanks!


Auto-allow would allow all unknown programs, including unknown malware, to run unimpeded on your computer. Of course, that would be bad.

Selecting the option to ‘Don’t isolate it again’ will add it to the trusted files list. That way you won’t see any more Defense+ alerts for it.

If you would like advice for how to configure CIS, please see my article about How to Install Comodo Firewall.

Is there some way to whitelist certain filespecs, such as:

*.log
*.txt
U:\Distrib*

and allow the trusted filespecs to run without objection?

You could disable the “notify if something gets automatically sandboxed”.
If something doesn’t run in the future, you must just remember to check whether it’s sandboxed, and whether that is the reason.
With this, you would be “protected to the level” of the sandbox, though you don’t have to act each time.

Does this solve your problem?

Correct me if I am wrong.

So do you mean to check that “hide these alerts” box? I thought it has been stated in this thread that with that box checked Comodo will silently sandbox the program. We see HUNDREDS of these popups as we try to get our work done. Yes, we run many command line programs in scripts. Also I frequently open *.log / *.txt files at the command line using Windows file association to select the proper program associated with the extension.

If Comodo sees a virus in said file, then obviously that is a different story.

But warning “a script wants to run xyz.exe program and I want to Sandbox it, may I” MANY times each day has gotten old a LONG time ago.

No, I meant:
Userinterface, defense+, defense+ settings, settings for the sandbox: “Show notification for processes that are put in the sandbox automatically” ← disable that

I personally don’t run the automatic sandbox. I trust in defense+, and in an antivirus program. For special cases I use a full sandbox.
The Comodo sandbox is made for usability. So people could have things run, but don’t have to press answers all the time, while being protected to a level.
In your case, the sandbox doesn’t fulfill this usability task.

I would suggest to tell the defense+ an answer, if it has a question, instead of using the sandbox. In this case, defense+ would not allow something to run automatically without your consent (for example paranoid mode), or it would allow it to run if it’s whitelisted (safe mode, but it could happen that a malware is digitally signed), or the antivirus would alarm (if it has the definition).

You must decide for yourself, if your circumstances can be handled without a sandbox. And btw, partially limited could also in worst case scenarios not prevent specific harm. Again, this partially limited is also for usability.
If you need to run unknown files, you might choose to use an “on demand sandbox”.

EDIT: Do you often run new scripts?

What are your security concerns (formulated in general), and what are your usability goals?

The answer would lead best to the right decision :)

To me that sounds like the setting that is behind the check box on the popup screen I presented.

I guess I could test that theory… set up a test box, check that box on one of the popups, and then go into the settings and see if that check box you pointed me towards has flipped to disabled.

Sort of along the starting point I outlined here:

That at the very least would cut down on the annoyance boxes greatly.

I do not like security pop ups when opening *.log / *.txt files. And I want files in the share U:\Distrib* to run without nonsense messages hampering them. I do all software installations on Windows client machines via automated Software Distribution. Such popups cause havoc with the SD system.

Come to think of it, even using applications - the word processor to print, internally the word processor is contacting the printing engine, so that results in security popup boxes - several of them - as the print job is processed by the word processor. aaakkk!!!

I am a technical user… no kidding others can get Comodo so wound up on their system I end up doing an uninstall / reinstall just to get things cleaned up. Answer incorrectly (over time) to popup boxes, no kidding apps die off one by one.

And I just got to thinking… perhaps I am just interested in AV + FW and disable Defense+ altogether. Are these types of boxes specifically coming only from the Defense+ component?

.txt and .log files shouldn’t be getting sandboxed.

Are they by chance on external storage?

What configuration are you running?

No, local C:\ drive. Working at the command line, I am checking log files of the SD system and each file I launch via file extension association comes up with such a prompt as shown.

Defaults + setting a Global Rule to allow VNC connections to succeed from our trusted LAN zone.
http://www.lueckdatasystems.com/HOW-TO_Getting_VNC_Server_to_work_with_Comodo_Free_Firewall_Antivirus_for_Windows

P.S. And the Windows firewall is turned off / disabled.

Do these log files get dynamically generated by a program? Can you show a screenshot of Active Processes List so we can see what parent/child relations are happening when opening these log files?

  1. The SD system has completed running.
  2. Next up is to check the logs to check on results.
  3. I open a plain Command Prompt icon, change to the log directory.
  4. I select a file I want to open, start typing the filename, press Tab to complete the filename, then enter.
  5. ■■■■! Up pops the Comodo box attached to the OP. Since this is a very minimal test system, only Notepad is available as an editor, so that is what the file association points towards.

What do you mean with SD? What program is that? What does it do?

Can you show me a screenshot of Active Process and D+ logs when this happens?

What version of CIS are you using?

You can add those to Trusted Files.

Is the folder U:\Distrib* on a local or external drive?

Software Distribution = SD.

It is not merely one program, but that which deploys all software to target workstations.

Just Google for Gartner’s Software Distribution Magic Quadrant. That will give you an overview of the concept.

Not real soon. I am now beta testing some software for another vendor on the only Windows test box in the office.

You know Windows… A process list a mile long… and this is a laptop so all of the laptop drivers are loaded and running as well.

What would you be looking for? Can you give me some hints? Are you suspecting another antivirus / firewall software to be installed? NO! I know that is not wise. And I like the fact that Comodo is both AV and FW… just the D+ I think is where most of my complaints about Comodo come from… so I like the idea of having only ONE vendor to deal with, not a finger pointing contest possibility! 88)

To me, it is the way CIS insists on working. On all of my client installations, I have never seen it operate differently. So not just an isolated case on this one machine. And yes, I work from the command prompt on Windows. So not sure if Comodo pops more boxes with commands being started at the command line vs running them through the Explorer GUI.

The machine happens to be running Windows XP SP3 with current fixes applied, BTW.

5.8.x but this has been the case ever since I began with Comodo back in the 3.x days.

I will look again… could you please give me a hint where I should look in the 5.8.x version?

That would be a share from the Samba PDC… the directory structure where the SD packages reside on.

I would very much appreciate if you could post requested D+ logs and D+ Active Process List. That may make it easier to understand your situation.

When a program produces other executables, like compilers for example, we advise to give that program the Installer/Updater policy. That way it can start all applications it wants (including the newly created ones by itself).

After having made the rule for that Application in Defense + Rules (Defense + → Computer Security) take a look at D+ rules. You may find the new rule some place under a rule called All Applications. When it is there drag and drop it to a place somewhere above the All Applications rule.

Let us know if that works for you or not.

Please make sure that there are no leftovers of previously uninstalled security programs around. Not all uninstallers do a proper job. And leftover applications, drivers or services can cause all sorts of “interesting effects”.

Following are two of my tutorials to make sure there are no more leftovers.

Use existing removal tools

Try using removal tools for those programs. Here is a list of removal tools for common av programs: ESET Knowledgebase.

Otherwise do a Google search with terms “removal tool” and *name of product or vendor*.

For a more technical hands on approach (for advanced users only):

We are gonna take a look to see if some old drivers of your previously uninstalled security programs are still around. First run “set devmgr_show_nonpresent_devices=1” without the quotes from the command prompt.

Then go to Device Manager → View → show hidden devices → now look under Non Plug and Play drivers → when you see a driver that belongs to your previous security programs right click → uninstall → reboot your computer. You need to Google the drivers’ names to see what programs they belong to. You don’t want to uninstall Microsoft/Windows related drivers of course; some Microsoft drivers may show up as non active, please don’t uninstall them. It is best to make a system restore point before this of course.

When the problem persists make sure there are no auto starts from your previous security programs. Download Autoruns and run it.

This program finds about all auto starts in Windows. This tool can therefore seriously damage Windows when not handled properly. After starting push Escape and go to Options and choose to hide Windows and Microsoft entries, to include empty locations and then push F5 to refresh.

Now check all entries to see if there are references to your previous security program. When you find them untick them. After unticking reboot your computer and see what happens.

I recently uninstalled Norton Internet Security, I ran the Norton clean up tool before reboot, rebooted and found a Norton driver left in Non Plug and Play drivers.

I did a re-image of the test Windows machine this morning, and installed CIS 5.9 on it.

Left out GeekBuddy and Comodo Dragon components.

Rebooted. Set the detected LAN to Work / Trusted.

Opened a command prompt, changed to the log directory, and launched a log file via association with Notepad.

Provided is a screen shot of the resulting D+ annoyance message. As well, SysInternals Process Explorer view of the running processes.

This is a cleanly loaded test machine, so no build up of rogue programs which have decided to install themselves. Clean, clean, clean…


What is the parent application starting the log file? Does that get sandboxed?

When using a program that dynamically creates new files, think (de)compilers, then it is best to give the parent program the Installer/Updater policy. That way there are no questions asked when it starts new unknown programs.

That would be cmd.exe, as seen in the Process Explorer capture.

No, I never see any D+ boxes complaining about cmd.exe

I do not run any AV software on my packaging machine. I never keep a packaging image around long enough to warrant installing such, nor want to fuss with annoyances it causes. So all of the EXE file creation is done on that box.

When it comes to deployment, then yes, each package file being deployed (self extracting EXE files) brings up such a D+ warning as this log file caused.

And note, D+ did not prevent Notepad from opening, and the file is correctly loaded… so why must D+ pop any message about sandboxing if it is going to allow the app to do what it wanted to do anyway?

Thus I see only annoyance with D+ and no benefit… “Run Comodo AV + FW and be done with it!” is my conclusion.

Do I understand the process correctly as follows:

  • Create self extracting executables with application X
  • Application X starts a batch file
  • Batch file starts cmd.exe
  • cmd.exe starts notepad
  • created log gets sandboxed

The best thing to do is to give Application X the Installer/Updater policy in Defense + Rules. Make sure that the rule made for Application X is at a place above a rule called “All Applications”; you may need to drag and drop the rule for Application X for this.

If the rule is somewhere underneath the “All Applications” rule it will follow the rule set by the “All Applications” rule; it is subordinate to that rule then.
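
The rule-ordering point from the last post, as an added example that is not part of the thread and not Comodo's code: a simplified first-match model of an ordered rule list, plus a check for rules that can never apply because a broader rule sits above them. First-match evaluation is an assumption about how the list is processed; the path and the policy label for "All Applications" are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed rules: (rule name, path pattern, policy). Names follow the thread;
# the path and the "default (alerts)" label are hypothetical placeholders.
ALL_APPS = ("All Applications", "*", "default (alerts)")
APP_X = ("Application X", r"C:\Packaging\appx.exe", "Installer/Updater")


def matches(pattern, path):
    # Windows paths are case-insensitive, so compare lowercased.
    return fnmatchcase(path.lower(), pattern.lower())


def effective_policy(rules, path):
    """Return (rule name, policy) of the first rule, top to bottom, that matches."""
    for name, pattern, policy in rules:
        if matches(pattern, path):
            return name, policy
    return None, "no rule"


def shadowed_rules(rules):
    """List (rule, shadowing rule) pairs for rules that can never take effect.

    Approximation: a rule counts as shadowed when an earlier pattern matches
    the later pattern taken as a literal string (true for a catch-all '*').
    """
    hidden = []
    for i, (name, pattern, _) in enumerate(rules):
        for earlier_name, earlier_pattern, _ in rules[:i]:
            if matches(earlier_pattern, pattern):
                hidden.append((name, earlier_name))
                break
    return hidden


if __name__ == "__main__":
    target = r"c:\packaging\AppX.exe"
    for label, rules in (("below", [ALL_APPS, APP_X]), ("above", [APP_X, ALL_APPS])):
        print(label, effective_policy(rules, target), shadowed_rules(rules))
```

Running the shadow check over an exported rule list after every change shows which custom rules have ended up under a catch-all and are therefore dead.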