create a rule/group for blocking sub-/folder/*

Dear Comodo friends and supporters

I got a problem. I have under C:\ProgamData a subfolder that contains a file that shall
under no circumstances get access to somewhere behind my router. Not directly nor by any bipas.

So I thought well, to make things proper and have a means to use this rule more flexible I did this:

I create under Defense+ a new group.

There I put into my file and other stuff that is probhibeted to acces the net.

Then I create a custom rule under Defense+:


So, you see that I block the DNS.
I would assume now that each file in my ‘block group’ ( C:\ProgamData\Blockedfiles*) can not acces the Internet.

However, I was just proven the contrary.

I know we have the tab for ‘blocked files’. Defense+ Tasks > Computer Security Policy > Blocked Files

But this is to restricted as Comodo explains:
“Blocked Files
Defense+ allows you to lock-down files and folders by completely denying all access rights to them from other processes or users - effectively cutting it off from the rest of your system. If the file you block is an executable, then neither you nor anything else is able to run that program. Unlike files that are placed in ‘Protected Files and Folders’, users cannot selectively allow any process access to a blocked file.”

Can you tell me please what I should do?


If your goal is to prevent internet access for some files, why don’t you make a block rule for them in the firewall?

Hi Boris,

my goal is to have a more flexible way. If I got a group then I can manage that one easily and add
files and directories without any hassle in minutes. Then I can change the restrictions as I favor.

This could be one or any combination of:

  • Block Internet acces by blocking access to DNS (comodo D+ setting)
  • Make sure that any file in the group can not access my browser by the means of e.g. interprocess memory
  • can access any adress in my home LAN only

I think this makes sense, doesn’t it?


You can make a FW rule for the group you have defined. If you go to Network Security > Application rules > add > select > Files Group, you’ll see the group “NO DNS” as you have defined in your 2d image. This way, you have the flexibility you are looking for to add/remove files from the group. You can make rules for the group preventing outbound connections but allowing communication with your LAN.

If you want to try to block internet access through Defense+, on top of blocking DNS Client Service, you have to block in the applications rule for your Group:

  • in Protected Files & Folders : Device\Adf\Endpoint
  • in Protected Registry Keys, 4 HKUS keys for internet settings : proxy enable, proxy server, proxy override and saved legacy settings.

The easiest way is to set temporarily Defense+ in paranoïd mode, launch one of the file in your group and answer block and remember for the elements I mentionned above. This way you have the template to make the rule for your Group.

Dear Boris

this was the most comprehensible and detailed answer I could expect.

Thank you very much! You made my day :slight_smile:

Hi diverxl,

You’re welcome and thank you for the feedback.