Upgraded to v5 recently and noticed that D+ is allowing some applications to run without alerting me to their execution (no trusted rules previously set in security policy). I initially thought that this had something to do with the new cloud search features which I disabled along with “trust files from trusted installers” just in case, but D+ still didn’t trigger any alerts.
The applications in question are:
C:\Windows\system32\vmnetdhcp.exe (VMware VMnet DHCP service)
C:\Windows\system32\AUDIODG.EXE (Windows Audio Device Graph Isolation)
Note that both are services executed by services.exe which is set to the default rule created at install.
I’m basically looking to enable the old Defense+ functionality of alerting me to any type of executable trying to launch, regardless of its trusted state in the cloud or the trusted vendor list. Can this still be achieved somehow?
For the record, I did not try removing the listings in the trusted vendor list, as I am unsure if I can restore it easily. Could this be what I’m looking for?
Also, did anyone notice that ever since v5 it takes Defense+ a greater length of time to intercept an application?
My settings:
D+ is set to paranoid
Image execution control enabled with only “Do heuristic…” and “Detect shellcode…” enabled.
Sandbox enabled with automatically detect and trust disabled. (I have it on for the manual sandboxing via the right-click menu.)
“Trusted Files” and “Unrecognized Files” lists empty.
Nope, AUDIODG.EXE starts randomly whenever I run anything that has to do with sound and vmnetdhcp.exe I started via a batch file or manually through mmc → services.
It is set to “Windows System Application” if I remember correctly; I changed this app’s policy manually from the custom rule that is created on install.
So basically, what you’re saying is that when a trusted application launches another application (which doesn’t have a policy applied), the child will inherit the parent application’s policy? This doesn’t seem right to me.
I’ve been reading older posts and it appears that there’s an additional hidden trusted vendor list within Comodo which is invisible to the user and might be the reason why some applications don’t trigger an alert even after setting D+ to paranoid, disabling cloud, disabling sandbox and purging the trusted vendor list.
Is there really no way to get v4 behavior back? I don’t like the fact that some programs run without having a policy set by me.
Can anyone else using Windows 7 and/or VMware Workstation verify that the executables I mentioned are getting past their D+?
Oh and another question, can anyone explain how some executables which are digitally signed by the same vendor are triggering alerts and some do not?