Yesterday I installed CIS (having previously uninstalled CPF - I was very happy with that and decided to give CIS a try) and found out something strange. Maybe it’s not exactly a bug, but for me it’s a bit weird.
I run, for example, a sandboxed (SandboxIE) uTorrent from ObjectDock, and D+ doesn’t ask me whether I allow ObjectDock.exe to start Start.exe (a SandboxIE component); the first notification I get is about whether to allow uTorrent to connect to the net. No notifications about running SandboxIE components, running uTorrent…
In this case, when I go into settings and the D+ tab, in Computer Security Policy I see new rules (but, while clicking on allow, I wasn’t marking the box to remember my choice, so where are these new rules from? - it would be normal in Learning Mode, but D+ is all the time in the Safe Mode setting).
I manually delete the new rules for all the above applications, but D+ acts as if they were still there (still no alerts about running Start.exe, uTorrent and SandboxIE components).
However, when trying to install a new app (that wasn’t there on my PC when CIS was being installed) I get all the alerts, just as if everything were fine. In Computer Security Policy there are no new rules emerging. All this happens in Safe Mode.
To me it looks as if D+ in Safe Mode were acting as if it were in Clean PC mode. Strange.
In Paranoid Mode everything works fine.
My config: XP SP2 32bit, CIS + Avira + BOClean + TF.
Maybe it isn’t exactly a bug but simply a different behavior of D+ in CIS compared to CPF, however, I decided to post it here.
@Swordfish: I suggest you read the description of each Defense+ security level setting. The behaviour of Defense+ you described is completely expected when a user starts an application which is on Comodo’s safe list (white list), and ObjectDock is on it (I didn’t check the rest). This way Defense+ reduces the number of alerts, and you’re completely safe since these applications were previously examined by Comodo’s experts.
Safe Mode: While monitoring critical system activity, Defense+ will automatically learn the activity of executables and applications certified as 'Safe' by Comodo. It will also automatically create 'Allow' rules for these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing 'Treat this application as a Trusted Application' at the alert. This will instruct the Defense+ not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in 'Clean PC Mode' then 'Safe Mode' is recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.
Thank you, but I will try to ask again:
Is there a possibility to make D+ not insert new rules automatically (for safe applications) in Computer Security Policy rules in Safe Mode? Or do I have to go back to CPF or use Paranoid Mode in CIS?
Btw, it’s a bit strange - some not-everyday apps like SandboxIE are known to CIS (and thus considered safe) while, for example, firefox.exe could not be recognized. Please take a look at the attachment.
I was a die-hard CPF user for a long time and I must admit that I’m a little disappointed with that change of D+ behavior, not only because of a large gap between Safe and Paranoid mode now, but more because of the very interesting way CIS differentiates known (i.e. safe) and unknown (i.e. unsafe) applications.
OK, I understand that this (auto-adding “known” to Comp. Sec. Policy in Safe Mode) will make life easier for 80% of users, but what about the remaining 20%? Do they really have to go Paranoid?
And, for now, CIS in Safe Rules automatically makes rules for uTorrent, which is - but this is of course my opinion - potentially more dangerous than an up-to-date Firefox (with NoScript etc.).
Just one last question - because it keeps coming back - regarding the use of AV architecture (especially in the light of 3xist’s and Kyle’s posts): what do you mean by that? To be precise: is a file scanned with one A/V engine and then considered safe, or is it scanned using a more sophisticated A/V mechanism like CAVS?
There is no change in that regard. D+ Safe Mode added safe apps automatically even before (e.g. notepad.exe).
One relevant change from CFP is that the explorer.exe Treat As policy is set to Windows system applications (previously it was trusted app or custom), thus explorer will not trigger an execute alert even for unknown apps.
As for Firefox.exe not being in the safelist, I guess it could be due to the fact that FF is usually updated, and it is more likely that a manual Lookup is needed (e.g. from the pending file dialog) to confirm it was whitelisted (safelisted).
Since FF is a digitally signed app, it would be possible to add Mozilla code signing certificates to trusted vendors to have all Mozilla apps considered trusted.
To prevent the automatic training triggered by safe mode, the only way would be to set each ASK permission to block or use D+ paranoid mode.
TBH I’m searching for something in between safe and paranoid mode too.
The only way to get alerts for ASK access rights is to use paranoid mode. (To my understanding, every policy-less app can be regarded as having an all-Ask policy.)
IIRC Safe mode will basically learn many behaviours that have not been explicitly set to allow or block (setting those rights to block has proven to be unsatisfactory for me and I had to revert them to ask for troubleshooting purposes).
It is entirely possible that a custom policy has some Ask entries, and AFAIK non-paranoid modes can add new entries for these access rights.
To my current understanding, a whitelisted app has fewer privileges than a trusted app.
In fact even if notepad.exe is whitelisted it still triggers an alert if I attempt to create a bogus executable (eg test.exe) in D+ safe mode.
I didn’t make the necessary tests to confirm other restrictions imposed on safelisted apps, but I would appreciate a way to disable the safe behaviour for specific safelisted apps and to know if they are safelisted after a CIS/CFP update (only possible using manual lookup).
This will provide me a way to watch over specific safelisted apps and get an alert when they attempt something new, and at the same time have other safe apps automatically learned.
Even if D+ is designed to be a malware prevention app I’m inclined to explore its uses as a system gatekeeper and have it enforce app specific policies and watch over specific entities in the same way a firewall can be used to restrict even legit connections (eg update requests).
IMHO there are some features that, even if they could be considered legitimate by some, could be deemed unnecessary by others.