Defence+ is not honoring Trusted Apps

I’m just now trying Defence+ again, thought I’d give it a second chance, and I’m having a problem. I set up a group with all my security apps in it and set D+ to treat them all as Trusted. However when I run any of them, D+ is auto-learning their behavior (I’m in Clean PC mode) and creating a new rule entry (see screenshot). Worse is that if I then try to set the new rule to Trusted, the next time I run the program again it is reset to Custom.

I have -

XP Pro SP2 32-bit
CFP 3.0.14.276
NOD32 2.70.39
BOClean 4.25
ThreatFire FREE 3.0.13.11
Sandboxie 3.21.15


Well I tried everything I could think of. Complete uninstall, clean, and reinstall. D+ still will not remember programs I mark as trusted. Oh, and I had already uninstalled ThreatFire at this point.

Since CFPv3 is useless as anything but a basic firewall w/o D+, I had to ditch it. I’m crying over here. I really like this product and was set on giving D+ another shot, but it’s impossible until this bug can be ironed out. At the moment I’m running with OA Free, which is good, but obviously not as configurable as CFP. On the upside it does pass CPILSuite even though its HIPS produces far less popups than D+.

Another note, the ThreatFire and CFPv3 uninstallers do a really good job. I didn’t find anything really left over except 1 or 2 empty folders. I didn’t find any bad reg keys, and CCleaner didn’t find any problems either. Windows Security Center is happy as well.

If anyone else can figure out what was going on, and Comodo can get this bug fixed, I’ll be anxious to go back to CFPv3. I wish I could be more help on what was going on, but this is all the info I have.

The pop up balloons make sense (to me) if D+ is learning, generally it will only run through them once. After you set your rules, do you push up D+ settings to train with safe mode or paranoid?

That’s not it. It learns it once (for example Start.exe from Sandboxie). Then I go and change it to a Trusted Application. That should be it, no more popups necessary. But next time I run it D+ is learning again and it resets the policy to Custom.

Same thing, I created a group with all my security apps (AV, BOClean, etc.) and set the whole group to Trusted Application. I shouldn’t get any popups at all about those apps. But each time they run D+ is learning again and it creates a new rule for each EXE. It doesn’t make any sense to work that way. What’s the point of my groups then? Of course same as above happens if I change one of those new rules to Trusted. Run the app again and it’s back to Custom.

wraithdu, if you are uninstalled from Comodo, install again with Defense+ set at Clean PC Mode. It searches and finds everything you have installed and assumes they’re safe. When I first installed I had that setting and didn’t get many alerts. I’ve since changed the setting to Train with Safe Mode and although I get some alerts it does seem to be learning. However, having said that, I’ve suspected v3 does seem to lose some of its settings after a boot. I’ll turn off logging and the next time I boot it will be enabled. Also, I remember v2.4 was terrible about not remembering what was given permissions. Good luck and Happy New year!

Don’t know if this would work, but one thing you might try is to replace the “*” with a “*” in “My Security Apps”

Also I found out the hard way that it is necessary to hit the apply button on every screen up to and including computer security policy for the changes to take effect.

Regards,
Mike

@ratchet
I have been running in Clean PC Mode from the start.

@MikeH
I’ve tried that as well, and I make sure to apply all the way out, even closing the GUI window. It still doesn’t explain why I can modify an existing single app rule to Trusted, and D+ insists on re-learning it and resetting it back to Custom.

wraithdu, I’ve discovered a quirk which contradicts MikeH’s suggestion. In Miscellaneous>Settings>Logging if I hit Apply the changes stay, however, if I go back to >General (tab) and hit Apply it changes the Logging (tab) settings I’ve just applied. Point being, perhaps you should only hit Apply at the window for the feature you’re changing/setting.

The only other thing that I can think of is to make sure that the Windows firewall is off.
After reading about this in other posts, decided to check my system, and much to my chagrin it was on.

Regards,
Mike

Did you do any registry cleaning?
Just ran RegSeeker on my system and see that it wants to delete some rules for HIPS Policy for the firewall.

Regards,
Mike

@MikeH & ratchet
Thanks for all the suggestions, but the Windows Firewall is off, and I was not doing any registry cleaning. I also double checked my settings by re-entering the dialogs, and they were correct (thanks anyway though ratchet, you should probably report that as a bug in another thread).

I retried all this in a VM with v3.15 of CFP3. I get the same results - apps that I mark as trusted in a Group have additional ‘Custom’ rules created. And single apps that I mark as ‘Trusted’ have their status reset to ‘Custom’ after launching them again.

Can anyone reproduce this, as now it’s happened under 2 different systems for me?

CFP v3.15 in Clean PC mode
NOD32 3.0.621
Sandboxie 3.22

I think that when in Clean PC mode CFP attempts to learn behaviour of any apps that were on the pc when it was installed. It seems to do so even when you apply a predefined rule - thus it changes everything back to custom.

Have you tried changing the setting to ‘Paranoid’ and then setting up your selected apps as Trusted? According to CFP help file the firewall will not attempt to learn application rules whilst in paranoid mode.

I am not sure if even this will work as I suspect that if an application tries to do something previously unknown then CFP will ask you whether you want to allow it. If you do then in theory this changes the rule to be different from the preset ‘Trusted’ which means it might change to ‘Custom’ again.

For example, say the preset rule ‘Trusted’ does not allow Application A to execute Application B so the firewall asks if you want to allow it. You click allow and remember. The rule for the application will now be different from the preset ‘Trusted’ rule, i.e. a ‘Custom’ rule. I could be wrong (probably am ;D) so hopefully someone more clued up than me might post to explain what is happening.

Don’t know if you’ve tried this but it could work.
Set defence+ to training/change the apps to trusted and apply/change back to clean pc or train with safe mode.
Could be worth a shot.

Nice 1 Matty

I’ll give some of these new suggestions a try in a clean VM when I get some time and post back. Thanks.

I’m hoping it’s a bug in CleanPC mode, and won’t happen in, say, Train with Safe Mode.

Well I switched over to Vista, so I’m back to CFP 3.0.16. I’ve got a new install with Basic + Leak Protection and, unfortunately, I still have the same problems as described above. I even tried in ‘Train with Safe Mode’ as suggested, but same results.

I don’t get it. I just want D+ to ignore my security apps. Even setting one of them to ‘Trusted’ in the dialog, it’s reverted to Custom next time it’s run. So ultimately I can’t set anything to ‘Trusted’ :frowning: I mean I can still use CFP, but I’d like to have this sorted finally.

have you noticed that in a trusted rule, everything is allowed, except for execution under access rights, which only provides ask/block?? well a custom setting can start out as a trusted, but when you allow an execution, that goes into an inclusion area (for lack of a better term). click the modify button and you will see the permissions your allow has added. remember Trusted is like a global or templated grouping of permissions, but if your Trusted app needs to run another app/process or what have you, and you ‘allow’ it and ‘remember’ that allow it modifies that ask/block only permission and therefore becomes a customized version of the Trusted template.

it’s a pretty goofy way to implement program execution, but it does allow for some pretty tight rules once a trusted app gets all of the execution permissions it needs. on the other hand, if you do not select remember on a pop-up from a trusted app then the trusted template will not be changed, but you will be asked for that permission over and over, again because there is no allow in the execution access rules, only ask/block. so it does not appear to be a bug per se, just a goofball way of handling this. i hope i have not made a complete babble.

to verify, make notice of the predefined security policy; Trusted under access rights. then open the custom policy that you had originally set as a Trusted policy, you will note that the permissions are exactly the same. then if you click the modify button of the first 9 (nine) permissions, if your app needed anything special with that permission, it will be listed there or you can add your own. that is what turns the Trusted pre-defined policy into a custom policy. so essentially what you are stressing over is mere semantics.

Mike

I find it funny that you posted that reply today, since today I finally came to the same realization. I was just about to post the same thing and downgrade my “bug” to “poorly documented”. So thanks for saving me some time!

In addition to what you posted, this also explains why I have additional rules for apps included in my Trusted Groups. I think this also implies a hierarchical application of the D+ rules, since if I look at a duplicate rule (a trusted Group app that has a single custom rule), it contains only the allowed EXEs, with all other rules set to ask. So it seems the Trusted Group catches all the other Allow rules, and just uses the 2nd single rule for the Allowed EXEs.

So I’m glad that I finally “get” it. However I think this program behavior needs to be more properly documented.