Defense+ 3.14.x as a "pure" anti-executable

This one is for the select few. Advanced users who like:

• version 3 over the rest
• AEs over HIPS
• to tweak things
• to be clean freaks

If you don’t belong to either of those and hold no interest in this topic, please don’t participtate.

The goal is to make Defense+ the lightest it can be while maintaining its role as an anti-executable by disabling most security settings. As an added bonus effect, there are fewer Defense+ app rules created. This is something I’ve recently came up with. It’s still as secure as before, except obviously during installations and uninstallations, but that’s the idea: either trust the software I’m about to install or don’t install it all. I’ve been “around the block” long enough to know the associated risks and conveniences. Should the worst happen, I re-image my PC. Even I have grown tired of HIPS alerts, regardless of whether I know how to answer them or not and regardless of Installation Mode (which ultimately creates rules for temporary files and requires maintenance later). There has never been a malicious application or executable in my Defense+ rules. I also have in the past confirmed my PC’s cleanliness by checking with various scanners from time to time with nothing but false positives. Of course, all this fits my own needs based on my usage patterns, so it won’t apply to others.

So with all that mumble jumbo background out of the way, here are my imperfect settings in no particular order:

My Protected Files & My File Groups
I remove everything in my Protected Files. I do the same in My File Groups but leave those 3 just for clarity in my Computer Security Policy screen (although I could easily removed them if I wished).

My Blocked Files
Obviously nothing here because all my programs are used and “trusted” by me

My Pending Files
While I’m in Clean PC Mode, this will start to populate new executables, and of course will be purged once I’m done installing them.

My Own Safe Files
Nothing here.

My Blocked Files
All cleared out. Even the two default Comodo ones.

My Protected Registry Keys
All cleared.

My Protected COM Interfaces
Nothing.

Predefined Security Policies
Windows System Applications is the only one left. Again, I could remove this too but I leave it there for clarity’s sake to separate my app rules into groups.

Defense+ Settings
General Settings tab - Always in Clean PC Mode except when I’m (un)installing, it’s Disabled.
Disable the three options
Monitor Settings tab- All disabled

Image Execution Control Settings - The plot thickens ;D.
General tab - Leave them at defaults - Normal Image Execution Control Level and Detect shellcode injections. Buffer Overflow protection I believe is a separate nasty entity on its own, but my worries could be for naught if I’m setting Defense+ as an AE. Let me know if I’m wrong on this.
Files to Check tab - Removed all. At first, I misunderstood that this is the list Defense+ checks on all executables. Wrong. I added *.msi and tested by installing a MSI file without any prevention at all. Reading through old posts by Egemen and another forum, this is something that Defense+ checks after those files are launched (probably tied in with the Shellcode injections check - again, correct me if I’m mistaken).

Predefined Security Policies - The main dish :).
Pic # 1 is basically all the applications I ever use and need for Windows to operate. I’ve tried to launch everything and every setting I could remember to build this list while in Clean PC mode.

Pic # 2 is from the * application / process rule {basically, the “every” file rule }, which is used to accommodate for potential applications and process that Windows might launch or that I might have missed in the future. I set all the sub-options to allow, except the first one to Ask on launch. Now, of course being in Clean PC mode, instead of asking, Defense+ will automatically and silently create the necessary rules. It saved me time when I first was rebuilding my rules because they all adopt the same structure.

After all that, I access each individual app from pic # 1 and set the “Run an executable” option to Block. This should cover any possible exploit. I’ll give a more complicated example and the relationship between two applications (Pic # 3): My Opera browser is allowed launch/execute only certain programs (e.g. I sometimes click on the downloaded or transfer window to launch instead of minimizing Opera and then double-clicking on the file on my desktop). Using MS PowerPoint Viewer 2003 as specific example, Opera is allowed to launch .pps, .ppt and similar file extensions. Conversely, MS PowerPoint Viewer is allowed to launch Opera (e.g. sometimes a .ppt file has a URL embedded that I want to launch as a shortcut). You might wonder, “what happens if that .ppt file contains malware and therefore PowerPoint Viewer, as a trust app, can inadvertently cause harm?!”. Remember what I mentioned earlier: after launching and operating all my useable programs, I go back to each rule and set the “Run as executable” from Ask to Block. That means in this example, Opera is only allowed to launch said programs, while PowerPoint Viewer is only allowed to launch Opera, nothing else. This explains why I put the * rule at the bottom, as shown in pic # 2.

The only flaw I can see that I haven’t covered are script executable files. I’m not as familar with these. Feel free to jump in if you have an idea. Sure it’s a pain to configure at first, but like before, once it’s done it is “set and forget”.

PS: I forgot to include that I enable Parental Mode with supressed all alerts. And again, each time I’m about to install or uninstall something, I disable Defense+.

[attachment deleted by admin]

What is an Anti-executable? Its a program which inhibits the execution of other, un-authorized programs. Authorized by whom? The user and or an inbuilt safe list. Why should one use this? All malware infections are some program code which execute instructions which are malicious in nature. If one can stop this execution, one will never be infected.

Why I love this? Once I’ve installed my programs I don’t need to install anything else. I use my PC for work and browsing the web. I don’t play games on it. If you are a gamer you will find this approach very tedious and unworkable. But if you need to lock-down your pc and want peace of mind, this is the only approach.

Why Select CIS? Because its the best in what it does. There are other options but they are confusing to work with.

How to do it? Approach
A] Simple

1. Make sure your PC is clean by running a few scanners and or fresh install.
2. Install all your trusted programs.
   3a. Install CIS. Put D+ in training mode and or Firewall (if using) in training mode.
   3b. You could also put D+ in clean pc mode and or Firewall (if using) in safe mode.
3. Enable parental control and watch the fun.
4. After a few days, put D+ Into Paranoid and Firewall (if using) into Custom Policy.
   All installed programs will have rules for them and your PC is fully protected from any and all infections.

B] Simple but Complex

1. Same as above.
2. Same as above.
3. Install CIS and put D+ in safe mode and or firewall (in safe mode).
4. Goto D+ Settings–>My Own Safe files–> Add the whole program files directory. Also Add your Portable Program files directory. And or add any remaining program directories. Use the options “Include Sub-directories to make life easier”. Eg. Ive add C:\StocksUp with include sub-directories.
5. Enable parental controls and you are set.
   Advantage of this is no clean pc mode=no pending files list.
6. After a few days put D+ into paranoid and firewall to custom policy.
   this is similar to OA, i.e. you whitelist everything on your hard-disk even before it runs. Rule making is on the fly.
   Attachment 1 shows My “My own Safe files”.

C] Complex.

1. Do what soya said above… ;D j/k
2. same as above.
3. same as above.
4. Install CIS, Goto D+ settings and add Program files and Windows Directories with a * at the end, so as to include all files. Then allow all Access Settings. This is similar to using SRP in windows. The only caveat is, if somehow a program lands itself into these directories it would be able to do anthing.
   3b. So you Add These two directories to your Protected Files List, thereby mimicking LUA.
   This approach is more complex and not necessarily better. I love approach B.

Note 1: With approach A and B you could, if desired, edit the Access Settings–>Run as Executable sections for programs like firefox, IE, Chrome, Excel and other so that they are not allowed to run code. This is something which I’ve done, more for peace of mind than anything else.

Note 2: If Parental Controls are not enable then CIS will not function as an anti-executable. So this is the most critical step. Password could be anything, mine “v” as no program will be able to access this setting.

Note 3: Attachment 2 shows a few more extensions added to The executable files sections of protected files super section.

Note 4: On installing a new program and or updating an existing one, the best approach is to disable D+. Yeah yeah I know you are scared, paranoid; can I trust the program … hey if you can’t then please, don’t install it.

I love CIS in this mode. Its quiet, I never get any pop-ups, it works wonders, its secure, it doesn’t intrude on anything, and is the lightest security app ever.

[attachment deleted by admin]

I’m bad at explaining things sometimes, but my setup really is unconventional. In a nutshell, everything that’s interconnected is only allowed to speak (execute) with each other at most. With that in mind, it seems if I wanted a more complete AE setup, I may have to add a few more rules to block them off. e.g. explorer is allowed to launch regedit, but I don’t have a rule to block regedit from being able to launch other programs. Whether it’s possible to begin with is another story.

I don’t happen to trust all that goes on my computer. 88) While I do lockdown a family computer, I keep mine ‘open.’

I think you need to lay off the porn 88) ;D. But AE are not only useful on a family PC (that has admin looking after it), it helps against drive-by-downloads.

Does this same procedure also work for V4, provided that the Sandbox is disabled?

I personally just use V4, with the Sandbox disabled, but seeing as V4 is the only one availble for download on the Comodo site I figured people might be interested.

Having tried version 4 briefly (but never with this setup), I would say it’s possible too. In fact, version 4 supposedly allows you to get away with having no rules added.

And 3.14 is still on the server: https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-314130099587-released-t50813.0.html Get them while they last!

I just remembered one thing (and more to come) that I didn’t include earlier: how I block MSI files from executing. It’s different from slagen’s methods: in explorer.exe, I set the Run as executable to the Block side. This prevents my downloads from Opera from manual or automatic launch as it doesn’t even get to reach msiexec.exe, the second stage 8).

No porn :o

I saw you have a BitTorrent client too…

Yes and it’s the main reason for my internet too ;D. I pretty much download nothing but anime.

Regarding .msi files:

1. if you’ve already run a msi file then explorer.exe will have msiexec.exe listed in the Run As Executable Section of Access Settings Super Section. You must delete this otheriwse .msi could easily run when double clicked.

2. Disallow firefox/chrome/ie and other net facing apps from executing msiexec.exe, otherwise .msi could run without knowledge.

.msi is like a .bat file. Its not executable on its own, but it is executable via a medium, msiexec.exe and cmd.exe respectively.

I love this approach. :-TU

There many locations that msiexec.exe spawns. I only blocked explorer.exe from executing this one, which should be the main one: C:\Windows\system32\msiexec.exe

Here’s a pic showing all the allowed programs before I lock it down with “Block”.

[attachment deleted by admin]

One of the reasons D+ is so powerful is that its so flexible. One of most interesting features of Faronics Anti-Executable v2.x (An app which is/was used by the LAPD among other renowned organizations) was that it would not even allow creation of executable files on the hard disk. Imagine that? How can you infect a PC when you can’t even create an executable content…

This is very easily achieved by D+. As my image shows; D+ Settings->Computer Security Policy->Firefox->Access Rights->Protected Files/Folders. Add “Executable” to the Blocked Files/Folders section and voila. You can’t even d/l an executable file from the internet. Do the same for IE and other internet facing apps and … well you get the idea. :-TU

try adding “All Applications” or a “*” to the Blocked/Files Folders for fun.

If I had the cash, I would pay $1-2million for D+ alone and get it developed further. It has so much potential, but so many issues. The menu system is so hierarchical, the depth should’ve been only 2 and not 4/5 as its now. Oh well.

ps. I don’t use the above settings as I occasionally download programs and program updates. Though I do use this settings for certain, lets say risque/poorly designed programs.
You could even use the BLOCK Setting in Access Rights for a program, but that would disallow registry access, which a few programs need to run properly.

V.J.

[attachment deleted by admin]

Yes it is flexible. I can achieve the same results with my setup by editing the application rules.

Another Cool Settings is :

D+ settings->Computer Security Policy

1. Add Executable’s and then edit the Access Settings to Deny All.
2. DO THIS ONLY AFTER ALL YOUR PROGRAMS HAVE BEEN LISTED IN THIS SECTION. Don’t do this if you’ve NOT checked “Create rules for Safe Applications” in v4. If you do this without that rule checked, in v4 then none of your programs will run properly. ;D

After this settings, programs are automatically denied execution. There is no need for parental control and a password. 8)

I’ve done the same for the firewall. In the settings section I’ve Added “All Applications” And set it to Blocked Applications. Again the caveats from point no.2 (from above) apply. The result it, no worries and no pop-ups and totally denied execution.

I’ve noticed a lot of threads on various forums (none of which I am a member off) lament the fact that Comodo has a lot of popups. Funnily enough, I’ve rarely encounter one. I think its got to do with the way you use CIS. I feel sorry for those poor souls who trust an AV and or Sandbox/Policy Based apps to protect their entire system. I’ve tried em all and the easiest way is CIS emulating an anti-executable. Its set up in 3 steps.

Great thanks to Soya for setting this thread up.

[attachment deleted by admin]

Yes this would work, but I don’t consider it a replacement for Parent Mode, unfortunately. The purpose of Parental Mode is not only to suppress alerts, but to allow every file on your PC (which of course are trusted/safe) to do work in the background. This includes daily operations that you, as the user, didn’t initiate. e.g. the other day, the Defense+ log caught my rundll.exe trying to create a process (i.e. trying to execute) runonce something something (forgot the exact name) after a few days of “silence”. I believe it was a legit process and although there was no foreseeable hindrance, I’d rather not take my chances to block something that may be necessary. That’s another benefit of Parental Mode - any blocked actions are logged, whereas if you set it in your pic to block at that level, it won’t be logged.

^^ Ahh good good. D+ is quite flexible that way. I think you are right about that rundll32 thingy.

Thanks.

I forgot to screenshot how I covered MSI and script files (:SHY). This is inside my rundll32.exe

[attachment deleted by admin]

A different method that works with CIS v3.x and later is found at https://forums.comodo.com/defense-sandbox-help-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html.