Defense+ and digital certificates. [Resolved]

I wanted to use digital certificates to reduce the number of alerts from some trusted software vendors. But it seems it’s not working as I expected. When Defense+ is in Safe Mode everything works as it should. All actions of digitally signed applications are learnt even though they’re not in Comodo’s safe application list. But when I switch Defense+ to Clean PC Mode I’m alerted about some actions of a digitally signed application. And here arises my question, because I don’t know if it’s correct Defense+ behaviour or not.

The mentioned application is a PunkBuster service which is digitally signed by Even Balance Inc…
There is a possibility that this application is somehow changed when I launch a game (the game is Battlefield 2, but I think it’s irrelevant). Since the file is/might be modified you would think that Defense+ does its job and alerts you about it. But since this application is digitally signed and is considered a safe file, and even Comodo informs me that this is a safe application, should I still get an alert that some safe application wants to do something?

In Clean PC Mode description (in Safe Mode description as well) there is a sentence:

‘Every action of the safe executable files are learnt’

and I would assume that it should take precedence over:

‘New executable files introduced to the PC are not assumed safe’

A developer comment on this one would be appreciated.


No one has anything to say about this… Have I missed something? ;D

I always thought Clean PC Mode meant that when you install CPF3/CIS, anything installed at that time on your computer is classed as safe.

I have mine set to Clean-PC. What it means is [everything] gets flagged first for your approval before being allowed to run (everything except the basic Windows OS). I have had to either Allow or flag as Trusted (depending on the file trying to access) every piece of Windows software on my system whenever it ran for the first time after the install. This includes some modules of programs already flagged as either Trusted or Windows System files.
I am beginning to think Safe mode is the preferred and better way to manage what is allowed to run and what is not.
White-List should already include all Windows applications/files (that’s from a clean install) without having to continuously reflag all modules.

(:SAD) I just installed Comodo Firewall today (Free version: Windows XP SP3). I had tried Zone Alarm, which was too hard to use and had poor info management online and in the program. My problem: The Firewall does not recognize my e-mail provider, EarthLink. I tried using the in process method to add the banned vendor, but get back a message that there is no credible digital signature. I went in and fiddled around some (I am not computer savvy) and was able to bring up a signature under the properties tag. Comodo still won’t recognize the vendor signature. There is one other trusted vendor on the Defense+ list that I also would like to add (same problem). That is also a big name vendor.

Another question: I use Mozilla Firefox as my preferred browser. I have a lot of add-ons, some good for security like Java no-script and CS Lite, plus some that are there for fun or ease of function. Will there be trusted vendor issues for these, as well? So far, everything seems to be working fine. It seems to be an update issue. My firewall hasn’t gone thru all my files and processes yet, so I still have a lot of work to do.

I don’t exactly understand what’s meant here by “Firewall does not recognize my e-mail provider”. They distribute some email application or what? Go to Defense+ screen, Common Tasks, My Trusted Software Vendors and click on Add button. Then you can either browse to the executable, or import the signature from a running process. If that doesn’t work, then either the application is not signed or you need a proper root CA imported so that the certificate chain is complete, otherwise the certificate cannot be verified and trusted.

I don’t think a digitally signed application is changed, as it would mean that the signature becomes invalid.

Have you checked “Defense+ → Advanced → Defense+ Settings → Trust the applications digitally signed by trusted vendors”?
Also check your pending files - if your application is there - it will not be assumed safe in Clean PC mode.

Thanks for the answer.

I double checked and this option has been enabled. I have run additional tests as well.

It seems to me that this is some kind of issue with Clean PC Mode and digital certificates.
As I said before, in Safe Mode the proper rule is automatically created if I have imported the Even Balance digital certificate to CIS (Safe_Mode_1.png). If I remove this digital certificate then I will get the same Defense+ alert as on the screenshot (Clean_PC_Mode_2.png). In Clean PC Mode, whether I add the Even Balance digital certificate to CIS or not, I get an alert. With the digital certificate added to CIS I get an alert that a safe application wants to access protected files, but no pending files are added (Clean_PC_Mode_1.png). Without the digital certificate in CIS I get a similar alert, but this time the application is unrecognised and pending files are added (Clean_PC_Mode_2.png).

In addition I checked whether the file has been physically modified by making the MD5 signature of ‘C:\Windows\system32\PnkBstrB.exe’ before running a game. After a few runs of the game the MD5 signature is exactly the same, and when I looked into the file Properties only the modification and last access dates have changed, but the digital certificate is still valid according to Windows.
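The two checks discussed in this thread (does the file carry a signature whose chain Windows can validate, and did its contents change between runs), as an added PowerShell example that is not part of any forum post. The function names `Get-FileTrustSnapshot` and `Compare-FileTrustSnapshot` are hypothetical, SHA-256 is used instead of the MD5 mentioned above, the path is the one quoted in the post, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example, not from the thread. Helper names are hypothetical.
function Get-FileTrustSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path         = $item.FullName
        SHA256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        LastWriteUtc = $item.LastWriteTimeUtc
        # Valid      = signed, hash matches, chain builds to a trusted root.
        # NotSigned  = no Authenticode signature on the file.
        # HashMismatch = file contents changed after signing.
        # Any other value: read SigMessage, e.g. for an incomplete chain.
        SigStatus    = $sig.Status
        SigMessage   = $sig.StatusMessage
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Compare-FileTrustSnapshot {
    param($Before, $After)

    [pscustomobject]@{
        # A timestamp change alone does not invalidate a signature;
        # only a content change does, and the hash shows that directly.
        ContentChanged   = $Before.SHA256 -ne $After.SHA256
        TimestampChanged = $Before.LastWriteUtc -ne $After.LastWriteUtc
        SignatureChanged = ("$($Before.SigStatus)|$($Before.Signer)" -ne
                            "$($After.SigStatus)|$($After.Signer)")
        SigStatusAfter   = $After.SigStatus
        SigMessageAfter  = $After.SigMessage
    }
}

# Path taken from the post above.
$target = 'C:\Windows\system32\PnkBstrB.exe'

$before = Get-FileTrustSnapshot -Path $target
Read-Host 'Run the application that touches the file, then press Enter' | Out-Null
$after  = Get-FileTrustSnapshot -Path $target

Compare-FileTrustSnapshot -Before $before -After $after | Format-List
```

`ContentChanged = False` with `TimestampChanged = True` corresponds to what the post reports: the file was touched but not altered, so its signature stays valid.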


Let me explain…

The difference between Clean PC and Safe mode of Defense+ is that in Safe mode only applications from the internal safe list, My Own Safe Files and (if the corresponding checkbox is checked in D+ settings) applications digitally signed by trusted vendors are considered to be safe, but in Clean PC mode only applications already installed on your PC are.

So, when you install a new application on your PC with Defense+ in Clean PC mode, it’s not considered to be safe regardless of whether it is signed or not. Thus you get a notification about its activity.

Thanks for the explanation.