Defense+ and Sandbox issues


Issue 1: Defense+ does not seem to be raising alert for anything covered under “protected settings” when in training mode. doesn’t this defeat the purpose of training mode? for example, having protection on windows services is a very good feature, but having to white list, by hand, every single application that could be making a request to a windows process is redundant.

issue 2: sometimes in training mode, things are still blocked, and sometimes in safe mode, I am not receiving alerts.

issue 3: edit: CIS was blocking all sorts of windows applications (bitlocker?) so just to test i added a wildcard expression for %windir%\system32* and set all to “Allow”. still, applications under this directory are blocked from hooking into an application under Program Files (one that contains no protection rules). i am at a loss understanding what could be trumping my rule;

CIS Defense+ seems to block everything that hasn’t got an explicitly defined exclusion!??

am i missing a very obvious step somewhere?


Issue: it simply does not work. launching virtkiosk.exe results in the application hanging, sometimes consuming 100% cpu. right-click launching an application in the sandbox does the same thing. dragon/IE will not launch in the sandbox

i have tried uninstalling, using the cleaner tool in safe mode, reinstalling. i have tried on another machine. i have tried on a different architecture (x86 and 64bit). i have tried disabling services, exiting applications, etc

i have tried disabling DEP, ASLR, SEHOP, etc. i have even checked virtkiosk.exe against Depends, and attached a debugger to see if it was trying to access a shared library, object, or file which i might have been missing (or something else obvious).

no cigar. i have not had any luck getting it to work

any ideas?

well, i woke up this morning, and fired up the development machine. the first sign that tipped me off that something was wrong was that all my desktop widgets were not functioning properly.

next, i noticed that i lost all internet connectivity in every application. disabling COMODO firewall and Defense+ didn't help either.

so i went to go use System Protection to restore to an earlier time. to my ASTONISHMENT, the Comodo installer did NOT create a restore point!!! any installer that brings with it DRIVERS needs to create a SYSTEM RESTORE POINT!

restore points for system application installers are not just aesthetics, or appeal, it's proper coding on the windows platform!

luckily i had one from an earlier time (not without losing a few days of system changes mind you)…

sorry guys. just ignore my post above. i am never installing this half baked security suite on any of my machines again. heading straight back to avast!

and while you're at it, somebody needs to add to the wish list:

"hire people willing to write working code, that has been thoughtfully tested, and uses the proper checks and balances set out by the operating system to which it is being installed. "

Personally I find Windows Restore and back up to be messy when used and really slow, and there is no requirement to use windows backup when installing drivers or filters, according to a friend of mine that writes drivers at Intel.

From the CIS-game rule-book:

[b]Training Mode:[/b] Defense+ monitors and learns the activity of any and all executables and creates automatic 'Allow' rules until the security level is adjusted. [u][i]You do not receive any Defense+ alerts in 'Training Mode'.[/i][/u] If you choose the 'Training Mode' setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.
- emphasis mine

However learning is contingent upon the following:

[b]Create rules for safe applications[/b] - Automatically creates rules for safe applications in Computer Security Policy ([i][b]Default = Disabled[/b][/i]).

Note: Defense+ trusts the applications if:

The application/file is included in the [u][i]Trusted Files[/i][/u] list.

The application is from a vendor included in the [u][i]Trusted Software Vendors[/i][/u] list.

The application is included in the extensive and constantly updated Comodo safelist.

By default, CIS does not automatically create ‘allow’ rules for safe applications. This helps saving the resource usage, simplifies the rules interface by reducing the number of ‘Allowed’ rules in it, reduces the number of pop-up alerts and is beneficial to beginners who find difficulties in setting up the rules.

Enabling this checkbox instructs CIS to begin learning the behavior of safe applications so that it can automatically generate the ‘Allow’ rules. These rules are listed in the Computer Security Policy interface. The Advanced users can edit / modify the rules as they wish.

emsisoft file protection makes virtkiosk.exe hang on my pc… never found a fix for that