Defense+ doesn't enforce "ask policy", but silently allows the action [296]

Hi, I think Defense+ doesn’t handle the ask policy as it should:

  1. What you did:
    I downloaded an EXE file with Internet Explorer

  2. What actually happened or you actually saw:
    The EXE was saved without intervention from Defense+

  3. What you expected to happen or see:
    I expected Defense+ to show a warning that IE tries to create a protected file, since “Executable files” is in my protected files list and I have an “ask policy” for IE.

  4. How you tried to fix it & what happened:
    I have no idea how to fix it. I changed the “ask policy” to block manipulating executable files and as expected, IE wasn’t able to save the file anymore. So I think my configuration should work as expected and D+ should ask me about IE.

  5. Details (exact version) of any software involved with download link:
    CIS 5.0.162636.1135
    IE 8.0.7600.16385 (tried 32bit + 64bit)

  6. Any other information (eg your guess regarding the cause, with reasons):
    I think Defense+ doesn’t enforce ask policy, but instead allows the request silently. See (4): Blocking works as expected.

Files appended

  1. Screenshots illustrating the bug: n/a

  2. Screenshots of related event logs or the active processes list:
    sorry, no log entries, since D+ didn’t do anything

  3. A CIS config report or file.
    I attached a screenshot of my IE policy.

  4. Crash or freeze dump file: n/a

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS 5.0.162636.1135, AV DB: 6313
    I’m using CIS with a custom configuration based on the proactive configuration.

  2. Whether you imported a configuration, if so from what version:
    No, started with a fresh one

  3. Defense+ and Sandbox OR Firewall security level:
    Defense+: Clean PC Mode
    Sandbox: Off
    FW: Custom policy

  4. OS version, service pack, no of bits, UAC setting, & account type:
    Windows 7, no SP, 64bit, UAC enabled, admin account

  5. Other security and utility software running:
    Nothing, Windows Defender is disabled.

  6. Virtual machine used (Please do NOT use Virtual box):
    No

[attachment deleted by admin]

Correct. The file was saved, but it is not running, so D+ has no part in this yet.
At most the AV might warn you if it was viral.
As soon as you attempt to run this, D+ and/or sandbox will be right there protecting you.

That’s not the point!

The intention behind this policy is, that I get notified, when a critical application (in this case IE) tries to manipulate important files.
The plan is to get an alert when the intrusion happens (by an unpatched security issue or own stupidity), so it’s easier to locate the problem.
An alert, that a new file tries to run is nice, but I don’t know, where the file originated if I didn’t actively and willingly save it.
Even worse - in case of a file deletion or a file change it may be too late to restore the original state.

The point is: Defense+ offers me the possibility to select if I want to be asked, I want silently allow or silently deny an action. So if I select ask in the policy, I want to be asked and not to allow silently!

By the way, I just tested this with a Win 7 32bit environment. It’s the same behavior.

You have to use Paranoid mode if you want to be asked. IE is a safe application, so it will not ask in Clean PC Mode or Safe Mode; these always take priority over any rule you may set in these two modes.

Dennis

That’s not right! As I’ve already written above, if I select “block” instead of “ask”, all works like expected and the behavior is blocked. So the rules have priority.
If you were right, this should have no effect either!

Moved to Format verified Issue Reports

Dennis

Me too!

I have notepad.exe in the “Defence+ rules” with all options set to “Ask”, and in “Protected Files and Folders” the path “C:\programme\Mozilla Firefox*”. In the Defence+ Security Level “Safe” AND ALSO “Paranoid”, CIS does NOT ask me when notepad.exe modifies a file under “C:\programme\Mozilla Firefox”. When I block the “Protected Files/Folders” in the notepad.exe rules, CIS blocks notepad.exe in Safe/Paranoid from modifying a file in “C:\programme\Mozilla Firefox”.

Here is a post about precedence in version 4. The devs have confirmed that what I describe is how he intends things to work. Whether you think it’s how it should work is another thing!

Precedence #2 is relevant to your issue.

In reading this please remember:
autosandbox policies include trusted files
safe files = trusted files in version 5
CSP rules = CSP ~ D+ rules in version 5
autosandbox D+ rules = the D+ rules implemented by autosandbox policies - not CSP ~ D+ rules

Hope this helps a bit

Mouse

Hm, I think you forgot the link to the post :wink: At least I hope so, since I have no idea, what your post wants to tell me. What is CSP?

Kind regards,
Michael

OK, now it’s in! (See quote above). Sorry.

CSP = computer security policy
D+ rules = Defence plus rules

Hope that helps

Mouse

Thank you for pointing me to this post. I tried to find something about this in the CIS5 help, but I wasn’t successful there.

So to summarize:

  • The statements, that you just need to disable the sandbox to get back CIS3 behavior are simply wrong. It wasn’t possible in version 4 (I already knew that) and isn’t in version 5, since there is no way to disable these new security policies. (I’ve disabled the sandbox and unchecked the “Treat unknown files as” option).
  • There is no official help file explaining the complete set of policies and how they work together. So the only way to get to know how CIS5 works is setting it up and waiting until something unexpected happens?
  • The behavior I’ve reported is correct and wanted and the devs think, there’s no security risk in silently allowing requests, even if there’s an explicit ask policy - without officially documenting this?

Please tell me I’m wrong!

Not sure who made that statement, but disabling the sandbox is only part of it.

To make CIS 5 D+ alert everything for which you don’t have a tailored application rule you need to do at least the following:

  • Disable sandbox.
  • Move security slider to paranoid, unless you want trusted applications to be trusted
  • Remove all files from trusted files
  • Remove all entries from the trusted vendor list (use del key multiple times)
  • Disable all cloud lookups (AV and D+) to prevent re-population
  • Reboot after doing all the above. Please note that as in CIS 3 you may find some OS files are denied necessary permissions - if this happens boot into safe mode and examine boot and D+ event logs and make rules to resolve the issue. Or use learning mode on first reboot, then move to paranoid after sorting the application rules.

Not the greatest expert at this so other mods may chip in. Please note the difference between trusted applications and files. If you try this tell me if it works and I’ll do a FAQ.

* There is no official help file explaining the complete set of policies and how they work together. So the only way to get to know how CIS5 works is setting it up and waiting until something unexpected happens?
The help file needs additional material and a deeper update. This is a critical issue in the mods bug tracking system.
* The behavior I've reported is correct and wanted and the devs think, there's no security risk in silently allowing requests, even if there's an explicit ask policy - without officially documenting this?
Well in the new way of working, it's very much intended that there should be no alerts for trusted files unless they need unlimited access). The problem is that there's not much documentation regarding how to make the new CIS work in the old way for those that want a Classic HIPS - how to do without trusted files. A question of priorities for Comodo I guess. That's why I stepped in with my FAQ, which I will try to update for version 5 if people find it helpful.

Hope this helps a bit

Many thanks

Mouse

I read this numerous times for v4, and also at the beginning of the v5 release. Probably this was the result of the lack of documentation.

In paranoid mode also “ask policies” are respected on my system. So the new unmodifiable policies don’t seem to influence D+ anymore. I liked Clean PC Mode a lot, as it gave me full control (and an overview over) new applications on the system, while I got no popups for known apps I didn’t explicit create a rule for. But since CIS3’s Clean PC Mode seems to be gone, I’ll think about a handy policy for D+ in paranoid mode.
So, it seems to work at a first look. I’ll have to adapt this to my needs and hope that there won’t be another point where I don’t understand CIS’ behavior.

I hope, that there will be a good documentation soon. This would have prevented this bug report and also the discussion. Unexpected and undocumented behavior is an absolute no-go for a security application in my eyes.

I have no problems with no alerts for trusted files. The point is, that I like to decide which files I trust. And not some magic behind the scenes putting me in new “trusted” vendors and safe file lists. I understand, that COMODO tries to get less and less alerts and this is urgently needed to reach less experienced users. And I welcome these efforts. But I would have preferred it if I could select which features I like to enable and which not.

Just to give an example: When the trusted software vendors were added, we also got an option not to use this list in CIS3. Now in CIS5 this option is missing; in addition, the trusted software vendor list gets automatically populated when you’re using the cloud scanning features.
So first, COMODO changes my configuration without asking or documenting this, which may lead to unexpected and unwanted behavior. The second point is that I can’t use the cloud features if I don’t like the trusted software vendors list. I don’t see a direct connection between cloud scanning and trusted software vendors on my local machine. So why are updates of this list pushed via the cloud scanning feature?

It’s the same here. But it’s not so obvious, and here I see a little connection: Why do auto-sandboxing policies influence D+ even if the sandbox is disabled? Why do they influence D+ in Clean PC Mode, but not in Paranoid Mode? But since the HIPS probably enforces the sandbox restrictions, I can at least see a connection here…

Kind regards,
Michael

That’s good. Makes sense - paranoid = not trusting ‘Trusted Apps’ in v3. Now this is extended to ‘Trusted Files’ I guess. So I guess my note should say you can EITHER use paranoid mode OR you can carry out the rest of the steps above.


I agree a) that the help text must be updated - we have made a very strong point re this, but have no control, b) that trusting vendors should be an option - again mods have said this to the devs. My feeling is that CIS’s new fixed policies prioritise anti-malware concerns over privacy concerns - this actually does reflect my emphasis, but that’s not true for everyone. Trusted not to drop malware is not the same as trusted with personal information; indeed people may validly want to choose who they personally will trust with their information.

Anyway glad to have helped a bit

Best wishes

Mouse

Sorry, but for me it’s not so clear with CIS behaviour. I still think there is a faulty behaviour:

  • Defence+ is set to Paranoid
  • Sandbox off
  • “protected files and folders”: C:\dokumente und einstellungen\daniel\anwendungsdaten\mozilla\firefox\profiles******.default\prefs.js
  • firefox.exe and notepad.exe in “Defence+ rules” with “Ask” in “protected files and folders”
  • trusted vendor list is full of entries from Comodo.

Now, when I start firefox.exe, CIS asks me if Firefox may modify prefs.js (as I expected it), but CIS does NOT ask when I modify prefs.js with notepad.exe.


Are there any news on this? Actually over one year has passed and I can’t see any efforts here. The top point at the description of “Clean PC Mode” is still “- Computer security policy is applied” while it’s clearly mentioned here, that this isn’t intended! I can’t find anything about this in the online help either.

If a software doesn’t behave according to the description, this is clearly a bug. If not in the program’s behavior, then in the GUI!

I feel like I should also file a bug report about automatically populating the “Trusted Files” list as I can’t find any documentation about this!

Sorry for the delayed reply.

No update I am afraid. Devs seem to be incommunicado ATM - presumably working on CIS 6. I have had no replies to recent communications from me. Another mod has had a similar experience.

Since we have told them, the best we can hope for, given absence of communication, is a fix in CIS 6.

Best wishes

Mouse

Ok, then let’s hope the best for CIS 6.
But actually I’m not very optimistic that CIS 6 will bring any improvements for any long term problems - they persist from version to version and it seems no dev cares. Maybe mods have more information about the development process, which permits another point of view.

Kind regards and thank you for the answer.

That’s OK, and I agree that there are persistent bugs that need to be resolved.

I suppose it’s a consequence of low development budgets in free software.

An automated bug reporting system is mooted, and this may help…

Unfortunately us mods have no control…

Best wishes

Mouse