Defense+ Driving Me Crazy!

After running Comodo firewall only for 6 months, I decided to try Defense+ again. I tried it a couple of months ago and it drove me to the edge then.

I am running WIN XP Pro SP2 and Comodo ver 3.13. I switched to Comodo Proactive setting. I have left the new firewall rules as is except for any new Comodo generated ones.

I have left Defense+ set at safe mode. In this mode, it, of course, will generate rules for any existing apps on your PC.

I noticed that the default action selected by Comodo Defense+ rules is to allow as an Installer or Updater.

My specific question is I later attempted to change this installer/updater status to trusted application. I did this initially for my AV, Symantec Endpoint 11.5. What is happening is Defense+ keeps changing the trusted application status back to installer/updater. It appears to do this primarily for applications that call out or spawn another process; e.g. rtvscan.exe. Should I just leave these apps' statuses as is - installer/updater?

I realized after I posted this that the Defense+ Allow selections work just like the Firewall does; you have to scroll up and down to select the option to apply.

No, I am not in Installer mode. I am in safe mode with low level alerts for the firewall and safe mode and normal alerts for Defense+. When I allow something in Defense+, it is created by Defense+ as a custom rule. Most have been created as installer or updater since that was the first option on the allow action.

Again, I can change these original Defense+ generated rules to trusted. But as I stated in my first posting, some of these updated trusted rules revert back to installer or updater with their originally assigned permissions the first time the application is run.

I think I will just stick with Comodo firewall and forget about Defense+. I might try DefenseWall HIPS that uses only two statuses; trusted or untrusted, provides a virtual sandbox environment, and is much easier to maintain.

Defense+ in Safe Mode will generate rules for apps which are in its safe list. If you want rules for all your existing programs without asking, you should be in Clean PC mode.

When you get a Defense+ alert you do not have to select any special mode, just OK it with Remember selected.

If you delete all the rules you have made, you can start again and soon have a quiet installation.

Once you have run all your programs simply switch back to Safe Mode.

Not if you want to gain the benefit of installation mode… (Which is no D+ alerts during installation)

By saying no, you’re telling CIS: “I want to enter installation mode”. It asks, are you sure? And you then tell it “No”… 88)

By selecting no, there is literally no reason to tell CIS to treat an application as an installer/updater.

Not quite. If you choose installer/updater for an application, that application runs as an installer/updater but does not transfer that right to child processes.

You will receive further alerts, but not for the process you have allowed.

Dennis

Right, so you can get additional alerts, as opposed to telling it to enter installation mode in which you will not have any further alerts.

Great discussion on installation mode! However my original question remains unanswered. So let me repeat it again.

“My specific question is I later attempted to change this installer/updater status to trusted application. I did this initially for my AV, Symantec Endpoint 11.5. What is happening is Defense+ keeps changing the trusted application status back to installer/updater. It appears to do this primarily for applications that call out or spawn another process; e.g. rtvscan.exe. Should I just leave these apps' statuses as is - installer/updater?”

I was looking at the user manual and wonder if I have to add applications manually, like my AV, to My Safe Files List? I originally assumed that Defense+ would do that automatically when you allow the application or program but I guess not. Symantec Endpoint 11 spawns all kinds of subprocesses when it's running. I am running Proactive Threat Protection which uses both signatures and heuristics to detect malware and keyloggers, etc. It also protects all internal Symantec files. Unfortunately, the network protection functions are part of its firewall feature that I don’t want anything to do with. This is the primary reason I am running Defense+. I really wish Comodo would go back to the pre-version 3 architecture where network protection was part of the Comodo firewall.