I’m using CIS with Defense+ in Paranoid mode. I was under the assumption that in this mode, Comodo would ask you whenever an application tried to perform something. However, after using the mode for a while, I no longer get alerts for several applications.
Under Computer Security Policy, there are some applications at the top that are treated as ‘Custom policy’. Applications such as taskmgr, Firefox, cmd.exe, mmc.exe etc. When clicking ‘Edit’ and then ‘Customize’, I can see that these applications now have all the access rights apart from ‘Run as executable’, for which they are set to ‘Ask’. Under the ‘Protection Settings’ tab I can also see that all the protection types are set as ‘inactive’.
What if a Windows system application somehow got infected without CAV being able to detect it, and you’d want to control what actions it performs? How can I make Defense+ ask for access rights for all applications when using Paranoid mode? It seems that it ‘learns’ that some applications are safe after a while, correct?
Have you by any chance enabled the option “create rules for safe applications” in Defense+ Settings > General Settings? If yes, disable it and remove the previous application rules - except of course the default ones for Windows System Applications, Windows Updater Applications, Comodo Internet Security, explorer.exe and “All Applications” - and see if it makes a difference. Normally Defense+ will now pop up each time you launch a program.
No, I have not had “create rules for safe applications” enabled, nor have I used “remember my answer” when allowing those applications in Paranoid mode. Is the fact that those applications still have access rights a sign of something wrong with the CIS installation or something?
I can list all the applications that are displayed there:
These are all treated as ‘Custom Policy’, they have full access rights aside from ‘Run as executable’, and all protection types are inactive. Under the ‘Access Rights’ tab, each access name has the exclusion ‘Modify (0\0)’ written in blue. This exclusion is not present for DNS Client Service, Physical Memory, Computer Monitor, Disk or Keyboard, however.
When Defense+ is set to Paranoid mode, CIS should alert the user unless it finds a rule for that application telling it what to do. As you haven’t made rules for the files you mentioned, it is not normal behavior for Defense+ in Paranoid mode to make rules by itself for certain files allowing them to do nearly everything.
Your configuration could have been corrupted. To see if that’s the culprit, first save your configuration after having removed the “offending rules” ==> More > Manage My Configurations > Export (give the file another name than one of the 3 default ones).
Now import a clean one ==> same path > Import > Comodo > Comodo Internet Security and choose between the 3 *.cfg files.
Does Defense+ stop making unwanted rules under the new config?
I did as you suggested, and so far it seems to have fixed the problem. Defense+ no longer makes the unwanted rules.
What do you think might have caused the problem in the first place? Should I suspect malware of some kind may have messed with the configuration? (I have done scans with multiple security software and found nothing, however.)
Something that I noticed lately that I haven’t spotted before, is that Defense+ says Windows Live Messenger tries to access svchost.exe every now and then, even when I’m not using the application. And when I do use it, I notice a blocked entry in the firewall logs: ICMP from 192.168.100.1 Type(3) to my IP address Code(3). Is this normal?
Either way, your suggestion seems to have worked. Thanks!
No I wouldn’t suspect malware. Did you by any chance encounter a crash of CIS before the occurrence of the problem?
ICMP Type (3) Code(3) means that Destination and Port were unreachable. 192.168.100.1 is probably the address of your router.
I had WL Mail but have removed it because I was tired of its perpetual attempts to connect to the MS server at each launch.
If I remember correctly, when you install a component of Windows Live, it installs a service, hence the triggering of svchost.exe each time you launch WL Messenger. I’ve never used WL Messenger and can’t explain why it triggered svchost.exe when you’re not using it. Maybe another member will be able to help you on this point.
If the system recovery was done with the restore function of Windows, I think it could have corrupted your CIS config. If it was done with a third-party backup & recovery software, I’m very doubtful that could be the case.
Yes, it is, from my point of view at least, possible that the configuration’s corruption may have also altered the FW’s behavior.
If the system recovery was with the restore function of Windows
It was, indeed.
Today I tried to add a file (FlashPlayerUpdateService.exe for Macromedia Flash) to ‘Unrecognized Files’ so that it would run in Sandbox, and it said: “FlashPlayerUpdateService.exe is a safe file and could not be added to the Unrecognized Files.” Is this normal? I couldn’t even find it from the Trusted Files list. And how can I make it un-safe so that it can be added to the unrecognized list? I tried blocking the file with Defense+ to see if it would help, but nope.
Also, when going to the Defense+ tab and selecting ‘Trusted Files’, there are A LOT of files on the list. Should I remove all of them, since I want to run things in Paranoid mode, or would that cause problems?