Defense+: In which order are the conditions exercised?

CIS 5.3
Windows XP Pro SP-3

Under the Defense+ configuration, the following conditions are listed when I select “Safe Mode”:

  • Computer security policy is applied.
  • Every action of safe executable files is learned.
  • Every action of unknown executable files is alerted to the user.

In which order are these conditions exercised? Is it top-down (as I assumed), with policies enforced first before anything about safe files is exercised? Or is it bottom-up, which means safe files will get their behavior learned first and only afterward are policies enforced?

I ask because I’ve installed programs that were considered safe by CIS; however, they added startup entries to the Run registry key. I never got notified that there was a change to the Run key (for another data item added under it). Yet the Run key is a protected registry item. If the order of conditions exercised was bottom-up (which would be a non-intuitive ordering) then, yes, the safe program would be allowed to modify the Run key without alerting the user and the policies would get exercised too late.

While I like the idea of using the whitelist of safe programs to eliminate having to deal with lots of prompts, I still want to know when a program is modifying the startup behavior or load state of Windows. Even for safe programs, I want to know when they add, for example, a startup item under the Run key, in the Startup folder, as a WinLogon event, as a scheduled event on login, etc. Just because Comodo considers, for example, Quicktime to be safe program doesn’t mean that I want it adding a Run key to run its superfluous qttask.exe program on Windows login. If a safe program defines an NT service or adds a web browser add-on, I’d still like to know about it. I don’t want to reinstall WinPatrol to overcome this deficiency.

Does this mean I have to go to the more painful and nuisancesome Paranoid mode for Defence+? Since most of the changes to which I want to be alerted occur during the installation of the program, can I configure CIS to not consider any installer as a safe program? That is, use the safe program whitelist to reduce prompts but NOT for installers?

Even if this were possible, some programs modify the startup items when they are executed. For example, Quicktime may re-add its qttask Run key when you modify its configuration settings (or maybe it gets re-added by an update, which comes back to not trusting installers but still trusting safe programs). There is no Untrusted Files section in Defense+ to alert me anytime that particular program violates my security policies, and I don’t want it listed as an Unrecognized File to then get sandboxed (it is not an unrecognized file but I don’t fully trust it, either).

I figured if the conditions listed for Safe Mode were exercised in the top-down order in which they are listed, enforcing the policies would occur first and alert me to changes on protected registry keys before anything regarding the condition of whether a program was safe or not got exercised. Doesn’t seem to work that way though since installers known as safe programs get to make changes that violate the policies.

I don’t want to trust installers. For them, I’d like Paranoid mode. I do want Safe Mode after the program has been installed and is considered safe - except for some programs that I want to remain untrusted (and NOT unrecognized). I don’t want to be manually switching Defense+ modes for installers since that is error prone (not remembering to do it) and then having to remember to return to Safe Mode (and it still doesn’t handle the case of untrusting specific programs).

How do I remove just installers from Comodo’s safe list? Or, how do I get installers (and not already installed safe programs) to run under Paranoid mode?

How do I untrust (or not trust) a program (which is known, not unrecognized)? Do I have to contrive a policy for it? If so, will that policy get enforced despite the program being in the safe list? It doesn’t happen that way for safe installers.

I just looked around again inside CIS. I noticed when defining a policy (rule) for a program that you can pick from pre-defined policies (which can be edited). One of the selections was “Installer or Updater” pre-defined policy when defining an app rule. Yet when I looked under the PreDefined Policies tab for Defense+ settings, there was no such pre-defined policy defined there by that name. So there is a pre-defined policy selectable when defining an app policy (rule) but no way to edit that policy (so I could change it to alert on the protected areas). The one pre-defined policy that I’d like to change but can’t. I figured that policy got used by default for installers on the safe list but maybe not. So I still haven’t found a means to remove installers from the safe list or to modify the policy under which they are controlled.

NOTE #2:
There is no documentation that I have yet found that defines just what conditions or criteria are covered by the “Installer and Update” policy. This is a HIDDEN predefined policy whose settings users cannot review to see how it manages installer or updater programs. Users can’t edit a predefined policy they can’t see or select. I don’t want to use Paranoid mode for installed programs, only for installer/updater programs. Having to manually flip to Paranoid mode for an installer and remember to flip back to Safe mode after the install is not just too much hassle but error prone.

Since the changes to which I want to be alerted are those typical of installers, and since Comodo appears to include installers in their safe list, and because I cannot edit the predefined but hidden “Installer or Updater” policy, it looks like I have to reinstall WinPatrol to tell me when these changes have been made. CIS Defense+ in Safe Mode would cover the non-safe programs while WinPatrol catches the changes made by installers that CIS refuses to alert on (unless I choose to get really super nuisanced by D+ by using Paranoid mode).

The changes are prevalently experienced during an install. CIS won’t issue alerts for installers. I have to use WinPatrol for that. I was hoping to get rid of WinPatrol when I elected to use CIS.
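The WinPatrol-style check the post above keeps asking for (tell me when something adds a Run key, Startup folder item, Winlogon hook, service, scheduled task or browser add-on) can be scripted without relying on Defense+ at all. The following is an added example, not code from the thread or from Comodo: it snapshots those autostart locations, saves the snapshot, and on the next run reports what was added, removed or changed. The baseline file path is an assumption; everything else uses only standard registry keys, WMI and schtasks so it works on XP-era PowerShell as well as later versions.

```powershell
# Added example (not CIS/Comodo code): snapshot the autostart locations named in
# the thread and diff them against the previous run. Run it before and after an
# install (elevated, so HKLM and service data are complete). The baseline path
# is an assumption; change it to suit.
param(
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'autostart-baseline.xml')  # assumed location
)

function Get-AutostartSnapshot {
    $items = @{}   # key = where it launches from, value = what launches

    # 1. Run / RunOnce entries for the machine and the current user.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props) {
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -notlike 'PS*') { $items["$key\$($p.Name)"] = [string]$p.Value }
                }
            }
        }
    }

    # 2. Winlogon values that run code at logon.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Userinit', 'Shell') {
        $v = (Get-ItemProperty -Path $wl -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { $items["$wl\$name"] = [string]$v }
    }

    # 3. Startup folders, located via the Shell Folders keys so the paths are right on XP and later.
    $folders = @(
        (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -ErrorAction SilentlyContinue).'Startup',
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -ErrorAction SilentlyContinue).'Common Startup'
    )
    foreach ($f in $folders) {
        if ($f -and (Test-Path $f)) {
            Get-ChildItem -Path $f | Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { $items["startup:$($_.FullName)"] = $_.LastWriteTimeUtc.ToString('o') }
        }
    }

    # 4. NT services: start mode plus the binary path.
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $items["service:$($_.Name)"] = "$($_.StartMode) $($_.PathName)"
    }

    # 5. Scheduled tasks via schtasks (Get-ScheduledTask only exists on Windows 8 and later).
    #    schtasks repeats its CSV header per task on some versions, so drop those rows.
    $csv = schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv
    foreach ($t in $csv) {
        if ($t.TaskName -and $t.TaskName -ne 'TaskName') { $items["task:$($t.TaskName)"] = [string]$t.'Task To Run' }
    }

    # 6. IE Browser Helper Objects: CLSID subkeys resolved to the DLL they load.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $items["bho:$clsid"] = [string]$dll
    }
    return $items
}

function Compare-AutostartSnapshot($Old, $New) {
    # Report entries that appeared, vanished, or now point at something else.
    $changes = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k))   { $changes += "ADDED    $k = $($New[$k])" }
        elseif ($Old[$k] -ne $New[$k])  { $changes += "CHANGED  $k : '$($Old[$k])' -> '$($New[$k])'" }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k))   { $changes += "REMOVED  $k = $($Old[$k])" }
    }
    return $changes
}

$current = Get-AutostartSnapshot
if (Test-Path $BaselinePath) {
    $baseline = Import-Clixml -Path $BaselinePath
    $diff = Compare-AutostartSnapshot $baseline $current
    if ($diff) { $diff | Sort-Object | Write-Output } else { Write-Output 'No autostart changes since baseline.' }
} else {
    Write-Output "No baseline found; recording $($current.Count) autostart entries."
}
$current | Export-Clixml -Path $BaselinePath   # this snapshot becomes the next baseline
```

Run it once before launching an installer and once afterwards, or register it as a logon task, and the report lists exactly the persistence changes a whitelisted installer made silently (a new Run value, a service, a BHO). The diff is the point: it is honest about what changed regardless of whether CIS considered the program safe, which is precisely the gap the post describes with Safe Mode.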

To cover some of your questions, read here. I did some experimenting whilst trying to set a Defense+ rule for trusted file AvastSvc.exe.

I’ve found Whitelisted and Trusted files have absolute rights to do everything - Defense+ rules set for these CRC checked files are ignored/over-ridden unless you go into paranoid mode. You can also disable cloud lookup so unknown files are forced to use Defense+ rather than immediately get Trusted status from the cloud.

If you disable the automatic sandbox, you can use Defense+ rules for unknown files under the safe policy and below (rather than them being listed in Unrecognized files) but Whitelisted and Trusted files still have absolute rights to the system and over-ride defense+ rules.

I agree, it would be better to be able to process Defense+ rules/policy for whitelisted and trusted files also.

EDIT: this is a suggestion for CIS to add to future versions:

If this causes problems the solution is simple - have a separate tab that contains a Defense+ policy for trusted/whitelisted files, so you can specify a rule that all files notify you when certain events occur (like protected startup keys). You end up with the current Defense+ policy tab for unknown files, and a Defense+ tab for whitelisted files.

I’m ■■■■■■■ because the installers are in the safe program whitelist. I’m ■■■■■■■ because the “Installer or Updater” pre-defined policy that can be selected when defining a rule is hidden under the Predefined Policies tab so I cannot edit it (so I could affect all installer category programs and hopefully even those in the safe whitelist). I’m ■■■■■■■ if I go to Paranoid mode because of the extreme nuisance of having to make all the decisions that the safe whitelist affords (for the installed programs, not for their installers that I want NOT safe whitelisted). ■■■■■■■, ■■■■■■■, ■■■■■■■.

The suggestions in the other thread were:

  1. Use Defence+ exclusively (Paranoid mode)
    A pain in the ■■■■ to use. I want to use my host, not spend a couple weeks answering prompts until it settles for awhile until later when I run a less used program and get prompted all over again. With the prompts, I have to research on what it alerts so I can make an educated decision; however, the alert may lock me out from connecting to sites to search for help on making that decision.

  2. Use Defence+ plus trusted files/whitelist - requires automatic sandbox to be disabled through unticking “Treat unrecognised files as”.
    I thought in this setup the safe whitelist still gets used, so installers in the safe whitelist would still get full privileges. Not using the sandbox would get rules to work on unrecognized programs but the rules would still be ignored for installers in the whitelist.

  3. Use Automatic Sandbox, but Defense+ rules are ignored/disabled and files have either partial/limited/restricted/untrusted/blocked rights or ALL rights when added to the trusted/whitelist area.
    This is the current (and default) setup. Sandbox on, Safe mode selected. Safe installers are trusted so they get to do whatever they want without any alerts or prompts.

Since #1 appears the only usable solution to untrust the whitelisted installers, but because I don’t want to waste all the time on the prompts and researching on how to answer them, a better solution seems to be to use CIS in Safe Mode with sandboxing enabled and rely on WinPatrol to tell me when a program (installer or otherwise) makes a change to startup items. CIS in Paranoid mode alerts on way more than just adding startup items or web browser add-on and the like. Some of those prompts are daunting to even seasoned Windows users. I was thinking of writing a D+ rule that checks if any program makes changes to the protected area but it appears it won’t work in D+ Safe Mode with those damn whitelisted installers.

I lost you on creating “tabs” for untrusted and another “tab” for whitelisted programs. Did you mean to say to create a new group under the “Defense+ Rules” tab and rules under each to handle untrusted or whitelisted files? Those rules, per your arguments, are not honored if Safe Mode is selected and the program is in the whitelist.

Sorry, I was just explaining how I found the system to work in that other thread. It doesn’t help solve your problem.

And as for the tab bit, I was suggesting that they need to add an extra tab for whitelisted/trusted files to CIS and give us back control. At the moment, we can’t control what trusted/whitelisted files do unless we use paranoid mode.

My issue would be mostly satisfied if they just unhid the “Installer and Updater” pre-defined policy so I could edit it … if it also gets applied against whitelisted installers, that is.

Hi VanguardLH

Yes, D+ in Safe Mode is creating confusion, but it has reduced prompts dramatically; the CIS team should be praised for this. However, to alleviate this problem, in my opinion the best and simplest solution will be to allow "CIS whitelisted apps" as such, without prompting the user, and log their activities as and when they are violating D+ rules.

This will enable users like you and me to undo the change later, once the application is profiled by D+ logs. A custom policy for that application can be created later.

Another solution will be an alert similar to the sandbox alert, notifying the user: a safe/whitelisted app has started.