Defense+ modes problems

There are problems in Defense+ modes:

“installation mode” - after an attempt to install a file from (be careful, trojan.pws.dybalom by DrWeb in the installer) I got no request to start new.exe from the temp folder (I got a request from Windows to allow DEP; my DEP is set to all files)

When I try to install PostgreSQL 8.4 I get requests from Defense+ in “installation mode” again and again, some programs have no “trusted” option, and finally “setup failed” because I’m not fast enough to respond.

Removed link. Please don’t post links to warez/possible malware.

Moved.

Could you rephrase what you wrote? I have a very hard time following what exactly you did and what is going on.

Installation with trojan inside:

  1. Installing file (one executable file)
  2. Comodo Defense+ asks for permission.
  3. Mode set to “installation mode”
  4. No more requests.
  5. Installer executes file new.exe from temp folder (no requests from Comodo)
  6. Windows DEP raised a request to allow DEP permission for new.exe

Postgres installation:

2. during setup, install files try to write to the registry (same files) but I have no “trusted” option to allow them to do the same things (I think setting them to “Windows system” is a bad idea), so I have endless dialogs for the same things (“remember my answer” checked)
3. applications have timeouts, and while I am clicking “allow” the timeout happens and I get the “install failed” message

Is this new.exe file part of the installation package you were referring to?

Postgres installation: ... 2. during setup, install files try to write to the registry (same files) but I have no "trusted" option to allow them to do the same things (I think setting them to "Windows system" is a bad idea), so I have endless dialogs for the same things ("remember my answer" checked) 3. applications have timeouts, and while I am clicking "allow" the timeout happens and I get the "install failed" message
Are you manually installing here?

If applications have timeouts then they are not happy with the presence of a HIPS. I remember egemen, the main developer, telling he was testing a rootkit that would crash as it got stopped by a D+ alert.

That is by design, I guess. Because in installation mode execution of ALL programs that are called by the installer is allowed silently. If you wish to control this aspect you would need the “trusted application” predefined policy to be used for the installer.

Yes. Dr.Web also reported the installation executable as infected (checked after that happened; CureIt is not a real-time antivirus; Microsoft Security Essentials found nothing)

Mode was set to “installation mode”. You can get a fresh install from http://www.postgresql.org/download/windows (downloaded and installed yesterday, Win7-64 Ultimate) to check yourself. Probably script execution timeouts or socket operations.

To me, “trusted” sounds like I trust the manufacturer. There are probably very few to trust. And “installation mode” sounds like “some install started”. Maybe more options are required, like “installation trusted” and “installation monitored” with monitoring levels from “silent” to “paranoid”. As for me, I would like to have monitoring of registry changes done in case an antivirus reports it infected 2 weeks later (common antivirus response time on a new threat). I.e. a log option.

“Installer or updater” is much more powerful than “Trusted application”. I suppose this is what happens when “Installer or updater” mode is used.

The Installer/Updater policy is pretty much a carte blanche… If you want to monitor you cannot use the Installer/Updater policy and have to answer alerts one by one… which is a tedious job.

I do like the idea though of levels of Installer/Updater policy, e.g. only get alerts for important changes… With regards to monitoring of registry changes, that’s a whole new ball game.