Defense+ own predefined policies

After being confused by all the Custom Policy entries and the Modify buttons, I’ve decided to make my own predefined policies, without having anything under “Modify”.

I realized that D+ only shows predefined policies that are matching with what the app is asking for, when there is a popup. For example, if an app asks for keyboard access then only those policies that allow it appear as an option.

So I made some policies which go in stages, or levels, where level 1 has the least amount of allows and level 5 allows everything. When there is a popup, I can give it level 1 for a start (if level 1 covers it), and if the app asks for more access then I will give it level 2 (or as the case may be). Only very few apps will ever need level 4 or 5, such as anti-rootkit etc.

Right now I don’t have any (well there is 1) “treat as Custom Policy” entry. Everything is a level 1 to 5. I can clearly see which apps are getting what. No more meaningless custom policy all over the place.

At the moment I set it like this:
level 1 allows: run exec, mem, COM, Reg.
level 2 allows: level 1 + hooks, files/folders.
level 3 allows: level 2 + monitor, disk, keyboard.
level 4 allows: level 3 + proc terminate, driver, win msgs, loopback, DNS.
level 5 allows: level 4 + physical mem.

I like it this way, because I don’t want to micro manage D+.
What do you think about the level allocations? Don’t mind some comments :slight_smile:

Hey Blatug. This is a really great idea :slight_smile: Probably won’t be in the default CIS because the average user wouldn’t understand it, But I like the idea :slight_smile:

I agree with both of you. Too complex for the average user but being a not totally average user I like it. :-TU

I would like to suggest to put the permission to install a driver at the very last and by its self because that is how rootkits get installed (if I understand things correctly).

Glad if you guys like the idea.

About the user friendliness though, I think that D+ is already not for the average users in the first place (:NRD)

EricJH, thanks for the suggestion. I agree about the device drivers, the reason it’s not last is there seems to be some legit apps that like to install drivers, so I put it in level 4 which is pretty high in this case and it could might as well be the last level. I added level 5 with physical memory direct access because very rarely apps trigger this, and direct access to memory sounds the most dangerous to me :slight_smile:

Btw, if anyone has made something similar to this, hope you can share it here.

Your post saved right into the folder where I keep the CIS installer (:NRD)
An OUTSTANDING idea, thanks a lot!

do you not mean, level 3= level 1+ level 2+ monitor, disk, keyboard. and so on?

also, how do you know what is level 1, level 2 or level 3? ???

Nice, maby add a level 0 to that…
Allow, NOTHING… heh. (:TNG)

Hi DaRtH VaDeR, yes Level 3 = level 1 + level 2 + etc.
But since Level 2 already includes whatever is in level 1 so it’s the same as just Level 3 = Level 2 + etc.
You mean how do I know which app is level 1 and so on? Well, first you create the levels in “Predefined Security Policy”, then when an app triggers a popup for D+, look under “treat as” and you will see the levels you just created in there. Eg. Winword.exe (in my case) shows level 3 as the lowest level you can pick (so levels 1 & 2 won’t appear). Of course levels 4 & 5 show up as well, but you know that level 3 is enough, so you pick level 3.

Hi Monkey_Boy=), logically there should be level 0 allow nothing. I haven’t encountered any that deserves level 0 though, and if I do I think I will delete that file rather than giving it level 0 :slight_smile:

passerby, hey nice, thanks.

Yes I see. hmmm… :THNK…

How do you know level 1 is this: run exec, mem, COM, Reg.? ???

How do you know run exectuable is less dangerous than a hook?

I mean to specify this, one needs to have knowledge about what all these actions mean and what their consequences are… I mean, have you let someone who has knowledge about the windows OS take a look at your layered setup? ???

Hey, no offense… I like your idea a lot! I just want to know the background about your idea.

Thanks! (:SMLR)

Those are just my own allocations of course. I was only presenting the idea of making something like this, what you put in level 1 etc is your own choice. But I listed mine here just to show examples pretty much, and if anybody doing the same I’m interested in what they put.

I didn’t have anybody else to look at my setup :slight_smile: Why my level 1 is like that because too many apps access reg, COM, and run exec, and I still only give level 1 to apps that I ‘trust’. If you compare to the normal way, you get asked many times, how do you know when to allow or block each time? It’s actually the same thing, whether you simplify like I did or allow them 1 by 1, you will allow all of them in the end, otherwise your app won’t function properly. So as a D+ user yourself, you’ve been doing the same thing anyway, right?

It’s probably too long to write here why I decided to level it like that, but 1 example: I think that direct access to physical mem is very dangerous because of buffer overflow (as mentioned in the help), so it’s in level 5.

If you want somewhere in between, you can make 10 levels, for example.

But in the end, I’m not a malware expert, only let’s say an above average user. In my opinion anybody using D+ is an above average user. Sorry if my answer does not satisfy you :slight_smile: Maybe an expert or even a Comodo dev can give better suggestions.

Hey man, no problem!

I am myself no expert! I do like your idea, because it is much more userfriendly than the way we handle alerts now…

But it has a downside of course: each level, gives acces to much more system resources than for example clicking 1 time allow…

But you can also say: clicking trusted application, is less safe, than your approach of choosing a level…

hmmm… :THNK…

Anyways, you have a very interesting idea! We just need a way of making it as safe and trustworhty as possible…