Defense+ - Paranoid or Safe Mode? Safe Files or Trusted?

Q1- I get more alerts when using D+ in Safe Mode than I do when using Paranoid. Why?

Q2- For D+, what is the difference between placing a given process within “trusted” category VERSUS adding that process to “My Own Safe Files”?

I never put anything in my own safe files. Read the help file under miscellaneous and it will tell you all you need to know about D+.

Thanks for nothing. I already read the Help, & I do not need you to tell me what you do or don’t do. What I want is a civil answer to my questions.

Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list, and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create ‘Allow’ rules for any executables - although you still have the option to treat an application as ‘Trusted’ at the Defense+ alert. Choosing this option will generate the most amount of Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules for these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in ‘Clean PC Mode’ then ‘Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Comodo Firewall Pro allows you to define a personal safelist of files to complement the default Comodo safelist.

Files added to this area are automatically given Defense+ trusted status. If an executable is unknown to the Defense+ safelist then, ordinarily, it and all its active components will generate Defense+ alerts when they run. Of course, you could choose the ‘Treat this as a Trusted Application’ option at the alert but it is often more convenient to classify entire directories of files as ‘My Own Safe Files’.

By adding executables to this list (including subfolders containing many components) you can reduce the amount of alerts that Defense+ generates whilst maintaining a higher level of Defense+ security. This is particularly useful for developers that are creating new applications that, by their nature, are as yet unknown to the Comodo safelist. Files can be transferred into this module by clicking the ‘Move’ button in the ‘My Pending Files’ and ‘My Quarantined Files’ areas.

@ Vetteteche - Since I already commented that I have read the Help files, your quotations thereof amount to sheer, unhelpful, disdainful sarcasm. Is this what Comodo’s support forum is all about? Please get out of the way so that someone will answer my questions.

For your info I help tons of people out in here and get a lot of thanks from users. I don’t know what else to tell you, 'cause all you need to know is right in front of you.

Hi bellgamin, welcome to the forums.

Q1: Personally, I’m not sure why Paranoid Mode is generating less alerts than Safe Mode. It should be the other way around. Maybe it’s due to D+ modes being changed & some processes already being addressed in a previous mode, but I’m not certain of that. I’ll leave that for someone else to answer (unless I think of something).

Q2: Nothing, they are essentially treated the same by D+. But, a process with trusted status could lose that status… either because D+ Mode was changed (impacting the process's status), or the process was updated (and subsequently changed as a result of user responses) or because it was removed (and subsequently purged from D+). But, processes (files) stay in My Own Safe Files until they are manually removed or purged. So, My Own Safe Files is a separate, self-contained, area for trusted software.

On the other issue: Perhaps, you two should just accept that you don’t get along very well (differing styles maybe?)… and leave it at that. What say you?

I think if you look at these 2 screen shots it may help you. If you used paranoid mode from the start it would be different but if you started with safe mode then Comodo has already learned most of your apps.

[attachment deleted by admin]

Thanks. Finally a friendly voice.

Q1: Personally, I'm not sure why Paranoid Mode is generating less alerts than Safe Mode. It should be the other way around.
That's what bothered my IT. Oddly enough, 90% of SafeMode's numerous alerts had to do with parent-child, whereas Paranoid mode never peeped once concerning parent-child.

By the way – is there a way to directly specify parent-child relationships within D+, somewhat along the same lines as can be done within System Safety Monitor?

Q2: Nothing, they are essentially treated the same by D+.
My IT figured that this would be the case. We wanted to make sure, however, that "trusted" and "safe" are essentially synonymous states within D+.

Using “My Own Safe Files” to “trust” a large number of apps is much more efficient than using “Computer Security Policy.” REASON: with “My Own Safe Files” you can “trust” entire folders (& all processes therein) all at once, whereas using “Computer Security Policy” requires trusting individual processes one at a time.

Yes, that is odd. Did you use Safe Mode before Paranoid Mode or try Clean PC Mode before Paranoid Mode?

Yes. Open CFP, Defense button - Advanced - Computer Security Policy. Find the parent application in question, edit the application (double click) - Access Rights - Run an executable - Modify. Two tabs; Allowed Applications & Blocked Applications. You can add applications to the Allowed or Blocked lists depending on your requirements. You’ll probably find some entries already there if you’ve previously allowed Parent-Child executions for that particular application.

The options on the Access Rights screen are fairly powerful & detailed. For instance, amongst other options, it allows you to either allow or block a process's ability to write to certain disk locations (or not), including the ability to use wild-cards (eg. C:\Directory*).

Yes, I believe they are the same… just managed differently from the user's perspective.

Yes, you’re right. You can bulk add software this way & it will be easier to manage.

After installing FWP, we ran D+ training mode for a few hours while putting the computer through all its normal routines. Then we switched to paranoid. It ran smooth as silk - just one pop-up in 2 full days of usage. Out of curiosity, we switched to safe mode & the pop-ups started coming in droves. When that happened, we put most of our apps into safe files. Now it’s running sweet & steady again. But my IT got curious, so asked the 2 questions.

Yes. Open CFP, Defense button - Advanced - Computer Security Policy. Find the parent application in question, edit the application (double click) - Access Rights - Run an executable - Modify. Two tabs; Allowed Applications & Blocked Applications. You can add applications to the Allowed or Blocked lists depending on your requirements.
A tad cumbersome, but it works. Thanks!

BTW stay out of Wilders. I saw your post. Wilders is a safe haven for OA.

Ahem… In my opinion, there is nothing wrong with Wilders (or OA for that matter). As far as I know, there are some very good people at Wilders, very knowledgeable & very experienced.

you haven’t heard my voice
http://img03.picoodle.com/img/img03/4/5/17/f_beatenm_9af4ed7.gif

ooops !ot!
OK, right back on track
what was it again? (:NRD) …err i have no clue about it (:TNG)

sorry, just trying to break the ice (or put the ice to hot lava ??? ) ;D

Is it possible that you updated to a higher operating system service pack around the time you switched to Safe Mode?

These are not synonymous states. If you’re in Paranoid Mode, you’ll notice the difference. Whether a program is whitelisted (whether by Comodo or by manually adding to ‘my own safe files’) or not makes no difference in Paranoid Mode, for example. Also, a ‘Trusted Application’ can modify any protected file without alert, while a whitelisted program attempting to change a protected file will generate an alert.

Here is how I use Defense+:

When I first started out, I used Safe Mode for awhile, to reduce the number of alerts. Then, I thoroughly reviewed every program’s policy, and then switched to Paranoid Mode. I usually get alerts now only when I install a new program. Since an app’s whitelist status doesn’t affect the number of Paranoid Mode alerts (however, you are shown in an alert that a program is whitelisted or not), I don’t use ‘My Own Safe Files’. Also, I use the ‘Trusted Application’ predefined policy very sparingly, as I feel it gives too much power. If you happen to use ‘Trusted Application’ on a program that suffers a buffer overflow exploit, the program will be allowed to change protected files, among other things.

No. I checked our logs. We went to SP3 several days before installing FWP. (All our boxes are XP)

Also, a 'Trusted Application' can modify any protected file without alert, while a whitelisted program attempting to change a protected file will generate an alert. ...If you happen to use 'Trusted Application' on a program that suffers a buffer overflow exploit, the program will be allowed to change protected files, among other things.
Such being the case, I now prefer to use "My Own Safe Files" (MOSF) in preference to trusting ANY process.

That is, following a brand new install of FWP to a test/clean computer:

(1) Put entire folders of all safe apps into MOSF
(2) Go Training mode for D+
(3) Have a worker bee thoroughly & carefully exercise test box through its full scope of normal routines
(4) Go Paranoid mode

Comments?

I have Comodo running on my laptop and desktop. Never one problem. All I ever do is install Comodo and that's it. I don't use D+ in clean pc mode so the only adjustment I make is put D+ in safe mode. To avoid pop ups I manually add all my programs to the firewall and D+. I never saw the need to add files to “my own safe files”. That to me was an option when you use clean pc mode and have pending files. The files that are safe you can move them to “my own safe files”.