Do not create "Custom Policy" rules for me

it has come to my attention that defense+ is creating all kinds of custom policy rules for me that i do not want. these rules are always created for applications that run when windows first starts. what makes the situation even worse is that even when i have created my own rules for these applications, comodo overrides the rules i had explicitly defined! most of the custom policy rules are for legitimate windows applications, but some of them are created even for programs that i installed myself. in so creating these rules, defense+ takes away a lot of control from users who wish to place certain restrictions on these applications for extra security. the rules seem to be based on some kind of “safe” list that comodo keeps. i therefore suggest that the user be given the option of whether to use this whitelist or not. for users who not only know which applications are safe, but what to do with each particular one, such an option would give them back the control that is rightfully due them :slight_smile:

Would you mind posting an example of an application (not a system application/service) that you have installed that for which CIS has replaced your predefined rules. Please also define your current D+ settings.

so far, the only replaced rules i’ve found are for system applications. this is arguably far more damaging than rules replaced for non system applications because system applications generally have far more control over your system. as for the system applications, there are plenty on the whitelist: csrss.exe, services.exe, etc. an example of an application for which a rule was created, but not replaced, would be daemon tools. i am not saying of course, that the rule wouldn’t be replaced if i created one, but why would i do this unless defense+ prompts me first? that’s its function as a hips after all. i think, moreover, that it is very difficult to bear the onus of pinpointing a replaced non system application when the whitelist itself is a secret :stuck_out_tongue:

my current defense+ setting is paranoid mode. CIS is set to proactive security. execution settings are at the highest notch. i’ve checked all the menus in defense+. there simply is no way those custom rules can be created unless there is a whitelist of some kind.

When you install CIS a number of essential predefined policies are created, these cater for the basic mechanics and allow for the basic interaction of the Operating System components. There are also policies that define rules for Windows Update and CIS updates. Thereafter, everything that requires access to some functionality of the OS or requires Interprocess communication or even access to your keyboard, will alert you in some way.

If you have D+ in Paranoid mode and you make a change to one of these application/service policies, that setting should be maintained. If, however, the application or service to which you have made the change sequentially requires a specific function that you have denied, you will be alerted.

If you want to install CIS, then, for what ever reason, delete the existing D+ rules, as soon as the functionality is required by any given component, you will receive an alert.

deleting all the existing D+ rules is in fact the very first thing i did after installing CIS. i then set it to paranoid mode, and after setting D+ to paranoid mode, i once again checked to make sure that all the application rules had been deleted. indeed, they were all gone. i then ran a few of my applications. as expected, D+ prompted me, asking me to create rules or simply allow/deny. all perfectly normal…until i reboot! because when i reboot, D+ no longer consults me about a lot of system processes, and even some non system processes. instead, it creates those custom rules that i mentioned without even popping up a window. the custom rules allow things that i do not want. in no way was i alerted. this was the case for many system applications. in fact, i can see it defying me when it tells me near my system tray that it is “learning”. the application that is learning is sometimes one for which there is no rule defined at all, and the behavior it is learning is not behavior that i have allowed. because D+ gives me absolutely no alert whatsoever despite my having set it to paranoid mode and deleted ALL pre existing application rules, i have to conclude that D+ is making the decisions without my permission. since it is able to do this, the most reasonable explanation seems to be that a whitelist is causing D+ to both defy my will and keep me in the dark about just what has been allowed, with the exception of that small window that rapidly goes away anyways. my suggestion is that total control be granted to the user, so that the user is truly alerted about every single application that tries to do an action there is a filter for. i know there were no rules for those applications because i personally deleted all rules that might have existed. i know i wasn’t alerted because the firewall learned actions without even asking me.

From CIS help:

Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. Comodo Internet Security will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity.

Please see the attached screen shots of what happened when I removed all rules from D+ and restarted. (Paranoid Mode) As you can see there are rules for critical service components which were added automatically, these are

csrss.exe
winlogon.exe
smss.exe
lsass.exe

Edit: services.exe is also automatically added

For everything else I received prompts, which I could have denied or allowed. If you are seeing something different you must be using a different configuration or there are problems with your installation.

[attachment deleted by admin]

your screenshots prove my point that there are at least some applications, whether system related or not, for which comodo creates custom rules without permission. the system you installed comodo on was likely a relatively clean system. on a system with more programs, comodo would create far more rules. the user should be allowed to decide what to do with applications, “system critical” or not.

Much ado about nothing. If they are safe apps, what’s the difference what rules are created?

your screenshots prove my point that there are at least some applications, whether system related or not, for which comodo creates custom rules without permission. the system you installed comodo on was likely a relatively clean system. on a system with more programs, comodo would create far more rules. the user should be allowed to decide what to do with applications, "system critical" or not.

if you take a few minutes to find out what each of the services are for, it would help you to understand why these rules were created.

This exercise was performed on my XP test machine, which has hundreds of applications and services installed.

very well. take an example of a non system application that comodo creates its own rule for, overwriting even what i had expressly defined: syntpenh.exe. i know very well what this process does, and that it’s not a system process, but one i installed myself. it’s related to input devices.

i don’t understand why you are so averse to the idea of allowing users to configure their own settings for system services. surely the default configuration is not the only working one, or, in some situations, even the best one. i only suggested that it be given to the user as a choice, meaning that you don’t have to use it if you don’t like. as for the crashing and freezing and system startup, that is a simple matter to take care of. simply allow all the applications you feel are necessary to prevent crashing before the system is restarted for the first time. after that, the user should be freed to configure those processes however they desire. if i do it in a way that causes my system to crash, then i accept full responsibility for it. i don’t place the responsibility of my actions on comodo in any way. however, i would like the freedom to configure my system as i please.

Only allowed what I was alerted to for syntpenh screenshot.

Dennis

[attachment deleted by admin]

Very well. take an example of a non system application that comodo creates its own rule for, overwriting even what i had expressly defined: syntpenh.exe

Thank you. I know what this executable does as it’s installed on my wife’s notebook. Can you give me precise details of how you configured the rules for this and how D+ subsequently changed them?

i don't understand why you are so averse to the idea of allowing users to configure their own settings for system services.

I’m not averse to allowing people to do what they wish on their own PC’s, I was merely pointing out that if one deletes all the predefined D+ rules and then restarts, a very small number of extremely critical system services are catered for. If those services are prevented from running you will have significant difficulty even logging on to your system, let alone using it.

Even though these services are automatically catered for by CIS, you are quite at liberty to make whichever changes to the respective policies as you wish. However, if you make a change that prevents the service from functioning correctly you should be alerted by D+ the first time that service requires that functionality. It’s your choice to allow or not, but unless you specifically understand the consequences of denying that functionality, I personally would leave things alone.

sure! i have syntpenh.exe allowed for everything except for the following: physical memory, computer monitor, disk, and keyboard (these are on ask). now here’s the interesting part. no matter what i set the default actions to, defense+ will always reset them for me when i reboot. comodo chooses to allow everything except run as executable, protected registry keys, and protected files/folders. if i delete the rule for syntpenh.exe, then defense+ automatically creates it for me with these settings. if i keep the rule but modify it with any of my own settings (it really doesn’t matter what i change it to), defense+ will have reset it for me after my next restart. why does it do this? this is not a system process, and it should exist only on laptops. i’m not saying it’s dangerous, but i would like to restrict it as i please instead of allowing defense+ to call the shots.

i’m not sure what you mean by “automatically catered”, but CIS definitely overwrites whatever changes i make for syntpenh.exe, even though it’s not even a system process. defense+ doesn’t alert me at all, even though i didn’t make a change that prevents the service from functioning correctly. in fact, defense+ doesn’t alert me even if i make changes that grant MORE permissions to syntpenh.exe and defense+ wants to take them away. at this point, it’s definitely not my choice to allow or block certain actions of the process. the changes i made to syntpenh.exe certainly do not prevent it from running; nor do i think if it were prevented from running, my system would lock up as a result. we can then ask the question: if one non system process is on a mysterious whitelist somewhere that we have no control over, what else is? giving users the ability to see what is on this list and to turn it off if desired would answer such questions, and far more, thereby increasing our confidence in defense+.

I wasn’t referring to syntpenh.exe, I was referring to the services I mentioned earlier. But the same rules apply.

By the way, I did ask you to provide us with specific details regarding your rules for syntpenh.exe and how they are changed by CIS.

With the difficulties you seem to be having, I am beginning to think your installation of CIS is broken in some way. As Dennis demonstrated in his screen shot and as I have tried to demonstrate, if you make a change and apply the changes, they are kept.

i made some mistakes in my post and had to fix them. my edited post now provides specific details about my rules for syntpenh.exe and how they are changed by CIS.

i reinstalled CIS as you suggested. the effect of this is that my rules for system applications are no longer overwritten, but the problem still persists for syntpenh.exe. what else should i do to ensure my install of comodo is clean besides uninstalling?

UPDATE: never mind. my settings were not overwritten this time. i think i made the mistake of deleting the rules and assuming they were overwritten instead of being created anew. sorry for the confusion!

this still leaves 2 questions:

  1. does comodo overwrite the rules users define for any application, or was this due to a bug in my installation?
  2. where can we find a list of applications for which comodo creates a “custom policy” rule if there is not already a pre-existing one? i’m particularly interested in this because syntpenh.exe is on this list and on a non laptop computer, comodo would allow syntpenh.exe as long as it was in the right directory, even if it wasn’t a legitimate file.
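The confusion in this thread (was the rule for syntpenh.exe overwritten, or simply created anew after I deleted it?) is easy to settle by comparing the rule set before and after a reboot rather than relying on the brief "Defense+ is learning" balloon. The following script is an added example, not code from Comodo or from anyone in this thread. It assumes the rule sets have been transcribed by hand into Python dicts (executable name to a map of access right to decision); the two snapshots below are constructed to mirror the syntpenh.exe settings described in this thread, and the csrss.exe entry stands in for a rule that did not exist before the reboot. The function names `diff_rules` and `loosened` are this example's own.

```python
"""Snapshot/diff helper for Defense+ application rules (added example, not Comodo's code).

Representation (an assumption of this example): executable name -> {access right: decision},
with decisions "Allow", "Ask" or "Block", transcribed from the D+ policy screen.
"""
from typing import Dict, List, Tuple

Rules = Dict[str, Dict[str, str]]

# Constructed "before reboot" snapshot: the user's own rule for syntpenh.exe,
# four rights on Ask and everything else on Allow.
BEFORE: Rules = {
    "syntpenh.exe": {
        "Physical Memory": "Ask", "Computer Monitor": "Ask",
        "Disk": "Ask", "Keyboard": "Ask",
        "Run an executable": "Allow", "Protected Registry Keys": "Allow",
        "Protected Files/Folders": "Allow",
    },
}

# Constructed "after reboot" snapshot: the same rule rewritten the way the thread
# describes, plus a csrss.exe rule that was not present before.
AFTER: Rules = {
    "syntpenh.exe": {
        "Physical Memory": "Allow", "Computer Monitor": "Allow",
        "Disk": "Allow", "Keyboard": "Allow",
        "Run an executable": "Ask", "Protected Registry Keys": "Ask",
        "Protected Files/Folders": "Ask",
    },
    "csrss.exe": {"Physical Memory": "Allow"},
}


def diff_rules(before: Rules, after: Rules):
    """Split the difference into rules created, rules removed and rules modified.

    'modified' maps executable -> {right: (old decision, new decision)} and only
    contains executables present in both snapshots, so a rule that was deleted by
    the user and recreated by D+ shows up under 'created', never under 'modified'.
    """
    created: List[str] = sorted(set(after) - set(before))
    removed: List[str] = sorted(set(before) - set(after))
    modified: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for exe in set(before) & set(after):
        changes = {}
        for right in sorted(set(before[exe]) | set(after[exe])):
            old = before[exe].get(right, "<absent>")
            new = after[exe].get(right, "<absent>")
            if old != new:
                changes[right] = (old, new)
        if changes:
            modified[exe] = changes
    return created, removed, modified


def loosened(modified: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Rights whose decision moved towards Allow (Block -> Ask -> Allow) without the user's hand.

    These are the changes that, in Paranoid mode, should have produced a prompt;
    a right tightened from Allow to Ask is not reported.
    """
    rank = {"Block": 0, "Ask": 1, "Allow": 2}
    out: Dict[str, List[str]] = {}
    for exe, changes in modified.items():
        rights = [r for r, (old, new) in changes.items()
                  if rank.get(new, -1) > rank.get(old, -1)]
        if rights:
            out[exe] = sorted(rights)
    return out


if __name__ == "__main__":
    created, removed, modified = diff_rules(BEFORE, AFTER)
    print("created without a prompt:", created)
    print("removed:", removed)
    for exe, rights in loosened(modified).items():
        print(f"{exe}: silently loosened {rights}")
```

Run it once before rebooting and once after, with the snapshots transcribed each time, and the output says which rules D+ created from scratch and which of your own rules it rewrote, separating the two cases this thread spent several posts untangling.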

I’m glad the new installation is working correctly :slight_smile:

1. does comodo overwrite the rules users define for any application, or was this due to a bug in my installation?

CIS should respect your rules, however, if the rule you have defined restricts the functionality in some way that the application requires, you should receive an appropriate alert. This is assuming you’re running in Paranoid mode.

2. where can we find a list of applications for which comodo creates a "custom policy" rule

I’m afraid there’s no published list and I have no way of knowing what’s considered safe until I actually run an application myself. You could look at the Trusted Vendors list in D+ this will provide some information regarding who are considered to be safe Vendors.

@forcespawn. You started several topics here at the forums as well as one at the Wilders security forums. Do the problems you described in those topics still persist after the clean installation you did? If this is not the case would you be so kind to rectify this?

On a side note. In your posts you hardly make any use of paragraphs and capital letters at the beginning of sentences. This makes your elaborate reasonings needlessly hard to digest. Please keep that in mind next time you post…

Actually, I spoke too soon. After further tests on the new installation, I was able to show an example of syntpenh.exe actually overwriting my rule. I set everything to “ask”, and syntpenh.exe “learned” screen access without consulting me at all. Everything is set to allow, except for “Run an executable”, “Protected Registry Keys”, and “Protected Files/Folders”. Why was I not consulted? All settings were on ask prior to the reboot and the overwriting of my rule, and I am indeed still in paranoid mode. To replicate this, simply set everything to ask on syntpenh.exe, then reboot. After rebooting, the changes will be revealed.

If you’re referring to Virtual CD 9 drivers not being detected when installed; yes, that still persists. I already supported a suggestion in the Whitelist section here to separate registry modifications from driver installs, but there has been no reply. The reason I did not reply to my Virtual CD 9 thread on Comodo’s forum is because you stated that you remembered very clearly that you did indeed recall “Device Driver” alerts for Virtual CD 9’s installer. I do dispute this, because I had a different experience. While there may have been many alerts, only one was a device driver alert. Upon retesting, none of them gave driver alerts.

I did not reply to the “Defense+ fails to stop driver loading thread” here on Comodo because of our conflicting accounts. It seemed we were at an impasse, and nothing can resolve two different experiences under the seemingly same circumstances. I believe, however, that the “conflicting account” is a misunderstanding. I think if you were to go back and test Defense+, making sure to uncheck all boxes except device driver alerts, you would find that Defense+ indeed fails in this area. Furthermore, I note that nobody has replied to my remark on the thread “On Driver install - Say driver install, not registry modification!”.

If you feel there are specific threads that contain issues that are now resolved but I have failed to reply to either on here or Wilders Security, then please name the specific threads here and provide a link. I maintain, however, that the only such issue you may be thinking of is that of Defense+ failing to detect the loading of drivers; specifically, the drivers from Virtual CD 9. I maintain also that this issue has not been rectified.

Thank you also for your suggestion to use capital letters at the beginning of sentences. I was not aware it prevented you from understanding my “elaborate reasoning”, but if it matters so much, so be it. I will honor your request to use capital letters on Comodo forums. :slight_smile:

I’m not sure if it’s a bug or a feature but I have seen this happen also to Firefox on a previous release.
Not sure what happens now, haven’t tested that lately, I’ll see if I can wander around my policy a bit :wink:
Running Paranoid also… and the help file seems to be “out-dated” on this, or it’s really a bug.

Thanks Ronny! I’ll be checking in here periodically. Please let me know of your results, or if you need any more information from me. Before, it was a mixture of not knowing whether the rules were simply created when there wasn’t a pre-existing one or whether my own rules were being overwritten. It is clear now that in some cases, my rules are in fact being overwritten; it happens when I see a message popping up near my system tray telling me “Defense+ is learning”. In the case of syntpenh.exe, Defense+ only tells me that it’s learning screen access, but in reality, Defense+ is allowing all but 3 options, which are on “Ask”.

UPDATE: “Block all the unknown requests if the application is closed” seems to prevent anything from being added as a custom policy; even system applications, and even syntpenh.exe. Furthermore, it also seems to prevent rules from being overwritten. I consider this issue resolved for now. I haven’t seen any new items being added to the list without prompting me now that I have unchecked the box that Ronny suggested, but I will report back if I do. :slight_smile:

We were all wrong. It seems only Ronny knew about this box. For those who said that “critical system applications” are automatically added for you, please reconsider :). Delete all rules from your list, and uncheck that box, then try again.

By the way, thanks for your help too EricJH. I would never have found that quotation by myself. :slight_smile: