Hash check for programs with rules already created

Edit: if a moderator sees this post, please move it to the defense+ wishlist section. sorry for posting incorrectly, but i can’t delete my own post!

this suggestion is actually for both the firewall and the defense+ components of CIS, but i don’t think i should post in both sections of the forum without moderator approval. basically, this feature, if implemented, would do a hash check on all programs for which rules have already been created. let’s say you have the program XYZ installed, for example, and assume that its main executable file is xyz.exe. when you update the program, xyz.exe changes. my suggestion is that whenever any change occurs to the program, the user will be informed that the program has changed, and should be asked whether the existing rule should be kept. this feature is already implemented in zonealarm pro, which is another firewall with a hips.

i realize comodo already alerts the user if a malicious application tries to modify a legitimate application that has already been added to the rule list. however, i believe adding a hash check would be beneficial in at least 2 ways nonetheless:

  1. in case the filter that prevents the modification of a legitimate application is bypassed by a new exploit, the hash check would still detect that the legitimate application has been modified and alert the user to this fact, allowing him/her to take appropriate actions to contain the threat.

  2. a user that wants to answer fewer popups but still receive the same protection against the modification of allowed applications would only be alerted if the modification has actually been modified.

for these reasons, i believe comodo should implement this hash check. thanks for taking this into consideration :slight_smile:
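The check requested in the post above, sketched as an added example (not part of the original post and not CIS or ZoneAlarm code). The store layout, function names and the sample rule string are assumptions made for illustration; `xyz.exe` is the post's own example program, created here as a constructed temp file.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash the file in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def add_rule(store, path, rule):
    """Record the rule together with the hash of the executable it was created for."""
    store[os.path.abspath(path)] = {"rule": rule, "sha256": sha256_file(path), "suspended": False}

def check_rules(store):
    """Return (path, status) for each ruled program that no longer matches its baseline.
    A mismatching rule is suspended until the user answers the alert."""
    alerts = []
    for path, entry in store.items():
        try:
            status = "ok" if sha256_file(path) == entry["sha256"] else "changed"
        except OSError:
            status = "missing"  # file deleted or unreadable: the rule no longer describes anything
        if status != "ok":
            entry["suspended"] = True
            alerts.append((path, status))
    return alerts

def answer_alert(store, path, keep_rule):
    """User decision: keep the rule and re-baseline on the new hash, or drop the rule."""
    if keep_rule:
        store[path]["sha256"] = sha256_file(path)  # raises OSError if the file is gone
        store[path]["suspended"] = False
    else:
        del store[path]

def demo():
    """Constructed scenario: xyz.exe gets a rule, is updated, then the user keeps the rule."""
    store = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "xyz.exe")
        with open(exe, "wb") as f:
            f.write(b"XYZ version 1")  # constructed stand-in for the original binary
        add_rule(store, exe, "allow outbound TCP 443")  # hypothetical rule text
        before = check_rules(store)
        with open(exe, "wb") as f:
            f.write(b"XYZ version 2")  # simulated update (or tampering)
        after = [status for _, status in check_rules(store)]
        answer_alert(store, os.path.abspath(exe), keep_rule=True)
        final = check_rules(store)
    return before, after, final

if __name__ == "__main__":
    print(demo())
```

The hash alone cannot tell a legitimate update from tampering, which is why the rule is suspended and the decision is left to the user.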

I believe CIS has been doing just that for some time already. All the files that are modified (i.e. by an update) are moved to My Pending files.

It does not. It monitors for anything that could change the program and adds them to my pending files if detected. There is no hash. Hash is only used for the safe list.

It only does so for files on the Safe List not for all files. The latter is what is requested.

nope. see help manual: Defense+ section → advanced (tasks) → Defense+ settings → “Clean PC mode” paragraph.

files in the pending list are not considered safe. the user is the one who decides whether to move file(s) from the “pending” list to the local whitelist (my safe files).

Let me rephrase. Topic starter requests a hash check for all files. That’s a different situation.