HIPS rules configuration ('All applications' especially)

Hello everyone,

I’ve had Comodo Firewall installed for about 3 years and I’m currently reviewing my whole configuration after a little security scare.

(My system: Comodo 8.1.0.4426; Windows 7 Home Premium Service Pack 1 (x64); Avira Antivir, MBAM and a few diagnostic tools downloaded this week)

I have 3 Defense+ questions:

  1. When applications I do use don’t have an entry under HIPS rules, do they fall under ‘All applications’?

  2. Is this configuration okay for ‘All applications’ at the very bottom of the HIPS rules window? There are quite a few exceptions! :confused:


http://img11.hostingpics.net/pics/210506ComodoHipsRulesAllApps.png

Here is the relevant part of the exported configuration:

<PolicyItem UID="{7EE3...}" Flags="1" DeviceName="All Applications" Index="39" TreatAs="">
	<Rules>
		<Rule Flags="16" DefaultAction="0">
			<Allowed>
				<File UID="{99556...}" Flags="1" DeviceName="Temporary Files"/>
			</Allowed>
			<Blocked/>
		</Rule>
		<Rule Flags="8" DefaultAction="0">
			<Allowed>
				<File UID="{FB1F1...}" Flags="1" DeviceName="Temporary Keys"/>
			</Allowed>
			<Blocked/>
		</Rule>
		<Rule Flags="2" DefaultAction="0">
			<Allowed/>
			<Blocked>
				<File UID="{386F35...}" Condition="Os==Vista || Os==Win7" Flags="0" Filename="?:\$Recycle.Bin\*" DeviceName="?:\$Recycle.Bin\*"/>
			</Blocked>
		</Rule>
		<Rule Flags="2048" DefaultAction="0">
			<Allowed>
				<File UID="{6F3E9...}" Flags="0" Filename="%windir%\system32\msctf.dll" DeviceName="C:\Windows\System32\msctf.dll"/>
				<File UID="{67BFE...}" Flags="0" Filename="%windir%\system32\shell32.dll" DeviceName="C:\Windows\System32\shell32.dll"/>
				<File UID="{EBAC...}" Flags="0" Filename="%windir%\system32\browseui.dll" DeviceName="C:\Windows\System32\browseui.dll"/>
				<File UID="{948D3...}" Flags="0" Filename="%windir%\system32\ieframe.dll" DeviceName="C:\Windows\System32\ieframe.dll"/>
				<File UID="{B3BC1...}" Condition="Platform==x64" Flags="0" Filename="%windir%\SysWOW64\msctf.dll" DeviceName="C:\Windows\SysWOW64\msctf.dll"/>
				<File UID="{AE2A...}" Condition="Platform==x64" Flags="0" Filename="%windir%\SysWOW64\shell32.dll" DeviceName="C:\Windows\SysWOW64\shell32.dll"/>
				<File UID="{0C387...}" Condition="Platform==x64" Flags="0" Filename="%windir%\SysWOW64\browseui.dll" DeviceName="C:\Windows\SysWOW64\browseui.dll"/>
				<File UID="{3D17C...}" Condition="Platform==x64" Flags="0" Filename="%windir%\SysWOW64\ieframe.dll" DeviceName="C:\Windows\SysWOW64\ieframe.dll"/>
			</Allowed>
			<Blocked/>
		</Rule>
		<Rule Flags="1" DefaultAction="0">
			<Allowed/>
			<Blocked/>
		</Rule>
		<Rule Flags="4" DefaultAction="0">
			<Allowed>
				<File UID="{3F50C...}" Flags="0" Filename="*" DeviceName="*"/>
			</Allowed>
			<Blocked/>
		</Rule>
	</Rules>
	<Protections/>
</PolicyItem>

  3. Could it be safer to create new specific - and more restrictive - application rules for the applications I’m not sure I can trust?

Thank you!
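
The following is an added example, not part of the original post and not Comodo's own tooling: it parses an exported HIPS policy like the one above and lists each rule's allowed and blocked exceptions, marking any allow entry that is a bare `*`. The page does not say what the numeric Flags and DefaultAction values mean, so they are reported raw; the sample XML is a constructed, shortened copy of the export with placeholder UIDs.

```python
import xml.etree.ElementTree as ET

# Constructed sample: shortened copy of the export in the post, UIDs replaced by placeholders.
SAMPLE = r"""<PolicyItem UID="{PLACEHOLDER}" Flags="1" DeviceName="All Applications" Index="39" TreatAs="">
	<Rules>
		<Rule Flags="16" DefaultAction="0">
			<Allowed><File UID="{PLACEHOLDER}" Flags="1" DeviceName="Temporary Files"/></Allowed>
			<Blocked/>
		</Rule>
		<Rule Flags="2" DefaultAction="0">
			<Allowed/>
			<Blocked><File UID="{PLACEHOLDER}" Condition="Os==Vista || Os==Win7" Flags="0" Filename="?:\$Recycle.Bin\*" DeviceName="?:\$Recycle.Bin\*"/></Blocked>
		</Rule>
		<Rule Flags="4" DefaultAction="0">
			<Allowed><File UID="{PLACEHOLDER}" Flags="0" Filename="*" DeviceName="*"/></Allowed>
			<Blocked/>
		</Rule>
	</Rules>
</PolicyItem>"""

def summarize_policy(xml_text):
    """Return (policy name, one dict per <Rule> with raw attributes and exception lists)."""
    policy = ET.fromstring(xml_text)
    rows = []
    for rule in policy.iter("Rule"):
        row = {"flags": rule.get("Flags"), "default": rule.get("DefaultAction"),
               "allowed": [], "blocked": [], "catch_all": []}
        for section in ("Allowed", "Blocked"):
            for f in rule.findall(f"{section}/File"):
                # File groups such as "Temporary Files" carry only DeviceName, no Filename.
                target = f.get("Filename") or f.get("DeviceName") or ""
                row[section.lower()].append((target, f.get("Condition")))
                # A bare "*" under <Allowed> exempts every path for that rule.
                if section == "Allowed" and target.strip() == "*":
                    row["catch_all"].append(target)
        rows.append(row)
    return policy.get("DeviceName"), rows

if __name__ == "__main__":
    name, rows = summarize_policy(SAMPLE)
    print(f"Policy: {name}")
    for r in rows:
        note = "  <-- allow-everything exception" if r["catch_all"] else ""
        print(f"Rule Flags={r['flags']} DefaultAction={r['default']}{note}")
        for kind in ("allowed", "blocked"):
            for target, cond in r[kind]:
                print(f"    {kind}: {target}" + (f" [if {cond}]" if cond else ""))
```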