Hosts not protected; notepad.exe is granted access to protected files -- why?

I have been trying to protect the “c:%windir%\system32\drivers\etc\hosts” file. This file is in the list of protected files by default (with Comodo Optimum Security by the entry under Important Files/Folders (%windir%\system32*)). I noticed in the Computer Security Policy that notepad.exe has “Allowed” access right to protected files and folders “*.bat” and “C:\WINDOWS\system32*.” I removed access to “C:\WINDOWS\system32*,” but as soon as I modified the hosts file with notepad (which wasn’t denied by Defense+), the access right was again granted to this path.

The help file gives the example of how to protect the hosts file. It makes it sound so easy and so sure:
“A good example of a file that ought to be protected is your ‘hosts’ file. (c:\windows\system32\drivers\etc\hosts). Placing this in the ‘My Protected Files’ area would allow web browsers to access and read from the file as per normal. However, should any process attempt to modify it then Comodo Firewall Pro will block this attempt and produce a ‘Protected File Access’ pop-up alert.”
This is not correct. It is not this simple, and I have gotten no pop-up alerts when trying to modify the hosts file with notepad. I even stripped notepad of this access right, and it was granted this right again when I tried to modify the hosts file. Even Paranoid mode did not help. The only way that I found was to add hosts to the blocked files group, but I don’t want to do this. Mainly, I am trying to understand why Defense+ is working this way. Is it because notepad is trusted in some way? Notepad is not listed in My Own Safe Files. The only way that it could be getting this elevated privilege is from it being a signed executable (and it isn’t) or from the Computer Security Policy, which I edited to deny it access (this did not help a bit).

I would appreciate your input. Why can’t I follow the example of the Help guide with success?
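The behaviour the manual promises, and that the poster could not get Defense+ to deliver, is simply “notice when the hosts file changes, whichever process wrote it.” As an added example that is not part of this thread and not Comodo’s code, the following Python script does that check independently of any HIPS: it keeps a trusted baseline copy of the hosts file text, parses both baseline and current file, and reports names that were added, removed, or remapped, flagging any that now point somewhere other than loopback. The sample contents, the `203.0.113.10` address (an RFC 5737 documentation address) and the `update.example.com` name are constructed for the demonstration; the `check_hosts_file` helper reads a real file path, which on Windows is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
"""Baseline-and-diff integrity check for a hosts file (added example, not Comodo's code)."""
import hashlib
import os
from pathlib import Path

# Constructed sample contents for the demonstration.
BASELINE_TEXT = (
    "# constructed baseline\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
)
# Same file with one line appended by some editor (the situation the thread describes).
MODIFIED_TEXT = BASELINE_TEXT + (
    "203.0.113.10    update.example.com   # constructed entry, RFC 5737 test address\n"
)

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Map each hostname to its address, ignoring comments and blank lines.

    Later lines win for a duplicate name, so a name appended at the end of the
    file that shadows an earlier one shows up as a remap rather than being hidden.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostnames
        address, names = fields[0], fields[1:]
        for name in names:
            entries[name.lower()] = address
    return entries


def sha256_hex(text):
    """Digest of the raw text, so even a whitespace-only edit is noticed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_hosts(baseline_text, current_text):
    """Compare the current hosts text against a trusted baseline.

    Returns a dict with:
      changed   - True when the raw text differs from the baseline at all
      added     - names present only in the current file
      removed   - names present only in the baseline
      remapped  - {name: (old_address, new_address)} for names whose address changed
      non_local - added or remapped names that now resolve outside loopback
    """
    old, new = parse_hosts(baseline_text), parse_hosts(current_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    remapped = {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
    non_local = sorted(n for n in added + list(remapped) if new[n] not in LOOPBACK)
    return {
        "changed": sha256_hex(baseline_text) != sha256_hex(current_text),
        "added": added,
        "removed": removed,
        "remapped": remapped,
        "non_local": non_local,
    }


def check_hosts_file(path, baseline_text):
    """Read a live hosts file and diff it against the stored baseline text."""
    current = Path(path).read_text(encoding="utf-8", errors="replace")
    return diff_hosts(baseline_text, current)


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed sample.
    print(diff_hosts(BASELINE_TEXT, MODIFIED_TEXT))
    # On a Windows machine the real file would be checked like this:
    #   hosts = os.path.join(os.environ["SystemRoot"], "System32", "drivers", "etc", "hosts")
    #   print(check_hosts_file(hosts, BASELINE_TEXT))
```

Run periodically (a scheduled task is enough), the report above tells you which process-agnostic change happened, which is exactly the information the HIPS alert was supposed to carry; storing the baseline somewhere the same user cannot silently overwrite is what makes the comparison meaningful.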

Hello Mecarter,

This is because notepad is “trusted” and CIS knows this is “normal” behavior.
If your browser is exploited and should change your host file it’s not using notepad to do it so this is “safe”.
If you would edit hosts with another editor it should prompt you for it.

If you would like to block it for all apps then put it on the “My blocked files” group.

Notepad is trusted how? Like I said earlier, it does not appear in the My Own Safe Files list, and it is not digitally signed. So, why would it be trusted? Why would it be given an access right that I removed from it?

Also, it is not true that I would have this alert with another editor. I tested this with the “edit” command from a cmd prompt – same result (no alert from Comodo). I had already pointed out that the file blocking worked, but this is not what I want to use. This would block access to the file completely, including read access. I am just trying to do what is in the Help file. It doesn’t work.

Thanks.

Hello mecarter,
do you have D+ set to Cleanpc mode?

I think it’s because of the internal whitelist Comodo created; notepad and edit.com are in there.

Some of the devs explained it in some post; if I’m correct, CIS should alert you if Spybot Search & Destroy wants to edit your host file if you use the immunize option. You could try to test that.

gibran: Yes. Defense+ is set to “Clean PC Mode.”

Ronny: Thank you. That is probably closer to the answer that I need. I had forgotten about the implications of the white list. However, this really doesn’t explain the behavior, does it? I thought that even though an application is on the white list, Defense+ should cause a prompt to appear, but indicating that Notepad.exe is a safe application (because it is on the white list). This does not happen in this instance with notepad editing the hosts file (even with Paranoid Mode active). I may try another editor, if I can find one that is not on the white list (which I don’t have access to – or do I??).

Thanks!

Comodo is trying to make CIS and especially the D+ HIPS less noisy so that it only needs to alert when something is seriously wrong. White listing is part of that and I guess we’ll never see that list :wink:

Maybe it would be a nice feature for us control freaks to have an option, disable white list usage (:WIN)
But the average user will hate 2 alerts in a row; if they get too many alerts they will simply click allow on everything and that’s where things start to go wrong.

CleanPC mode will learn every application that was not added to the Pending file list.

ref: Defense+: What is it?

When you say notepad.exe has “Allowed” access to Protected files and folders, do you mean the radio button for protected files/folders is checked for “Allow”? This is allowing all access to protected files/folders (ignoring the modify options). It should be selected for “Ask” (with system32* not in the allowed modify options).

.FaZio93:

No. That is not what I mean. The selection for notepad in the Computer Security Policy for Process Access Rights // Protected Files/Folders is set at “Ask.” However, within the “Modify” section for Protected Files/Folders, “C:\WINDOWS\system32*” is listed under Allowed Files/Folders. This is the entry that is causing the problem. Removing this one entry does not help, though, because as soon as I edit the host file with Notepad (which is allowed even with this entry removed), the entry is placed here again, so that Notepad always has “don’t ask” access rights to the host file. I find this very strange.

Others:
The safe-list is a great idea. I am not sure that it is the cause of this problem, though. Like I said, I thought that even for applications on the safe-list, a pop-up should appear (if the other options are set accordingly). The pop-up would probably be yellow, though, because the application is known to be safe, with the Allow option selected, and the option to remember this answer selected. I think that this is mainly the effect that the safe-list has – to determine how the warnings are to be presented. This is from the manual. I don’t think that an application’s being on the safe-list is meant to result in all of the application’s activities being “trusted” or ignored.

Ok, just making sure. :slight_smile:

Anybody care to carry a related test?

1. Switch D+ to Safe Mode
2. Remove D+ notepad policies (%windir%\notepad.exe and/or %windir%\system32\notepad.exe)
3. Use notepad to create a blank exe file (test.exe)
4. Use notepad to create a blank file without extension (test.) in %windir%\system32
5. Use notepad to create a blank file with a txt extension (test.txt) in %windir%\system32
6. Use notepad to modify an existing blank file with a txt extension (test.txt) in %windir%\system32

3: alert
4: alert
5: alert
6: no alert

Vista SP1, Normal User, x32, CIS.3.5.57173.439, Pro Active Derived policy.
Same results.

When I checked under my protected files in Defense+, hosts wasn’t located there!
Is this normal? I added it manually by browsing.
I get no alert on creating a text file in the system32 folder… even after removing it from the security policy.

My protected files should have %windir%\system32* which protects all files in all directories under system32 which includes the hosts file.

%windir%\system32* include that as well

Did you set D+ to Safe Mode?
There may be two policies for notepad.exe (there are two different notepad executables on windows xp at least) so it is also possible that the notepad involved in the test already got an allow rule.

Yes, D+ = Proactive with Safe Mode,
but I noticed that after I remove notepad from the security policy it doesn’t ask for it but auto-allows keyboard access to it!
This is a security risk!
Also, after I set notepad to Isolated it still allows notepad to open and save a file on the desktop! Can someone please try.
Could it be that Comodo auto-trusts notepad?

Please switch to another clean default profile and test again.

Safelisted apps will learn most permissions and these tests pertain only to creation of new files (eg *.exe).

Thanks for the help. I created a new profile and it works: same results!

At least this issue is consistent. This is looking like a bug to me, or at least, if it is by design, then the design needs to be better explained. The manual for CIS details how one may protect the hosts file, but this process does not seem to work (at least with notepad.exe), and it is not clear why the application (CIS) would make such a distinction between notepad and other applications, if in fact other applications are blocked from editing hosts, which I haven’t tested. So, I don’t know whether a patch or a better explanation of Defense+ is needed – but I am leaning toward a patch at this point.

Someone mentioned trying SpyBot. I may instead try to find an obscure text editor that hopefully CIS won’t be aware of and test with this. Is anyone else testing with other editors?