I have been using CIS V3.9 in Clean PC Mode. If I understand correctly, apps on my PC when installing CIS are considered safe. When I look at the security policies automatically created by CIS for safe apps, I see that their access rights allow everything except for ask on run an executable, protected registry keys and protected files/folders. This does not match any of the predefined security policies on my PC.
I prefer to block certain access rights by default, which increases security. I realize that this would block some safe apps from doing safe things initially, but it is less work for me to click allow on access rights for few apps (after observing the event log) than to change to a predefined security policy for hundreds of apps.
How do I predefine the security policy applied by default when an app is first run by CIS?
The whole point of Clean PC Mode is to allow applications already installed on your computer but to request permissions for new applications. The reasoning is simple, you have chosen Clean PC Mode because you know the current state of your PC and the applications/services installed, ii.e. it’s free of malware.
If you want more control, use a different mode. Perhaps Paranoid would be better for your usage. With this you can create as many pre-defined polices as you wish and apply them when you get a pop-up.
In the world outside of CIS, trust is not so simplistic. For example, when accepting someone as a roommate, people typically give partial trust. I wouldn’t give a new roommate my bank account number and PIN code (total trust), nor would I put an alarm system on my bedroom door (paranoid). I partially base my trust on observations of behavior over time. I want to do the same with apps on my PC.
CIS is not even as simplistic as total trust or paranoid. Notice that safe apps on my PC are not allowed to run an executable or write to protected registry keys/files/folders without an alert. I would like to decide on the trade off between security and usability in regard to access rights.
Comodo has coded somewhere what the default security policy is for safe apps. Is it in the registry? If so, where?