How To Achieve Max Security With ZERO Alerts! - Discussion

Original Thread:
How To Achieve Max Security With Zero Alerts!

Just one question, how do I set up the "Updater Configuration"?

OK, let's say you configured the ‘Proactive Security’ configuration as your parental configuration. Now switch to a different default COMODO policy, say the “COMODO - Internet Security” configuration, and configure that to allow all your updaters. Now you can switch back to your parental config (called Proactive Security) and whenever you want to update an application that is not on COMODO’s trusted vendor list you can switch to your updater config (called Internet Security) to update it. :slight_smile:

Thanks for the response. I did that, but I still don’t know how to configure “COMODO - Internet Security” to allow all my updaters.

I would set the Firewall and D+ both to “Safe Mode”.
Then in D+ > Advanced > Computer Security policy > set all of your updaters to “Installer or Updater” and in Firewall > Advanced > Network Security Policy set them to “Trusted Application”.

Thanks got it

I would also recommend setting the child/novice user up as a limited user on windows.

If they are limited users then another easy change is to set up a new program group called safe applications containing:

c:\windows*

and

C:\program files*

and changing explorer in computer security policy to only be allowed to run safe files and not any file. This will stop them downloading programs that do not install and running them.
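The "safe applications" rule above is a path-based execution allowlist: Explorer may launch a file only if it lives under the Windows or Program Files tree. The block below is an added illustration written for this thread, not Comodo's own matching engine, of how such a rule should be evaluated. It assumes the group's two entries mean "everything under this folder" (spelled here with a trailing separator before the wildcard) and shows the one check a practitioner would want: normalizing the path (case, separators, `..` segments) before matching, so a download spelled as `C:\Program Files\..\Users\...` is judged by where it really points.

```python
import fnmatch
import ntpath

# Constructed rule set modelling the "safe applications" program group
# from the thread. Assumption: each pattern covers the whole directory tree.
SAFE_APPLICATION_PATTERNS = [
    r"c:\windows\*",
    r"c:\program files\*",
]


def normalize(path: str) -> str:
    """Canonicalize a Windows path for comparison.

    ntpath works on any platform, so this runs outside Windows too.
    normpath collapses "." and ".." and unifies separators; normcase folds
    case, because NTFS paths are case-insensitive.
    """
    return ntpath.normcase(ntpath.normpath(path))


def is_safe_application(path: str) -> bool:
    """True if the (normalized) path falls under one of the allowed trees."""
    target = normalize(path)
    return any(
        fnmatch.fnmatchcase(target, normalize(pattern))
        for pattern in SAFE_APPLICATION_PATTERNS
    )


def explorer_launch_decision(path: str) -> str:
    """Model of the 'Explorer may only run safe files' policy."""
    return "allow" if is_safe_application(path) else "block"


def evaluate(paths):
    """Evaluate a batch of launch requests; returns {path: decision}."""
    return {p: explorer_launch_decision(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample launch requests, including a traversal spelling
    # and a sibling directory whose name merely starts with "windows".
    sample = [
        r"C:\Windows\System32\notepad.exe",
        r"C:/Program Files/7-Zip/7z.exe",
        r"C:\Users\bob\Downloads\setup.exe",
        r"C:\Program Files\..\Users\bob\Downloads\setup.exe",
        r"C:\Windows.old\notepad.exe",
    ]
    for path, decision in evaluate(sample).items():
        print(f"{decision:5}  {path}")
```

The traversal case is why normalization comes first: a naive string prefix test on the raw path would accept the fourth entry. The `Windows.old` case shows why the pattern needs the separator before the wildcard; a bare `c:\windows*` would be a prefix match on the name, not a tree match.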

Excellent work guys! Indeed, you seem to have mastered CIS! Keep up the good work! :-TU

I tried this but it still managed to make a process then it kept trying over and over to access a file. It was a piece of a malware. It was on a vm so maybe that’s why it didn’t work.

When it was tested, it was reported that the malware could start but it couldn’t do any harm. For example, a rogue installer would be able to load into memory, but it wouldn’t be able to access any files/resources on the PC. It would even say “installation complete” afterwards but it hadn’t modified anything in Windows.

Is this what happened?

It just kept trying over and over to modify winlogon.exe until I killed it.
There’s a load of “Access Memory, Block Virus, Suppressed”, then there’s a few that just say “Access Memory”. Does that mean it managed to modify it?
There must have been about 50+ attempts in under a minute, which made the computer run slow.
Is there any way to stop it even creating a process?
I’m using the beta version of 3.9. The virustotal scan of winlogon.exe is clean.

No. If D+ logged it, that means it blocked that action. :wink:

Add the malware file to D+ > My Blocked Files

I’m trying this with Windows Update. In some cases, “%windir%\SoftwareDistribution*” must be excluded from my protected files in Defense+ in order to make Windows Update work properly.

This may reduce security somewhat, but it doesn’t need switching configurations for “automatic Windows Update” on my notebook.

(It also seems that there’s a bug in editing the protected file group: alerts still occur even when “%windir%\SoftwareDistribution*” is removed from the “Important Files/Folders” group. I need to remove the whole “Important Files/Folders” group and then add back the other important files/folders individually to eliminate the alert.)

Flipping between two configurations implies that manual changes have to be done twice, and learned rule changes in the Updater Configuration must be somehow copied to the Parental Configuration. Wouldn’t it be simpler to use one configuration and toggle the “Enable password protection for the settings” under Parental Control to achieve the two modes?

I like to change other settings for big updates (e.g. OS service packs) such as removing “block all unknown requests when the application is closed”. Who knows what Microsoft may run while rebooting after installation and if a new Microsoft file is not signed it might get blocked wrecking the update.

As long as Comodo is told the installed programs are safe there is no need to copy rules. In Clean PC Mode “My Pending Files” appears to be common across all configurations, so it only needs to be changed once.

You bring up a good point, which may apply to some non-Microsoft installers also. What other differences do you use between the Updater and Parental configurations?

I have special rules to stop running any program or DLL outside c:\windows and c:\program files. I take this rule out. I also reduce image execution control from aggressive but this is probably not needed. Otherwise it is just a copy of my main config.

I may make more changes to my normal config some time so nothing can be installed and windows update will not run to make sure I remember to change configs.

I plan to upgrade from CFP 3.0 to CIS 3.9 when it is released. I really appreciate help from the forum to think through my new strategy to avoid the pain of Paranoid Mode. I do not look forward to the extra effort needed to maintain two configurations. It would be less effort for me to toggle two checkboxes instead (“Enable password protection for the settings” and “Block all unknown requests when the application is closed”).

If the reason for your extra rules is to prevent the inexperienced user from running any new programs, then the policy enforced by first post in this thread achieves this. If the reason for your extra rules is to prevent execution of admin-installed programs outside c:\windows and c:\program files, couldn’t this be achieved through putting the inexperienced user on a LUA, which does not have execute privileges outside these folders for admin-installed programs?

To stop users (LUA) running any downloaded program, additional rules are required, or the programs will only get blocked if they do something monitored by Defense+. It is safer to stop any downloaded program from even running. A program could encrypt all of “My Documents” without alerting Defense+.

I actually do not need this as I have a software restriction policy set up but I am experimenting as not everyone has access to this.

MrBrian kindly gave us info on how all XP/Vista/Windows 7 users have access to an SRP:
https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/an_approach_for_configuring_defense_for_many_fewer_alerts-t36657.0.html;msg262594#msg262594

I too currently use an SRP, but I plan to replace the SRP with CIS 3.9 emulation of the SRP to avoid this vulnerability:

Maybe I misunderstand the Image Execution Control feature of Defense+. I believe the Parental configuration from the first post in this thread, including starting with the Proactive Security configuration, would prevent users from executing any new program they download. Here’s an excerpt from page 166 of the CIS 3.8 User Guide:

[i]Image Execution Control is an integral part of the Defense+ engine. If your Defense+ Security Level is set to ‘Safe mode’ or ‘Clean PC Mode’, then it is responsible for authenticating every executable image that is loaded into the memory.

Comodo Internet Security calculates the hash an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.[/i]

Please explain if I misunderstand.
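The user guide excerpt describes a hash-based allowlist: the image is hashed as it is about to load and the hash is looked up on the safe list; anything not found is "unrecognized". The block below is an added model of that check, written for this discussion, not code from Comodo or the CIS product. The guide does not name the hash algorithm, so SHA-256 is an assumption, and the "executables" are constructed byte strings standing in for real image files. It shows the property the thread is relying on: a file that is not on the list is unrecognized no matter where it lives, and a known-good file that has been altered by even one byte drops off the list too.

```python
import hashlib

# Assumption: SHA-256. The CIS guide only says "the hash", without naming it.
HASH_ALGORITHM = "sha256"


def image_hash(image: bytes) -> str:
    """Hash the bytes of an executable image at the point it would load."""
    return hashlib.new(HASH_ALGORITHM, image).hexdigest()


# Constructed stand-ins for executable images. A real safe list would be
# built from hashes of vendor-published, known-good binaries.
KNOWN_GOOD_UPDATER = b"MZ\x90\x00constructed-sample-updater-v1"
KNOWN_GOOD_EDITOR = b"MZ\x90\x00constructed-sample-editor-v2"
SAFE_LIST = {image_hash(KNOWN_GOOD_UPDATER), image_hash(KNOWN_GOOD_EDITOR)}


def classify_image(image: bytes, safelist=SAFE_LIST) -> str:
    """'safe' if the hash is on the safe list, else 'unrecognized'."""
    return "safe" if image_hash(image) in safelist else "unrecognized"


def execution_decision(image: bytes, unattended: bool, safelist=SAFE_LIST) -> str:
    """Model of what happens to an unrecognized image.

    With a user present, the guide says an alert is raised. In the
    parental setup discussed in this thread (no one allowed to answer
    alerts), the only remaining outcome for an unrecognized image is block.
    """
    if classify_image(image, safelist) == "safe":
        return "allow"
    return "block" if unattended else "alert"


def tamper(image: bytes, offset: int = 8) -> bytes:
    """Flip one byte of an image to show a patched binary loses its status."""
    return image[:offset] + bytes([image[offset] ^ 0x01]) + image[offset + 1:]


if __name__ == "__main__":
    # Constructed scenarios: a listed updater, a fresh download, and a
    # listed updater that has been modified on disk.
    download = b"MZ\x90\x00constructed-unknown-download"
    for label, img in [
        ("known-good updater", KNOWN_GOOD_UPDATER),
        ("fresh download", download),
        ("patched updater", tamper(KNOWN_GOOD_UPDATER)),
    ]:
        print(f"{label:20} {classify_image(img):12} "
              f"-> {execution_decision(img, unattended=True)}")
```

Because the decision keys on content rather than path, this is the complement of the path-based "safe applications" group: the path rule limits where a program may run from, the hash rule limits which programs are recognized at all, and the thread's setup leans on both.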

I want to stop all programs, even safe ones.