Hi,
Just went back to using CIS this week and I see that blocking folders is a pain unlike before. Previously when I wanted to block folders in CIS ver5 I would just create a new folder to “File Groups” and then add the folders I want to block in there. From there I would block it by,
Computer Security Policy>Block Files>Add>File Groups
Select “Folders to Block”
See images.
Now I am at a loss in CIS ver6.3. I tried doing this:
(a)
Defense+ > Protected Objects>Protected Files>
Add>Groups> New Group
Named New Group “Folders to Block”
Add>C:\Users\XXXX\Desktop\DESTROYER
(b)
HIPS Ruleset created
Defense>HIPS>Rulesets>
Name “Ruleset for Blocked Folders”
Access Rights>Block All
OK
(c)
HIPS Rules>Browse>File Groups>Folders to Block
Use Ruleset>Select “Ruleset for Blocked Folders”
OK
(a) (b) (c) did not block the folder “Destroyer” from being accessed. See images below. I believe this should have done it because Access Rights were all in “Block”.
I also tried what was posted here, https://forums.comodo.com/defense-sandbox-help-cis/block-a-folder-using-cis-t99450.0.html;msg721360#msg721360
but it too was not successful in blocking the folder access (I honestly thought that this would work also but it did not). See images below.
Posted by Sanya IV Litvyak, Re: Block a folder using CIS « Reply #2 on: November 21, 2013, 01:19:29 PM »
Block ALL actions:
- Advanced Settings
- Security Settings
- Defense+
- HIPS
- Protected Objects
- In the window to the right you’ll now see “Blocked Files” next to “Protected Files”; click this
- Add whatever you want to be blocked (it will be blocked from everything, even reading).
Only block modification like moving, writing or deleting from explorer.exe (won’t affect reading):
- Advanced Settings
- Security Settings
- Defense+
- HIPS
- HIPS Rules
- Locate “%windir%\explorer.exe” in the list
- Edit the rule
- If it’s set to “Use Ruleset” then change this to “Use a Custom Ruleset” (copy from Allowed Application if you want)
- Scroll down under “Access Rights” and find “Protected Files/Folders”
- Click “Modify”
- Click “Blocked Files/Folders” in the new window
- Add the files/folders/groups to be blocked.
- Optional: Repeat for any other applications like cmd.exe and notepad.exe etc
Now I tried blocking specific files and it’s okay and working okay. See image below.
Now how can I effectively block a whole folder from being accessed now in CIS ver6.3? Blocking file types is okay but if the user will use this to block folder contents then that is a very tiresome deed. I have also uninstalled and re-installed CIS, tried it all again to no avail.
I believe this should have been included in Blocked Files>Add>Folders instead of just,
Blocked Files>Add> Applications
Blocked Files>Add> Running Processes
In addition, as I was reading the user guide earlier, I also have a question on Protected Files (user guide page 287, quoted below). It seems obvious I need to create a new group to house the folders I intend to block, but it says there that “protected files” can still be accessed and read. A pop-up will only be thrown when an attempt is made to modify it.
6.2.2.4.1. Protected Files
The Protected Files tab displays a list of files and file groups that are protected from access by other programs, especially malicious programs such as virus, Trojans and spyware. It is also useful for safeguarding very valuable files (spreadsheets, databases, documents) by denying anyone and any program the ability to modify the file - avoiding the possibility of accidental or deliberate sabotage. If a file is 'Protected' it can still be accessed and read by users, but not altered. A good example of a file that ought to be protected is your 'hosts' file (c:\windows\system32\drivers\etc\hosts). Placing this in the 'Protected Files and Folders' area would allow web browsers to access and read from the file as per normal. However, should any process attempt to modify it then Comodo Internet Security blocks this attempt and produce a 'Protected File Access' pop-up alert.
Now, as you cannot add a folder to the Blocked Files (as mentioned earlier you have only two options re: Blocked Files>Add> Applications and Blocked Files>Add> Running Processes), does this mean that creating a new file group / adding that new group in the Protected Files and then blocking that new group in HIPS Rules it will still inherit the Protected File rule…?
HIPS rule applied: HIPS Rules>Browse>File Groups>Folders to Block
Use Ruleset>Select “Ruleset for Blocked Folders” (or Use Ruleset>Isolated Application --Access Rights are all Blocked here as what I have created in “Ruleset for Blocked Folders”).
On Custom Ruleset>Access Rights. Will a pop-up be thrown when you set “Block” to all the categories there? Blocking is denying access, correct?
I also see that Isolated Application in HIPS Rulesets that Access Rights are all in “Block”. This is the same as the contents of the ruleset I created in “Ruleset for Blocked Folders”. Using both in HIPS Rules>Use Ruleset does not block the folder also. See image below.
I need to block folders instead of singular file types. Can you guys help me with a workaround please?