How to effectively block folder access in CIS ver6.3?

Hi,

Just went back to using CIS this week and I see that blocking folders is a pain unlike before. Previously when I wanted to block folders in CIS ver5 I would just create a new folder to “File Groups” and then add the folders I want to block in there. From there I would block it by,

Computer Security Policy>Block Files>Add>File Groups
Select “Folders to Block”

See images.

Now I am at a loss in CIS ver6.3. I tried doing this:

(a)
Defense+ > Protected Objects>Protected Files>
Add>Groups> New Group
Named New Group “Folders to Block”
Add>C:\Users\XXXX\Desktop\DESTROYER

(b)
HIPS Ruleset created
Defense>HIPS>Rulesets>
Name “Ruleset for Blocked Folders”
Access Rights>Block All
OK

(c)
HIPS Rules>Browse>File Groups>Folders to Block
Use Ruleset>Select “Ruleset for Blocked Folders”
OK

(a) (b) (c) did not block the folder “Destroyer” from being accessed. See images below. I believe this should have done it because Access Rights were all in “Block”.

I also tried what was posted here, https://forums.comodo.com/defense-sandbox-help-cis/block-a-folder-using-cis-t99450.0.html;msg721360#msg721360
but it too was not successful in blocking the folder access (I honestly thought that this would work also but it did not). See images below.

posted by Sanya IV Litvyak Re: Block a folder using CIS « Reply #2 on: November 21, 2013, 01:19:29 PM »

Block ALL actions:

  1. Advanced Settings
  2. Security Settings
  3. Defense+
  4. HIPS
  5. Protected Objects
  6. In the window to the right you’ll now see “Blocked Files” next to “Protected
    Files” click this
  7. Add whatever you want to be blocked (it will be blocked from everything, even reading).

Only block modification like moving, writing or deleting from explorer.exe
(won’t affect reading):

  1. Advanced Settings
  2. Security Settings
  3. Defense+
  4. HIPS
  5. HIPS Rules
  6. Locate “%windir%\explorer.exe” in the list
  7. Edit the rule
  8. If it’s set to “Use Ruleset” then change this to “Use a Custom Ruleset” (copy
    from Allowed Application if you want)
  9. Scroll down under “Access Rights” and find “Protected Files/Folders”
  10. Click “Modify”
  11. Click “Blocked Files/Folders” in the new window
  12. Add the files/folders/groups to be blocked.
  13. Optional: Repeat for any other applications like cmd.exe and notepad.exe etc

Now I tried blocking specific files and it’s okay and working okay. See image below.

Now how can I effectively block a whole folder from being accessed in CIS ver6.3? Blocking file types is okay but if the user will use this to block folder contents then that is a very tiresome deed. I have also uninstalled and re-installed CIS, tried it all again to no avail.

I believe this should have been included in Blocked Files>Add>Folders instead of just,

Blocked Files>Add> Applications
Blocked Files>Add> Running Processes

In addition, as I was reading the user guide earlier I also have a question on Protected Files (user guide page 287, quoted below). It seems obvious I need to create a new group to house the folders I intend to block but it says there that “protected files” can still be accessed and read. A pop-up will only be thrown when an attempt is made to modify it.

6.2.2.4.1. Protected Files

The Protected Files tab displays a list of files and file groups that are protected from access by other programs, especially malicious programs such as virus, Trojans and spyware. It is also useful for safeguarding very valuable files (spreadsheets, databases, documents) by denying anyone and any program the ability to modify the file - avoiding the possibility of accidental or deliberate sabotage. If a file is 'Protected' it can still be accessed and read by users, but not altered. A good example of a file that ought to be protected is your 'hosts' file (c:\windows\system32\drivers\etc\hosts). Placing this in the 'Protected Files and Folders' area would allow web browsers to access and read from the file as per normal. However, should any process attempt to modify it then Comodo Internet Security blocks this attempt and produce a 'Protected File Access' pop-up alert.

Now as you cannot add a folder to the Blocked Files (as mentioned earlier you have only two options re: Blocked Files>Add> Applications and Blocked Files>Add> Running Processes), does this mean that creating a new file group / adding that new group in the Protected Files and then blocking that new group in HIPS Rules it will still inherit the Protected File rule…?

HIPS rule applied:

HIPS Rules>Browse>File Groups>Folders to Block
Use Ruleset>Select “Ruleset for Blocked Folders” (or Use Ruleset>Isolated Application --Access Rights are all Blocked here as what I have created in “Ruleset for Blocked Folders”).

On Custom Ruleset>Access Rights. Will a pop-up be thrown when you set “Block” to all the categories there? Blocking is denying access, correct?

I also see that Isolated Application in HIPS Rulesets that Access Rights are all in “Block”. This is the same as the contents of the ruleset I created in “Ruleset for Blocked Folders”. Using both in HIPS Rules>Use Ruleset does not block the folder also. See image below.

I need to block folders instead of singular file types. Can you guys help me with a workaround please?

I think you’re trying to prohibit even viewing certain folders? If so I have no idea how to do that. “Blocking” a folder will essentially block whatever it contains, but the user or programs can still enter the folder and read the names of the files; they can’t read/modify the contents of the files. This is just how CIS works and I do not believe there is a workaround for this except using other programs.

Protected folders… The rule you have created in the HIPS rules essentially says that files in “C:\Users\XXXX\Desktop\DESTROYER*” are not allowed to modify files in “C:\Users\XXXX\Desktop\DESTROYER*” (and the other rules that come with the ruleset).

So this is where it gets tedious if you want to block protected files from trusted applications. In order to apply this rule to all applications (remember they will still be able to read, but not modify) you go into HIPS > Rulesets > Edit “Allowed Application” > Modify “Protected Files/Folders” > Click “Blocked Files/Folders” tab > Add the file group. After you’ve done that, you repeat the process for the rest of the rulesets like “Windows System Application”, “Isolated Application” (Why? shrugs iunno, good measures?), “Limited Application” & “Games and Media Players Policy”. Once you’re done with that you go into HIPS Rules and you edit every single entry in the way I described before, i.e. “Modify Protected Files/Folders > Click Blocked Files/Folders tab > Add the file group”.

This will make every single program unable to modify the contents of that folder but still able to read them. This is what I’ve done with my backup folder so only my backup program can have access to it, in case of malware that encrypts files… however they now would get past HIPS… I guess if they signed in TVL. 88)

Sorry I’ve run out of time here so I can’t go into more detail at the moment, I hope it clarified something at least or perhaps I just repeated things you already know :P Either way feel free to ask any questions and I’ll try to answer them when I get back.

Edit: Sorry for the bold >_< Thought it would make the “important” pieces easier to find but it just made it look messy, no time to fix now.

This used to be just a simple operation in the previous versions but now it seems the developers have disregarded that. This seems like Emsisoft OA Premium’s File and Registry (but it’s easier setting it up with OA) where you can view the contents but you cannot access it. If I can remember right CIS ver5.12, Outpost Firewall Pro had this feature of blocking folder access. I hope in the next version the developers will consider this one and not just singular files.