Okay, so I’ve been having some shenanigans while trying to secure my system. >:(
Basically I’m trying to configure CIS10 HIPS to cover all programs except those on the trusted files list. I recall this was how I successfully did it back in CISv8.2 on my other computer. The task involved clearing the trusted vendors list while keeping only some basic vendors, e.g. Microsoft, on the list, otherwise the system became unbootable. Next, a lot of features (including all cloud lookup functionality) had to be disabled - this prevented new trusted vendors (and thus files) from appearing in the list. Finally, the trusted files list was cleared and HIPS was set to Safe Mode.
The reason I endorse this setup is the early warning it gives against malware and exploits. AFAIK, HIPS does not watch over processes or files in the trusted files list, but treats them as trusted and does not show any alerts. This is a potential problem - suppose one of these “trusted” programs gets compromised by an exploit and starts doing something fishy. If HIPS watched over the program, it would show an alert whenever the program tried to do unpermitted stuff, e.g. change some files on my disk or maybe mess with the registry.
Anyway, I’m trying to configure CIS10 on my newly formatted Windows 7 laptop in this manner. I’ve disabled all cloud lookup functionality that I could find (even in the anti-virus scans), I’ve cleared the trusted vendors list and only included some critical vendors like Microsoft, Comodo and some others. HIPS is set to Safe Mode, and the trusted files list has been cleared empty + laptop rebooted. The goal is that HIPS should monitor all programs not in the trusted list, and new files should only be added to the list in one of the following cases:
I manually add them to the list
The files are signed by a trusted vendor in the trusted vendors list
But there’s a problem with this setup. I’ll use my browser Firefox as an example here. No matter what settings I tried, Firefox will always appear in the list, despite my having removed it several times. The only thing I do is run Firefox and close it immediately after and boom! Firefox.exe is back on the list. I had almost started pulling my hair out when I finally found the culprit in the logs. It was the “COMODO rating” that always added it back (see attached images).
How the hell do I disable this “COMODO rating” or at least stop it from adding new files to the list? ???
I know this was possible to do in CIS 8.x, but I’m using the latest version CIS10. Is there a setting I missed somewhere?
Do you have the AV installed? Because if you do, then the database also contains a white-list that will trust files based on a signature. I just checked and here is the sig info for Firefox.
I am using Comodo Internet Security Free v10.0.1.6258. It comes with all components installed, i.e. Anti-Virus, Firewall, HIPS, Sandbox, VirusScope, etc. I had originally suspected the Anti-Virus to be the reason behind this because I’ve had some trouble with it in the past, e.g. I forgot to disable the cloud lookup feature that was “hidden” in the scan settings (see link in my first post). That resulted in new vendors appearing in the trusted list, and thus more trusted files. This time however the trusted vendors list looks fine (no new trusted vendors). I had suspected the Realtime Scan would have something to do with it because (AFAIK) it scans the files before they are accessed and executed.
Anyway, today I tried disabling individual CIS10 components to see if any of them would change the given behaviour. Disabling Anti-Virus had no effect because as soon as I opened and immediately closed Firefox, the file was back in the list and marked as trusted (yes, I removed the file from the list each time before performing a new test). Disabling VirusScope had no visible effect either, and neither did HIPS or Firewall. The only thing that had any visible effect was disabling the Auto-Containment. This reduced the frequency, but it did not eliminate it completely. For example, opening and closing Firefox no longer made it appear in the list, but I had to leave it up and running while doing some browsing, menu configuration, minimize/maximize the window, etc. But in the end it still appeared in the list. Website Filtering was disabled all the time.
Disabling every component except Auto-Containment didn’t help either - Firefox appeared as soon as it was started. Disabling every component including Auto-Containment gave me some inconclusive results, i.e. I was unable to make Firefox appear in the list in my short tests, but I cannot yet rule out that it will appear again sometime in the future. So by the looks of it I am guessing there are two places that cause the files to appear as trusted in the file list.
One is hidden somewhere inside the auto containment
The other is at some more obscure location
I’m also uploading my full CIS10 Configuration file (see attachment) that I exported from the advanced settings window, if anyone is interested.
The behavior you see is because of the reason explained by futuretech.
We have a safe signature for firefox.exe in the local AV database. So if you block AV database updates and then execute Firefox after disabling the other components as you expected, you should not see it in the white list automatically.
I think you should simply use paranoid mode, best fit for you.
Paranoid mode has way too many alerts IMHO, which is why I wanted to avoid it, and the HIPS Rules list becomes a mess after a while - too many entries and no way to sort them into groups, e.g. System, Programs, Games, Suspicious, Blocked, etc. Blocking antivirus database updates doesn’t sound like a good idea either.
Is there any chance for someone at Comodo to put an option in the CIS10 advanced settings, e.g. a “Trust files deemed safe by Comodo” tickbox that disables updating of trusted files based on the antivirus signatures alone? Who do I have to nag about it (any contacts)? Maybe send a donation?
I am sure you thought of this, but you can simply uninstall the AV component of Comodo, and leave the rest.
Then go and get yourself a different free AV, such as Avast or anything else. (It might even be better than Comodo AV, which never won very many prizes.)
And then delete Comodo from Trusted Vendors list, and make sure you trust all the Comodo Firewall files. I recommend this deletion, because Comodo is a second signer on a lot of software, and you will be surprised why certain programs are trusted, seemingly against your will. It is because Comodo is a second signer.
Maybe I am missing a point here, but what you are trying to achieve sounds pretty close to what I am doing with Comodo.
Comodo checks for updates of the AV database automatically.
AV is enabled for real-time scan with optimizations (“stateful”).
HIPS is on paranoid mode with verbose pop-ups.
HIPS does not create rules for safe applications.
File Rating is without Cloud Lookup and I do not trust files signed by trusted vendors or installed by trusted installers. This list is far too long for my taste.
A file group “Locally-installed, trusted software” is defined and used to exclude alerts in HIPS.
A subset of the file group (for Cygwin utilities) I also use with setting “Ignore” in Auto-Containment.
VirusScope only affects files in the containment.
If I run Firefox, it will run without problems. If I run again, it will run again. No entries in the blocked or untrusted applications list. No pop-ups.
When Firefox is updated, I get the prompt again and confirm this is trusted. That’s reasonable because any such “update” may also be a malicious alteration not initiated by me.
This runs stable. The only annoying thing here is Windows 10 updates. In the course of those, a copy (!) of DismHost.exe together with some other files will be created in a temporary directory and run (!). Bad practice. Very bad practice.
Along the same lines, this will create prompts with some “portable” software packages that create a new, temporary executable when they run. Again. bad practice. I don’t use such stuff.
Ah, and before the system reboots after major Windows 10 updates, I set HIPS into training mode and reboot. Then I set it to paranoid settings again. This procedure avoids having to go to safe modes and fiddle with Comodo and Windows to get everything up and running again because Comodo just blocked some essential Windows components. I still keep MpCmdRun in “Run Restricted” mode… and a few others.
Now, did I miss a point or did I achieve what you wanted to try?
I would like to correct your understanding of the following statement:
If you look at a digital certificate, there are two fields, “Issued to” and “Issued by”. We add a vendor into the trusted vendor list after analyzing the vendor and putting its name as seen under “Issued to” into the Trusted Vendor List. This means Comodo may be issuing digital certificates, appearing as “Issued by” to many vendors, but they are not auto trusted.
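The two replies above (the "sig info for Firefox" check and the "Issued to" vs. "Issued by" distinction) can both be reproduced on your own machine without trusting a screenshot. The script below is an added example and is not code from the thread or from Comodo: it reads the Authenticode signature of a file with the built-in Get-AuthenticodeSignature cmdlet, prints the signer certificate's Subject (what the certificate dialog shows as "Issued to") next to its Issuer ("Issued by"), and checks whether the "Issued to" common name appears in a vendor list you supply. The Firefox path and the two vendor names are assumptions; replace them with the file you are testing and the names from your own Trusted Vendors list. It needs only Windows PowerShell 2.0 or later, so it runs on a stock Windows 7 install.

```powershell
# Added example (not from the thread): compare a file's signer with a list of
# vendor names, the way the "Issued to" field is matched against a trusted
# vendor list. Works on Windows PowerShell 2.0+.

function Get-CommonName {
    # Pull the CN= component out of an X.500 distinguished name such as
    # "CN=Mozilla Corporation, O=Mozilla Corporation, L=Mountain View, ...".
    param([string]$DistinguishedName)
    if ($DistinguishedName -match '(?:^|,\s*)CN=("[^"]*"|[^,]*)') {
        return $Matches[1].Trim('"').Trim()
    }
    return $DistinguishedName
}

function Get-VendorTrust {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$TrustedVendors = @()
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # NotSigned, HashMismatch, UnknownError, etc.: no vendor identity can be
    # derived from an invalid or missing signature, so report that and stop.
    if ($sig.Status -ne 'Valid') {
        return New-Object PSObject -Property @{
            File      = $Path
            Status    = [string]$sig.Status
            IssuedTo  = $null
            IssuedBy  = $null
            Trusted   = $false
        } | Select-Object File, Status, IssuedTo, IssuedBy, Trusted
    }

    # "Issued to" = certificate Subject (the vendor); "Issued by" = Issuer (the CA).
    # A COMODO name in IssuedBy only says who sold the certificate; it is not
    # the vendor name that a trusted-vendor entry is matched against.
    $issuedTo = Get-CommonName $sig.SignerCertificate.Subject
    $issuedBy = Get-CommonName $sig.SignerCertificate.Issuer

    $timestamper = $null
    if ($sig.TimeStamperCertificate) {
        $timestamper = Get-CommonName $sig.TimeStamperCertificate.Subject
    }

    New-Object PSObject -Property @{
        File        = $Path
        Status      = [string]$sig.Status
        IssuedTo    = $issuedTo
        IssuedBy    = $issuedBy
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamper = $timestamper
        # Exact, case-insensitive match on the "Issued to" common name only.
        Trusted     = [bool]($TrustedVendors -contains $issuedTo)
    } | Select-Object File, Status, IssuedTo, IssuedBy, Thumbprint, NotAfter, Timestamper, Trusted
}

# Assumed inputs: adjust the path and vendor names to your own setup.
$vendors = @('Mozilla Corporation', 'Microsoft Corporation')
Get-VendorTrust -Path "$env:ProgramFiles\Mozilla Firefox\firefox.exe" -TrustedVendors $vendors | Format-List
```

Run it from a PowerShell prompt; to audit a whole directory, pipe `Get-ChildItem -Recurse -Include *.exe,*.dll` into `ForEach-Object { Get-VendorTrust -Path $_.FullName -TrustedVendors $vendors }`. Two caveats: Get-AuthenticodeSignature reports a single signature per file, so a dual-signed binary shows only the one Windows selects, and the script compares the common name alone, whereas a product that keys on the full Subject or on the certificate thumbprint would treat two vendors with the same CN differently. If a file shows up as trusted on your machine while `IssuedTo` is not in your vendor list, the decision came from somewhere other than vendor matching, which is consistent with the local AV signature explanation given above.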