Illegal browser launch revisited :(

Last time we discussed this topic was over a year ago. I quit using Comodo after multiple frustrating attempts to set it up properly for the issue discussed below. I decided, however, to give the latest version a try (CIS Premium 10, yes, beautifully designed and very rich in options and capabilities), but ran into the very same headache - several apps stubbornly keep launching the browser without a single warning! CIS also shows very few (if any) notifications upon launching apps assuming they’re safe or at best running them sandboxed. Weird for a training mode?

The latest offender is “CD Recovery Toolbox Free”. A simple app to copy files from damaged CD/DVD media. Every single time I close the app the browser is launched. I tried using the same settings suggested in this thread that once worked, but to no avail.
https://forums.comodo.com/defense-sandbox-help-cis/prevent-applications-from-launching-browser-t90064.0.html

What is not clear to me is why CIS, despite both Firewall and HIPS being set to training mode and pop-ups enabled, never asks a question or shows a pop-up? That’s how it used to be with some very old versions of Comodo that were so efficient and virtually flawless. It is of no comfort that some major competitors have the same problem (KIS, now-defunct Agnitum Outpost, ZoneAlarm etc). I do have a security program that handles this issue properly, but it is not free like Comodo.

Any help?

Training Mode is to create a set of firewall/HIPS rules for the application or game you are wanting to run. It allows all things freedom to do what they want, and records these as a set of rules.
Once you run the app/game for 5 minutes, turn Training Mode off.
Then you will get the warnings, alerts you expect.
Personally, I rarely use Training Mode.

Thank you, but that doesn’t answer my question. I also tried paranoid mode without success.

From the help documentation:

Training Mode: HIPS monitors and learns the activity of any and all executables and creates automatic ‘Allow’ rules until the security level is adjusted. You do not receive any HIPS alerts in ‘Training Mode’. If you choose the ‘Training Mode’ setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.
So once you changed to paranoid mode you wouldn’t get alerts because allow rules were already created for that application to do what it wanted to do. To block applications from executing web browsers you can either create a HIPS rule for the application that you want to block from running installed web browsers or edit the all applications rule. You would then need to add the web browsers file group to blocked files/folders of the run an executable access right exclusion.

Thank you, but the million dollar question is (does that apply to freeware? LOL) - Where are the pop-ups for any and every new activity that the old old Comodo used to have?

Regardless of which mode I use in the settings (training, paranoid etc.) even after deleting ALL already created rules for the offending app, the pop-ups don’t happen. Absolutely ZERO notifications. This is not only strange, but dangerous behavior from a program labeled as “Internet Security”. At the very first attempt by any app to launch a browser (or any other program), shouldn’t an Internet Security software at least sound a warning asking the user to allow or block the given action? Elaborate rule creation and other fine tuning are great features of Comodo, but I’d like to see a warning before I have to create any rule.

If you’re referring to the pop-ups that tell you Comodo is “learning” and thus allows actions in training mode, then I think they removed such notifications. As for the non-alerts after removing the rules and setting HIPS to paranoid mode, make sure you disabled “Do NOT show popup alerts” in HIPS settings. This gets set when you keep the installer option to not show alerts as much as possible.

No. I’m referring to any pop-up notifications that any security program would show after you install it and it starts monitoring the activity on your computer. That is what I expect(ed). And what I got was virtually no warning of any activity, suspicious or not. These notifications should be there from the moment CIS is installed without me having to go into HIPS or any other settings to modify anything.

Example: I was playing with ZoneAlarm the other day which, just like CIS, failed to notify me of the illegal browser launch. I discovered that this is due to default settings which were not as strict as I wanted. After changing the Application Control to “Max” (from default “Med.”) and DefenseNet to “Manual” (from default “Auto”), ZoneAlarm started to notify me of all application activity and allowed me to act accordingly. Those are the pop-ups I’d like to see with CIS, too.

Question: Is there a CIS setting that would do the same as described above without me having to set up parameters for individual applications?

When you are using the default Internet security configuration, HIPS is disabled, so you won’t get any alerts for actions carried out by running processes. If you switch to the proactive security configuration, then HIPS will be in safe mode, which means that for actions done by applications that are considered safe/trusted by Comodo, due to being either digitally signed by a trusted vendor or having their file hash in Comodo’s cloud safe list, you won’t get alerts and the action will be allowed until that application attempts to execute something that is not trusted. The same is true for the firewall: safe mode will not alert for outgoing connections made by trusted applications, or when a trusted application wants to receive an incoming connection (assuming the port is open in global rules or “ask me for incoming connections” is selected for the stealth ports firewall task).

If you want to be alerted for actions by any processes regardless of their rating status, you would make sure auto-sandbox is disabled and set HIPS to paranoid mode. Even when in paranoid mode you won’t be alerted for certain groups of applications, due to the default rules for these file groups in HIPS rules, e.g. the Windows System Applications file group is going to be treated as the Windows System Applications HIPS ruleset. To see what applications are within that file group, you can click on the + sign next to the name of the file group in HIPS rules; to see what access rights they are given, go to the HIPS rulesets section and double-click on the ruleset name, or double-click the rule if it says custom ruleset under the treat as column. You will not get HIPS alerts for those that have the Installer or Update ruleset applied to them even in paranoid mode (though there is a wish to change this behavior).

So what you are looking for is to switch to the proactive configuration, set HIPS to paranoid, change the firewall to custom ruleset and change the alert frequency to high, and disable the auto-sandbox. I suggest you take a look at the help documentation for HIPS settings, HIPS rules, firewall settings, and the firewall app rules and global rules.

And get some aspirin ready for the headache you’ll surely have ;D

Finally! That’s exactly what I needed. A bit of an overkill, but at least I could use those settings when first running an unknown app that CIS considers “safe”.

Thank you!