Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.
Option:
a. Aggressive - This setting instructs Defense+ to intercept the file types listed in the ‘Files to Check’ tab before they are loaded into memory and also intercepts prefetching/caching attempts for the executable files.
b. Normal - Same as Aggressive but does not intercept prefetching/caching attempts. This is the default and recommended setting.
c. Disabled - No execution control is applied to the executable files.
My questions:
what is the difference between Aggressive/Normal in plain English: Intercepting Prefetching vs not Intercepting Prefetching?
The recommended setting is Normal; why not Aggressive? Does Aggressive use more CPU, or is there another reason?
Disable - no execution control: Can you explain the relation between D+ and the Image Execution feature. Does that mean if I chose Disable, D+ will not use any safe list and return many more Pop-up alarms? Other?
I’ll give you completely amateur replies. They might be far off the mark.
I cannot answer the first question, so I’ll answer the next two.
I think setting the slider to Aggressive will produce more pop-ups than if it were set to Normal. It will most certainly not use more resources.
In “Clean PC” mode and in “Safe mode” the “Image Execution” feature will calculate the hash of an executable and check it against the list of files in the COMODO safe file list. If a matching entry is found, the file will be treated as safe; if no matching entry is found you’ll be alerted about that particular file. It will thus also detect modification of safe files (modifying a file will change the hash value, too), which means the file no longer matches the hash value and is safe no more.
Since Clean PC mode treats all files on your system as safe, it is very much necessary to have the “Image Execution” protection enabled in Clean PC mode. If ever any of the files on your hard disk were modified, it is the “Image Execution” feature that will alert you about it.
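The hash-and-compare check described in the quoted help text at the top of the thread, and again in the reply above (including why a modified “safe” file becomes unrecognized), as an added worked example. This is not Comodo’s code and is not from any poster; the safe list is a constructed dictionary standing in for the Comodo safe list, the “executables” are constructed temporary files, and SHA-256 is assumed as the hash (the page does not say which algorithm Comodo uses).

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not Comodo's implementation. Models the load-time check:
# hash the file on disk, look the hash up in a safe list, alert otherwise.
# The safe list and the sample files are constructed for this example.


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_executable(path, safe_list):
    """Return 'safe' if the file's content hash is on the safe list, else 'unrecognized'.

    Only content matters: a renamed copy of a safe file stays safe, while a
    patched or updated file under the same name no longer matches and would
    raise an alert, which is what the thread's posters observe.
    """
    return "safe" if sha256_of_file(path) in safe_list else "unrecognized"


def demo():
    """Constructed scenario: known file, renamed copy, then an in-place modification."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "app.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x90" * 1000)  # constructed PE-like stub, not a real binary

        # Constructed safe list: hash -> label (stands in for the vendor safe list).
        safe_list = {sha256_of_file(app): "app.exe 1.0"}
        results["known"] = check_executable(app, safe_list)

        # Same bytes under another name: still matches by hash.
        renamed = os.path.join(d, "tool.exe")
        shutil.copyfile(app, renamed)
        results["renamed_copy"] = check_executable(renamed, safe_list)

        # Simulate an update (or tampering): flip one byte in place.
        with open(app, "r+b") as f:
            f.seek(500)
            f.write(b"\x41")
        results["modified"] = check_executable(app, safe_list)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it prints `known: safe`, `renamed_copy: safe`, `modified: unrecognized`. The last line is the behaviour the later question about program updates is asking about: a vendor update rewrites the executable, the hash changes, and a pure hash safe list can no longer vouch for it until a new hash is recorded.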
I suggested long ago that Comodo make Image execution more intuitive. Here is what I posted in the usability forum:
Regarding “Image Execution Control Settings”: Experts and programmers probably understand that “Image” isn’t referring to a graphic image (e.g. a JPEG picture), it is referring to an application’s memory image (as initialized in RAM); however, the term “image” WILL confuse people who are not experts (they will assume it does mean a graphic image, which is the more common meaning of the word). To eliminate confusion, it seems best to change this name to something that is still accurate but not subject to double meaning and ambiguity, such as “Settings for Executables.” ----- See Pic #1
Thanks to everyone for helping out. However, and sorry to say it, my questions are still open. So, to anyone willing to share their knowledge, please see my questions 1 to 3 above in the thread:
Intercepting Prefetching vs not Intercepting Prefetching
tcarrbrion gave me a partial explanation about the difference. Is there more?
Disable - No execution control is applied to executable files = Does it disable the COMODO white list, and what is the difference from the D+ security level Disabled?
Since no one else is answering this question, I’ll try to help. Until someone more knowledgeable comes with a more technical explanation, my half-correct answer should help you.
1] Every “executable” you run on your system will create a .pf file of itself in the folder C:\WINDOWS\Prefetch. I am guessing this is done after the executable loads into memory. The control level at Normal will detect only the memory loading, whereas setting it to Aggressive, even “prefetching” and “caching” will be intercepted.
2] Similar to the first answer.
3] Disabling shouldn’t affect the white-list check, but modification of safe files wouldn’t probably be detected.
Setting image execution control to disabled just stops Defence+ asking permission before a program is allowed to run (the top setting for each program under computer security policy). Setting Defence+ to disabled turns off all the other things that Defence+ monitors.
I have read that Image execution control is not needed if you have the full CIS package installed. The reasoning was that a virus would be stopped before implanting itself and/or modifying files therefore making execution control redundant. It went on to say that was why image execution is disabled in the default internet security policy.
I am using the Internet Security Policy but I did turn on Image execution. Is it really necessary or not with the full install Of CIS? The article I read also said that the default monitoring controls were also sufficient for the same reasons. A piece of malware should never get to the point where it can begin to take those actions if you install the full suite.
Another question is this: If one of my programs receives an update and therefore its main executables are altered, will Image execution pop up a warning when I try to use the updated version? I would rather not have that happen.
1] Every "executable" you run on your system will create a .pf file of itself in the folder C:\WINDOWS\Prefetch. I am guessing this is done after the executable loads into memory. The control level at Normal will detect only the memory loading, whereas setting it to Aggressive, even "prefetching" and "caching" will be intercepted.
Thank you for this one.
@EricJH
I am using Proactive Protection. In this mode you are capable of catching what CIS can catch
I have just noticed the different settings on the Image execution setting windows, using the default profiles:
CIF - Normal
CIP - Normal
CIS - Disable
I use the full suite minus the AV. Does that mean that the configuration profile CIS = AV included?
CIF - Firewall, no HIPS
CIP - Firewall, HIPS (eventually AV) - all at elevated security settings
CIS - Firewall, HIPS, AV
Correct?
@ tcarrbrion
Setting image execution control to disabled just stops defense+ asking permission before a program is allowed to run (the top setting for each program under computer security policy)
stop defense + asking permission:
= deny. The program cannot run
or
= allow. No alarm pops-up.
The configuration I’m using with the Internet Security policy scored 340/340 on the leak tests so I feel pretty good with it. ;D
It just seems to me that the developers consider that Image execution is not needed if CAV is installed since both the Internet Security and the Antivirus policy disable it by default but it is enabled in the Firewall policy that is meant for users who did not install the AV.
I have just discovered that turning off Image execution causes CIS to fail 2 of the leak tests. The explorer as parent one and also the coat one. I have turned it back on and I guess I’ll have to live with a few more popups.
I use Internet security profile with firewall in safe mode and D+ in Clean PC. I have enabled image execution however which is disabled by default and I have also checked all of the monitoring options. Since those are the only differences I could see between Internet Security and Proactive, I see no reason to switch and have to build my rules all over again.