Items added to top of Computer Security Policy

I have reported this before but it appears to have got lost and has never been fixed.

It has just happened again. A new entry to computer security policy has been added to the top of the list. This is no good as the application will bypass any group rules you have set up.

Latest 3.9 under Vista SP2 32-bit. Defence+ temporarily in paranoid mode to test something.

When using D+ in Paranoid mode all applications are listed separately at the top of the Computer Security window. This is by design.

It used to do it sometimes when not in paranoid mode. Maybe that has been fixed. I have not seen it for a while. I thought this was the old problem again.

It will do this in other modes but only if you answer a Defense+ alert to create the rule; all auto-created rules are added at the bottom even if you are in Paranoid mode.
I presume it is done this way so you know the rules which you have created by answering an alert.

Aahh, now I have a question. Does the order of the list make a difference? I have resorted my list in alphabetical order. I have brought up some of the lower entries to the top (along with the original top entries) just to make the list easier to read. Have I messed things up? Now I’m Paranoid! ???

In that case it is very bad as it will bypass any group rules you have set up. I have group rules to stop all applications from doing certain things and this will not work if rules are added at the top.

The order of the rules is very important. The rules are searched down in order and it stops when you reach a match. If the application rule is above the group rule the group rule will not work. It does not matter if you do not have group rules.

Thanks for the reply. I just cleared my rules and started over (just to be sure). :wink:

There is a rule called All Applications, specifying program *. This rule, which I assume was autocreated at install or from the Proactive Security config, has Ask on all access rights. I have a rule for Firefox that blocks writes to protected files/folders except for writes to C:\Downloads. I tested with the All Applications rule both above and below the Firefox rule, and the Firefox rule takes precedence (Firefox displays an error for insufficient privileges, no D+ alert) in either case when I try to download an EXE to a directory other than C:\Downloads.

I am very interested in knowing exactly how the D+ rules precedence works. Please revise your summary based on tests of CIS V3.9.95478.509.

Thanks for your help to forum members.

As far as I’m aware there is no precedence order for D+, although I stand to be corrected.

Unlike the firewall where the placement of an Allow or Block rule affects the behaviour of any given application or service, D+ groups all ‘permissions’ in a single entry. The entry will specify what the application or service can or cannot do in relation to other services/applications/system components etc.

There is a precedence order and it is important. When something monitored by Defence+ occurs it starts at the top and looks down the list until it finds the application or a group containing the application. If it finds a match it looks at the rules. If the rule says block or allow it stops. If it says ask it carries on looking down the list of applications.

This enables you to set up group rules, such as the All Applications group, where you can allow or block something for everything in the group. This only works if the group is above the individual application, or it will use the individual application's rule, which for safe applications is probably forced to be allow. This lets you have some control over safe applications.

I have a group called “dangerous applications” which contains web browsers and media players and similar, and where I block certain very dangerous things they should never be doing. It only works if the group rule is above the individual applications' rules.
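To make the lookup order concrete, here is an added simulation of the first-match walk described in the two posts above (the "dangerous applications" group and the earlier All Applications test). It is not Comodo's code; the rule names, access rights and paths are constructed for the example.

```python
# Added model of the Defense+ precedence walk described in the thread (not Comodo's code).
# Rule names, access-right labels and program paths are constructed for illustration.
from dataclasses import dataclass, field

ASK, ALLOW, BLOCK = "ask", "allow", "block"

@dataclass
class Rule:
    name: str
    members: set = field(default_factory=set)    # program paths; "*" matches every program
    actions: dict = field(default_factory=dict)  # access right -> ASK / ALLOW / BLOCK

    def matches(self, app: str) -> bool:
        return "*" in self.members or app in self.members

def decide(policy: list, app: str, access: str):
    """Walk the policy top to bottom. The first matching entry whose verdict is
    allow or block decides; an entry set to ask keeps the search going, and
    falling off the end of the list means the user gets an alert."""
    for rule in policy:
        if rule.matches(app) and rule.actions.get(access, ASK) != ASK:
            return rule.actions[access], rule.name
    return ASK, None

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
VLC = r"C:\Program Files\VideoLAN\VLC\vlc.exe"

# Group rule blocks "run executable" for browsers and media players; the individual
# Firefox entry (a safe application) allows it but blocks writes to protected files.
group = Rule("dangerous applications", {FIREFOX, VLC}, {"run executable": BLOCK})
firefox = Rule("firefox.exe", {FIREFOX}, {"run executable": ALLOW, "protected files": BLOCK})
everything = Rule("All Applications", {"*"}, {"run executable": ASK, "protected files": ASK})

def group_on_top():
    # Group above the individual rule: the block wins.
    return decide([group, firefox], FIREFOX, "run executable")

def group_below():
    # Group below the individual rule: Firefox's allow is reached first and the block is dead.
    return decide([firefox, group], FIREFOX, "run executable")

def all_applications_set_to_ask():
    # An All Applications entry set to Ask never decides, so the Firefox rule wins
    # whether it sits above or below, which matches the test reported earlier.
    return (decide([everything, firefox], FIREFOX, "protected files"),
            decide([firefox, everything], FIREFOX, "protected files"))

def unknown_program():
    # Nothing but an Ask entry matches: the walk ends and the user is alerted.
    return decide([everything, firefox], r"C:\Temp\setup.exe", "protected files")
```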

Thanks for the detail tcarrbrion. I have taken many of your strategies. There is often a tradeoff between security and usability. Your original thinking often improves on one of these while not reducing the other, which is a benefit to Comodo and users.

I can understand that CIS puts new rules from alert responses at the top. Otherwise, other rules sometimes would give different behavior than how the user responded to the alert, which would upset novice users. How about a CIS option for experienced users that specifies whether new rules created by alert responses go to the top or the bottom of the list?

With the current CIS behavior, the only way I see to use group rules without override is to create group rules without any default action of Ask, as this strategy prevents new rule creation for group members. The user can create groups of sorts by using the same predefined security policy for a number of apps, but one alert for an Ask rule will cause the policy to become customized. This prevents the user from making changes to the rules for a group or even seeing which apps belong to the group.

This info could be used in the justification for a new wish list item. I find better acceptance of new ideas if I summarize the situation and options concisely such that the option I offer is clearly an improvement.

I would like this.

I don’t mind this much. You can still see what is in the group and anything allowed or blocked in the group will not be affected by whatever is in the individual rule (as long as they are below the group).

The things set in the individual rules are likely to be less important things that you leave on ask. I see this as a small usability thing with no effect on protection. I think it is more important to be able to control safe applications more easily.