More control over safe programs

Hello,

I like the global CIS whitelist feature because it makes CIS less noisy. However, I lack more control over the files that Comodo marked safe. In D+ “safe mode”, I can explicitly block selected operations of selected safe programs. However, I cannot make CIS alert when a safe program is going to perform a selected operation; CIS simply ignores such rules.

Explanation:
A file is whitelisted by Comodo because it contains no malware, not because it contains no security bugs. Thus I feel the need to be alerted when, e.g., an internet application (Firefox, for instance) tries to write into a protected folder (say system32), or when a program that is supposed to work only locally (e.g. an image viewer or an offline game) tries to communicate over the internet. I do not want to block these unexpected operations of safe programs beforehand, because the programs may have a good reason to perform the requested operation. But I want to be alerted.

Suggestion:
CIS allows alerting for operations of safe programs only in “paranoid mode”, but in this mode you lose the advantages of the global whitelist. I see two possibilities for enhancing CIS so that it behaves as described:

  1. In “safe mode” (and below), when a safe application has an explicit rule for “alert”, then follow this rule. Currently, this rule is followed only for applications that are not marked safe. The problem with this solution is that the fallback rules (rules for the file groups “Executables: .exe,.dll,…” or for “All applications: *”) should not alert.

  2. In “paranoid mode”, introduce a new file group “Whitelisted executables”, for which you could define your own rules. E.g. “allow everything for Whitelisted executables”.

Martin.

If you want an alert when a trusted vendor's software is getting installed, then do the following:
CIS → Defense+ → Defense+ Settings → Sandbox settings. Here you unmark “Automatically trust files from trusted installers”.

Regards,
Valentin

Or did I misunderstand your suggestion?

Unfortunately, you did. :frowning: I didn’t say a word about installation.

Another possible solution is described here:
https://forums.comodo.com/empty-t45586.0.html

I added a poll. Also, I’m adding an illustrative example:

Suppose you want to modify the policy according to which CIS treats web browsers.
Because of this, you define a file group (Defense+ → Computer Security Policies → Protected Files and Folders → Groups) called “Browsers”, and add firefox.exe, iexplore.exe etc. into it. Then you create a new policy (Defense+ → Computer Security Policies → Predefined Policies) called “Browser Policy” that somehow modifies the default behaviour. Finally, you create a rule (Defense+ → Computer Security Policies → Defense+ Rules) that matches the “Browsers” file group to “Browser Policy”.

You expect that both firefox.exe and iexplore.exe will be treated according to the “Browser Policy”. Unfortunately, you quickly find out that CIS ignores your D+ rule (with the exception when the policy explicitly bans something)! CIS allows you to create the rule, and then it ignores it!?!

The reason why the rule is ignored is that both firefox.exe and iexplore.exe are marked safe by Comodo.
And you cannot do anything about it (unless you switch to the paranoid mode, which has other drawbacks). This is the background of my suggestion.

Martin.