My Own Safe Files is useless

Here’s the configuration I set in Comodo’s Computer Security Policy

%Windir% = Windows System Applications
All Applications * = Isolated

I test-ran Firefox, but it wouldn’t run because D+ blocked it, of course. So I wondered whether My Own Safe Files works, and added firefox.exe or the whole Firefox directory to My Own Safe Files. Unfortunately, D+ won’t learn anything from the files in My Own Safe Files.

I must add Firefox.exe or firefox directory as Trusted Application in Computer Security Policy instead of My Own Safe List before the rule of “All Application = Isolated Applications” in order to allow firefox.exe to run.

This information is from Comodo’s help file:

Comodo Firewall Pro allows you to define a personal safelist of files to complement the default Comodo safelist.

Files added to this area are automatically given Defense+ trusted status. If an executable is unknown to the Defense+ safelist then, ordinarily, it and all its active components will generate Defense+ alerts when they run. Of course, you could choose the ‘Treat this as a Trusted Application’ option at the alert but it is often more convenient to classify entire directories of files as ‘My Own Safe Files’.

My Own Safe Files is pretty useless if D+ can’t learn anything from it as claimed once All Applications is set to Isolated Applications.

I think in Safe/Clean PC level, files in My Own Safe Files should be learned or matched before applying any rules in Computer Security Policy.

I guess the priority of Defense+ is as follows when an application is executed:

1. Check in Quarantined files.
2. Check for a rule in Computer Security Policy.
3. If no rule is found, verify in Comodo’s safe list\My Own Safe Files.
4. If the app is not in the safe list and “Trust the digitally signed vendor” is enabled, verify digitally signed files in My Trusted Software Vendors.
5. At last, if the application is not safe or it is found in My Pending Files, alert the user.

I understand what you meant,

but if I add the program path in Computer Security Policy instead of My Own Safe Files (My Own Safe Files uses a hash to identify the files, right?), then it wouldn’t be very secure, because that way I could just copy a malicious file, rename it to firefox.exe, and D+ would allow it to run.

If Image Execution Control + Safe Files use a hash to recognize the files, then it will be more secure than just allowing any file with the same name to run.
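
The lookup order guessed at earlier in the thread and the path-versus-hash concern in this post, modelled as an added example (not part of the thread and not Comodo's code). The first-match rule order, the SHA-256 safelist and the sample file bytes are assumptions constructed for illustration.

```python
import fnmatch
import hashlib

def decide(path, content, policy, safe_hashes):
    """Toy model (assumed): policy rules are checked top to bottom and the
    first match wins; the hash safelist is consulted only if no rule matched."""
    for pattern, treatment in policy:
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            return treatment, "policy rule " + pattern
    if hashlib.sha256(content).hexdigest() in safe_hashes:
        return "Trusted", "safelist hash"
    return "Alert", "unknown file"

# Constructed sample data: same path, different file contents.
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
GENUINE = b"constructed stand-in for the real firefox.exe bytes"
IMPOSTOR = b"constructed stand-in for another file renamed firefox.exe"
SAFE_HASHES = {hashlib.sha256(GENUINE).hexdigest()}

def run_cases():
    # Policy from the first post: %windir% rule, then a catch-all Isolated rule.
    catch_all = [(r"C:\Windows\*", "Windows System Application"),
                 ("*", "Isolated")]
    # Workaround from the first post: a path-based Trusted rule placed above it.
    path_rule = [(FIREFOX, "Trusted")] + catch_all
    # Catch-all removed, so unmatched files fall through to the safelist.
    no_catch_all = catch_all[:1]
    return {
        # The catch-all matches first, so the safelist is never reached.
        "catch_all_genuine": decide(FIREFOX, GENUINE, catch_all, SAFE_HASHES),
        # A path rule trusts whatever bytes sit at that path.
        "path_rule_impostor": decide(FIREFOX, IMPOSTOR, path_rule, SAFE_HASHES),
        # A hash safelist trusts only the exact file that was added.
        "hash_genuine": decide(FIREFOX, GENUINE, no_catch_all, SAFE_HASHES),
        "hash_impostor": decide(FIREFOX, IMPOSTOR, no_catch_all, SAFE_HASHES),
    }

if __name__ == "__main__":
    for case, (treatment, reason) in run_cases().items():
        print(f"{case:20} -> {treatment} ({reason})")
```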

Did your executable in safe list also try to access protected folders and registry?

In My Protected Files, I have:
%windir%*
%programfiles%*
%userprofiles%*
Temporary Files Group

In My Protected Registry, I have:
–Entire Registry listed–
HKEY_CLASS_ROOT*
HKEY_CURRENT_USER*
HKEY_LOCAL_MACHINE*
HKEY_USER*
HKEY_CURRENT_CONFIG*

My Safe Files:
Entire Firefox folder (%programfiles%\firefox*)

Computer Security Policy:
Default Policies listed
%windir% = Windows System Applications
Removed All Applications rule

D+ Level = Clean PC

I tested with exactly same conditions, except this:

The only way i found to add objects (excluding moving from pending or quarantined files, and specifying from running processes) is to add either by browsing to exact location (folder c:\program files\mozilla in this case), then all exe’s from that folder (*.dll, *.exe) will be added to safe files.
Where did you get environment variable? Added one object to safe files and renamed it to %programfiles%\firefox*?

Anyway, here are my results: CFP does learn everything, except:

  • I don’t know whether it learns global hooks (as in my VM CFP doesn’t catch global hooks, hence I cannot state anything);

  • alerts are shown for protected files/folders activities (you are right here), but I don’t have an idea whether this behavior can be considered a bug or an undocumented feature:

Files added to this area are automatically given Defense+ trusted status.

On one side, trusted means access to everything (like the trusted app policy); on the other side, the manual doesn't state explicitly what exactly "trusted status" means.

Oh, I just use %programfiles% to represent C:\Program Files\ in previous post, I didn’t mean I used environment variables to add it to safe list.

I realized that whatever executables are in the safe list, CPF does recognize them as safe applications but still asks the user for permission. In the alert message, it says:

firefox.exe is a safe application. It is about to modify the contents of C:\Program Files\Mozilla Firefox. This usually happens when you try to install or update an application. If you are not performing any of these operations, you mean consider blocking this request.

So I assume either a safe application does not get trusted status as stated in the help file, or it’s a bug.

During the test, I also found out that the default policy’s Windows System Application and Trusted Application are not the same policy, because Windows System Application allows its applications to create processes, but Trusted Application won’t. Is that right? I was having problems with Logitech SetPoint although it was given Trusted Application status. CPF wouldn’t allow SetPoint to create a process, and this was logged in D+ events. But once I gave SetPoint Windows System Application status, SetPoint ran successfully without any errors or alerts in D+.

AFAIK “My Own Safe Files” can be used in specific CFP modes to trigger training/autolearning as long as an app has no defined rule.

Adding a predefined policy to */All application should prevent training of all apps regardless if they were added to “My Own Safe Files”.

Maybe only partially learned apps could still be trained.

Anyway this is a special case.

Same here. It doesn’t learn activities about modifying protected files/folders. We need the developers’ feedback in order to find out if this is a bug or expected behavior.

Yep. This is by design: the only difference between Windows System Application and Trusted Application is that Windows System Application has * in exceptions for “run an executable”, which means it can launch everything without alerts.

It works great in clean pc and safe mode, except CFP doesn’t learn activities for protected files/folders automatically.

This is because, IMHO, CFP was not designed to work this way.
The all application policy was used to create a baseline ruleset applicable to all applications,
e.g. to add %windir%\system32\ctfmon.exe to the interprocess memory access of all apps with one rule.

As it is now this is not a consistent behaviour.
IMHO existing ruleset should take the precedence over Trusted vendors and “My own Safe Files” and I’m inclined to consider */all application as a normal rule.
Anyway I was not able to find out if */all application takes the precedence over all rules or only subsequent ones.

If so (by design behavior) it seems to me this is not logical behavior. Let me explain. We don’t have any executable from specific folder (e. g. %programfiles%\firefox) listed under computer security policy, we add entire folder to “my safe files”.
CFP automatically learns every activity, except CFP gives pop-ups when firefox.exe (for example) tries to perform actions on protected files/folders. Why? If we added firefox folder we obviously want to avoid any pop-ups as this is purpose of “my own safe files”:

If an executable is unknown to the Defense+ safelist then, ordinarily, it and all its active components will generate Defense+ alerts when they run. Of course, you could choose the 'Treat this as a Trusted Application' option at the alert but it is often more convenient to classify entire directories of files as 'My Own Safe Files'.

Why does CFP give alerts about activities on protected files/folders and doesn't give alerts about accessing the screen, modifying protected registry keys etc.?

P.S.: I tested with and without “all application” group (with default permissions) under computer security policy. Same results in both cases.

Yes the behaviour is inconsistent.

If I understood correctly this means that “My own Safe Files” doesn’t work correctly even with untrained apps.
It looks like a regression bug.

as for this

sovereignty68’s 1st post points out that rules are handled from top to bottom.
The only thing missing would be whether a half-trained app placed before the “*/all application” group will learn the new rules regardless of what is configured in the “all application” group.

In addition to this, I wonder how applications added to the “My trusted vendor” list will be learned.

My Trusted Vendor does not work in this version latest the thread is on this page at the bottom.
Dennis

Here too but few members managed to get it working (IIRC they imported their previous config).

Guess so. But i was checking only exe’s that were not listed at all under computer security policy, hence i’m not sure how does “my safe files” feature behave if we add half-trained apps etc.

Lucky people ;D
As for me i didn’t succeed in importing my 3.0.21 config.