Need help understanding D+

Hey

I’m new to Comodo’s Defense+ so naturally I have some questions to fully understand how to use this program effectively. To give you an idea where I’m coming from, I’ve been using Online Armour before deciding to try Comodo so I have some basic HIPS knowledge.

  1. In D+, how can I completely block/disable/untrust (whatever you want to call it) certain programs? I want certain programs blocked from starting/starting or ending other programs (physically and remotely), from doing anything advanced like installing global hooks/accessing physical memory/installing drivers, etc., etc… Basically I want to block certain programs from doing ANYTHING. I guess the first step would be to give the selected programs the “Isolated Application” predefined policy, but then what next (since the program can still run)?

  2. When editing policies, what exactly is “Protection Settings”? Is it options to protect the selected application(s) from what other processes can do to it? For example, if I activate “Process Terminations” for 34.exe, does that mean 34.exe is protected from other programs trying to terminate 34.exe? If so, for what general processes should I activate these protections?

  3. Lastly, once I get D+ set up to my liking, where can I test it to make sure it is providing maximum protection? For example, to test your firewall you would run GRC’s ShieldsUP.

TIA

Hey ProActiv! Welcome to the forums. I will try to help you as best as I can… However, I don’t have CIS installed at the moment.

  1. Comodo → Defense+ → My Computer Security Policy. You should be able to add custom rules manually there. Or, run the application and you should get pop-up windows and you can do it from there, which is easier in my opinion. As for starting up… Comodo should alert you if an application tries to add itself to the start-up list. If this program already has before installing CIS… you can do this:
    Start → run → msconfig
    Go to start-up and untick the boxes you wish.

  2. From memory… Yes, I think so. (I could be wrong as I don’t have CIS visually in front of me :frowning: )
    Hopefully another member could clarify this for you. You could try looking at the inbuilt helpfile within CIS… Comodo → Misc → help.

  3. I’ve attached the CLT, Comodo Leak test.

These threads I made might be of interest for you…
https://forums.comodo.com/empty-t30473.0.html
https://forums.comodo.com/empty-t30535.0.html

I hope this helps!

[attachment deleted by admin]

Correct.

@ProActiv: None of your everyday applications really need this protection. If you have another 3rd party realtime scanner like Malwarebytes, SUPERAntiSpyware, or another AV, you could enable process terminations and interprocess memory protection on these. For example, you can see in D+ that the “COMODO Internet Security” group has protection against process terminations and interprocess memory by default.

:slight_smile:

Fazio, that is a good idea. You can protect your other security apps with the same bulletproof protection CIS has :slight_smile:

Yea, AVs like Avast already have excellent self protection, but another layer wouldn’t hurt. :wink:

TY for the welcome and information. O0

1) Comodo -> Defense+ -> My Computer Security Policy. You should be able to add custom rules manually there. Or, run the application and you should get pop-up windows and you can do it from there, which is easier in my opinion. As for starting up.. Comodo should alert you if an application tries to add itself to the start-up list. If this program already has before installing CIS.. you can do this: Start -> run -> msconfig. Go to start-up and untick the boxes you wish.

After reading the helpfile, I’ve been playing around with the MCSP screen to understand how it works. I guess I need some help creating custom rules to do what I’ve listed above.

For example, let’s say I want to completely disable Internet Explorer (iexplore.exe). The first thing I did was to add iexplore.exe in the MCSP section and apply the “Isolated Application” predefined policy. That would block IE from doing stuff like running other applications, installing global hooks, physical memory access, etc. but IE would still be able to run. What custom rule do I need to add to block it from ever being able to run? I know if I have CIS in “Paranoid Mode” it will alert me that IE wants to run, but I prefer adding a custom rule to accomplish this.

@ProActiv: None of your everyday applications really need this protection. If you have another 3rd party realtime scanner like Malwarebytes, SUPERAntiSpyware, or another AV, you could enable process terminations and interprocess memory protection on these. For example, you can see in D+ that the "COMODO Internet Security" group has protection against process terminations and interprocess memory by default.

Yeah, that is a good idea. I’ll add those protections ASAP :-TU

The best way to lock down a file from ever being accessed or being run is by adding it to Defense+ > My Blocked Files. :slight_smile:

“Defense+ allows you to lock-down files and folders by completely denying all access rights to them from other processes or users - effectively cutting it off from the rest of your system. If the file you block is an executable, then neither you nor anything else will be able to run that program. Unlike files that are placed in ‘My Protected Files’, users cannot selectively allow any process access to a blocked file.”

Don’t block explorer.exe :o :o You’d have major major troubles…

Safe mode FTW there (:AGL).

(:TNG)

Sounds like the best option, Thank You! O0