Basically what I did was install Comodo, all settings at default. Then I double-clicked on a pre-installed program and I got the popup: Explorer.exe is trying to do X, it can be considered safe.
I should not be getting this popup.
I get it in both Safe-PC and Clean-PC mode.
1.CPU (32 bit or 64 bit):
Both
2.Operating System information (including Service Pack Version):
ALL
3.Actively-running security and utility applications (Optional if you post a Comodo Firewall Pro Configuration Report):
only comodo firewall pro
4.Specific symptoms of the bug, and steps you can take to reproduce it (step by step).:
symptoms:
There are 2 parts to this bug-report
1. Even though Explorer.exe should be on the trusted list by default, it shows pop-up dialogues anyway in both clean-pc and safe mode.
2. If I accidentally choose "isolated" application, the computer will get locked down and become unusable.
to reproduce:
Although explorer.exe should already be in the trusted list, it pops up with a question.
From the pop-up select "isolated application"
5.Specific steps you have taken to try to resolve it.:
Reboot into safe mode, try to change it there, or remove and reinstall comodo from safe mode
6.Brief description of your Defense+ and Firewall+ mode (Custom, Train with safe) plus mention if you modified any setting in ADVANCED section of D+ and F+ (Optional if you post a Comodo Firewall Pro Configuration Report): Cleanpc. Safe mode
7.If your pc reboots or you have a BSOD post in BSODs: Please add your minidump files here: n\a
8.Report if you are using an Administrator account Or a Limited User account. Vista users please Report if you have UAC Disabled or Enabled (Optional if you post a Comodo Firewall Pro Configuration Report) : doesn't matter, always same result
explorer.exe is treated as Trusted app by default.
[code=Trusted Application]Policy [Trusted Application] is defined as
Access Right 0: { Interprocess Memory Access } Default Action: Allow
Access Right 1: { Process Terminations } Default Action: Allow
Access Right 2: { Windows Messages } Default Action: Allow
Access Right 3: { Windows/WinEvents Hooks } Default Action: Allow
Access Right 4: { Protected COM Interfaces } Default Action: Allow
Access Right 5: { Phyisical Memory } Default Action: Allow
Access Right 6: { Disk } Default Action: Allow
Access Right 7: { Keyboard } Default Action: Allow
Access Right 8: { Computer Monitor } Default Action: Allow
Access Right 9: { Protected Files/Folders } Default Action: Allow
Access Right 10: { Protected Registry Keys } Default Action: Allow
Access Right 11: { DNS Client Services } Default Action: Allow
Access Right 12: {Device Drivers Installations} Default Action: Allow
Access Right 13: { Loopback Networking } Default Action: Allow
[/code]
This policy will trigger an alert when the assigned app starts an executable.
The policy to remove these alerts is Windows System Application.
[code=Windows System Application]Policy [Windows System Application] is defined as
-----------------------------------------------------------------------------------------
Access Right 0: { Run an Executable } Default Action: Ask
[0] Allowed: *
Access Right 1: { Interprocess Memory Access } Default Action: Allow
Access Right 2: { Process Terminations } Default Action: Allow
Access Right 3: { Windows Messages } Default Action: Allow
Access Right 4: { Windows/WinEvents Hooks } Default Action: Allow
Access Right 5: { Protected COM Interfaces } Default Action: Allow
Access Right 6: { Phyisical Memory } Default Action: Allow
Access Right 7: { Disk } Default Action: Allow
Access Right 8: { Keyboard } Default Action: Allow
Access Right 9: { Computer Monitor } Default Action: Allow
Access Right 10: { Protected Files/Folders } Default Action: Allow
Access Right 11: { Protected Registry Keys } Default Action: Allow
Access Right 12: { DNS Client Services } Default Action: Allow
Access Right 13: {Device Drivers Installations} Default Action: Allow
Access Right 14: { Loopback Networking } Default Action: Allow
[/code]
Every alert offers the chance to change the policy of the triggering app.
explorer.exe execute alerts are no exception.
If you wish to submit further feedback on this design, PM a mod to move this topic to the Feedback board.
If you wish to suggest a specific alternate design, please submit your suggestion to the CFP wishlist topic.
I've not tested this and this behaviour could be slightly changed among CFP releases, but IIRC Microsoft digitally signed apps could not trigger an execute alert.
I guess safelisted apps could do the same (e.g. notepad). Anyway, this design could be changed in future.
The trusted application policy will be changed to a custom one as soon as the user adds an application to the explorer.exe execute list.
This way it would be possible to enable CFP parental control and prevent other users from running unspecified apps.
Parental control offers an option to silently block any alert by default.
Thus in that mode only previously allowed apps can be executed.
Changing explorer.exe default to Windows System Application will prevent this chance if CFP Parental control is enabled.
-Clean pc
-Install comodo, don't do the malware scan
-Pc should be in clean mode
-Switch to safe mode, and open a previously un-opened program
-Switch back to clean mode and open a previously un-opened program
Does the pop-up show up now? IIRC it does.
You might have hit the nail on the hammer there.
The applications I was testing are 100% NOT pre-trusted/safe. These were basically compiled 5 minutes before installing Comodo.
Yes, they were on the PC. No, Comodo does not know they exist.
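
Added example, not part of any post in this thread and not Comodo's code: a simplified model of the execute decision described above, parsing policy dumps in the quoted format and showing how the "Run an Executable" rule and parental control interact. The `CUSTOM` policy, the sample paths, and the assumption that a policy with no execute rule asks are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed, abridged excerpts in the dump format quoted in the thread.
TRUSTED = """Policy [Trusted Application] is defined as
Access Right 0: { Interprocess Memory Access } Default Action: Allow
Access Right 1: { Process Terminations } Default Action: Allow
"""
WINDOWS_SYSTEM = """Policy [Windows System Application] is defined as
Access Right 0: { Run an Executable } Default Action: Ask
[0] Allowed: *
Access Right 1: { Interprocess Memory Access } Default Action: Allow
"""
# Hypothetical custom policy: one program added to the execute list.
CUSTOM = """Policy [Custom] is defined as
Access Right 0: { Run an Executable } Default Action: Ask
[0] Allowed: C:\\Tools\\known.exe
"""

RIGHT = re.compile(r"Access Right \d+: \{\s*(.+?)\s*\} Default Action: (\w+)")
ALLOWED = re.compile(r"\[\d+\] Allowed: (.+)")

def parse_policy(text):
    """Map each access right to its default action and allowed patterns."""
    rights, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := RIGHT.match(line):
            current = rights[m.group(1)] = {"default": m.group(2), "allowed": []}
        elif (m := ALLOWED.match(line)) and current is not None:
            current["allowed"].append(m.group(1).strip())
    return rights

def decide_execute(policy, target, parental_control=False):
    """Return 'allow', 'alert' or 'block' for an execute request."""
    # Assumption: a policy with no execute rule asks, as the thread
    # describes for Trusted Application.
    rule = policy.get("Run an Executable", {"default": "Ask", "allowed": []})
    if any(fnmatchcase(target.lower(), p.lower()) for p in rule["allowed"]):
        return "allow"
    if rule["default"] == "Ask":
        # Parental control answers the alert silently with a block.
        return "block" if parental_control else "alert"
    return rule["default"].lower()

if __name__ == "__main__":
    for name, text in [("Trusted", TRUSTED), ("System", WINDOWS_SYSTEM), ("Custom", CUSTOM)]:
        for pc in (False, True):
            print(name, pc, decide_execute(parse_policy(text), r"C:\Build\new.exe", pc))
```

The `Allowed: *` entry makes the Windows System Application policy allow every child process even with parental control on, which is the trade-off raised in the thread.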