Protected Data Folders

According to the documentation for COMODO Firewall 10, adding directories to Protected Data Folders makes these directories invisible to sandboxed programs.

I suspect not, but can Protected Data Folders be set up in a way that prevents all programs, whether known/unknown or non-sandboxed/sandboxed, except for those specifically defined, from accessing protected folders? For example, can I prevent every program except a specified media player from accessing a media folder?

Also, will folders remain protected if all entries are unchecked in monitoring settings?

Protected data folders is to prevent only contained applications running fully virtualized from reading those folders. You can use HIPS to block write access to certain folders but not read access.

I see. Would blocking write access to certain files/folders prohibit malware from encrypting them? If so, this may work for me. I changed the HIPS module to paranoid mode and added some folders to protected objects. Supposedly the HIPS module should alert me to programs attempting to make changes to files in these folders, right? But I cannot get it to work. “Create rules for safe applications” and “Do not show popups” are unchecked. Further, there are no rules for the applications attempting to modify files in the folders.

Yes, adding files or folders to the protected objects > protected files will tell HIPS to monitor those files/folders for write access. How are you testing HIPS to block access to the folders you’re trying to protect? You should be getting alerts unless a rule says otherwise to allow or deny access.

I added some folders to protected objects, and then I used other software to attempt to make changes to files in those folders. For example, I was able to use Microsoft Word to make changes to documents in those folders even though there is no rule that allows Microsoft Word to do so.

I tried adding folders and files to protected objects > protected files directly. I also tried creating a file group labeled Protected Folders, adding certain folders to the file group, and then adding the file group to protected objects > protected files.

Could it be that I am misinterpreting the alerts? The HIPS module asks for input for some things, e.g. direct keyboard access, when initiating the program or clicking inside of it, but not when saving changes to an existing document that is in a protected folder. What does the alert look like when the HIPS module blocks an attempt to modify protected files?

Do you have “Set popup alerts to verbose mode” disabled? Try enabling this option under HIPS settings. When this is off you get fewer alerts, and when you select allow without “Remember my answer” selected, it allows most access rights.

Thank you. That did the trick. Unchecking all entries in monitoring settings except for Protected Files also worked.

Now, would this prohibit malware from encrypting files? You did state earlier that adding files or folders to protected objects would tell the HIPS module to monitor them for write access, but I wasn’t sure if you were referring to programs, specifically malware, encrypting them.

I have been using only the firewall and containment modules. The firewall operates in safe mode. The containment module uses a custom configuration. I disabled HIPS because it will redundantly alert to changes made by only sandboxed programs unless it is set to paranoid mode, which is too much for my liking. But I am thinking about using HIPS to prevent contained programs from seeing personal files and prohibit programs system wide from modifying personal files except for those I specifically allow to. It is meant as an extra layer of defense against malware modifying, particularly encrypting, personal files.

What I have in mind is:

  • setting HIPS to Paranoid and unchecking all entries except for Protected Files/Folders in monitoring settings.
  • adding folders containing personal files to Protected Objects, both Protected Files and Protected Data Folders.
  • deleting all default file groups in Protected Files.

> Now, would this prohibit malware from encrypting files? You did state earlier that adding files or folders to protected objects would tell the HIPS module to monitor them for write access, but I wasn't sure if you were referring to programs, specifically malware, encrypting them.

When HIPS is set to safe mode then only unknown and malicious rated applications will produce an alert whenever they attempt to modify whatever is listed in protected objects, unless a rule to allow/deny that specific file/folder is set in HIPS rules. This includes encryption too as being able to encrypt a file requires the ability to modify that file or have write access.

> I disabled HIPS because it will redundantly alert to changes made by only sandboxed programs unless it is set to paranoid mode, which is too much for my liking.

When something is running in the sandbox or in containment, then you will not get HIPS alerts even in paranoid mode. HIPS only applies to applications running outside the sandbox/containment.

> But I am thinking about using HIPS to prevent contained programs from seeing personal files

If by seeing you mean reading files, then protected data folders is what you would use for contained applications, not HIPS as HIPS does not prevent read access to files/folders.

Right. This I am aware of. I think I am going to begin with enabling paranoid mode, checking “Do not display popup alerts,” and selecting “Block Requests” from the drop-down menu. This way only programs, whether known or unknown, that I create rules for can modify protected personal files. I see no reason why every program, even trusted ones, should be able to modify personal files. I only have a few, including Office 365, that need to modify them.

Okay. I thought so, but I wanted to be certain.

I wasn’t aware of this. I didn’t actually test it myself. I read somewhere that HIPS will alert to contained programs. Good to know.

Protected Data Folders is included in HIPS settings; this is why I referred to HIPS. To be clearer, I plan to use Protected Data Folders to prevent contained programs from reading personal files, and Protected Files to prohibit programs system wide from modifying those files. I will create rules for a few specific programs, e.g. Office 365, that need to be able to modify them.

I am intending this to be mainly an extra layer of defense against ransomware: to prevent such malware from locking personal files.
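
One way to check the write-protection setup discussed in this thread, as an added example that is not part of the original posts or of COMODO's tooling: a Python probe that tries to create, modify, rename and delete a throwaway canary file in a folder and reports which operations went through. It assumes a HIPS block reaches the program as an access-denied error, and the result only reflects the rule or rating that applies to the Python interpreter running it, not to other programs.

```python
import os
import sys
import uuid


def probe_write_access(folder):
    """Attempt create/modify/rename/delete on a throwaway canary file.

    Returns {operation: "allowed" | "blocked" | "skipped" | "error: <reason>"}.
    """
    results = {}
    path = os.path.join(folder, f"hips-canary-{uuid.uuid4().hex}.txt")
    renamed = path + ".renamed"
    current = None  # where the canary lives right now, if it exists

    def attempt(op, action):
        try:
            action()
            results[op] = "allowed"
            return True
        except PermissionError:
            # Assumption: a HIPS block surfaces as "access denied".
            results[op] = "blocked"
        except OSError as exc:
            results[op] = f"error: {exc.strerror}"
        return False

    def create():
        with open(path, "x") as fh:
            fh.write("original contents\n")

    def modify():
        # In-place overwrite of an existing file, as an editor's save would do.
        with open(current, "r+") as fh:
            fh.write("CHANGED")

    if attempt("create", create):
        current = path
    for op in ("modify", "rename", "delete"):
        if current is None:
            results[op] = "skipped"  # no canary left to act on
        elif op == "modify":
            attempt(op, modify)
        elif op == "rename":
            if attempt(op, lambda: os.rename(current, renamed)):
                current = renamed
        elif attempt(op, lambda: os.remove(current)):
            current = None
    return results


if __name__ == "__main__":
    for op, outcome in probe_write_access(sys.argv[1]).items():
        print(f"{op:7} {outcome}")
```

Run it once against a protected folder and once against an unprotected one; if both report every operation as allowed, the interpreter is being permitted by a rule, a rating or an answered alert rather than being blocked.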