"Protected Files" option is not working

Hi all,

I have the latest Comodo Firewall (6.2.285401.2860) installed on a Win 7 x64 Home Premium machine. I originally installed the latest CIS and selected to install only the Firewall, as I already have Avira AntiVir Premium installed.

My problem is that the Protected Files option (Settings - Security Settings - Defense + - HIPS - Protected Objects - Protected Files) doesn’t work for me at all. According to Comodo’s manual, that feature is useful for safeguarding very valuable files (spreadsheets, databases, documents) by denying anyone and any program the ability to modify the file - avoiding the possibility of accidental or deliberate sabotage. So any file set there can only be read and cannot be modified or altered in any way by any user or program except the program that the user will mention.

That sounds very promising, so I created a New Folder on my Desktop and placed a “New Text Document.txt” file there. Then I put that “New Text Document.txt” in Protected Files. It should be protected against any kind of alteration from anyone after that; however, I can easily modify or even delete that “protected” file. Moreover, I can easily delete and modify any “protected file” that is set by default by Comodo itself, let’s say Startup Folders.

Unlike the Protected Files section, the Blocked Files section works brilliantly - it really does block any file or even path that is set there.

So, I really can’t understand what’s the point of that Protected Files section if it doesn’t work at all and anybody can delete and modify “protected” files?

Am I doing something wrong with it? Thanks a lot.

Morrow, have you solved the matter?

Just like Morrow, I also report the same question.
I put an image (.jpg) among the protected files but I can modify it, therefore the protection seems not to work.
After a more scrupulous search I found this old message by the user “tcarrbrion”:

“Safe programs are allowed to modify protected files. If you use notepad to edit the hosts file notepad is considered safe and will be allowed. If malware tried to modify the hosts file it would not be considered safe and you would get a pop-up.”

Is this old explanation (year 2009) valid for Comodo 6.3 too?

I believe it is, Giampy. The “Allowed Application” and “Windows System Application” rulesets are set to allow any action for protected COM interfaces, protected registry keys and protected files and folders, meaning explorer.exe is allowed to manipulate (e.g. delete or move) a protected file; however, an unknown program is not allowed to do this unless you give it permission to do so.


The manual is simply not right as you noticed. The text in the manual is for blocked files.

The function of Protected Files is to protect them from being changed or started by unknown (untrusted) programs.

Hi Giampy. Sorry for the late reply - just noticed that this topic is still live.

Nope, I did not sort it. I also think that the files are protected against unknown programs; however, it doesn’t make much sense - if a virus executes notepad and modifies a protected file, then Comodo will allow it to do that as notepad is a trusted program.

Well, the virus would have to get clearance from CIS in order to start notepad in the first place; an unknown program isn’t allowed to start trusted programs without question. If you use HIPS you will get a pop-up saying that the virus is trying to launch notepad.exe, and if you have the auto-sandbox set to Fully Virtualized then notepad.exe will be sandboxed and hence the changes would be made in the sandbox and the files would be safe on the real system… however, I have no idea how partially limited to untrusted would do things; I haven’t really used them.

There is one more thing: if you look at the All Applications rule in HIPS settings you will see that the Protected Files / Folders part is set to Always Ask (see attachment). However, Comodo doesn’t ask when a program tries to access a protected file or folder, which is wrong.

For example, Online Armor asks when ANY program tries to access a protected file or folder. That is the reason for a file being protected: so that only a program that you like can access it, not just any trusted program.

[attachment deleted by admin]

The “All Applications” rule will only be used when there are no other rules for the application in question, see it as “All Other Applications” instead.

The answers are interesting but I have some doubts.

  1. When an unknown/untrusted program starts, Comodo can already control/stop it. No file may be changed. So I don’t understand the need to further protect files by the feature “Protected Files”. It seems useless.
     Is it a second layer of protection due to scrupulousness only? Or does it protect files from those bad programs that Comodo doesn’t intercept?

  2. Shouldn’t protection of files be the automatic behavior of an antivirus by default? Shouldn’t an antivirus automatically protect all the files of the hard disk? Why are such a feature and its decisions left with users?

Here is a breakdown of everything discussed in this topic.

Protected Files are files that are protected from modification by unknown executables. They can also be modified by the user. Only adding a file to Blocked Files will produce a total block, even blocking the user from changing them.

The manual is causing confusion here; it describes under Protected Files CIS behaviour for Blocked Files.

The files that are protected from being changed are described in Protected Files: exe, dll, sys, ocx, bat, pif, scr, cpl, com, cmd. That’s where the use is. The confusion is caused by an error in the Help documentation.

“2) shouldn't protection of files be the automatic behavior of an antivirus by default? Shouldn't an antivirus automatically protect all the files of the hard disk? Why are such a feature and its decisions left with users?”

Protection of files is the function of the Sandbox/HIPS and not the AV. The AV depends on signatures and may miss a virus. The Sandbox/HIPS will protect Protected Files when it is an unknown file. The AV may miss malware, and that's where the limitations set by the Sandbox/HIPS will protect.