Protected registry keys added to allowed list, duplicate application listings

Comodo Firewall 3.8.65951.477
Defense+ set to Clean PC Mode, Firewall set to Safe Mode
Windows XP Media Center Edition 2005, Service Pack 3 and subsequent updates

Regedit.exe is being allowed to modify \Software\Microsoft\Windows\CurrentVersion\Run, as this entry is automatically being added to Defense+'s Computer Security Policy settings for regedit.exe, under the Access Rights, Protected Registry Keys (set to Ask), Allowed Registry Keys.

Even if I remove all entries for regedit.exe, open regedit, and try to modify \Software\Microsoft\Windows\CurrentVersion\Run, Defense+ does not ask me whether or not to allow the change, and it adds regedit.exe to the Computer Security Policy with the above detailed allowance, such that this crucial registry key is not protected. This allowance is not being granted based on any trust of Microsoft Windows Component Publisher (which is how regedit.exe is signed), as removing this entry from My Trusted Software Vendors does not change this issue.

So, regedit.exe gets added to the Computer Security Policy with Ask selected for all Access Rights, but when it is added, an exception is added for \Software\Microsoft\Windows\CurrentVersion\Run. This has got to be a bug, and I think that it is a serious one. If Defense+ won’t even protect this, I am concerned about its protection of other areas.

Also, the only way to protect this registry key (to prevent this automatic exception) seems to be to remove the exception (from the Allowed Registry Keys list) and set Defense+ to Paranoid mode. With Defense+ set to either Safe Mode or Clean PC mode, the exception gets created automatically whenever a change is attempted with regedit.exe to this key. So, what am I to do? I really don’t want to set Defense+ to Paranoid mode, as I am configuring a customer’s computer, and I don’t want them to get excessive alerts. However, I also don’t want some malicious script or remote process to be able to use regedit.exe to modify this (these) registry key(s), and I don’t want even the user to be able to do this without alerts. I don’t like this one bit.

The other issue is that with previous releases, multiple listings for the same application were not allowed. Now, I have a group that I created for Avast! antivirus, and within that group are \ashServe.exe and \ashDisp.exe. The group is set with a Trust policy, such that all of the executables are trusted. However, Defense+ added single entries for each of these applications (ashServe.exe and ashDisp.exe), and this should not be allowed. I can remove the entries, but they just get added again. In the past, the application would display an error if an application entry was already in the list and one tried to create another entry for the same application.

Regedit is a signed executable from M$.
Defense+/Advanced/Computer Security Policy, disable ‘Trust Applications Digitally Signed’

This has always worked this way. It needs somewhere to save things that are allowed for individual applications but not included in the group rule. It should not cause any problems.

John Buchanan:

I think that you are misunderstanding how that setting works, or you did not read all of my post.

That setting tells Defense+ whether or not to trust applications digitally signed by those vendors appearing in the Trusted Software Vendors list. As I said above, I removed the vendor of regedit.exe from the list, yet it was still allowed to edit this key, and this key exception was added. Just to be thorough, I tried your suggestion of unchecking the option (and removing the exception), but applying those changes had no effect on this issue (and it should not have). The issue remains, and I think that it is a bug.

tcarrbrion:
Thanks. This is less of an issue for you; I sort of understand your point. However, in the past, Defense+ would display an error if there were an application listed in the Computer Security Policy and I added the same application to a new group and tried to apply the changes with this new group being added to the Computer Security Policy. It does not seem to do that now.

What happened with regedit.exe is happening with other applications. It seems that with the latest updates, Defense+, when set to Clean PC mode, is adding things to the Computer Security Policy without prompting the user about the additions. I am not sure what is causing this, but the only thing that I seem to be able to do to stop it is to put Defense+ into Paranoid mode, and it wasn’t like this before.

What is described in the first post is simply what D+ does in Clean PC mode. It learns every action of an application that had already been on a fixed drive before you set D+ to Clean PC mode.

So D+ doesn’t care about what is a trusted vendor.
You will get no alerts for apps that are already on a fixed drive. New apps would be alerted to you.

When a new program would start up regedit to change a key you would get alerted. In this case you are changing something yourself.

It does still do this and I find it annoying. I have a group of applications and it complains if I add a new one. This group rule is above the individual rules and so takes precedence.

This is what it is supposed to do. What I really don’t like is that it adds allow rules for things that the application does not do. There is no need for this in my opinion. All safe applications get rules added to allow direct disk access, device driver installations etc. Such dangerous things should not be allowed by default.

One way to prevent any file from accessing a particular area in any mode other than “Paranoid” would be adding that particular area (in your case, the key path) to My Protected Registry Keys. Or add it as a blocked area under: Application (the application you want to block the access for) – Access Rights – the resource you want to block the access for – Blocked Registry Keys (add the location of the resource you want to block the access to).

Indeed this is the design behavior for registry entries of safelisted apps in D+ Safe mode

Regedit.exe is safelisted by signature and by digital cert (Trusted Vendor), so one way to override this would be to use D+ paranoid mode.

It should however be possible to create a named file group (e.g. Regedit overrides) containing regedit.exe in Defense+ Tasks/My Protected Files/button My File Groups and then add that file group at the top (policies at the top of the list are applied first) of the Computer Security Policy list in order to configure the blocked registry entries.

The group policy duplicates behavior is usually triggered when group policies are granted additional permissions for one of the access rights set to Ask.

In D+ safe mode safelisted applications are automatically added to Run an executable access rights of parent apps.

The Trusted Application policy has Ask as the default permission only for the Run an executable access right.

In case these new policies have their Run an executable access right allowed list filled, changing the group policy to “Windows System Application” will prevent the group rule duplicates.

All files considered as safe by COMODO will be given full freedom, unless explicitly specified (see my previous post). In “Clean PC” mode every file on your HD is considered safe. In Safe mode every file recognized by COMODO as safe is considered safe. In Paranoid mode every action of every file is alerted, unless it has been allowed in policy settings.

There is however an exception whereas safelisted applications will trigger alerts if they attempt to create new files in protected areas or create new files with a protected extension.

adioz86:

Your theory is not correct. To test this, I inserted a UBCD4Win CD and executed HijackThis from it (running only in memory and not being installed to the local drive). Defense+, in Clean PC mode, added HijackThis.exe to the computer security policy, without prompting me, and granted it Allow access rights for everything except:
Run an executable,
Protected registry keys (for which an exception was added for \Software\Microsoft\Windows\CurrentVersion\Run when I tried to modify a key with it),
and Protected files and folders. These were set to Ask. What’s more, HijackThis was allowed to do all of this (which involved deleting a dummy run key that I had created) without ~any~ prompt from Defense+.

So, Defense+ is doing this in Clean PC mode even for new applications (adding them to the Computer Security Policy and allowing them to edit what are supposed to be protected registry keys). This is not secure. The cause of this is not anything to do with Trusted Software Vendors or any allowance for applications already on the drive when the Comodo application was installed and then put into Clean PC mode.
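A scripted form of the dummy Run value test described in the post above, added here as an example and not part of the original thread. It uses reg.exe rather than regedit.exe or HijackThis, so Defense+ has to make its decision for a process that has no policy entry yet; the value name, the value data and the choice of HKCU (the poster gives the key path without a hive) are assumptions made for this test, and nothing it writes points at a real program.

```batch
@echo off
rem Added example (not from the original post): scripted version of the
rem "dummy Run key" test. Creates a harmless Run value, then modifies and
rem deletes it with reg.exe, a process other than regedit.exe, so that
rem Defense+ must decide about reg.exe on its own. Watch for a Defense+
rem alert at steps 1, 3 and 4; if none appears and step 5 reports the
rem value gone, the key was changed silently.
rem Assumptions: HKCU hive (swap in HKLM for the machine-wide Run key),
rem made-up value name DplusCanary and made-up, nonexistent paths.

setlocal
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
set NAME=DplusCanary

echo [1] creating %KEY%\%NAME% (expect an alert if the key is protected)
reg add "%KEY%" /v %NAME% /t REG_SZ /d "C:\nonexistent\canary.exe" /f
if errorlevel 1 (
    echo     add was blocked or denied
    goto :done
)

echo [2] current value:
reg query "%KEY%" /v %NAME%

echo [3] modifying the value (expect an alert)
reg add "%KEY%" /v %NAME% /t REG_SZ /d "C:\nonexistent\canary2.exe" /f
if errorlevel 1 echo     modify was blocked or denied

echo [4] deleting the value (expect an alert)
reg delete "%KEY%" /v %NAME% /f
if errorlevel 1 echo     delete was blocked or denied

echo [5] verifying: reg query fails only if the delete went through
reg query "%KEY%" /v %NAME% >nul 2>&1
if errorlevel 1 (
    echo     value is gone: if no alert appeared, the key was not protected
) else (
    echo     value still present: the change was blocked
    rem clean up the canary so nothing is left in the Run key
    reg delete "%KEY%" /v %NAME% /f >nul 2>&1
)

:done
endlocal
```

Run it from cmd.exe with Defense+ in the mode under test (Clean PC, Safe or Paranoid) and compare the alerts you see with the messages; rerun it after each policy change. If reg.exe already appears in the Computer Security Policy, remove that entry first, as the poster did for regedit.exe, otherwise an earlier learned allowance rather than the mode itself decides the outcome. Running step 1 a second time is also informative: if the first run added reg.exe with an Allowed Registry Keys exception, the second run will not alert at all.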

I run HijackThis and I get the alert (the first time it is run).
Any chance there is already a rule for it in your Defense+?

metalforlife:
That is not correct. As I stated, \Software\Microsoft\Windows\CurrentVersion\Run is a protected registry key already (by default). So, putting it there (as it is already there) does not prevent this issue.

To those suggesting adding this key as a blocked key:
I don’t want to block all changes to this key. I want Defense+ to give an alert and ask for input, as it seems to do in Paranoid mode (but having to switch to Paranoid mode to get protection for this basic key is not right).

To everyone saying that new applications would not be able to make this change without an alert:
Wrong. This has nothing to do with applications already on the drive when the Comodo program was installed.

Regarding the white list, that is just a way of identifying whether or not Comodo considers an application safe or whatever (unless this changed from previous versions). A program’s being on the white list does not make it automatically trusted and grant it access to protected registry keys.

John Buchanan:

No. There was no rule before. This system is new in the sense that I started with a blank partition, installed Windows XP Media Center Edition 2005, updates, etc., Avast!, drivers, other programs, Comodo software, etc.

Isn’t Hijack This on the Safelist, not to be confused with Trusted Vendors list.

Which is respected when in Clean PC Mode?

Safelisted files cannot be added to Pending lists so CleanPC mode is actually focused on unknown executables.

IIRC safelisted files will also be treated as safe when run from removable media in Safe and Clean PC modes.

Guess then paranoid mode is the only option.

Exactly my thoughts as to why things are Automagically happening without regard for the Trusted Software Vendors list.

Bad