Comodo Firewall 3.8.65951.477
Defense+ set to Clean PC Mode, Firewall set to Safe Mode
Windows XP Media Center Edition 2005, Service Pack 3 and subsequent updates
Regedit.exe is being allowed to modify \Software\Microsoft\Windows\CurrentVersion\Run, as this entry is automatically being added to Defense+'s Computer Security Policy settings for regedit.exe, under the Access Rights, Protected Registry Keys (set to Ask), Allowed Registry Keys.
Even if I remove all entries for regedit.exe, open regedit, and try to modify \Software\Microsoft\Windows\CurrentVersion\Run, Defense+ does not ask me whether or not to allow the change, and it adds regedit.exe to the Computer Security Policy with the above-detailed allowance, such that this crucial registry key is not protected. This allowance is not being granted based on any trust of Microsoft Windows Component Publisher (which is how regedit.exe is signed), as removing this entry from My Trusted Software Vendors does not change this issue.
So, regedit.exe gets added to the Computer Security Policy with Ask selected for all Access Rights, but when it is added, an exception is added for \Software\Microsoft\Windows\CurrentVersion\Run. This has got to be a bug, and I think that it is a serious one. If Defense+ won’t even protect this, I am concerned about its protection of other areas.
Also, the only way to protect this registry key (to prevent this automatic exception) seems to be to remove the exception (from the Allowed Registry Keys list) and set Defense+ to Paranoid mode. With Defense+ set to either Safe Mode or Clean PC mode, the exception gets created automatically whenever a change is attempted with regedit.exe to this key. So, what am I to do? I really don’t want to set Defense+ to Paranoid mode, as I am configuring a customer’s computer, and I don’t want them to get excessive alerts. However, I also don’t want some malicious script or remote process to be able to use regedit.exe to modify this (these) registry key(s), and I don’t want even the user to be able to do this without alerts. I don’t like this one bit.
The other issue is that with previous releases, multiple listings for the same application were not allowed. Now, I have a group that I created for Avast! antivirus, and within that group are \ashServe.exe and \ashDisp.exe. The group is set with a Trust policy, such that all of the executables are trusted. However, Defense+ added single entries for each of these applications (ashServe.exe and ashDisp.exe), and this should not be allowed. I can remove the entries, but they just get added again. In the past, the application would display an error if an application entry was already in the list and one tried to create another entry for the same application.