Protected registry keys added to allowed list, duplicate application listings

I apologize for having to disagree with basically all of you. The white-list (or safe-list if you prefer) does not grant special privileges to applications recognized as safe:
"Application Recognition Database (Extensive and proprietary application safe list)
The Firewall includes an extensive white-list of safe executables called the ‘Comodo Safe-List Database’."

“The Firewall can recognize thousands of safe applications. (For example, Internet Explorer and Outlook are safe applications). If the application is known to be safe - it is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized you will be informed of this. Also click on the Threatcast Rating tab to see how others have reacted to the same alert.”

So, it is used to alert the user (that the application is safe, and it may be safe to allow it). It is not used to bypass the Computer Security Policy.

Also, when Clean PC mode is enabled when the product is installed the first time and either the malware scan passes (or any detected threats are removed) or the user selects that they are sure that the PC is clean, the Computer Security Policy is updated to grant certain rights, etc., to applications already on the drive, and these applications will appear in the Computer Security Policy. These additions are not hidden, so if they are removed from the Computer Security Policy, then the same application, when executed following its removal from the Computer Security Policy, will no longer have the rights that it previously had. By design, then, alerts should appear for that application being executed after it has been removed from the Computer Security Policy (depending, of course, on what mode Defense+ is set to – Training Mode would not result in any alerts).

There does seem to be a bug on this system, as I have the same version of Comodo Firewall protecting another computer, and it is also set to Clean PC mode and does alert me when I execute HijackThis from the UBCD4Win CD; also, it alerts me numerous times as HijackThis scans the computer and when it tries to modify the registry. What’s more, HijackThis is not allowed to modify this protected registry key (\Software\Microsoft\Windows\CurrentVersion\Run) without my permission.

However, even on this other computer, regedit.exe is allowed to modify the protected registry key listed above without my permission (a policy for this is added to the Computer Security Policy when the registry edit attempt is made). So, on the second computer, regedit.exe is allowed to do what appears to violate the Computer Security Policy, but HijackThis.exe is not (without my permission).

Does anyone know what the “System” application listing is that appears in My File Groups under Windows System Applications? It has no path, and there is no Windows “System” variable defined on this computer or on the other computer (as the “set” command would reveal).

Regarding the topic of this post, I suppose that I have to conclude that the installation of Comodo Firewall on this computer is buggy, and I need to remove the program, clean the registry, etc., and reinstall it. I conclude this since the product is protecting the other computer differently than this one even though the Defense+ configuration on each is the same.

OK. I stand corrected to some extent, as I found this in the help file:
" An application can be given such permission to run in a variety of ways including; manually granting them execution rights in Computer Security Policy; by deciding to treat the executable as trusted at a Defense+ alert or simply because the application is on the Comodo safe list."

I have some learning to do about this safe list.

I withdraw my above statement about having been corrected. Apparently, at least as stated in the Help File, Train with Safe Mode is the only setting that would result in automatic additions to the Computer Security Policy for applications based on any safe-list (Training Mode additions don’t consult the safe list):

"Train with Safe Mode: While monitoring critical system activity, Defense+ will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules for these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct Defense+ not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in ‘Clean PC Mode’, then ‘Train with Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled."

So, in Clean PC mode, the safe list (or white list) is not used to grant applications access to the system, even if they appear on the safe list. Also, it is clear from the help file that any new applications should be allowed access only with the user’s permission.

What version of HijackThis are you using?

On this system, Defense+ when set to Clean PC mode or Safe Mode acts as if it is set to Training mode. Only Paranoid mode gives any protection. I am going to remove it and reinstall it. However, this does not affect the issue with regedit.exe and how it is allowed to modify protected registry entries on either of the two computers.

Endymion:

Please note that on one computer with the same version of Comodo Firewall and the same settings configured, changes by HijackThis require my permission. With that, it is version v2.0.0 (BETA).

Thanks. I downloaded HijackThis v2.0.0 (BETA) and confirmed it to be safelisted.

New applications are those listed in My pending Files.

Safelisted files will be automatically removed from My Pending Files; thus, even in CleanPC mode, the safelist is used.

All modes obviously have their peculiar differences. Although you may find Paranoid mode more suited to your needs, this doesn’t imply that CleanPC and Safe mode ought to be misrepresented as Training mode.

Safelisted applications like HijackThis and regedit are allowed to write to protected registry entries by design; thus the bugged installation you mentioned may actually be the one working correctly.

Endymion:

Thanks for trying, but I disagree with you. How can you validate your assertions? What you stated is contrary to what is in the help file. Also, I just removed Comodo Firewall (or Internet Security) from the computer that it was not working properly on and re-installed it. Now, it does alert me when I execute HijackThis (regardless of any safe list that you mention, as in Clean PC mode, the safe list is not used in the way that you assume it is used in).

I did have a buggy installation, and the issue with Comodo Firewall allowing regedit.exe to modify protected registry entries without user permission remains.

I think that a lot of people don’t understand what the white list or safe list is used for. This is from the Comodo Internet Security User Guide:

1.7.2 Answering Firewall Alert
Comodo Internet Security generates a Firewall alert on network connection attempts. Following are the steps to be followed to answer a Firewall alert:

  1. Carefully read the ‘Security Considerations’ section. Comodo Internet Security can recognize thousands of safe applications. (For example, Internet Explorer and Outlook are safe applications). If the application is known to be safe - it is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized you will be informed of this. Also click on the Threatcast Rating tab to see how others have reacted to the same alert.

1.7.3 Answering Defense+ Alerts
Comodo Internet Security generates a Defense+ Alert based on behavior of applications running in your system.
Following are the steps to be followed to answer a Defense+ alert:

  1. Carefully read the ‘Security Considerations’ section. Comodo Internet Security can recognize thousands of safe applications. (For example, Internet Explorer and Outlook are safe applications). If the application is known to be safe - it is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized you will be informed of this. Also click on the Threatcast Rating tab to see how others have reacted to the same alert.

However, and this surprised me, this is also in the same guide:
Comodo Internet Security calculates the hash an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.

The Defense+ component of Comodo Internet Security is a host intrusion prevention system that constantly monitors the activities of all executable files on your PC. With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc) attempts to run. The only executables that are allowed to run are the ones you give permission to. An application can be given such permission to run in a variety of ways including; manually granting them execution rights in Computer Security Policy; by deciding to treat the executable as trusted at a Defense+ alert or simply because the application is on the Comodo safe list.

So, the manual states that the safe list is used to tailor alerts for applications on the safe list, and it also seems to state that alerts are not given for applications on the safe list. They really need to re-write this guide.

Some clarification is needed here.

Whether or not HijackThis is on the Safe List I don’t know. I threw it out as a possibility.

mecarter2,

Open CIS> D+ > Defense Plus Settings > General Tab.

Move the slider up and down and you will see what rules are applied and which aren’t for any given setting.

Do the same in Firewall > Firewall Behavior Settings > General Tab

Move the slider up and down and you will see what rules are applied and which aren’t for any given setting.

The quotes re firewall alerts and Defense+ alerts are a red herring, because whether or not you even get the pop-up depends on a blend of the slider settings and the firewall alert settings (Alert Frequency Level).

And for D+ it depends on a blend of the slider setting and Defense + Monitor and image execution control settings.

Bad

Bad:

I have to say, your nick name or whatever is interesting. Is there a story to that? I played Frogger when I was younger; it was a neat game.

Thanks for the insight on the settings. I understand that people may modify things such as those from the default, but I haven’t done this. The program was set to Clean PC mode following installation, as in the first installation the malware scanned completed with success, and in the second installation I selected that the PC is clean of malware.

I don’t always follow the help file information. However, Endymion is correct in how it works.

It is a serious bug that needs to be fixed.

CleanPC mode relies on the My Pending Files list, as you already quoted.

Your assumptions about CleanPC mode were wrong, though, where you claimed that the safe list (or white list) is not used to grant applications access to the system.

Once installed, Comodo Firewall Pro watches all file system activity on your computer. Every new executable file introduced to the computer, is first scanned against the Comodo certified safe files database. If they are not safe, they are added to the 'My Pending Files' for users to review and possibly submit to COMODO. Apart from new executables, any executables that are modified are also moved to the 'My Pending Files' area.

Basically, this also implies that if an application (e.g. HijackThis) is safelisted, it cannot be added to pending files.

The safelist is used differently in various modes. In Paranoid mode the safelist is used as you previously assumed.

Anyway, I’m sorry if the manual is not clear enough according to your standards; you may as well create a new topic to advise Comodo on how they should rewrite some parts.

HijackThis v2.0.0 (BETA) is currently safelisted.

Paranoid mode alerts (like the one below) mention that, although this can also be confirmed because it is not possible to add the app to the Pending list.

As the OP is using 3.8, it may be that the bundled safelist is less up to date than the one bundled with v3.9 RC2. In that case HijackThis would be added to pending files and a manual lookup could be performed. The manual Lookup will query Comodo’s online master safelist and update the 3.8 safelist to include HijackThis v2.0.0 (BETA), after removing it from the pending list.

Anyone using 3.8 willing to test this beside the OP?
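The two mechanisms discussed in this thread (the user guide's "hash the executable at load time and compare it with the safe list" lookup quoted earlier, and the pending-files handling described in this post, where unrecognized new or modified executables are queued and a manual lookup against the master safelist releases them) can be modelled in a few lines. The following is an added example written for this thread, not Comodo's code: the byte strings standing in for executable images, the file paths, and both safe lists are constructed here, and the class is a toy model of the behaviour, not the product's implementation.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Digest an executable image (a real HIPS hashes the file at load time)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images. Real safe lists hold digests of
# real binaries; these byte strings exist only so the example runs offline.
REGEDIT_IMAGE = b"MZ\x90\x00 constructed regedit.exe image"
HIJACKTHIS_IMAGE = b"MZ\x90\x00 constructed HijackThis.exe v2.0.0 (BETA) image"
UNKNOWN_IMAGE = b"MZ\x90\x00 constructed unknown tool image"

# Constructed local (bundled) safe list: digest -> application name.
LOCAL_SAFE_LIST = {sha256_hex(REGEDIT_IMAGE): "regedit.exe"}

# Constructed "online master" safe list, as consulted by a manual lookup; it is
# newer than the bundled one and already knows the HijackThis build.
MASTER_SAFE_LIST = {**LOCAL_SAFE_LIST, sha256_hex(HIJACKTHIS_IMAGE): "HijackThis.exe"}


class DefensePlusModel:
    """Toy model of safe-list recognition plus the My Pending Files queue."""

    def __init__(self, safe_list):
        self.safe_list = dict(safe_list)
        self.seen = {}      # path -> digest of the version last observed on disk
        self.pending = {}   # path -> digest awaiting user review / lookup

    def recognize(self, image: bytes):
        """Hash the image and look it up; None means 'unrecognized'."""
        return self.safe_list.get(sha256_hex(image))

    def on_executable_seen(self, path: str, image: bytes) -> str:
        """Classify an executable the HIPS observes. Safelisted files never enter
        pending; unrecognized files that are new or modified do."""
        digest = sha256_hex(image)
        name = self.safe_list.get(digest)
        if name is not None:
            self.pending.pop(path, None)       # a recognized file leaves pending
            self.seen[path] = digest
            return f"safe ({name})"
        if self.seen.get(path) == digest:      # unchanged since last observation
            return "pending (awaiting review)" if path in self.pending else "known (unchanged)"
        verdict = "pending (modified)" if path in self.seen else "pending (new)"
        self.pending[path] = digest
        self.seen[path] = digest
        return verdict

    def manual_lookup(self, master_list) -> list:
        """Query the master list for every pending digest; recognized entries are
        merged into the local safe list and released. Returns the released paths."""
        released = []
        for path, digest in list(self.pending.items()):
            name = master_list.get(digest)
            if name is not None:
                self.safe_list[digest] = name
                del self.pending[path]
                released.append(path)
        return released


def demo() -> dict:
    """Walk through the scenarios from the thread and return each verdict."""
    hips = DefensePlusModel(LOCAL_SAFE_LIST)
    results = {}
    # A bundled-safelist binary is recognized by hash, so no pending entry.
    results["regedit"] = hips.on_executable_seen(r"C:\Windows\regedit.exe", REGEDIT_IMAGE)
    # The older bundled list does not know this build: new -> pending.
    results["hijackthis_first"] = hips.on_executable_seen(r"D:\HijackThis.exe", HIJACKTHIS_IMAGE)
    results["unknown"] = hips.on_executable_seen(r"C:\Tools\unknown.exe", UNKNOWN_IMAGE)
    # Manual lookup against the master list releases HijackThis but not the unknown tool.
    results["released"] = hips.manual_lookup(MASTER_SAFE_LIST)
    results["hijackthis_after_lookup"] = hips.on_executable_seen(r"D:\HijackThis.exe", HIJACKTHIS_IMAGE)
    # Flipping one byte of a safelisted image changes its digest: same path, but
    # no longer recognized, so it is treated as a modified executable.
    patched = bytearray(REGEDIT_IMAGE)
    patched[-1] ^= 0x01
    results["regedit_patched"] = hips.on_executable_seen(r"C:\Windows\regedit.exe", bytes(patched))
    results["pending_now"] = sorted(hips.pending)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point worth taking from the model is that recognition is keyed on the digest, not the file name or path: a safelisted name carries no weight once its bytes change, which is why a modified executable lands in pending even at a path that was recognized a moment earlier, and why a safelist update (rather than a rule change) is what moves a file out of pending.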


I think there is a bug here. I have found strange behaviour regarding protected files and protected registry keys.

I get two pop-ups downloading an exe file with IE 8 but none with Firefox. I notice Firefox is automatically allowed to write to *.exe. This does not happen with IE, and each executable downloaded has to be allowed under Temporary Internet Files and a second time under the directory I am saving it to.

When I edit a protected key with regedit that key gets added to allowed list. Regedit may be a special case. Other safe applications do give pop-ups.

These things get added sometimes but not at other times, and I do not know why. Others have had similar results:
https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/with_cis_v38_do_you_get_less_pop_ups_compared_to_previous_versions-t35829.15.html

I have added a wish list item to allow users to force pop-ups for safe applications, so users can increase security if they want to:
https://forums.comodo.com/defense_wishlist/idea_for_increased_security_and_configurability-t38559.0.html

!ot! I think that if you are willing to confirm that it is a bug, it would be more appropriate to create a new bug report topic to describe your test case and related information about your current D+ config and CIS version. It is possible that the rules you are using, or even version-specific rulesets/config, are triggering the above-mentioned scenario in accordance with the implementation difference between IE and Firefox. Merging any troubleshooting into this topic will only add to the ongoing confusion.

Regedit is allowed to do so because it is a safelisted file. In order to override the safelist, D+ should be set to Paranoid mode, which allows users to define their own security criteria to the fullest extent.

I created a bug report some time ago.

I do not want to use paranoid mode and have an alert for everything. I just want alerts for what I consider most dangerous. I need clean PC mode with parental control as other users of my computer have no idea how to answer alerts.

!ot! If you don’t mind, please add a link to that bug report in your previous post, as providing incomplete information is not helpful at all. :frowning: EDIT: thanks for the info.

!ot! In Paranoid mode it would be possible to manually apply personalized/predefined policies to applications safelisted by D+, so those users could abide by your own custom security policy for trusted apps without having to answer an alert for everything; they would only have to acknowledge, when an alert states that an app is safelisted, and then select the custom policy of your choice. But anyway, any discussion about related new features would be better suited to the recent wish topic of yours linked in your previous post.

This is the bug report, I was in a hurry this morning:
https://forums.comodo.com/beta_corner_cis/comodo_internet_security_3974913496_rc1_bug_reports_locked-t37636.270.html

Please see my reply in https://forums.comodo.com/defense_wishlist/idea_for_increased_security_and_configurability-t38559.0.html