Question about Defense plus.


Usually I browse the forums here without posting, reading through the threads, but finally I decided to post a question.

I want to how how does the proactive defense module work.

Let us say i run an exe in the computer. It is first in in the emulator in Comodo to check its behavior. Depending on the outcome of the monitoring in the emulator, if it is not seen to do anything suspicious, it is allowed to run in the system. Once the exe is allowed to run in the system after its successful stint in the emulator, it not monitored further.

Does the proactive defense module work this way?

Or when I run an exe, is it monitored REAL TIME while it is running in the system and the moment it tries to do anything suspicious (e.g deleting a system file), its execution is halted and the user alerted.

Please share your knowledge to clear up my confusion.

Regards. :slight_smile:

Seems like what you mentioned is Behavior Blocker’s (BB) operation. BB will be only available in CIS v4. Seems like Defense+ of CIS v3 never behave like BB.

Almost right, except Defense+ does not care if executable’s behavior is suspicious or not. D+ fires up alert when executable tries to access protected unit of operating system (which is guarded by D+). Such “unit” can be: access to disk for direct I/O, definite registry keys, executable files (to prevent their unauthorized modification) etc.

It is so called whitelist approach: if executable is unknown, then whatever it attempts to do with protected unit won’t be ever allowed by D+ based on its independent analysis (whether executable or activity is suspicious or not), only by user (by answering “allow” to alerts). So it is always user who makes decisions, and never D+.


Thanks for the clarification.

So no matter what application it is, any attempt to do stuff to the crucial components of the OS would be halted and prompted against, unless it is in the “whitelist”

So how is this whitelist created? Is it ONLY based on the database or is the exe run inside an emulator on its first execution and depending on the behavior noticed in the emulator, it is placed in the whitelist if all goes well?


First there is a “whitelist” made up of digital signatures from well known companies.

This trusts any file which is signed by one of these signatures.

CIS is based on “default deny”. That means it will automatically block unless you allow.
Some important rules/permissions are default, and the rest come from alerts and when D+ is training.


If i’m right, based on database only. Database is of two or three parts:

  • programs signed by so-called trusted vendors are in the whitelist (see LaserWraith’s post);
  • programs placed by user in the “My own safe files” list are in the whitelist;
  • programs in Comodo’s “global” whitelist (recognized by hash sum) – not sure about this part.

Hmm…I wasn’t sure about that. I suppose that is in the the AV part of CIS because usually the firewall and D+ components let you customize everything…but, of course, you can’t edit the AV blacklist/whitelist. You can only exclude and send requests to Comodo.

Help File:

[b]Application Recognition Database (Extensive and proprietary application safe list)[/b] The Firewall includes an extensive white-list of safe executables called the 'Comodo Safe-List Database'. This database checks the integrity of every executable and the Firewall will alert you of potentially damaging applications before they are installed. This level of protection is new because traditionally firewalls only detect harmful applications from a blacklist of known malware - often-missing new forms of malware as might be launched in day zero attacks.

The Firewall is continually updated and currently over 1,000,000 applications are in Comodo Safe list, representing virtually one of the largest safe lists within the security industry.

Almost 3 000 000 in April. (source)

On real example:

I run CIS without AV (which is not installed). “My own safe files” list does not contain “services.exe” from \system32 folder, services.exe is not signed (by Microsoft or whatever else).
When alert for services.exe is triggered it reads “services.exe is safe”. Or alert is not triggered and activity for services.exe is autolearnt by Defense+. I don’t have any explanation for this except there is “global” whitelist which is not customizable by user and is not tied up to Comodo’s AV only.

But the most interesting: seems like global safelist (or
Application Recognition Database - whatever) is remote (Comodo’s servers) OR being downloaded/updated from Comodo’s servers from time-to-time:

(Chernyakov is one of CIS programmers if i’m right)

Interesting. In reading the help file (what I do in my spare time :P) I found this:

[b]Image Execution Control Settings[/b]

Image Execution Control is an integral part of the Defense+ engine. If your Defense+ Security Level is set to ‘Train with Safe Mode’ or ‘Clean PC Mode’, then it is responsible for authenticating every executable image that is loaded into the memory.

Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.

This area allows you to quickly determine how proactive the monitor should be and which types of files it should check.


Try to add services.exe to My Trusted Software Vendors. :wink: :-La

I see…missed digital signature cause it doesn’t show up under file properties of Windows Explorer.

Yeah…interesting how it doesn’t show up.

Yes, Microsoft Windows Component Publisher and Microsoft Windows Hardware Compatibility Publisher are special. :-\ Se here:

For those who can’t read that:


It can be. Exe,. Dll and. Sewn. < Det kan vara .exe, .dll och .sys. 88)

And the translation says I’m female. :o :smiley:

Ok then…you translate and post it. :stuck_out_tongue: :smiley:

The signature for services.exe (version 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)) is in