"Remember my answer" depends on "fewer/more options"

Hello!
I think I found a bug.

I have been using Defense+ for well over a year, and I am very happy with it. But…
Once, I opened Computer Security Policy just to check if it’s all OK there, and I found it’s not. What I saw were several rules with all “Allow” and some others with all items “Block” in the “Access Rights” page. When I cleaned them up, I later encountered the same thing. I spent a lot of time figuring out where it comes from, and finally here are the results.

Consider I got a keyboard access alert for explorer.exe. I want to allow it and remember it. There are two ways to do that. One is to choose “more options”, check the “remember…” box and click OK. The other is to choose “fewer options” and do the same. And when I use the second way (the one with fewer options), all the “Access rights” of explorer’s rule are set to “allow”, not just keyboard access, which is what I wanted.

Why do I consider this a bug? Because of two things. 1) When I tell “let explorer access keyboard”, I am not expecting to be treated as “and, by the way, let it install any drivers”!!! 2) This does not seem to be documented in Help, and is hard to discover.

Please tell me if this is reproducible and if you think that this really is a bug. Thanks.

PS. Comodo Antivirus version 4.1…, and it probably applies to CIS v3 (I upgraded because of rules getting trashed).
PPS. Maybe it has something to do with explorer being “safe”, but it doesn’t seem to be affected by “trust … signed …” and “create rules for safe apps” check boxes in “Defense+ settings” window.

Seems potentially important. Can anyone replicate?

Endymion, your skills are very much needed!

Will transfer to bug reports if replicable.

Please submit the information requested: here.

Best wishes

Mouse

This is not a bug but by design; it has happened since the beginning of v3, which is when I first started using Comodo firewall/Defense+. The idea, at least the way I see it, is that if you have the fewer options alert displayed you will get “fewer alerts”, whereas with show more options you will get more alerts, which allows finer control over what is allowed by the application. This way you can say, for example, allow interprocess memory access of ctfmon.exe but block explorer.exe and get asked for other applications, or allow certain windows/winevent hooks but still get asked for other hooks.

Hmm, not sure, but I need to wait for my next alert to check how it’s presented. This seems convincing:

Why do I consider this a bug? Because of two things. 1) When I tell "let explorer access keyboard", I am not expecting to be treated as "and, by the way, let it install any drivers"!!! 2) This does not seem to be documented in Help, and is hard to discover.

Don’t need to wait: set Defense+ to paranoid mode and do the following. Have notepad and taskmanager already running before switching to paranoid mode.

  1. select notepad and press end process button click yes on warning dialog
  2. when alert pops-up select more options
  3. choose allow this request for all alerts displayed relating to taskmanager with remember my answer selected
  4. you should have received alerts for obtain an elevated privilege (debug), access memory of notepad and ctfmon (ctfmon should be the very first alert before all others), and process termination of notepad as the final alert.
  5. go to defense+ computer security policy and doubleclick the entry for taskmgr and then access rights
  6. you should see everything set to ask, but if you click modify for interprocess access memory and process termination, you will notice notepad in the allowed application list.
  7. remove taskmgr entry from policy and repeat steps but with alerts set to fewer options and you will notice everything is set to allow in access rights and will only get one alert for taskmanager.

Yup tried paranoid mode myself.

Well personally I think the alert should make it clear if CIS is going to do this, so I’ll probably move it to bugs tomorrow.

Best wishes

Mouse

You asked for the data for the bug report. Voilà!
1. CPU: 32 bit
2. Operating System: Windows XP SP2 russian
3. Actively-running security and utility applications:
COMODO Antivirus (with Defense+) v.4.1.150349.920
Punto Switcher (automatic keyboard layout switcher)
Diskeeper
4. Specific symptoms of the bug, and steps to reproduce it.
Symptoms: answering an alert with “fewer options” and remembering answer causes all access rights of the corresponding rule to change to allow or block, depending on whether I click allow or block in the alert.
Steps to reproduce:
a) Set Defense+ to paranoid mode (enables alerts for safe apps).
b) go to Computer Security Policy, double click “…/notepad.exe” line, click Access Rights.
c) adjust the rights: driver installations and protected registry keys to “Block”, everything else to “Ask”.
Click all the “Apply” buttons.
d) Launch the notepad. You will get a Defense+ alert on keyboard access.
e) Make sure that you have “less options” interface of an alert. Check “Remember my answer” and click “Allow”.
f) Look how it affected the rule.
What you get is that notepad is allowed to do ANYTHING except to launch another app. Did you want to allow notepad to install drivers when responding to alert? Of course not. Moreover, all our efforts on setting the rule are wasted! ■■■■.
But if you did the same thing with “more options”, a specific rule would have been created, just as common sense suggests.
The problem is that it is nowhere clear from the alert’s interface that it is going to do that. Moreover, it appears to be not covered in help. Except for the problem, it appears to be a useful feature.

5. Specific steps you have taken to try to resolve it. N/A
6. Defense+ and Firewall mode
Defense+: paranoid mode. In “Defense+ settings”, on “general settings tab” – all checks cleared except for “Create rules for safe applications”. On “monitor settings” tab, everything checked.
Firewall: not installed yet…
7. BSODs: none.
8. Windows account: administrator

Plus I have made some nice screen shots.
