Role of "Execution Control Settings" in blocking an application

Hello.

I have a rule (Defense+ rules) to block an application from starting Internet Explorer.
If the “Execution Control Settings” is enabled, then Internet Explorer is blocked.

But…

If I disable “Execution Control Settings”, then Internet Explorer is started!

Is this normal?

Notes:

  • The configuration of Defense+ is in the figures;
  • Windows XP Home Edition pack 3;
  • Comodo firewall 5.10.228257.2253

Best regards


Have you tried to remove it from Block Application?

This is normal.

From the help file:

Image Execution Control Level Slider

The control slider in the Settings interface allows you to switch the Image Execution settings between Enabled (Default) and Disabled states. The Image Execution Control is disabled irrespective of the settings in this slider, if Defense+ is permanently deactivated in the General Settings from the Defense+ Settings interface.

Enabled (Default) - This setting instructs Defense+ to intercept all the files before they are loaded into memory and also intercepts pre-fetching/caching attempts for the executable files.

Disabled - No execution control is applied to the executable files.

In other words, with Image Execution Control disabled, Defense+ isn’t intercepting any executables. So your rule to block IE from starting will not work because IEC is disabled.

According to what I understand, it seems that IEC intercepts the executable before it is loaded into memory and checks if it is safe and does some tests.

After that, if I choose Paranoid Mode and with the Defense+ Settings in the figure that I sent, I control what the program does!

Is this correct?

Best regards

Yes, this is correct.

Yes, in Paranoid Mode, every process will spawn an alert, and you will have complete control over what an application is able to do on your system. Nothing is able to run unless you allow it.

Just be aware that you will receive a lot of alerts in Paranoid Mode.

OK!

I think I understand now.

If I want to control the executable, first I choose which options in IEC and “Monitoring Settings” I need.

For example:

  • To disable “Run an executable” for all rules in “Customize Policy”, disable the IEC;
  • To disable or enable the “Disk” for all rules, use “Disks” in “Monitoring Settings”.
    If enabled, Defense+ will apply the rule chosen by the user when the executable accesses the disk; if not, the application is free to access the disk, even if, in the rule, I block access to the disk.

If this is correct, I think the COMODO help, in my opinion, should advise the user, for example, that if he disables IEC then the option “Run an executable” for all rules in “Customize Policy” will not work.

Best regards

But it already does say this. I have already provided a link to the help file regarding the IEC in a previous post. As the section I quoted states, if you disable the IEC, Defense+ will not intercept any files.

At the bottom of every settings window in CIS, there is a link that says: ? What do these settings do? If you’re ever curious about what will happen if you disable something, click the link and read what the help file says about that particular setting.