Settings for running Steam [Draft] [v6] [v7]

This is a draft. Please tell me if it works for you. I tested on Win 8.1 with the Hammerfight v1.004 game.

About Steam
Steam is a game environment consisting mainly of

[ol]- a program Steam.exe located in the main steam directory that is used to run game programs from another directory, and another SteamService.exe located in another directory which is used to run games needing admin permissions and Steam and games installers

  • these games may be unknown to CIS and may use unusual hacks, and/or virus-like behavior to gain performance
  • the steam executables and some games need incoming as well as outgoing connections for some tasks, and which themselves exhibit some unsual behavior and have been mistaken for viruses
  • Several other special purpose executables in various directories[/ol]

Using it with CIS is problematic both for the above reasons and because games are usually run full screen, and may suppress Alt-Tab and so CIS alerts may not be received or accessible. Also games may lock themselves into full screen mode so that they are impossible to navigate away from to answer alerts without closing the program which may be impossible is frozen by CIS.

As a consequence unusually permissive settings are required to run Steam, settings that assume all games are trusted. An alternative for those unwilling allow such access is to run games in Windowed mode (if permitted) when first run, unsandbox executables from sandbox notifications and watch for and allow other alerts with ‘remember settings’ on. This will not always work as access required may depend on the level you reach within the game. A compromise between these approaches for people running with HIPS on and in custom firewall mode has been suggested by Clockwork here and here. You could of course also use game mode, or training mode in different CIS modules. But that puts the whole computer into a permissive mode and so is even less secure than the permissive Steams-specific settings suggested below. However game mode may be an advantage if maximum performance is needed at the expense of security.

Permissive settings for Steam
The following settings assume that the Steam Games you run are not malware, and neither they nor the directories that contain them are infected by malware. Please note that the settings will pose a security risk if this is not correct.

The referred to below will normally be C:\Program Files (x86)\Steam on 64 bit systems and C:\Program Files\Steam on 32 bit systems, unless you have changed it.

A. If Anitvirus and the Firewall are enabled, which they are by default, do the following:

[ol]- Set Firewall Tasks ~ Stealth ports into alert mode

  • In Advanced Settings ~ Firewall ~ Applications settings, add * and apply the Allowed Application policy to it.
  • In Advanced Settings ~ Antivirus ~ Excluded Paths and Excluded Applications add the folder *
  • In Advanced Settings ~ Defense + ~ Behavior Blocker exclude the same folder from Buffer Overflow Protection[/ol]

B. If you are using the Behavior Blocker which is on by default, do the following:

[ol]- In Advanced Settings ~ Defense + ~ Behavior Blocker ~ Exclusions add \Steam.exe and \bin\SteamService.exe, and tick exclude child processes[/ol]

C. If you are using HIPS, which is off by default in the default IS config, but on in proactive config. do the following:

[ol]- In Advanced Settings ~ Defense + ~ HIPS ~ Application rules apply the Installer/Updater policy to \Steam.exe and \bin\SteamService.exe

  • If running in paranoid mode, apply the ‘Allowed Application’ policy to all Steam executables in and \bin[/ol]

Then: restart the computer

These settings should deal with the vast majority of games. However if you get problems double check the Firewall Stealth settings are set to alert inbound connections, not block them, run the game in Windowed mode (not full screen) and watch for alerts from games or svchost.exe.

Best wishes


Personally I’m using HIPS and it has been working fine with just steam.exe as installer/updater (instead of a whole group)

However allowing steam to be run as installer/updater and excluding everything for it from the sandbox might be a bad idea, the steam games don’t need to be malware however as recently proven with Gmod they can be used as attack vectors for malware creators (the exploit in Gmod is fixed now though) I’m still going to run steam as Installer/Updater though, I can’t be bothered with setting up extensive rules for everything every time I install a new game and play a new game, it’s a major pain.

Some people report problems with Steam and the Behavior Blocker with some games, so that’s why I have suggested these settings. I got some freezes when I tried though that might be due to gaming inexperience. I agree about the installer updater - but as you say anything else is too difficult for most people. Training mode is no answer in this context as you are just saying you trust the game…

Do you use game mode - I have never explored what it does and so have not suggested it.

Clockwork had some HIPS settings that he said almost always worked. That would mean you could have a games policy for Hips.

Do you have the BB switched on Sanya?

I never use game mode and I would suggest against it unless Comodo changed the way it works, Game mode is (or at least was) basically setting CIS into training mode.

I do not use BB, I use HIPS.

Without the above settings, in 8.1 VM (vanilla proactive, HIPS =safe) just had a complete OS freeze running an unknown game, so there is a problem…

Could be an issue with the VM or the game or perhaps just the combination. What game is it, I may or may not have it so I may or may not be able to test it…

I was using hammerflight, as its free for next 4-5 days. Happened twice but I cannot replicate now - wierd. Maybe I changed some settings by then, but not all. I’ll try again and let HIPS time out. Probably that was what it was.

No I can freeze Steam by refusing the execution then clicking on Steam, but no OS freeze this time. Must be a dynamic issue or some combination of HIPS timeouts

Found Clockwork’s HIPS settings:;msg591084#msg591084;msg595204#msg595204

Any thoughts?

Iunno, I’m just going to continue using the installer/updater ruleset for Steam, in case of malware I could just restore a backup. (I still wish we could edit the installer/updater ruleset though, I want to block it from accessing a certain folder)

Sorry just noticed “(instead of a whole group)”

Sound reasonable, but I was just worried about people missing alerts if in paranoid or if the in place updates that Steam performs lead to unsigned files.

Best wishes


Steam and all it’s games run perfectly with no special settings needed as long as you use the trusted files list and don’t use HIPS. I have my BB set on untrusted and I never have any problems with Steam. You don’t need any settings to specially trust games or exclude the Steam folder.

Thanks as always for the input Dch48

Yes I agree if you know what you are doing, stay out of FS mode, and watch for alerts and notifications most games should be OK.

The problem is that people don’t (add games to trusted files if they miss the notification) and do (use HIPS and FW) when running full screen. Also some Steam games it appears conflict with guard32 and BO protection. I had a total OS freeze today experimenting with an unknown game.

So the above settings are about making it work for everyone, all or most of the time. As I note above experts can use a more restrictive approach.

Ideally we would know the minimum settings that would allow all Steam games to run perfectly without alerts. Unfortunately that’s quite a research project.

Best wishes


I’ve read somewhere that some games use buffer overflow for some reason, for what I do not know and I do not know if what I’ve read is true or not… I can’t remember where I’ve read it either…

Actually I run all my games in full screen mode and only have an issue with one every time it is updated. The game is Lord of the Rings Online by Turbine. The issue is not Comodo’s fault but purely Turbine’s. Every time there is an update, all of the new game files are accepted by CIS as trusted except for the main .exe of the game. For some unknown reason, Turbine does not sign the main game file but every other file is signed. This makes me have to manually add it to Trusted Files every time to keep it from being sandboxed and not functioning correctly. With Steam and every game I have from them, I never have any problems installing, updating, or running them.

I guess it is a way of inserting code into memory and running it without the overhead of all the OS security checks.

I think it really depends on what games you are running. Quite a lot are unknown and steam users sometimes run beta games too.

Here are a few links from the steam site that indicate the depth of the conflicts with security programs:

And one quote from the steam site.:

We encourage protecting your PC from viruses, spyware and other forms of malicious software. However, it is not necessary to run anti-virus and other security applications while you are engaged in playing a game on Steam.

Anti-virus applications often interfere with Steam and can cause a range of problems from connection issues to games not launching correctly. Please set your anti-virus to Game Mode or disable it before launching Steam if you are experiencing issues with your Steam games."

Ok on the basis of the Steam site discussions have added AV exclusions. The settings ought to work with most games now - if anything they are a bit permissive.

There is also something about a friends server creating inbound connections to check if people are still online. Although probably not essential for the functioning of games, that plus a few PTP games means I cannot use just an allow outbound for games, which I would prefer.

I suppose inbound connections will always need a global rules hole too. So maybe I should start by saying stealth should be in alert mode.

I’ll think further about your suggestion re installer/updater Sanya. Maybe if there is a separate updater I can make just that an installer/updater plus Steam.exe. Everything in Steam itself would start as trusted then, even if they forgot to sign some executables. Would be good if there was a games installer which was always used.

Ticking trust child processes in s/b exclusions plus including whole directories may be more than needed too. Question is, does everything, always, run under Steam.exe.

Added Stealth in alert inbound.