Settings for running Steam [Draft] [v6] [v7]

Comodo Internet Security - CIS Defense+ / Sandbox FAQ - CIS
41

You can and you can’t… The normal GUI no, but steam big picture mode is basically full screen steam made for the living room with controller as primary input.

42

I see. I haven’t seen that option.

43

For me the button for it is in the upper right corner, under min/max/close buttons.

44

OK revised it. Please note that AFAIK turning off the BB does not turn off BO protection.

45

I wonder if, in paranoid mode, Steam executables (aprt from Steam and Steam Service) need Windows System privs?

46

Here are the settings i use to to allow all my games to work but it is probably the least secure method since it gives a group the installer policy.

Finding installed games path:
First step is to figure out where your games are installed if you already know the file path of your games skip to the next step. To find where your games are installed open steam then click

  1. steam button at the top left
  2. Settings
  3. Downloads tab
  4. “steam library folders” button

Creating a group for installed games within CIS:

  1. Click tasks
  2. Advanced tasks
  3. Open advanced settings
  4. Security settings tab
  5. Defense +
  6. HIPS
  7. Protected Objects
  8. Right click in the white space where the rules are listed and select groups
  9. Right click in the white space and select “Add new group”
  10. Name is “Steam” or whatever you want to call it
  11. Right click on your newly added group and select add then "Folders
  12. Now select the folder where you have your games installed from the previous step
  13. Click “OK”

These next steps depends on how you have CIS setup

If you have the HIPS enabled:
Applying the installer/updater policy to your group:

  1. In the advanced settings select Defense +=
  2. HIPS
  3. HIPS rules
  4. Add a new rule
  5. Click “Browse” at the top right
  6. Select “File Groups”
  7. Select your newly created group which we called Steam
  8. Select the option “Installer/Updater” under “Use Ruleset:”
  9. Click Yes to the dialogue box that pops up
  10. Click “OK”

If you have the Auto-Sanbox enabled:
Excluding your new group from the Auto-Sandbox:

  1. In the advanced settings select Defense +
  2. Behavior Blocker
  3. Make sure the option “Define exclusions for behavior blocking” is check
  4. Select “exclusions”
  5. Right click in the white space and select “Add” → “File Groups” → then select your newly created group which we called Steam
  6. Click “OK”

If you want to give your group complete access through the firewall:

  1. In the advanced settings select Firewall
  2. Application Rules
  3. Right click in the white space and select “add”
  4. Click “Browse” at the top right
  5. Select “File Groups” then select your newly created group which we called Steam
  6. Select the option “Allow Application” under “Use Ruleset:”
  7. Click “OK”

These are the settings i use and never have any issues with my games. Even new games will work perfectly since they will be part of the group i created. After using this method you will NOT need to add newly installed games to the rules since the group uses a folder destination.

CAUTION: This settings will allow anything run from your games folder complete access to your computer and complete access to the internet. If you use these settings be cautious about what you install/copy to this folder.

47

Thanks very much wasgij. Excellent wording of instructions!

I did not realise you could change the games directory, so I will add a note on that.

I’ve so far taken the slightly less permissive approach of giving anything run from Steam or SteamService full permissions.

Is is possible to launch games which do not run from these executables?

There have been several instances of Steam executables being detected, hence the AV exclusions, which I would have preferred to avoid.

Best wishes

Mike

48

I never knew what that meant so never tried it. I just did and don’t like it at all. It looks like an Android touch UI. I would never use it.

!ot! I also think the new Steam OS and Steam machine are going to fail miserably.

49

Well it’s not designed for Desktops/laptops where you use a mouse and keyboard, it’s mainly designed for the living room where you sit on a couch in front of a TV with a controller in your hand, for this purpose the Big Picture Mode is in my personal opinion better than the standard Steam UI, simply because the standard steam UI doesn’t go well with controllers and on some TVs the font is too small.

They may or may not fail but personally I have no interest in those two projects, I just hope they succeed in their goals of a) Making Linux a better platform for games and b) Bringing more games to Linux.

Personally I’m fine with Windows so far but from my own experience many gamers want the option to play games on Linux (and for many that is the missing piece to make Linux their primary OS) and I believe it is a good idea to bring more games to Linux to really make it an alternative (Sure it has games now but only a fraction of what is currently out for Windows and from what I’ve tried they are usually bad/buggy) Honestly though I’m not sold on the idea of gaming on Linux, I’ve tried a few different distributions and it’s not really my thing, hell I had to install an old version of Ubuntu and then install the Nvidia drivers and THEN update to newest Ubuntu because the newest Ubuntu versions simply wouldn’t let me install the drivers directly (Yes I tried tons of different guides on how to set it up but none worked) So Linux isn’t even a choice for me even if they get more games, simply because it just doesn’t run well for me (for example I couldn’t get it to update in 120Hz, stuck on 60Hz) so Linux really has to improve a lot just to be able to play games properly on it. … I think I went off-topic of the off-topic…

Also sorry for all the off-topic, I believe we should either a) end this here or b) continue via PM since this isn’t really relevant to the topic of this thread.

50

This is the biggest problem I have with CIS.

Even when I “copy” a profile from another game; I.e. I launch the game, save one setting, then block+terminate it, go into settings, then copy settings from another title, the new game still seems to find a reason to popup a request for something that CIS fails at showing me, and it will force me to hard-reset my computer to get it back working again.

There really should be a way for CIS to either Terminate the application; or even automatically DENY (I can do that with I default to block all, but then these requests aren’t logged so I cant configure them later on.)

51

I’m running Comodo Free Firewall version 10.0.0.6092 with Windows 10 Home 64-bit. I found out that Comodo and more specifically HIPS is partially blocking the execution of 3dmark on Steam. I can start Steam and play games just fine. I can start 3dmark but loading a test hangs and I end up with black screen with nothing to do except reset my machine.

I have narrowed it down to HIPS as everything works just fine if HIPS is disabled.

It also works fine if I run 3dmark in windowed mode. If I run it full screen (default settings), it hangs in black screen.

I have been using Comodo for a long time with default settings:

  • Auto-sandbox: Disabled
  • HIPS: Safe Mode
  • Viruscope: Enabled
  • Website Filtering: Enabled

I have added choros.jar from 3dmark install folder to allowed applications as well as steam.exe and 3dmark.exe. Even then every time I start 3dmark the same 2 files appear on the blocked list in HIPS: 3dmark.exe and choros.jar. They re-appear if I unblock them. Why is it doing this?

Note that if I set the above 2 files to “Installer/Updater” everything works just fine. But that is not very smart is it…

52

Hi pete2 and welcome to the Comodo forums. Jut to let you know you can set 3dmark as an install/updater because it is only a benchmarking tool so no real danger. But you could instead set both 3dmark and the jar file as Windows System Applications ruleset. That way both 3dmark and choros can execute what it needs to work correctly without having to ask you which would happens with the Allowed application ruleset. You can also take a look at the HIPS event logs to see what exactly is being blocked. Alternatively you can set CIS to silent mode whenever you run 3dmark or other full screen applications.

53

Hello futuretech and thanks for the answer.

Did not know that Allowed Application ruleset will ask anything. One would think that Allowed means Allowed :wink:

So is setting the files as Windows System Application ruleset more secure than Installer/Updater? I will definitely try it out.

The weird thing is that the HIPS event logs are empty, no events even though it clearly is blocking something.

54

Installer/Updater is inherited by each child process of a parent process that is set as I/U, whereas as WSA is only applied to the given application that you set it to. So yes WSA is less of a security risk than assigning an application as I/U.

For HIPS events it defaults to showing events “Today”, to see all events you would right-click inside HIPS events and select entire period or at the top click filter by date and time and choose (no filtering).