Should CFP warn about updated programs

If I update a program, such as Firefox or Thunderbird or some other executable, should CFP block its execution and warn me that the file has been modified? It does not seem to be doing this - it just lets the program run like nothing ever happened. Sure, it might show up in the ‘files waiting for review’ but that doesn’t stop it from running. Do I have a setting wrong? Isn’t a HIPS program supposed to stop such modified files from executing until allowed again?

Thanks

CFP should warn for the updater itself. As you get the warning there, you won’t get any warning when launching the updated program.

LA

This I find to be a problem. I used Zone Alarm in the past and now I am currently using Online Armor. When I was using Comodo and patched a game (COD4, WOW, BF2) I got the pop up about the installer. Then when I launched COD4 I did not get a warning about “trusted program has changed”. Both Zone Alarm and Online Armor do this. Any time a trusted program changes you get an alert stating “a trusted program has changed”, allow or block it. Malware can attach itself to an exe file and rename it like Firefox. If malware attacked your PC and renamed Firefox, Comodo would not give you an alert, whereas Zone Alarm and Online Armor would.

Then you’re actually asking for two alerts rather than one?

Defense+ would notice the attack and warn you before the malware gets any chance to do such a thing.

LA

I agree with Vettetech. This seems to be a security disaster. I can easily envision a program update that, as malware, changes an unrelated exe file during the ‘update’. It seems that CFP will treat this as part of the update and not warn me when I execute the unrelated, but changed, exe file. (because how would it know that it wasn’t part of the programs that were supposed to be updated when I ran the installer)

The updater should have a warning because it is a program trying to execute on my computer. That is a separate issue from the programs it has ‘updated’. I am not being warned twice for the same thing, especially because one would likely enter an installation mode with an updater or one would be hit with sooooo many warnings that it is hard to click ok fast enough.

EVERY other HIPS program I have seen gives a simple warning that the checksums don’t match, allow or deny. Comodo should do this too.

Thank you Dr.F. I am using Online Armor on my laptop and Comodo on my desktop. I just updated SuperAntiSpyware to version 4.0.1142. Both Online Armor and Comodo gave me an alert about the SuperAntiSpyware installer. After the installer was done and I launched SAS on my desktop, Comodo just let it run. On my laptop, after the install, Online Armor gave me a pop up stating “A Trusted Program Has Changed”. Do you want to allow this change and allow this program to run or do you want to block it? I felt safe knowing that Online Armor was aware I changed a program which I trusted prior.

A similar discussion took place back in January with egemen here.

If you use the my pending files function, and decide that you do not want a modified program to execute as is, you have the option of deleting its application rule so that D+ will treat that program as new. This would force D+ to create a new application rule and not use the previous one. Not very user friendly, but that would be one way of avoiding running the program with previous rules.

Al

No, it’s not user friendly, and I have D+ set to train with safe mode because I don’t care for the pending files thing, since 99% of what’s in there I know. Pending files makes you babysit Comodo and most people have no idea what to do with them.

Hi Adric,

Thanks for the link. I wish I had seen this at the time so I could have participated in that discussion - You are SOOOO RIGHT in your arguments. If I understand what CFP is doing, this is being completely mishandled by CFP. When someone runs an updater they are going to expect things to be modified and start clicking away, or even go into installation mode or disable defense + temporarily so they don’t have to answer a million questions. The odds of catching and acting correctly to that one malware modification to another file are slim for most users. Having to search through the ‘my pending files’ is obscure and not clear in the ‘directions’ for running CFP. It is clear that they say “In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.” (they are referring to Clean PC mode). Apparently they are hardly monitored or controlled. Additionally, they clearly say that every new executable “introduced to the pc are not assumed safe.” A modified executable is a new executable - plain and simple! Everyone who has ever used a HIPS program knows that an alert should pop up when a modified version of a file tries to run, period. They really should change this.
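
The "trusted program has changed" check that several posts in this thread ask for, sketched as an added example; it is not code from any poster, from Comodo or from the other products named. It assumes a per-path SHA-256 baseline (the thread only says "checksums"), and the file names, the `baseline` dictionary and all function names are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large executables are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def trust(baseline, path):
    """Record the current hash of a file the user has approved."""
    baseline[os.path.realpath(path)] = sha256_file(path)

def check_launch(baseline, path):
    """Verdict for a launch request: 'allow', 'changed' or 'new'."""
    key = os.path.realpath(path)
    if key not in baseline:
        return "new"          # never approved: ask the user
    if baseline[key] != sha256_file(path):
        return "changed"      # trusted program has changed: ask again
    return "allow"

def demo():
    """Constructed scenario: an update rewrites its target and an unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")   # hypothetical names
        mail = os.path.join(d, "mail.exe")
        for p, data in ((browser, b"browser v1"), (mail, b"mail v1")):
            with open(p, "wb") as f:
                f.write(data)
        baseline = {}
        trust(baseline, browser)
        trust(baseline, mail)
        before = [check_launch(baseline, p) for p in (browser, mail)]
        # The "update" replaces the browser and also touches the mail client.
        with open(browser, "wb") as f:
            f.write(b"browser v2")
        with open(mail, "ab") as f:
            f.write(b"appended bytes")
        after = [check_launch(baseline, p) for p in (browser, mail)]
        trust(baseline, browser)   # user approves only the expected change
        final = [check_launch(baseline, p) for p in (browser, mail)]
        unknown = check_launch(baseline, os.path.join(d, "other.exe"))
        return before, after, final, unknown

if __name__ == "__main__":
    print(demo())
```

Because the verdict is computed per file at launch time, the unrelated file modified during the update still returns `changed` after the expected update has been approved.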