Although I didn’t have any rule in Defense+ to allow the file to run, and the Image Execution Control Settings are SET to check *.bat files, I can run the following command without any prompt or block from Defense+ whatsoever:
C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\dr4fnr61.default\IniFox.bat
… This is a batch file which then runs sqlite3.exe in the same folder.
AND ON TOP OF THAT … sqlite ALSO runs without any rule and without any popup from Defense+ !!!
Defense+ is set in Safe Mode and there is no rule in the Defense+ Security Policy.
This looks like a real dangerous mistake by Defense+ !!! :-[
Sqlite3.exe 3.6.14.2 (MD5: 593a4e45bfffaf7726fc60f8d380ca69, SHA1: 493455c9f5a5d204b0695e9e1cf8f3e0d161be19) is not digitally signed but it is safelisted by hash.
To enable “Run an executable” alerts, Image Execution Control ought to be set to normal or aggressive (the COMODO - Internet security configuration defaults to disabled).
If Image Execution Control is Enabled (D+ Safe mode) and the child application (eg sqlite3.exe) is not safelisted:
Invoking sqlite3.exe from a batch file (eg IniFox.bat) should trigger a “Run an executable” alert with command.com cmd.exe as parent (left side) and sqlite3.exe as child (right side)
If the above-mentioned alert is marked to be remembered, the cmd.exe policy will be updated/created and it will be possible to launch sqlite3.exe using the same batch file without alerts.
If Image Execution Control is Enabled (D+ Safe mode) and the child application (eg sqlite3.exe) is safelisted:
Invoking sqlite3.exe from a batch file (eg IniFox.bat) will not trigger a “Run an executable” alert with command.com cmd.exe as parent (left side) and sqlite3.exe as child (right side)
The cmd.exe policy will be updated/created to allow sqlite3.exe with a fully specified path without alerts.
If Image Execution Control is set to aggressive (not default in any CIS configuration) and *.bat is listed in the related files to check (default in any CIS configuration):
Invoking a batch file (eg IniFox.bat) should trigger a “Run an executable” alert (as long as the action has not been marked to be remembered).
NOTE: If Image Execution Control is set to normal (COMODO - Proactive security configuration default) no “Run an executable” alert will be triggered for .bat files
PS: The COMODO - Proactive security configuration’s Protected files feature an Executables group that includes *.bat, to the effect that a “Protected file/folder” alert will be triggered in D+ safe mode even when a safe-listed application creates a new .bat file.
Sqlite3.exe 3.6.14.2 (MD5: 593a4e45bfffaf7726fc60f8d380ca69, SHA1: 493455c9f5a5d204b0695e9e1cf8f3e0d161be19) is not digitally signed but it is safelisted by hash.
… But I don’t get any popup, there is no rule for it, and IEC is set to Normal.
What is the point of our Computer Security Policy if CIS starts allowing stuff based on hash ???
… and why didn’t I get any popup whatsoever when I ran the Inifox.bat file ??? :-\
EDIT: I downloaded the latest sqlite from the site mentioned, but once again … No popup at all. :-\
In that D+ safe mode case there was no cmd.exe popup because that sqlite3.exe version was safelisted (a cmd.exe policy allowing firefox_profile_path\sqlite3.exe to be launched by cmd.exe was automatically created/modified), whereas no sqlite3.exe policy was automatically created/modified because sqlite did not carry out any action monitored by the config defaults (or custom configs) you are using (otherwise a sqlite3.exe policy with the default safelisted-app permissions would have been generated).
If Image Execution Control is set to aggressive (not default in any CIS configuration) and *.bat is listed in the related files to check (default in any CIS configuration), there should also be an alert for IniFox.bat, assuming you double-clicked IniFox.bat from the explorer file manager and the corresponding %windir%\explorer.exe policy is NOT set to the “Windows System Application” predefined policy (as in the COMODO - Internet security configuration) or an equivalent policy.
NOTE: double-clicking IniFox.bat from the explorer file manager causes explorer.exe to run IniFox.bat. If another app attempted to run IniFox.bat, the result would change according to the configuration and customizations used.
(eg. using COMODO - Proactive security default configuration and changing Image Execution Control to aggressive will trigger a “Run an Executable” explorer.exe —> IniFox.bat alert when double-clicking IniFox.bat from explorer file manager)
Then I assume you would prefer running D+ in Paranoid mode. In that case the Comodo hash-based safe-list (and the user-modifiable trusted vendor list used for digitally signed executables) will not be used.
If you wish to receive alerts for the creation of *.bat (and other executables) you could also switch to the COMODO - Proactive security configuration (which has an Executables group in Protected files/folders) and thereafter set D+ to paranoid mode.
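To make the rules in the two replies above concrete, here is a small Python model of the "Run an executable" decision flow as this thread describes it. It is an added example, not Comodo's code and not something posted in this thread; the class, method names and the ordering of the checks are my assumptions about how the described behaviour fits together, the SHA-1 is the one quoted above for sqlite3.exe 3.6.14.2, and the bytes standing in for the newer sqlite3.exe are constructed so that the hash lookup fails. It replays the sequence reported in the thread: the safelisted 3.6.14.2 launches silently and leaves a cmd.exe rule behind, an unsafelisted 3.6.21 dropped at the same path rides on that rule, and only deleting the cmd.exe policy produces the alert.

```python
"""Toy model of the Defense+ "Run an executable" flow as described in the thread.
Added illustration, not Comodo code; names and check ordering are assumptions."""
import hashlib

# SHA-1 quoted in the thread for the safelisted sqlite3.exe 3.6.14.2 build.
SAFELISTED_SHA1 = {"493455c9f5a5d204b0695e9e1cf8f3e0d161be19"}

# Constructed stand-in for a newer sqlite3.exe (3.6.21) that is not safelisted yet.
NEWER_SQLITE_BYTES = b"MZ\x90\x00 constructed stand-in for sqlite3.exe 3.6.21"

PROFILE = r"C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\dr4fnr61.default"
SQLITE_PATH = PROFILE + r"\sqlite3.exe"
BAT_PATH = PROFILE + r"\IniFox.bat"


def is_safelisted(image_bytes, safelist=SAFELISTED_SHA1):
    """Hash-based safelisting: the image is trusted only if its hash is listed."""
    return hashlib.sha1(image_bytes).hexdigest() in safelist


class DefensePlus:
    """Minimal state: IEC level, D+ mode, and per-parent execution rules."""

    def __init__(self, iec="normal", mode="safe", bat_checked=True,
                 windows_system_apps=()):
        self.iec = iec                    # "disabled" | "normal" | "aggressive"
        self.mode = mode                  # "safe" | "paranoid"
        self.bat_checked = bat_checked    # *.bat present in "files to check"
        self.windows_system_apps = set(windows_system_apps)
        self.policy = {}                  # parent image -> set of allowed child paths

    def launch(self, parent, child, child_safelisted, remember=True):
        """Return how D+ handles `parent` launching `child`, updating the policy
        as the thread describes (silent rule for a safelisted child, remembered
        rule after an answered alert)."""
        if self.iec == "disabled":
            return "not_checked"          # no "Run an executable" alerts at all
        if child.lower().endswith(".bat") and not (
                self.iec == "aggressive" and self.bat_checked):
            return "not_checked"          # .bat files only checked in aggressive
        if parent in self.windows_system_apps:
            return "allowed_by_policy"    # predefined policy, never alerts
        allowed = self.policy.setdefault(parent, set())
        if child in allowed:
            return "allowed_by_policy"    # existing rule for this exact path
        if self.mode != "paranoid" and child_safelisted:
            allowed.add(child)            # rule auto-created, no popup
            return "allowed_by_safelist"
        if remember:
            allowed.add(child)            # user answered "remember my answer"
        return "alert"

    def delete_policy(self, parent):
        """Equivalent of removing the parent's rules from Computer Security Policy."""
        self.policy.pop(parent, None)


def replay_thread():
    """Reproduce the sequence reported in the thread; returns each outcome."""
    dplus = DefensePlus(iec="normal", mode="safe")
    out = {}
    # 1. explorer.exe double-clicks IniFox.bat: .bat is not checked at Normal.
    out["bat_normal"] = dplus.launch("explorer.exe", BAT_PATH, False)
    # 2. cmd.exe runs the safelisted 3.6.14.2 (safelisting given as True, since the
    #    real binary is not embedded here): silent, cmd.exe rule auto-created.
    out["safelisted_sqlite"] = dplus.launch("cmd.exe", SQLITE_PATH, True)
    # 3. newer 3.6.21 dropped at the same path: still silent, rule already exists.
    newer_ok = is_safelisted(NEWER_SQLITE_BYTES)
    out["newer_same_path"] = dplus.launch("cmd.exe", SQLITE_PATH, newer_ok)
    # 4. delete the cmd.exe policy: now the unsafelisted version alerts.
    dplus.delete_policy("cmd.exe")
    out["newer_after_delete"] = dplus.launch("cmd.exe", SQLITE_PATH, newer_ok)
    # 5. aggressive IEC, explorer.exe under a normal policy: IniFox.bat alerts.
    proactive = DefensePlus(iec="aggressive", mode="safe")
    out["bat_aggressive"] = proactive.launch("explorer.exe", BAT_PATH, False)
    # 6. aggressive IEC but explorer.exe is a "Windows System Application".
    internet = DefensePlus(iec="aggressive", windows_system_apps={"explorer.exe"})
    out["bat_aggressive_wsa"] = internet.launch("explorer.exe", BAT_PATH, False)
    # 7. paranoid mode: the safelist is not consulted, even a safelisted child alerts.
    paranoid = DefensePlus(iec="normal", mode="paranoid")
    out["paranoid_safelisted"] = paranoid.launch("cmd.exe", SQLITE_PATH, True)
    return out


if __name__ == "__main__":
    for name, outcome in replay_thread().items():
        print(f"{name}: {outcome}")
```

Step 3 is the part worth noticing: because the auto-created rule keys on the parent and the child's full path, any later binary placed at that path inherits the silent allow, which is exactly why deleting the cmd.exe rules was needed before the popup for the newer sqlite3.exe appeared.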
As far as I see, sqlite3 is not digitally signed. See screenshot below.
I got the popups by first manually removing the cmd.exe rules from Computer Security Policy (which is quite difficult when you have a window with many rules and no working sort function).
Then all of a sudden I got a popup regarding sqlite3.exe
So, the problem is somehow fixed by first removing another rule, seems quite weird to me, and all of a sudden I have way less confidence in the usage of CIS.
Somehow the rule for cmd.exe must have been set to automatically allow cmd.exe to run any kind of stuff.
Anyway, thanks a lot for the prompt and really helpful responses guys.
In the end, deleting the cmd.exe policy (just like editing that policy to remove only the FF_profile_folder\sqlite3 execution rule) and using IniFox.bat to run the more recent Sqlite3.exe (3.6.21) in the Firefox profile folder yielded different results because that other Sqlite3 version had not been safelisted yet.