Some files that are not in My Protected Files are protected

Some files that are not in My Protected Files are being protected anyway. It seems that any executable file listed anywhere within any Defense+ policy is protected, regardless of whether it is included in My Protected Files. Is this intended or a bug? This behavior results in file protection alerts that I would rather not see, because I am now using an approach that aims to reduce the number of popups, as described at https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/an_approach_for_configuring_defense_for_many_fewer_alerts-t36657.0.html. This behavior occurs with v3.8.65951.477 as well as an older version that I use.

Hello,

My name is Jacob Kilgore.
I’m one of the Comodo Forum Moderators.
I would like to help you with this issue.

What files are being protected without being listed?

  • Jacob Kilgore
    C-O-M-O-D-O Forum Moderator

Hi Mr. Kilgore,

Thank you for your assistance.

Steps to reproduce issue:

  1. Remove all entries from My Protected Files.
  2. Set Defense+ mode to Paranoid.
  3. Delete the existing Defense+ policy for c:\windows\explorer.exe.
  4. Copy calc.exe from the system directory to c:\temp.
  5. Add a new D+ policy for c:\windows\explorer.exe. In its D+ policy, allow it to run the executable c:\temp\calc.exe.
  6. In Windows Explorer, go to folder c:\temp and double-click on calc.exe. It should run without an alert, due to the rule added in step 5. This is to test that the rule from step 5 is in effect.
  7. In Windows Explorer, delete file c:\temp\calc.exe. This triggers a file modification alert, despite the fact that we removed all entries from My Protected Files in step 1.

Hi MrBrian,

Look under D+ > Image Execution Control Settings > Files To Check.

Seems at first thought to be where your query leads me.

Later

Hi Bad Frogger,

Thank you also for your assistance.

I deleted all entries under Files to Check, and also set Image Execution Control Level to Disabled. But the behavior I described above persists.

Sorry then, just when you mentioned exe files. I knew they were listed there as well.

Haven’t read through the approach you link to and thought it through enough to decide if it seems flawed or not.

Otherwise at the moment I’m at a loss.

Later

In my above example, if the file that we were deleting had not been listed in a Defense+ policy somewhere, there would have been no file protection alert. Thus, the mechanism of what is happening seems clear to me. What I don’t know is whether there is a good reason for doing this. In my particular case, I hope this behavior changes in future versions of CIS - i.e. I’d prefer that the set of files actually protected is the same as the set specified in My Protected Files.

This behavior persists in v3.10.102363.531.

I can’t reproduce here with .531 on Win 7 RC.

Can you try the following. Import the proactive backup configuration, COMODO - Proactive Security.cfg, from the installation folder and name it something like Proactive test. Now try again and see if the same thing happens?

Thank you EricJH for your efforts.

I did as you requested, but the undesired behavior persisted. I made these changes after the import:

  1. Changed to D+ paranoid mode.
  2. Wiped out the protected file list.
  3. Deleted the default policy for explorer.exe.
  4. Executed a program I hadn’t used before to trigger a file execution alert. Remembered the action.
  5. Made a backup of the program I executed in step 4.
  6. Modified the program executed in step 4 with a hex editor, at which point the (undesired) file modification alert appears.

Can you show me a screenshot of the file modification alert?

[attachment deleted by admin]

I tried to reproduce but failed.

Is this a clean install or an update install? Are you using a configuration from 3.9 or earlier? What configuration are you running?

Are you willing to try to reproduce this with a clean configuration?

Go to Miscellaneous → Manage my configurations → Import → go to the Comodo installation folder and import the COMODO - Proactive Security.cfg (or another one) → rename it to COMODO - Proactive Security Test → Activate.

Now try again and see what happens.

The above screenshots are from v3.10 (previous version v3.8 was uninstalled first) cleanly installed, with the ‘COMODO - Proactive Security’ configuration exported and then imported to a different name, as you had requested. I am using XP SP3. This behavior happens in every configuration on my machine, and on every version of CIS that I have used.