Some predefined policies don’t appear as choices in the ‘Treat this application as’ drop-down list in alerts. The issue happens more often with predefined policies that the user has created, but also sometimes happens with predefined policies shipped with the product. Both firewall alerts and Defense+ alerts have the issue. Also, the set of predefined policies in the drop-down list varies from alert to alert, seemingly dependent on what triggered the alert.
Version: V3.0.14.276
CPU: 32 bit
OS: Win XP SP2
Other security programs running: Returnil, NOD32
Defense+ Security Level: Train with Safe Mode
Firewall Security Level: Custom Policy Mode
I do understand that there are separate sets of firewall predefined policies, and Defense+ predefined policies. Was this what you were referring to, sded? If not, can you please explain further?
The predefined policies have different permissions. If you try to do something and get a popup, your choices should only include the policies that affect that function. I have only noticed it in D+. IAW, if you have a program that accesses memory, and get a D+ popup, you should only have the options that allow or block memory access, instead of generating another “ask”. See if that fits what you are seeing; I haven’t spent a lot of time looking at it.
Could you please post three different alert screenshots where there are few policies available?
Like sded said, some alerts show fewer policies by design.
So you have to either write all the necessary steps in order to reproduce this or post a few screenshots.
When running an installer program that is not on the Comodo safe list, sometimes I don’t wish to use the predefined Defense+ policy ‘Installer or Updater’ because I want to ensure that the installer program is not loading device drivers, changing critical system files, etc. As expected, when the installer program creates executable files within the Program Files folder, Defense+ gives file alerts. Some programs create many executables within the Program Files folder, so repeatedly having to answer the Defense+ file alerts becomes quite tedious. Therefore, I created a predefined Defense+ policy with all options set to Ask, and file modifications allowed only within the Program Files folder or subfolders. If it seems that a given installer program is creating many executable files within the Program Files folder, I would like to be able to use this policy temporarily from the Defense+ alert box for modified files, but, alas, my policy is not in the list of predefined policies! So, for now, I use the workaround of going into Computer Security Policy, and permanently assigning my aforementioned policy to the installer program.
As both of you have mentioned, this behavior may be by design. However, to the user, it may seem like a bug. I have seen another post by another user mentioning the same issue. If this behavior is indeed by design, it might be a good idea to document this in the help file, if it is not already documented. And if this behavior is by design, perhaps the developers may wish to change this behavior, to accommodate scenarios such as mine.
I guess it would be useful to change the execution control alert to assign a policy to the executable that is going to run instead of using it to reassign a predefined policy to the parent application.
I made a policy to allow file modification in %programfiles%* and ran a setup application. That predefined policy wasn’t available until I got a file protection alert.
Before that I got a file execution alert and a privilege escalation alert (access to control manager) which lacked the new policy I just created.
As I understand your usage scenario, this would fall under a new feature request if you agree that redefining the execution control alert will greatly improve the use of a self-made installation policy. Please submit your latest post in the feedback board (and wishlist) as well.
It is worth mentioning that the help file doesn’t document this policy availability behaviour.
Is there a good technical reason why all Firewall predefined policies should not appear in all Firewall alerts, and all Defense+ predefined policies should not appear in all Defense+ alerts? Or is the program simply trying to help the user by filtering out policies that the program thinks the user would not wish to use in a given alert? If it’s the latter case, I would definitely prefer to not have the program try to be that smart about guessing my intentions.
The technical reason: You have been asked to block or allow a request. If you look at the policies, some do not contain either a block or allow for that request, but another ask. Those should not be presented to you, since they do not answer the current alert at all. The ones that are presented should allow you to either block or allow the current alert, and tell the program how you want to react to future alerts for the same application. If something else is happening, imho it is a bug.
I thought about this since my last post while I was exercising. I came to realize the reason is as sded has since posted. However, IMHO, this should be considered a logic design bug. The reason is that one’s answer to the current alert can be considered logically independent from what, if any, predefined policy should be applied in the future. “Treat this application as” should not be an option mutually exclusive to allowing or blocking the current request. Rather, “Treat this application as” should be its own logically independent option on the same screen, but not within the same option group as ‘Allow this request’, “Block this request”, and “Remember my answer”. If the developers want temporary policies to be available (I’m not sure if this is the intention or not), then there should be a separate “Remember my answer” checkbox that pertains to only the predefined policy dropdown box. The semantics would be that if one chose a predefined policy to be applied in an alert screen, it will affect which future alerts may appear, but does not affect the current alert. If one chooses to assign a permanent predefined policy from within an alert, the “Remember my answer” checkbox for the allow/block request should be disabled, since the predefined policy will ■■■■ away any existing rules for the given program. Making this change to the GUI would allow all Firewall predefined policies to be shown in all Firewall alerts, and all Defense+ predefined policies to be shown in all Defense+ alerts; this would allow my usage scenario from my previous post in this topic, and will also prevent future posts from other users about this issue.
It still is true that some predefined policies don’t appear as choices in some alerts in v3.0.18.309, but this appears to be by design. Behavior has changed from the last version I tested in regards to which predefined policies appear as choices in alerts for file modifications; in v3.0.18.309, predefined policies are listed in an alert for file modifications if the file that generated the given file modification alert is included in the protected files of the predefined policy. So my specific issue was resolved. I don’t think that the developers wish to further change the behavior of alerts to match one of my previous posts in this topic, so I’ll mark this bug as resolved. Thanks for fixing my issue
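The filtering rule described in this thread (an alert offers only the policies that allow or block the current request, and a file modification alert also offers policies whose file list covers the target), modelled as an added example that is not part of any post and is not the product's code. The `Policy` class, the access-type names and the permissions given to each sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ASK, ALLOW, BLOCK = "ask", "allow", "block"

@dataclass
class Policy:
    name: str
    actions: dict                      # access type -> ASK / ALLOW / BLOCK (missing = ASK)
    allowed_files: list = field(default_factory=list)  # globs exempt from file alerts

    def answers(self, access, target=None):
        """True if this policy allows or blocks the request instead of asking again."""
        if self.actions.get(access, ASK) != ASK:
            return True
        if access == "file_modify" and target is not None:
            return any(fnmatchcase(target.lower(), g.lower()) for g in self.allowed_files)
        return False

def policies_for_alert(policies, access, target=None):
    """Names of the policies that would be offered in an alert for this request."""
    return [p.name for p in policies if p.answers(access, target)]

# Constructed sample policies (permissions simplified, not taken from the product).
POLICIES = [
    Policy("Installer or Updater",
           {"execute": ALLOW, "service_control": ALLOW, "file_modify": ALLOW}),
    Policy("Program Files only (hypothetical user policy)",
           {}, allowed_files=[r"C:\Program Files\*"]),
]

if __name__ == "__main__":
    # Constructed alert sequence, loosely following the setup run described above.
    for access, target in [("execute", r"C:\Temp\setup_helper.exe"),
                           ("service_control", None),
                           ("file_modify", r"C:\Program Files\App\app.exe"),
                           ("file_modify", r"C:\Windows\system32\drivers\x.sys")]:
        print(access, target, "->", policies_for_alert(POLICIES, access, target))
```

Under this model the all-Ask user policy is absent from execution and service-control alerts and appears only for file alerts inside its allowed folder, which matches what the posters observed.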