Tips for using Paranoid Mode

I’ve read topics in which some people have expressed frustration about the lack of control over the behavior of programs that Comodo has deemed trusted when using Safe Mode. I’ll show you how to get back control by using Paranoid Mode. This topic is intended for advanced users only.

This first post covers creating your own custom list of trusted programs.

Here are the steps:

  1. Switch to the CIS configuration that you wish to use. If desired, you can create a new configuration by exporting an existing configuration and then importing it using a different name. Information about the configurations included with CIS is found at Comodo Preset Configurations | Comodo Internet Security | Comodo Internet Security v5.9/5.10.
  2. Use Defense+ Security Level Paranoid Mode.
  3. Define a new file group called “Custom Trusted Programs without Arbitrary Launching Capability”. Add programs to this group that you wish to be considered trusted. Wildcards such as * can be used to specify all programs in a given folder and subfolders. Programs in this file group can be launched by any other program without an alert, and can perform any action without an alert except launching of programs that you haven’t specified as trusted.
  4. Add a Defense+ policy for file group “Custom Trusted Programs without Arbitrary Launching Capability”. Give it the predefined policy Trusted Application.
  5. Add the file group “Custom Trusted Programs without Arbitrary Launching Capability” to the “Run an executable” Allowed Applications of the “All Applications” Defense+ policy. This allows any program that’s running to run programs in the file group “Custom Trusted Programs without Arbitrary Launching Capability” without an alert.
  6. Use Firewall Security Level Custom Policy.
  7. Add a firewall policy for file group “Custom Trusted Programs without Arbitrary Launching Capability”. Give it the predefined policy Trusted Application.

You can create additional file groups if you want different policies for different file groups. For example, if you wish to always run installers from folder c:\temp\setup without alerts, you could create a file group called “Custom Trusted Installers” with member c:\temp\setup\*, Defense+ predefined policy “Installer or Updater”, and firewall predefined policy Trusted Application. Add the file group “Custom Trusted Installers” to the “Run an executable” Allowed Applications of the “All Applications” Defense+ policy.

There may be programs that you wish to consider trusted and also allow to launch any program, whether trusted or not. To do so, create a file group named “Custom Trusted Programs with Arbitrary Launching Capability”. Add desired programs to this file group. Give it the predefined Defense+ policy Windows System Application and firewall policy Trusted Application. Add the file group “Custom Trusted Programs with Arbitrary Launching Capability” to the “Run an executable” Allowed Applications of the “All Applications” Defense+ policy.

I recommend that you review all existing Defense+ and firewall policies for inconsistencies with your intended goals after implementing this method. In particular, pay close attention to the Defense+ policy (if there is one) of explorer.exe (i.e. Windows Explorer), because it may be allowing execution of any program. Note that Defense+ policies are processed in the order that they are defined.

Periodic rule maintenance is recommended. You may delete a Defense+ policy for a trusted program unless there are Defense+ rules that you wish to preserve. You may delete a firewall policy for a trusted program unless there are firewall rules that you wish to preserve. You may delete any Defense+ policies whose only non-default rule is to launch a trusted program.

I’ve been deliberately vague about the specific user interface actions to accomplish the above steps. Feel free to ask if you need more details.

This second post covers execution control for those of you using Vista or Windows 7 with a UAC-protected admin or standard user account as your everyday use account. If you’re using a Windows XP admin account as your everyday use account, then this post doesn’t apply to you. To make this post independent from the first post, I didn’t use the new file groups mentioned in the first post, although they could have been used.

You may wish to allow any program that’s already running to run programs within folder \windows that can’t be written to by a user lacking admin rights. Some folders within folder \windows allow both writing and execution by users without admin rights. To handle this scenario, add c:\windows\* (or whatever your \windows folder is) to a new file group named “Windows Folder Apps”. Add the file group “Windows Folder Apps” to the “Run an executable” Allowed Applications of the “All Applications” Defense+ policy. Create a new file group named “All Applications #2” whose only member is the asterisk (*) character. Add a Defense+ policy for file group “All Applications #2”. Drag this policy so that it immediately precedes the “All Applications” policy in the list. Edit this policy so that its “Run an executable” Blocked Applications list contains all folders within \windows to which a non-admin user can write. The list of such folders is found by using free programs such as AccessChk or AccessEnum. If you can’t or don’t want to use AccessChk or AccessEnum, here is a list of folders that you can use:

Windows XP x86:
c:\windows\Debug\UserMode
c:\windows\Registration\CRMLog
c:\windows\Tasks
c:\windows\Temp
c:\windows\system32\spool\PRINTERS

Windows Vista:
c:\windows\Registration\CRMLog
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\drivers\color
c:\windows\System32\spool\PRINTERS
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp - only if you use x64
c:\windows\SysWOW64\FxsTmp - only if you use x64
c:\windows\SysWOW64\Tasks - only if you use x64
c:\windows\Tasks
c:\windows\Temp
c:\windows\tracing

Windows 7:
c:\windows\debug\WIA
c:\windows\Registration\CRMLog
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\drivers\color
c:\windows\System32\spool\PRINTERS
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp - only if you use x64
c:\windows\SysWOW64\FxsTmp - only if you use x64
c:\windows\SysWOW64\Tasks - only if you use x64
c:\windows\Tasks
c:\windows\Temp
c:\windows\tracing
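The writable-folder scan described above, as an added PowerShell example that is not part of the original post: it lists folders under the Windows folder where a user without admin rights can create files and prints each in the wildcard form used for file-group members, so the output can be used to fill the “Run an executable” Blocked Applications list of the “All Applications #2” policy. It approximates what AccessChk reports with `accesschk.exe -uwqs Users c:\windows`. The identity list, and the choice to treat any Allow ACE granting CreateFiles or AppendData as “writable”, are assumptions; Deny ACEs are not evaluated, so confirm the result with AccessChk or AccessEnum before relying on it.

```powershell
# Added example (not from the original post): find folders under the Windows
# folder that a non-admin user can write to. Run from an elevated prompt so
# that every folder's ACL can be read.

# Assumption: these identities stand for "any logged-on user", i.e. the groups
# an everyday standard-user account belongs to.
$script:NonAdminIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Get-UserWritableFolder {
    param(
        # Assumption: the Windows folder; $env:SystemRoot is usually c:\windows
        [string]$Path = $env:SystemRoot
    )

    # CreateFiles (= WriteData) and AppendData (= CreateDirectories) are the
    # bits that let a user drop a new file or folder into a directory.
    # Modify and FullControl include both, so they are caught as well.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::AppendData)

    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                return   # ACL unreadable (access denied etc.): skip rather than guess
            }

            # Allow ACEs for a non-admin identity that carry a write bit.
            $hits = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $script:NonAdminIdentities -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $writeMask) -ne 0
            })

            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Folder     = $dir.FullName
                    # Wildcard form used for Comodo file-group members / rule entries
                    Pattern    = $dir.FullName + '\*'
                    Identities = (($hits | ForEach-Object { $_.IdentityReference.Value }) |
                                  Sort-Object -Unique) -join ', '
                }
            }
        }
}

# Usage: scan the Windows folder and show the result as a table.
Get-UserWritableFolder | Format-Table -AutoSize
```

Recursing the whole Windows folder takes a few minutes; folders reported here that are missing from the lists above (or the other way round) are the ones to check by hand, since the lists in the post are for default installations and third-party software can add its own world-writable folders under \windows.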

Since the policy for “All Applications #2” blocks all programs from running anything in \windows\Temp, programs or installers that require execution in \windows\Temp will fail unless there are policies with a rule allowing execution in \windows\Temp for said programs or installers; these policies also need to appear in the Defense+ list before the “All Applications #2” policy.

Optionally, if you also wish to consider the programs within the \windows folder as trusted, then add a new Defense+ policy for file group “Windows Folder Apps”. Give it the predefined policy Trusted Application.

You may wish to allow any program that’s already running to run programs within folder \program files that can’t be written to by a user lacking admin rights. To handle this scenario, add c:\program files\* (or whatever your \program files folder is) to a new file group named “Program Files Apps”. If you’re using x64, also add c:\program files (x86)\* (or whatever your \program files (x86) folder is) to the file group “Program Files Apps”. Add the file group “Program Files Apps” to the “Run an executable” Allowed Applications of the “All Applications” Defense+ policy.

Optionally, if you also wish to consider the programs within the Program Files folder(s) as trusted, then add a new Defense+ policy for file group “Program Files Apps”. Give it the predefined policy Trusted Application.

Tips:

The first three tips are for the material covered in the first post.

  1. You can copy an existing Allowed Applications entry in a Defense+ policy to the clipboard by right-clicking it, choosing Edit, then pressing Ctrl+C. You can paste an entry from the clipboard into a file group by pressing Add, then Select From, then Browse, then press Ctrl+V.

  2. If you get an execution alert for a program that you know you will want to consider trusted, press Allow and check “Remember my answer”. If you get any alerts for the program that you wish to be considered trusted, in the alert choose “Treat this application as” “Trusted Application” and uncheck “Remember my answer”. Go into Defense+ policy and use tip #1 to define the program as a trusted program. Finally, remove the Allow execution rule that was created at the beginning of this tip.

  3. As an alternative to tip #2, if you get an alert for a program that you wish to be considered trusted, in the alert you could choose “Treat this application as” “Trusted Application” and check “Remember my answer”. This saves you from doing the work of adding the program to the appropriate trusted file group, but then you will also get an execution alert if a different program tries to execute the trusted program.

  4. You can use drag and drop in the file groups list to move commonly used file groups to the top of the list.

  5. I’ve noticed that a change in a file group’s membership doesn’t necessarily register in firewall policy quickly. As a workaround, go into Network Security Policy and press OK.

  6. If there are programs that you are suspicious of, you may use the manual sandboxing feature. Be sure to block execution of the suspicious program in an execution alert if you haven’t manually sandboxed it yet.

  7. When you’ve reached the point where there are few or no more alerts appearing, you may use the Parental Controls feature to suppress Defense+ and/or firewall alerts. This is handy when you let a novice or untrusted user use the computer.

  8. In Defense+, the policy for a given program (or programs in a file group) is separate from which programs are allowed to run the given program (or programs in a file group) without an execution alert. As an example, if you have a Defense+ policy for program firefox.exe, this by itself doesn’t allow firefox.exe to run without an execution alert. This policy states the rules for firefox.exe if it’s already running. Whether firefox.exe is allowed to run without an execution alert is determined by the “Run an executable” rules of your other policies.
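The two points made about ordering, that the “All Applications #2” policy must precede “All Applications” and that an installer needing \windows\Temp needs its own allow rule placed even earlier (second post), and that a program’s own policy is separate from the “Run an executable” rules that decide whether it may be started (tip #8), as an added PowerShell example that is not part of the original post. It models the Defense+ decision with assumed semantics inferred from the post, not taken from Comodo documentation: policies are scanned top to bottom, every policy whose file-group member matches the launching program is consulted, the first Blocked or Allowed entry matching the target wins, and if no policy decides, Paranoid Mode shows an alert. The policy set and the program paths are constructed for the example.

```powershell
# Added example (not from the original post): a simplified model of the
# Defense+ "Run an executable" decision. Semantics are an assumption inferred
# from the post: top-to-bottom scan, Blocked checked before Allowed within a
# policy, undecided launches fall through to the next policy, no decision = alert.

function Test-CisPath {
    # Comodo-style wildcard match; -like is case-insensitive and treats '\' literally,
    # so 'c:\windows\*' matches 'c:\windows\temp\helper.exe'.
    param([string]$Path, [string]$Pattern)
    return ($Path -like $Pattern)
}

function Get-RunExecutableDecision {
    param(
        [string]$Launcher,     # full path of the program that is already running
        [string]$Target,       # full path of the program it is trying to start
        [object[]]$Policies    # in the order shown in the Defense+ policy list
    )
    foreach ($p in $Policies) {
        # A policy applies only if one of its file-group members matches the launcher.
        $applies = @($p.Members | Where-Object { Test-CisPath -Path $Launcher -Pattern $_ })
        if ($applies.Count -eq 0) { continue }

        foreach ($b in $p.BlockedRun) {
            if (Test-CisPath -Path $Target -Pattern $b) { return "Blocked by '$($p.Name)'" }
        }
        foreach ($a in $p.AllowedRun) {
            if (Test-CisPath -Path $Target -Pattern $a) { return "Allowed by '$($p.Name)'" }
        }
        # Neither list matched: this policy says nothing about the target, keep scanning.
    }
    return 'Alert (no policy decided; Paranoid Mode asks)'
}

# Constructed policy list in the order the post prescribes. Only the
# "Run an executable" lists matter for this decision; the policy a program
# gets for its own actions once running (tip #8) is a separate thing.
$policies = @(
    [pscustomobject]@{
        Name       = 'Custom Trusted Installers'          # first post; sits before #2
        Members    = @('c:\temp\setup\*')
        BlockedRun = @()
        AllowedRun = @('c:\windows\temp\*')               # assumption: the rule installers need
    },
    [pscustomobject]@{
        Name       = 'All Applications #2'
        Members    = @('*')
        BlockedRun = @('c:\windows\temp\*', 'c:\windows\tasks\*', 'c:\windows\tracing\*')
        AllowedRun = @()
    },
    [pscustomobject]@{
        Name       = 'All Applications'
        Members    = @('*')
        BlockedRun = @()
        AllowedRun = @('c:\windows\*', 'c:\program files\*')   # "Windows Folder Apps", "Program Files Apps"
    }
)

# Constructed cases. Expected, under the assumed semantics:
#   1. Allowed by 'All Applications'        (#2 matches explorer but has no rule for the target)
#   2. Blocked by 'All Applications #2'     (world-writable folder, blocked before the allow)
#   3. Allowed by 'Custom Trusted Installers' (installer policy precedes #2)
#   4. Alert                                 (nothing covers a download folder)
$cases = @(
    @{ Launcher = 'c:\windows\explorer.exe';       Target = 'c:\windows\system32\notepad.exe' },
    @{ Launcher = 'c:\windows\explorer.exe';       Target = 'c:\windows\temp\unknown.exe' },
    @{ Launcher = 'c:\temp\setup\app-setup.exe';   Target = 'c:\windows\temp\helper.exe' },
    @{ Launcher = 'c:\windows\explorer.exe';       Target = 'c:\users\me\downloads\tool.exe' }
)

foreach ($c in $cases) {
    '{0} -> {1}: {2}' -f $c.Launcher, $c.Target, (Get-RunExecutableDecision @c -Policies $policies)
}
```

Swapping the first two policies in `$policies` makes case 3 come out as blocked, which is the failure the second post warns about for installers that unpack into \windows\Temp; reordering is the fix, not adding more allow rules lower in the list.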