Hi,
When you set an application as trusted, what if the .exe, or a file attached to it, gets hijacked/infected?
Won’t the malware/spyware etc. have full access to the internet, or how does this work?
Is Defense+ protecting this?
Hi,
Any application added to Defense+, either as trusted or otherwise, will be protected by Defense+. If the file is modified, etc. by a virus, you will be informed of the change.
Mike
Mike is absolutely right.
Thanks, so I should just let all my known applications be trusted?
And I will still be protected…?
I guess caution should be paid if you use the installer/updater policy and install mode.
If a program overwrites trusted executables using that policy, it's game over.
Normally you get warned if something tries to modify/delete/add one of the file types in My Protected Files, so you shouldn't need to worry unless you allow the malware to modify (infect) the file.
But to answer your question: as CFP 3 doesn't ask for permission again for everything after the file has been changed, it'll have the same permissions as before. So if it's set to trusted, it'll be able to do anything except launching other executables.
But CFP 3 will still protect it from termination, and all the other protections for the other files are active (if enabled).
The pending files list is currently enabled only in Clean PC mode, so the installer policy should be used only for trusted setups. Since the installer policy doesn't show any alert (if I recall correctly) and the pending files list is disabled in most D+ modes, there is no way to know if an existing executable was updated. Last time I checked, existing policies will be applied to executables even if they are listed in the pending list.
So the pending list was also useful for looking at whether any unrelated file was modified.
I guess that in V3.0.16 the best option is to use Clean PC mode and look at the pending files list for any suspect file modification.
It wouldn't be bad if Defense+ and Firewall in CFP 3 used MD5 signatures, like 2.4 does!
For changes made to executables, you will be notified at the time the executable is being changed, provided that executables are included in your protected files, and also that your policy for the program making the change has not allowed changes to be made to executables (by using ‘Installer or Updater’ policy, etc).
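The posts above turn on one question: does the HIPS notice when a file it already trusts is changed on disk? CFP 2.4 answered that with an MD5 of the executable; the CFP 3 notification depends on the protected-files policy at the moment of the write. The script below is an added example, not Comodo code and not something CFP 3 ships: it keeps its own digest baseline of a list of trusted executables and reports any that were modified or removed since the baseline was taken, independent of which Defense+ mode or policy allowed the write. The file names, contents and the "infection" steps in `demo()` are constructed for the example; SHA-256 is used in place of the MD5 that 2.4 used, since MD5 collisions are practical today.

```python
# Added example (not Comodo's code): keep a hash baseline of trusted
# executables so that on-disk modification is detectable even when the
# HIPS re-applies the old policy to a changed file.  SHA-256 is used
# rather than the MD5 that CFP 2.4 used; MD5 is collision-prone.
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries don't load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record digest and size for every trusted file; returns a JSON-able dict."""
    return {
        os.path.abspath(p): {
            "algo": algo,
            "size": os.path.getsize(p),
            "digest": file_digest(p, algo),
        }
        for p in paths
    }


def save_baseline(baseline, out_path):
    """Persist the baseline; keep this file somewhere the trusted apps cannot write."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path, "r", encoding="utf-8") as f:
        return json.load(f)


def check_baseline(baseline):
    """Return (path, status) for every baselined file that no longer matches."""
    findings = []
    for path, rec in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
        elif file_digest(path, rec["algo"]) != rec["digest"]:
            findings.append((path, "modified"))
    return findings


def demo():
    """Constructed scenario: three fake 'executables', baseline them, then tamper."""
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed sample contents, not real binaries
            "app.exe": b"MZ" + b"\x00" * 30 + b"original code",
            "helper.dll": b"MZ" + b"\x00" * 30 + b"helper code",
            "updater.exe": b"MZ" + b"\x00" * 30 + b"updater",
        }
        paths = []
        for name, data in files.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)

        baseline_file = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(paths), baseline_file)
        baseline = load_baseline(baseline_file)
        before = check_baseline(baseline)  # clean run: nothing reported

        # 1) appended payload: size changes, so even a size check would catch it
        with open(paths[0], "ab") as f:
            f.write(b"<injected>")
        # 2) same-length overwrite: size unchanged, only the digest catches it
        with open(paths[1], "r+b") as f:
            f.seek(len(files["helper.dll"]) - 4)
            f.write(b"CODE")
        # 3) trusted file deleted
        os.remove(paths[2])

        after = [(os.path.basename(p), s) for p, s in check_baseline(baseline)]
        return before, sorted(after)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. The baseline only sees files: a program that is exploited in memory (the buffer-overflow case raised later in this thread) leaves the on-disk hash intact, so a clean check is not proof that the process is clean. And the baseline file itself must live where the trusted applications cannot rewrite it, otherwise an installer-policy overwrite of the executable can be paired with an overwrite of the baseline.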
Unfortunately, there is a way for rogue code to execute without modifying any of your files on disk. It is the class of vulnerabilities known as buffer overflows. If you are victimized by a buffer overflow, Comodo Firewall will not detect it, and the buffer overflow code will be allowed to do whatever the process with the buffer overflow is allowed to do.

Therefore, I lock down most Internet-facing programs, and also programs that use data files that I get from the Internet. By this I mean that I run the Internet-facing program for a while, exercise its functionality in order to let Defense+ train on what the program needs to do, and then set most Defense+ settings that are still set to Ask to Block instead. Protected Files/Folders, however, I keep on Ask, because training doesn't apply to protected files/folders (except during part of computer boot). Also, sometimes I deny a program rights to some things it requests, such as keyboard access, that may be abused by malicious code. If something doesn't work right with the program, I look at the Defense+ logs to see if I need to allow something that was blocked.

Failure to do this locking down of programs that might suffer buffer overflows, in conjunction with using modes that allow Defense+ and/or Firewall to train, will cause Defense+ and/or Firewall to also train when buffer overflow code is run! For the same reason, I recommend against using the predefined Defense+ policy Trusted Application on programs that might suffer buffer overflows. I also recommend using Comodo Memory Firewall, a free separate product, to protect against (hopefully most) buffer overflows.