Trusted File still logging as blocked in Defense+

SysInternals Process Explorer (procexp64.exe) is set as a Trusted File, with full access, yet Comodo STILL keeps flagging it for Memory Access on all of Comodo’s executables.

If a file is TRUSTED, why is this happening?

And why don’t the #s clear when the logs are cleared?

This is because of the HIPS settings for Comodo files; you can find the settings here:

1. Advanced Settings
2. Security Settings
3. Defense+
4. HIPS
5. HIPS Rules
6. Find “COMODO Internet Security” rule
7. Right-click it and click “Edit”
8. The new window should have “Access Rights” tab open, go to the other one called “Protection Settings”
9. See “Interprocess Memory Accesses” is Activated, you can disable it or define Exclusions

Sorry if the instructions are sort of lacking, kind of doing something at the moment but I hope you can figure it out from the instructions above!

Please note 9. See “Interprocess Memory Accesses” is Activated, you can disable it or define Exclusions

If you disable it, you are disabling CIS self protection.

Sorry I forgot to mention that, I really wouldn’t modify the Protection Settings for CIS, just wanted to point out that it can be done.

You’re still missing my point - if I define a file as TRUSTED, it should be just that.

I should be able to define what a program can and cannot do. I don’t want to disable CIS self-protection, but I want the flagging of this process to stop.

Simple as that.

I don’t understand why Comodo has been making things more and more difficult for users.

Denying memory access does not change how Process Explorer functions. One could argue with wj32 that the coding of PE is deficient that it keeps on trying to get memory access even though it is denied.

CIS/CFP has always had memory access protection for its executables since v3 (I cannot speak for v2 as I never used it).

If you want the flagging to stop you will have to allow memory access for PE. That is a minor risk but acceptable risk.

V7 will bring filtering to the logs. So you can easily filter superfluous amounts of events.

I thought V6.x already had log filtering? I’m pretty sure I used it in V6.3 at least… Something I’d like for the log filters though is an option to make them stick because currently they are cleared after you close the logs.

Log filtering is not really a solution for this problem since Process Explorer attempts this memory access about once every SECOND (on average), so the log will not contain much else before it gets full, unless you let it grow to a HUGE size.
(My D+ log contains about 13.000 occurrences of THIS event at this moment, after a couple of hours of system uptime.)