I have a few questions, I will start with the following one, then depending on the answers ask the next few.
What is the Defense+ safe list?:
If I assume the Defense+ safe list is the sum of the Trusted Files + Computer Security Policy + Trusted Software Vendors (they use the same list but each applies different rules), would this be correct? Or does each use its own list whilst applying its own rules?
The trusted files list is a list of all files which have either been verified as safe by Comodo, thus they are recognized by hash. It also includes any files on your computer which are signed by the vendor who is in the TVL (Trusted Vendors List). Additionally any files you manually add to your white list will be found there as well.
On the Comodo_Internet Security_2012_ver5.9-5.10_User_Guide_031512.pdf it states “If an executable is unknown to the Defense+ safe list then, ordinarily, it and all its active components generate Defense+ alerts when they run.” But what happens when I add files to the Defense+ Safe List, How will CIS treat those files;
Will it prevent Defense+ Alerts displaying and let only the files in the Safe List load?
Will it prevent Defense+ Alerts displaying and let the files load and all the subsequent components, which the safe files executes?
Files that you stipulate as trusted will not become sandboxed. If a process is sandboxed and you stipulate "do not isolate again", the file is added to the trusted list.
Processes that are considered safe will generate appropriate alerts for resource access for as long as you do not stipulate that CIS should create a rule by checking ‘remember this’ If you have ‘create rules for safe applications’ checked, then no additional alerts are created, but resource access control list entries are automatically made by CIS for the process. These are generic ‘allow’ rules.
If you do NOT have ‘create rules for safe applications’ checked, then for each resource access requested CIS will generate an alert. In the former case, the resource access control will become ‘allow’; in the latter the resource access control will remain ‘ask’. For example, ‘Protected Files and Folders’ will automatically become ‘allow’ and no additional alerts will be generated for that resource; otherwise each incident of file / folder access will generate an alert and, depending on your response, a specific resource access control list entry will be made for that specific file / folder the process requests access to; the resource type will remain ‘ask’ and additional alerts can be generated if other files / folders are requested to be accessed.
I think I found the reason why CIS keeps letting some programs run, even after I delete it off the Safe List.:embarassed:. However, I will ask some more, just to be sure.
If either a safe file, a Safe Signature or a Defense+ Rule is deleted off my safe list, will CIS automatically add that signature back to my Safe List?
If yes, then,
Which feature will add the signature back to my safe list? I will disable this setting.
P.S. Thank you Chiron and WxMan1 for that information, it helped, however I’m not done yet. After somebody answers these questions I will ask about the exclusions for Execution Control Settings, then, the Antivirus exclusions.
If you remove your app from the trusted files list, but the app is distributed by the Trusted Vendor program, as soon as you run the app: presto boingo right back into Trusted Files. This is not bad!
What that does is prevent the app from being sandboxed. What you want is create a leash for the app: create a D+ rule and implement custom policy and ensure that all resource access controls are set to ‘ask’.
Now, anytime the app wants access to any system resource, an alert will be generated. Certain things are required for the app to function. If you deny the app access to whatever arbitrary system resource, the app won’t run right (or might outright crash). A good example of this would be if the app has file open functionality.
For the file open dialogue to function, you’ll probably need to grant access to Explorer.exe outright (as executable), or access Explorer in memory. This might cascade alerts, in that Explorer may want to hook the app in memory, or run a DLL as EXE, etc., any one of which may end up hooking back to the app in some fashion. Unless you have sincere belief in being compromised, this is all normal processing for that app. Once you’ve established the security baseline for the app - allow & remember this - the app will run just ducky (and never alert you again).
That being said, if you’re in ‘paranoid’ mode and a ‘safe’ app asks for access to any resource, you’ll get an alert. If you allow the access, the app runs off happy as a pea’s pod (but no rule gets created). If, instead, you remember this, then a general rule for the app gets created where ALL resource access controls are ‘ask’ and the specific resource within whatever arbitrary control
WxMan1, unfortunately, that does not work. I have a COMODO signature in the Trusted Software Vendors list and a Defense+ Rule. I explicitly created a rule, which prevents COMODO Dragon accessing some protected files and folders. However CIS still lets me access those files and folder through COMODO Dragon. I also don’t have Dragon in the Trusted Files list.
I tried the following whilst in Safe Mode with GIMP but only got some of the job done. I found the best way for me is: disable both the “Perform cloud based behavior analysis of unrecognized files” and “Automatically scan unrecognized files in the cloud” settings, also make sure the file you want to secure is deleted off the Trusted Files list and delete any signature for that file off the Trusted Software Vendors list. Then create the Defense+ Rule, then load the app; CIS immediately displays Defense+ Alerts, letting me configure the rules manually. However, when I add a rule which prevents access to a group of protected files and folders, it does not work.
e.g. CIS lets me access my image files on my USB through GIMP, even though the prevent rule is there. I don’t want this.
It does not work even in Paranoid Mode. I want it to work under Safe Mode. How can I fix this?
P.S. I should mention, CIS will prevent writing, but does not prevent reading. Might this be a bug?