Trusted Files vs policy

  1. Do I understand correctly, that Defence+ policy rules only apply to files that are not in “Trusted Files”? And that “Trusted Files” are thus allowed to behave without any restrictions?

Why I’m asking: I’d like to restrict most applications’ behaviour by defining more granular “Predefined Policies”. But if it is true that “Trusted Files” are no longer restricted by security policy rules, then many of the applications installed on the computer would just bypass the policy control. Especially as the list of trusted applications is periodically updated from Comodo, and the “Trust applications digitally signed by Trusted Software Vendors” checkbox is no longer available. So the time spent by polishing the rules would not pay back, if the rules are not followed by all applications.

On the other hand, if it is not true that “Trusted Files” bypass the security policy, then I must ask: In which sense are the “Trusted Files” trusted, if they can still be restricted by policy rules? I’ve already read e.g. https://forums.comodo.com/empty-t61611.0.html, but am not any cleverer.

  2. Is there a similar connection between “Trusted Files” and “Network Security Policy” rules in firewall (in the sense that “Trusted files” can access network without any restrictions)?

  3. What files qualify for the “Trusted Files” list? I noticed that the list contains mainly DLLs (but not exclusively). For instance, even though it contains plugins for WinAmp, it does not contain “winamp.exe”. And in another thread in the CIS forums I’ve read that non-exe files can be safely deleted from the “Trusted Files” list, because (they say) there’s no use in having them there. Is it true?

Thank you,
Martin.

I’ve found some answers.

It seems (e.g. according to https://forums.comodo.com/defense-sandbox-help-cis/should-comodo-trust-itself-t65200.0.html) that the current version of CIS does not allow changing the security policy of a program that is on Comodo’s whitelist. The only way is to disable Comodo’s cloud scan completely, which is not what I want to do.

I would like to keep using the cloud scan, but with the ability to override it with local policy rules. But Comodo seems to have chosen the opposite approach - if they decide a program is safe, we have no other chance than to trust it too. :frowning: This approach is against all usual conventions.

In the light of this CIS behaviour, creation of my own local policy rules seems a waste of time.

Thank you,
Martin.

You’re misinterpreting what is being said at your link. CIS does monitor whitelisted apps. It doesn’t ignore computer security policy for whitelisted apps. All whitelisting does is establish whether or not an app is recognized. Recognition is necessary for proper sandboxing behaviour.

The behaviour of non-sandboxed apps, i.e., those recognized as ‘safe’, is determined by computer security policy. If computer security policy is configured according to a predefined policy then those are the privileges it has. If it has a custom security policy, then each app can be customized with its own security policy.

If ‘create rules for safe apps’ is checked, then an automatic ‘custom config’ rule is created for the app when it launches, transparently to the user, without any notification. The access rights for most of the access names within computer security policy for safe apps in that case will be ‘allow’. To tightly control access rights on your system you should ensure that all process access rights are specified as ‘ask’ for each access name. From here on out you’ll get alerted for each access attempt by access name. If you allow with ‘remember this’ ticked, the exclusion list will be maintained. Anything not in the exclusion list will generate a future alert. Clearly this will generate a significant number of alerts for some apps, especially for Windows system components.

The way to deal with that is to allow - remember this - when some update process is occurring. After a sufficient number of alerts have been answered whereby a pattern can be discerned, then just leave one of the alerts hanging, open the CIS GUI and drill into the offending app. Open its custom security policy and drill into the exclusion list for the particular access name generating the repeated alerts. Alter the first existing exclusion path using wildcards and then delete all the other newly created exclusion paths. Apply your changes progressively on exit. Then uncheck the ‘remember this’ option on the hanging alert and the system should run off doing its thing. Clearly you’ll get a new alert if the path changes; most likely when dealing with protected registry entries; you’ll have to modify the paths appropriately as the subkeys/subfolders change.

Two components that really should be tightly restricted are explorer.exe and iexplorer.exe. They’re fundamental to the functionality of Windows and are mutually dependent.

The other aspect of CIS that needs to get addressed is the firewall. If ‘allow rule for safe app’ is checked, then any safe app that wants an internet connection will generate an automatic allow IP access rule for that app: allow any any any any. You should never check ‘remember this’ for any IP access attempt. You should ensure that the last rule in any app’s firewall ruleset is ‘ask & log’. Click allow to permit the IP connection attempt. Later you can review the logs, ascertain the domain name for the IP address logged, and put the IP address into app specific zones. Then create a new rule allowing IP access to that zone for the app in question.

Seems pretty O0, right? But if you are rigorous and systematic, you are training CIS to be the best :P it can be. If all of a sudden after a while you start getting bizarre alerts you’ll know something’s funky.

Thank you for your extensive answer. I understand what you said, and if my computer behaved the way you describe, I would be satisfied. But my CIS allows execution of almost any application without asking. Not of every application, but almost any. Originally I thought that this CIS behaviour is by design, which led to my post. But now it seems that something is seriously bad in my settings.

E.g., I can run telnet.exe or firefox.exe without being alerted by CIS. I’m able to execute these programs from Start->Run by explorer.exe, from cmd.exe, or from the far.exe file manager. None of these programs is in the local Defend+ Trusted Files, nor do they have an explicit allow rule in the local Defend+/Firewall security policy. Therefore I thought that they are claimed safe by the Comodo whitelist, whose content I cannot check. This hypothesis seems to be supported by the fact that when I enable Defence+/Firewall Settings → Create Rules For Safe Applications, allow rules are created immediately after the application execution. So, what’s wrong?

I hope it’s clear that I cannot consider unattended execution of telnet or firefox as a safe operation.

I use CIS 5 (the latest version 5.0.163652.1142, updated from CIS 4), both firewall and Defence+ in Safe Mode, Sandbox is enabled.

Thank you,
Martin.

P.S. On the other hand, when I try to execute which.exe, which is probably a not very common program, I’m alerted by CIS. Hence again, this seems to support the hypothesis of a problem with the global whitelist.

I understand your consternation. However, when I try to execute telnet from explorer I get a popup informing me that explorer wants to run telnet. If I try to run telnet from a command prompt I get a popup telling me that cmd wants to execute telnet.

I’m running v5.0.163652.1135 which is virtually identical except .1142 has secure DNS. I am configured with D+ proactive security in paranoid mode.

You didn’t mention your configuration or D+ mode.

FWIW, I performed the above test in safe mode and telnet executed w/out a peep from HIPS.

I have Windows XP SP3. D+ is in Safe Mode, as I’ve already written.

You say that CIS didn’t alert you when you tried to execute the telnet application? So your configuration behaves identically to mine when you are in Safe Mode?

If this is normal behaviour of CIS, then the protection provided by CIS in Safe Mode is very weak, in my opinion. It seems that there’s not much difference between CleanPC mode and Safe mode (contrary to what the documentation says). Or maybe I don’t understand the idea with which CIS was designed. Against what does CIS protect my computer? If an infection somehow manages to get inside my computer, then it suddenly gets all the means to communicate over internet, execute regedit.exe etc., even though the infected application is not marked as trusted. Or am I missing something? HIPS should protect me even in this situation.

Thank you,
Martin.

I’m sorry :-[ I missed your mention of safe mode.

The difference between D+ configurations safe and clean PC is that in clean PC mode every executable is assumed to be safe (executing w/out alerts). In safe mode the local white list is used for non-trusted files (trusted files execute automatically). If a non-trusted file is not in the local whitelist, the Comodo File Look-Up Server is queried with the file SHA1 hash against the globally recognized malware database. If it’s not found there, the globally recognized whitelist is queried. If a hit is discerned in either query the host is notified and if appropriate the local whitelist is updated (and the file executes).

If the hash is not on the latest black-list or white-list, cloud scanning technology is leveraged to determine whether the file behaves in a malicious fashion. Unrecognized files are simultaneously uploaded to Comodo’s Instant Malware Analysis servers for further checks:

Comodo server based heuristic anti-virus scan is performed. If malware is not discerned, the cloud based behavior analysis system determines whether a file exhibits malicious behavior; the unknown executable is run in a virtual environment and all actions that it takes will be monitored, e.g., processes spawned, files and registry key modifications, host state changes and network activity will be recorded; if found to be malicious then the signature of the executable is automatically added to the antivirus black list (also updating FLS blacklist) and the host is notified the file is malware otherwise the host is informed the file is NOT malware.

If the executable was not found to be malicious then it is automatically run in the sandbox on the host, simultaneously added to the local ‘Unrecognized Files’ list and transferred from CIMA servers to Comodo technicians for analysis. Analysis will either yield the file to be malicious (update FLS black-list) or non-malware (update FLS white-list).

The above process occurs for files for which no computer security policy has been created. Executables don’t run in a vacuum, i.e., something has to launch them. In paranoid mode, the alert is due to the fact that no computer security policy explicitly exists for telnet with respect to explorer or cmd. If however, in safe mode, I explicitly block telnet from executing in the explorer security profile, then I receive a Windows security message and telnet doesn’t launch. As such, in safe mode, to prevent execution of any arbitrary executable, it needs to be explicitly blocked in all security profiles. This behavior occurs by default in paranoid mode.

The above mentioned cloud-based analysis processing also occurs in paranoid mode for sandboxing purposes. But sandboxed or not, if an explicit execute right doesn’t exist for an existing security policy, an alert will be generated. For example, on my system, my security policy for explorer has 193 execute permissions; telnet is not one of them. Ping and tracert are not included as execute rights for cmd. Any time I run those apps, I get an alert. I permit the execution but do not tick ‘remember this’.

In ‘safe’ mode, whitelisted apps, e.g., ping, tracert, telnet, will automatically execute w/out alert (unless explicitly blocked w/in the security policy for explorer, cmd, etc…). I could, if I desired, create a security policy for *.bat, and block execution of any files I don’t want executed by any bat file. Safe mode may generate fewer alerts, but it’s not intrinsically less secure. If you want to micromanage security for peace of mind, change your D+ mode to paranoid.

Thank you for your long answer again.

It seems to me that we (and CIS) mix two meanings of the word “safe”. CIS considers safe every file that doesn’t contain malware. I would consider safe only files that cannot be misused. Network communication programs like telnet, Miranda, Firefox, ICQ cannot be considered safe, in my opinion. Neither can be system utilities like regedit, format, task manager, explorer etc. On the other hand, applications like image viewers, CD rippers, editors etc. can be considered safe until they try to perform an unsafe action like internet communication or overwriting of system files. This is what I always thought a HIPS should do for me. And this is what I’m trying to persuade CIS to do.

I want to divide my programs into categories, and if they do what programs of that particular category are expected to do, everything is OK and there is no need for an alert. But when they try to do something suspicious, CIS should alert me. The problem is that in Safe mode CIS “boycotts” my D+/firewall rules and without alerts it allows operations that I consider unsafe.

For instance, my file manager far.exe has an explicit rule in D+. It has all Access rights set to “ask” without exclusions. Nevertheless, CIS does not ask when far.exe tries to execute another program. I would expect that if a program has an explicit D+ rule to ask for everything, CIS would really ask, and then remember the answers as exclusions from the rule. Do you say that the only way how to get alerts from CIS is to switch to the Paranoid mode?

Paranoid mode seems to me an extreme for really paranoid users. Especially because CIS would then ask about really everything. And because I don’t know answers for all the questions it asks, though I consider myself an advanced user. “Ipx7g.dll tries to do whatever to ctfmgr.dll”. What the hell are ipx7g.dll and ctfmgr.dll, and why does the first one need to do whatever to the second one? What am I to answer? I have no idea about the purpose of these files nor about the way they work. There is no documentation. I would do more harm than good if I refused to allow the operations they are trying to do.

Thus the CIS Safe mode seems to me the best one, if only CIS respected the explicitly defined policy rules. Have I no other chance than to switch to the Paranoid mode? What would you suggest?

Thank you,
Martin.

P.S.: I understand what you were trying to explain to me in your post. But I do not want to explicitly block execution of telnet or any other programs in my rules. I only want CIS to ask me, which it does not do. And I do not want CIS to ask about everything, just about the things I explicitly specified in my D+ ruleset.

P.P.S.: In CIS4, I remember an alert saying roughly this: “X wants to execute Y. The Comodo community decided that both X and Y are safe. What do you want to do?” Now, instead, CIS simply allows execution without asking.

Do you say that the only way how to get alerts from CIS is to switch to the Paranoid mode?

Yes.

For instance, my file manager far.exe has an explicit rule in D+. It has all Access rights set to “ask” without exclusions. Nevertheless, CIS does not ask when far.exe tries to execute another program. I would expect that if a program has an explicit D+ rule to ask for everything, CIS would really ask, and then remember the answers as exclusions from the rule.

Use paranoid mode; you’ll get an alert each time far.exe wants to launch something. If it’s something like telnet and that’s reasonable, then you can allow (but not ‘remember this’). Next time it launches telnet, you’ll get alerted again. If you choose ‘remember this’, it’ll launch it automatically.

If you launch an app and begin to receive alerts, the logical conclusion - should your system be clean - is that all those alerts are related to normal functioning of the app. By ticking allow and ‘remember this’ you develop a security baseline for that app. Several months later far.exe wants to elevate privileges for ipx7g.dll. What’s up with that? Most likely far.exe has been updated / upgraded and it has new functionality. Otherwise it has been compromised or shell-code injection is taking place. Or something.

IF it has been compromised - hijacked - then the SHA1 hash will not match what is in the local whitelist hash database and it won’t matter if far.exe is a trusted app; it’ll go through the cloud process gyrations I described previously - and a more comprehensive description can be found in online help - and most likely be deemed as malicious. Even if not deemed malicious it’ll get sandboxed. It doesn’t matter even if the vendor is in the default trusted vendor list (or user custom added). If either the image SHA1 hash or the CA issued digital signature doesn’t match, CIS will clamp down on the thing like a dog in heat.

Just recently had an issue with Ad-Aware v 8.3.5 where they ■■■■■■■ up the CA issued digital signature. Despite Lavasoft being an out-of-the-box trusted vendor, CIS branded it as ‘unrecognized’ and sandboxed the dagnabbed thing. In short order Lavasoft released an incremental update that fixed the digital signature and AAW began to function again according to the baseline security policy established for AAW.

If it’s too daunting of a task to research obscure alerts, then your only option is to rely on the cloud based analysis inherent in ‘safe’ mode. You said in a previous version the alert said: “X wants to execute Y. The Comodo community decided that both X and Y are safe. What do you want to do?” so you were relying on some opinion originally in some fashion. With cloud computing malware assessment it’s essentially the same thing; you are, however, availing yourself of a much wider pool and one that is strictly empirically objective rather than subjective opinion of users. That’s because the empirical measurement is founded upon heuristic behaviour analysis. It is occurring in real time across the globe.

Telnet can’t launch by itself just as 10 Oxycontin tabs can’t get into your system by themselves. Each Oxycontin tab is safe on its own. Your argument is that the pillbottle is at fault for allowing you to take 10 at once. I believe we’re arguing semantics. An app that is not malware is safe in so far as it’s used. There has to be a root app to launch telnet. Even if explorer has permission to launch telnet, something has to access explorer in memory to avail itself of explorer’s inherent functionality to launch telnet. If ctfmgr.dll wants to do that, it foundationally must be on the whitelist for its actions to occur transparently to the user. IF it is an unrecognized app, it goes through the cloud computing assessment, and it’s discovered that it accesses explorer in memory, launches telnet and establishes an IP connection to OldMenDotheNatyToYoungBoys.com and uploads all your credit card numbers: that gets blacklisted in a heartbeat (no harm no foul); telnet is still safe and so is explorer.

You’re never going to have the occurrence that notepad.exe launches telnet transparently and initiates a backdoor connection somewhere. CIS will recognize that notepad is masquerading as a legit app and lock it down. That can only occur if the notepad at issue is living in some other folder than the legit notepad does, or the legit notepad got overwritten. And before that can happen, a dropper has to perform the action of overwriting the legit notepad. Not only that, but how did the corrupted notepad get launched in the first place? It’s virtually impossible for you to run a corrupted version of notepad; a lot of hurdles to crawl under there Maynard.

I suppose it’s possible if you download VeryCoolGuyApp from HackedWarezRUs.com, and you blindly trust all installers and give the installer carte blanche permission, you can install a root kit onto your system. You want CIS to prevent your irresponsible behaviour?

It seems that you want CIS to provide UAC functionality. That functionality can be obtained explicitly via CIS D+ paranoid mode. Otherwise I do not see what your objection is that CIS doesn’t alert you that you manually executed telnet from any number of avenues for whatever reason that you have. As far as you not being responsible enough to familiarize yourself with normal functioning of your system and to research alerts on the internet, then you can’t be helped; safe mode is your only option.

Case in point: you get an alert that j3salv.dll wants elevated permissions. What is that? A quick look on the internet shows that it is Microsoft OFD Jet3.5 salvage and is a component of the software Microsoft Money version 11.0.716 by Microsoft Corporation. MS is a trusted vendor. In ‘safe’ mode there’d be no alert, but in paranoid mode you’d see CIS complaining about that. So do you allow or deny? Well, gee this is hard. If the last thing you did was something in MS Money, it would not be totally unreasonable to allow and ‘remember this’ (unless you want to be alerted every time you do that). If you weren’t doing something with MS Money a big red warning flag snapping in the hurricane winds should be aflutter. Perhaps it’s as innocuous as something related to MS Money updating itself. The onus is upon yourself to ascertain the validity of what’s occurring on your system. That means you should be familiar with normal processes and recognize something out of the ordinary. If that’s too intimidating, then ‘safe’ mode is your only option.

You’re accountable for the security of your system. You can delegate responsibility to CIS, but if it makes a mistake and allows something in that it shouldn’t have, you are accountable; it’s ultimately your fault. Safe mode is the best option for the least amount of alerts in conjunction with the least amount of brainpower required of the user.

Hello and thank you for your answer.

So, I’ll summarize my view of various CIS modes according to my current knowledge:

“CleanPC mode” seems literally dangerous to me, because it gives you a false feeling of security. It’s inherently insecure because if a malware succeeds in getting onto your hard drive, it is considered trusted by CIS from then on. And due to plenty of security bugs in various software, malware has plenty of opportunities to get there.

“Safe mode” seems insecure to me in the sense that a single wrong decision can compromise the whole computer. Without the ability to learn that the computer is compromised.

E.g. I do not install warez, but I do install freeware utilities made by various authors. I cannot be sure that these programs do not contain malware; but even if they did, I expect CIS to alert me that an installed application tries to cross the privileges given to it by its category.

“Paranoid mode” is also insecure, because it depends on my unqualified decisions. Not even experts can answer all CIS questions without hesitation, and what about an ordinary user? Most of the executables and dll libraries installed on my computer are undocumented, and I have no idea about their purpose, let alone the way they work. When an unknown dll wants to access another unknown dll, I have only two clues what to do: To check whether CIS considers these executables safe, and check the directory in which they are installed. If a malware masks itself e.g. as a plugin, would the alert “X tries to execute an unknown dll Y” be sufficient for me to deny the attempt?

E.g. the day before yesterday I ran a safe program with my unknown (according to CIS) but freshly installed file manager. At the same moment the file manager tried to access Firefox, then it tried to modify windows\system.ini, and then it tried to modify the content of the program being executed. I blocked all these attempts, immediately rebooted to another partition and performed a full scan of all disks with the Symantec antivirus. Then I rebooted back and repeated the scan with Avast. Nothing wrong was found by either Symantec, Avast or CIS. What was that? It looked like a clear virus attack, but probably this is a normal behaviour of the program (as this is a text-mode program). Later, when I allowed the modifications to pass, the contents of the files were untouched. Another problem is that this file manager executable has already been submitted to Comodo for months, but it is still unknown to CIS.

Well, the “hitparade” of CIS modes above was based mainly on my ignorance of how exactly CIS works. It may change if I learn more.

For instance, what happens if a bug in a “safe” (by CIS) internet application is successfully exploited. Will CIS consider this hacked in-memory process still safe? I guess that yes, which would result in that this process would be able to write whatever it wants to the disk.

Or another thing: CIS submits suspicious files for analysis to CIMA servers. But these files are analysed in isolation, though in reality they cannot run without libraries. To what extent, then, can the analysis be trusted to reveal the harmful character of an application? In other words, when CIS claims the file to be safe, can I be really sure that it is not malicious?

What I’ve written is not to say that CIS is useless! Sure, (at least) better to have some security than none ;-). But I feel there’s a huge gap between the Safe and Paranoid CIS modes, which I would appreciate to be filled with another mode as I described in my previous posts. But this is just a sigh. I don’t expect CIS to be enhanced in this way just because of me :-(.

Martin.

Read Unknown Files: The Sand-boxing and Scanning Processes in the online help pages. Then you will see that buffer overflow detection precedes the decisions as to whether a file is safe or not.


Eric, safe applications are not sandboxed. And I guess that the scan is performed on the on-disk file only, not on the already running process read into the memory. In my question I am asking about hacking a process, not about hacking an executable file.

Concerning buffer overflow, this is probably the most common way how an application can be compromised, but surely not the only way. Even with the buffer overflow protection active a process can be hacked.

My opinion is that no protection is bulletproof, and hence there should be other protections acting in the second line. But with the concept of centrally determined safe files that cannot be overridden (with the exception of the Paranoid mode), Comodo effectively put these second-line protections out of play.

Martin.

CIMA never classifies files as safe, it only checks to see if the file has any obvious behaviors of malware and if it does it will update the signatures automatically. When something is actually marked as safe, it means someone (human) has looked at the file and determined it to be safe. At least this is what I know.

That’s not what I said.

And I guess that the scan is performed on the on-disk file only, not on the already running process read into the memory. In my question I am asking about hacking a process, not about hacking an executable file.

Concerning buffer overflow, this is probably the most common way how an application can be compromised, but surely not the only way. Even with the buffer overflow protection active a process can be hacked.

Then still a buffer overflow needs to be produced. The BO will most likely be seen by BO protection. What other attack vectors are you referring to here?

My opinion is that no protection is bulletproof, and hence there should be other protections acting in the second line. But with the concept of centrally determined safe files that cannot be overridden (with the exception of the Paranoid mode), Comodo effectively put these second-line protections out of play.

Please be more specific about what attack vectors are not properly covered by CIS.
What other attack vectors are you referring to here?

For instance, I remember a bug in IE (or Firefox?) a long time ago, when the browser incorrectly interpreted the mime-type of a file included as an image in a HTML site. A malicious site was able to submit code instead of an image and force the browser to execute it. (This was a long time ago, so the details may be incorrect.) I doubt this was a BO attack.

Please be more specific about what attack vectors are not properly covered by CIS.
I don't know what else CIS does to protect us apart from BO protection. But "Never say never" is a good rule to follow. If you offer a sufficiently attractive prize, I'm sure someone will hack you even with you having CIS running and properly configured. ;) Edit: I didn't read my own post carefully, so I was answering something else. I know that CIS checks checksums of all files before they are executed, and that malware must write itself somewhere to the filesystem in order to stay active even after reboot. But I'm not convinced that the checksums alone are sufficient to prevent the malware from staying active. I presented my arguments above and in my previous posts.
Eric, safe applications are not sandboxed.
That's not what I said.
But I was asking about what happens when a safe (hence not sandboxed) application gets hacked.
Martin.

Not sure any firewall can fix other program’s bugs. That’s why humans still fix bugs.:wink: If it would trigger a BO though then it would most likely be caught.

I don't know what else CIS does to protect us apart from BO protection. But "Never say never" is a good rule to follow. If you offer a sufficiently attractive prize, I'm sure someone will hack you even with you having CIS running and properly configured. ;) Edit: I didn't read my own post carefully, so I was answering something else. I know that CIS checks checksums of all files before they are executed, and that malware must write itself somewhere to the filesystem in order to stay active even after reboot. But I'm not convinced that the checksums alone are sufficient to prevent the malware from staying active. I presented my arguments above and in my previous posts.
Relevant registry keys are protected so it should not be able to start on boot.
That's not what I said. But I was asking about what happens when a safe (hence not sandboxed) application gets hacked.

Then the program that does the hacking should have been allowed in the first place. It either would have been sandboxed and then it cannot (see http://help.comodo.com/topic-72-1-155-1184-Unknown-Files---The-Sand-boxing-and-Scanning-Processes.html):

the Sandbox restriction level set for an application, Defense + also implements the following restrictions. A sandboxed application cannot:

Access non-sandboxed applications in memory

Access protected COM interfaces

Key log or screen capture

Set windows hooks

Modify protected registry keys (if virtualization is enabled)

Modify EXISTING protected file (if virtualization is enabled).


Or you gave an unknown program the permission to do something to the other program in the first place. It is not possible to totally take the user out of the equation.

In the above you stated CIS would not follow if you changed a custom rule. To have it follow your custom rules make sure that the custom rules are above the “All Applications” rule in Computer Security Policy → Defense + rules. All rules that are under the “All Applications” rule will follow the rule set by “All Applications” rule; they subordinate when there. The same is true for firewall rules.

After moving the rules as described above you may get closer to the type of control you seem to be after, without having to go to Paranoid Mode. Now that you have gained control by putting the rules in the appropriate place, you should be able to start editing the custom rules to your liking. You should now also be able to enable protection settings for every program you want.

On an important side note: Comodo tested the CIS v5 sandbox during development by throwing 15,000 malware samples at it. None of them could infect the system. They could drop files in harmless places but not in relevant places, nor would they survive a reboot. Notice this is without using the AV. Not bad if you ask me.

The one thing I have noticed that is a problem in some instances, especially with rogue apps: some of them use .job files instead of messing with the registry to start themselves at startup, and it seems to me that the CIS sandbox does nothing to stop these from being created. This might be something for Egemen to look into.

Not sure any firewall can fix other program's bugs.
A long time ago I was using ThreatFire. At that time it was clashing with Avast and causing system instability, so I uninstalled it. Nevertheless, the "motto" behind ThreatFire was that it is not so important to prevent an infection, but to prevent the infection from doing any harm. Thus, ThreatFire was focused (at that time; I don't know whether this has changed since then) on monitoring applications for suspicious activities (in a different sense than CIS does it). The big difference in comparison to CIS was that TF monitored even whitelisted files. And this is what I miss in CIS (apart from Paranoid mode).

You’re still arguing that checking file hashes is sufficient to detect all malware. I’m not convinced, and I’ll give you another argument (that I have already mentioned anyway):

I have an almost new installation of Windows XP Pro, with only the basic programs installed (like office programs, media players, image viewers etc.), all from credible authors and sources. Even in this case I have hundreds of unrecognized files in CIS (currently about 150 on the system disk, even after performing Unrecognized Files → Lookup against the Comodo safe list). Most notably there are native images of various Microsoft .NET assemblies among them, several C:\Windows\installer\*.tmp files (what are these?), some components of Secunia PSI, Cobian Backup etc.; a few days ago there were also updates of various Lenovo/IBM ThinkVantage utilities. And what if I were a geek and was keen on installing various software gadgets? Do I not deserve to be protected?

On an important side note. Comodo tested CIS v5 sandbox during development by throwing 15,000 malwares at it. None of them could infect the system.

I’m not in doubt that CIS is technically excellent. What I say is that its interaction with users is problematic. Either it bypasses them (in Safe mode and below), or it heavily depends on their feedback. Nothing in between.

In the above you stated CIS would not follow if you changed a custom rule. To have it follow your custom rules make sure that the custom rules are above the "All Applications" rule in Computer Security Policy --> Defense + rules. All rules that are under the "All Applications" rule will follow the rule set by "All Applications" rule; they subordinate when there. The same is true for firewall rules.

After moving the rules as described above you may get closer to the type of control you seem to be after, without having to go to Paranoid Mode. Now that you have gained control by putting the rules in the appropriate place, you should be able to start editing the custom rules to your liking. You should now also be able to enable protection settings for every program you want.

I have (and always had) it set the way you describe. The problem is (as WxMan1 pointed out), that in order to get alerts for applications denoted as safe by Comodo, you have to switch to the Paranoid mode. In the Safe mode - no matter what - you cannot force CIS to alert you for suspicious behaviour of safe applications. Because in the Safe mode CIS seems to work the following way:

  • If an application has an explicit rule for allow or deny, CIS allows or blocks it according to the rule.
  • If however it has an explicit rule for “ask”, CIS does not ask the user, but instead it consults the list of safe applications (both local and global).
  • If the application is found safe, CIS does not alert (even though the rules specify it should). You are alerted only when the application is unknown.

In my opinion it would suffice to correct this behaviour as follows:

  • If an application has an explicit rule for “ask”, CIS should follow the rule, without regard to the safe file list, though the list could be used to help the user make the correct decision. (CIS already does this in the Paranoid mode.)

  • If desirable, this behaviour could be enabled by a checkbox.

    Martin.
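A toy model of the rule evaluation the two posts above describe (custom rules ordered relative to the “All Applications” rule, and Safe mode silently resolving an “ask” rule for a whitelisted program), written here as an added example in Python; it is neither Comodo’s code nor anything from this thread. The action and file names, the sample safe list, and treating an action no rule covers as “ask” are assumptions of the model.

```python
# Added example, not Comodo's code: a toy model of the Defense+ rule
# evaluation described in this thread. Two points are reproduced: rules are
# matched top to bottom, so a custom rule below the "All Applications"
# catch-all is shadowed; and in Safe mode an "ask" rule is silently turned
# into "allow" for a safe-listed program, while Paranoid mode (or the
# checkbox proposed above) alerts the user. Actions no rule covers are
# treated as "ask" (assumption; the thread does not say what CIS does).
from dataclasses import dataclass

ALL_APPS = "All Applications"   # the catch-all rule's application name


@dataclass(frozen=True)
class Rule:
    app: str       # executable name, or ALL_APPS for the catch-all rule
    action: str    # an Access Rights action, e.g. "modify_protected_files"
    verdict: str   # "allow", "block" or "ask"


def first_match(rules, app, action):
    """Return the first rule (top to bottom) that covers app and action."""
    for rule in rules:
        if rule.app in (app, ALL_APPS) and rule.action == action:
            return rule
    return None


def decide(rules, app, action, safe_list, mode, ask_overrides_safe=False):
    """Return (verdict, alerted). mode is "safe" or "paranoid";
    ask_overrides_safe models the checkbox proposed in the thread."""
    rule = first_match(rules, app, action)
    verdict = rule.verdict if rule else "ask"
    if verdict in ("allow", "block"):
        return verdict, False          # explicit allow/deny is honoured as-is
    if mode == "paranoid" or ask_overrides_safe:
        return "ask", True             # the "ask" rule is followed literally
    if app in safe_list:
        return "allow", False          # Safe mode: safe list overrides "ask"
    return "ask", True                 # unknown application: user is alerted


# Constructed sample data: firefox.exe stands in for a whitelisted program.
SAFE_LIST = {"firefox.exe"}
ACTION = "modify_protected_files"
# Custom rule placed *below* the catch-all: it is never reached.
SHADOWED = [Rule(ALL_APPS, ACTION, "allow"), Rule("firefox.exe", ACTION, "ask")]
# Custom rule placed *above* the catch-all: reached, but Safe mode ignores it.
ORDERED = [Rule("firefox.exe", ACTION, "ask"), Rule(ALL_APPS, ACTION, "allow")]
```

Running `decide(ORDERED, "firefox.exe", ACTION, SAFE_LIST, "safe")` returns `("allow", False)`, the silent allow complained about above; the same call with `mode="paranoid"` or `ask_overrides_safe=True` returns `("ask", True)`.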
    

TF is a behaviour blocker. CIS has a behaviour blocker by means of the cloud, but not a local one like TF or Mamutu.

You're still arguing that checking file hashes is sufficient to detect all malware. I'm not convinced, and I'll give you another argument (that I have already mentioned anyway):
Don't think I stated that. Signatures fall short when it comes to detecting malware. But Default Deny should save the day. If malware would run it would not be on the white list. So you would be alerted if it would try to unduly influence other programs.

If you happen to find something that goes under the radar of CIS please report it. Comodo always wants to know those things so they can be fixed.

I have an almost new installation of Windows XP Pro, with only the basic programs installed (like office programs, media players, image viewers etc.), all from credible authors and sources. Even in this case I have hundreds of unrecognized files in CIS (currently about 150 on the system disk, even after performing Unrecognized Files -> Lookup against the Comodo safe list). Most notably there are native images of various Microsoft .NET assemblies among them, several C:\Windows\installer\*.tmp files (what are these?), some components of Secunia PSI, Cobian Backup etc.; a few days ago there were also updates of various Lenovo/IBM ThinkVantage utilities. And what if I were a geek and was keen on installing various software gadgets? Do I not deserve to be protected?
Your point, other than being concerned, being? I understand your concern about possible intrusions, but I am having a hard time technically understanding what intrusions would be getting under the CIS radar.
I'm not in doubt that CIS is technically excellent. What I say is that its interaction with users is problematic. Either it bypasses them (in Safe mode and below), or it heavily depends on their feedback. Nothing in between.
That's the very nature of any HIPS based firewall. Using the sandbox in conjunction with default deny takes away a lot of decisions. Even without sandbox the white list still takes away a lot of work. But it is the nature of the HIPS beast to be on the talkative side of things.
I have (and always had) it set the way you describe. The problem is (as WxMan1 pointed out), that in order to get alerts for applications denoted as safe by Comodo, you have to switch to the Paranoid mode. In the Safe mode - no matter what - you cannot force CIS to alert you for suspicious behaviour of safe applications. Because in the Safe mode CIS seems to work the following way:
  • If an application has an explicit rule for allow or deny, CIS allows or blocks it according to the rule.
  • If however it has an explicit rule for “ask”, CIS does not ask the user, but instead it consults the list of safe applications (both local and global).
  • If the application is found safe, CIS does not alert (even though the rules specify it should). You are alerted only when the application is unknown.

In my opinion it would suffice to correct this behaviour as follows:

  • If an application has an explicit rule for “ask”, CIS should follow the rule, without regard to the safe file list, though the list could be used to help the user make the correct decision. (CIS already does this in the Paranoid mode.)

  • If desirable, this behaviour could be enabled by a checkbox.

    Martin.
There is something to be said for having that behaviour back in Safe Mode and having a choice to enable it. Egemen stated there would be changes to Image Execution Settings in a post-v5.0 release. Maybe being able to get alerted to a program starting other programs will be back in Safe Mode. You can start a wish topic about it. I will give a +1 there.
    
CIS has behaviour blocker by means of cloud but not local like TF or Mamutu.
The part of D+ that monitors applications for whether they try to execute another application, overwrite a protected file or registry key, modify the memory of another application etc. (simply any action listed on the Custom Policy -> Access Rights tab). I would call this a local behaviour blocker, though it does something different than TF. And this is what I meant when I wrote:
The big difference in comparison to CIS was that TF monitored even whitelisted files. And this is what I miss in CIS (apart from Paranoid mode).
(But you were probably talking about heuristic analysis.)
I have an almost new installation of Windows XP Pro, with only the basic programs installed (like office programs, media players, image viewers etc.), all from credible authors and sources. Even in this case I have hundreds of unrecognized files in CIS (currently about 150 on the system disk, even after performing Unrecognized Files -> Lookup against the Comodo safe list). Most notably there are native images of various Microsoft .NET assemblies among them, several C:\Windows\installer\*.tmp files (what are these?), some components of Secunia PSI, Cobian Backup etc.; a few days ago there were also updates of various Lenovo/IBM ThinkVantage utilities. And what if I were a geek and was keen on installing various software gadgets? Do I not deserve to be protected?
Your point, other than being concerned, being? I understand your concern about possible intrusions, but I am having a hard time technically understanding what intrusions would be getting under the CIS radar.

An example of such a possible scenario, according to my current knowledge, is like this:

  1. A process of a safe application gets hacked by malware.
  2. The application being safe allows the process to do various potentially dangerous actions (including modification of protected files) unspotted. The malware uses this privilege for writing itself into some critical areas in order to survive.
  3. When the malware is executed from disk, it may or may not cause a CIS alert of an unknown program being executed. (E.g. does CIS block an unknown service being started at the Windows start when no user is logged on?) But even if CIS alerted the user, the user may allow the execution anyway.

At this point you say that it is the user’s fault if he allows an unknown program to run. But my point is that with so many unknown programs on disk it may be hard to avoid execution of a malicious program. And this can be even worse in the Paranoid mode, when CIS asks about everything.

The cure that I suggest is that even when a safe application tries to modify protected areas, the user would be alerted by CIS. I would be much more suspicious when firefox.exe tries to write something into %windir%\system32 than when an unknown application residing in %windir%\system32 is later executed.

That's the very nature of any HIPS based firewall. Using the sandbox in conjunction with default deny takes away a lot of decisions. Even without sandbox the white list still takes away a lot of work. But it is the nature of the HIPS beast to be on the talkative side of things.

No, it is not. First, D+ is said to be one of the noisiest HIPS. Second, the world is not black-and-white. It is not necessary either to allow all or to deny all. Instead of putting so much emphasis on the whitelist, I would prefer to be able to define policies of various degrees of “allow something”. This can be done in the Paranoid mode, but does not work correctly in the Safe mode, as I have said many times before.

There is something to be said for having that behaviour back in Safe Mode and having a choice to enable it. Egemen stated there would be changes to Image Execution Settings in a post-v5.0 release. Maybe being able to get alerted to a program starting other programs will be back in Safe Mode. You can start a wish topic about it. I will give a +1 there.
Well, I'll do it, and let you know.