“Do you say that the only way to get alerts from CIS is to switch to the Paranoid mode?”
Yes.
“For instance, my file manager far.exe has an explicit rule in D+. It has all Access rights set to “ask” without exclusions. Nevertheless, CIS does not ask when far.exe tries to execute another program. I would expect that if a program has an explicit D+ rule to ask for everything, CIS would really ask, and then remember the answers as exclusions from the rule.”
Use paranoid mode; you’ll get an alert each time far.exe wants to launch something. If it’s something like telnet and that’s reasonable, then you can allow (but not ‘remember this’). Next time it launches telnet, you’ll get alerted again. If you choose ‘remember this’, it’ll launch it automatically.
If you launch an app and begin to receive alerts, the logical conclusion - should your system be clean - is that all those alerts are related to normal functioning of the app. By ticking allow and ‘remember this’ you develop a security baseline for that app. Several months later far.exe wants to elevate privileges for ipx7g.dll. What’s up with that? Most likely far.exe has been updated / upgraded and it has new functionality. Otherwise it has been compromised or shell-code injection is taking place. Or something.
IF it has been compromised - hijacked - then the SHA1 hash will not match what is in the local whitelist hash database and it won’t matter if far.exe is a trusted app; it’ll go through the cloud process gyrations I described previously - and a more comprehensive description can be found in online help - and most likely be deemed as malicious. Even if not deemed malicious it’ll get sandboxed. It doesn’t matter even if the vendor is in the default trusted vendor list (or user custom added). If either the image SHA1 hash or the CA issued digital signature doesn’t match, CIS will clamp down on the thing like a dog in heat.
Just recently had an issue with Ad-Aware v 8.3.5 where they ■■■■■■■ up the CA issued digital signature. Despite Lavasoft being an out-of-the-box trusted vendor, CIS branded it as ‘unrecognized’ and sandboxed the dagnabbed thing. In short order Lavasoft released an incremental update that fixed the digital signature and AAW began to function again according to the baseline security policy established for AAW.
If it’s too daunting of a task to research obscure alerts, then your only option is to rely on the cloud based analysis inherent in ‘safe’ mode. You said in a previous version the alert said: “X wants to execute Y. The Comodo community decided that both X and Y are safe. What do you want to do?” so you were relying on some opinion originally in some fashion. With cloud computing malware assessment it’s essentially the same thing; you are, however, availing yourself of a much wider pool and one that is strictly empirically objective rather than subjective opinion of users. That’s because the empirical measurement is founded upon heuristic behaviour analysis. It is occurring in real time across the globe.
Telnet can’t launch by itself just as 10 Oxycontin tabs can’t get into your system by themselves. Each Oxycontin tab is safe on its own. Your argument is that the pillbottle is at fault for allowing you to take 10 at once. I believe we’re arguing semantics. An app that is not malware is safe in so far as it’s used. There has to be a root app to launch telnet. Even if explorer has permission to launch telnet, something has to access explorer in memory to avail itself of explorer’s inherent functionality to launch telnet. If ctfmgr.dll wants to do that, it foundationally must be on the whitelist for its actions to occur transparently to the user. IF it is an unrecognized app, it goes through the cloud computing assessment, and it’s discovered that it accesses explorer in memory, launches telnet and establishes an IP connection to OldMenDotheNatyToYoungBoys.com and uploads all your credit card numbers: that gets blacklisted in a heartbeat (no harm no foul); telnet is still safe and so is explorer.
You’re never going to have the occurrence that notepad.exe launches telnet transparently and initiates a backdoor connection somewhere. CIS will recognize that notepad is masquerading as a legit app and lock it down. That can only occur if the notepad at issue is living in some other folder than the legit notepad does, or the legit notepad got overwritten. And before that can happen, a dropper has to perform the action of overwriting the legit notepad. Not only that, but how did the corrupted notepad get launched in the first place? It’s virtually impossible for you to run a corrupted version of notepad; a lot of hurdles to crawl under there, Maynard.
I suppose it’s possible if you download VeryCoolGuyApp from HackedWarezRUs.com, and you blindly trust all installers and give the installer carte blanche permission you can install a root kit onto your system. You want CIS to prevent your irresponsible behavior?
It seems that you want CIS to provide UAC functionality. That functionality can be obtained explicitly via CIS D+ paranoid mode. Otherwise I do not see what your objection is that CIS doesn’t alert you that you manually executed telnet from any number of avenues for whatever reason that you have. As far as you not being responsible enough to familiarize yourself with normal functioning of your system and to research alerts on the internet, then you can’t be helped; safe mode is your only option.
Case in point: you get an alert that j3salv.dll wants elevated permissions. What is that? A quick look on the internet shows that it is Microsoft OFD Jet3.5 salvage and is a component of the software Microsoft Money version 11.0.716 by Microsoft Corporation. MS is a trusted vendor. In ‘safe’ mode there’d be no alert, but in paranoid mode you’d see CIS complaining about that. So do you allow or deny? Well, gee this is hard. If the last thing you did was something in MS Money, it would not be totally unreasonable to allow and ‘remember this’ (unless you want to be alerted every time you do that). If you weren’t doing something with MS Money a big red warning flag snapping in the hurricane winds should be aflutter. Perhaps it’s as innocuous as something related to MS Money updating itself. The onus is upon yourself to ascertain the validity of what’s occurring on your system. That means you should be familiar with normal processes and recognize something out of the ordinary. If that’s too intimidating, then ‘safe’ mode is your only option.
You’re accountable for the security of your system. You can delegate responsibility to CIS, but if it makes a mistake and allows something in that it shouldn’t have, you are accountable; it’s ultimately your fault. Safe mode is the best option for the least amount of alerts in conjunction with the least amount of brainpower required of the user.
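
The decision flow described in the post above (whitelist hash and signature check first, then paranoid-mode alerts with ‘remember this’ answers building a per-app baseline), modelled in Python as an added example; it is not Comodo's code and not part of the original post. The class and function names, the constructed sample image bytes, and the `signature_valid` flag standing in for the CA signature check are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Image:
    name: str
    data: bytes            # file contents (constructed sample bytes below)
    signature_valid: bool  # assumption: stands in for the CA signature check

@dataclass
class Policy:
    mode: str                                     # "safe" or "paranoid"
    whitelist: set = field(default_factory=set)   # SHA-1 digests of known images
    remembered: set = field(default_factory=set)  # (parent, child) 'remember this' answers

def sha1(image: Image) -> str:
    return hashlib.sha1(image.data).hexdigest()

def recognized(policy: Policy, image: Image) -> bool:
    # Either a hash mismatch or a bad signature makes the image unrecognized.
    return sha1(image) in policy.whitelist and image.signature_valid

def decide(policy: Policy, parent: Image, child: Image) -> str:
    """Return 'sandbox', 'alert' or 'allow' for parent launching child."""
    if not (recognized(policy, parent) and recognized(policy, child)):
        return "sandbox"   # remembered answers do not rescue a changed image
    if policy.mode == "paranoid" and (parent.name, child.name) not in policy.remembered:
        return "alert"     # paranoid mode asks until the user ticks 'remember this'
    return "allow"

def answer_allow(policy: Policy, parent: Image, child: Image, remember: bool) -> None:
    if remember:
        policy.remembered.add((parent.name, child.name))

# Constructed sample images, not real binaries.
FAR = Image("far.exe", b"far build 1", True)
TELNET = Image("telnet.exe", b"telnet build 1", True)
FAR_TAMPERED = Image("far.exe", b"far build 1 + injected", True)
FAR_BAD_SIG = Image("far.exe", b"far build 1", False)

def demo() -> list:
    p = Policy("paranoid", whitelist={sha1(FAR), sha1(TELNET)})
    out = [decide(p, FAR, TELNET)]            # first launch
    answer_allow(p, FAR, TELNET, remember=False)
    out.append(decide(p, FAR, TELNET))        # allowed once, not remembered
    answer_allow(p, FAR, TELNET, remember=True)
    out.append(decide(p, FAR, TELNET))        # remembered
    out += [decide(p, FAR_TAMPERED, TELNET), decide(p, FAR_BAD_SIG, TELNET)]
    return out
```

`demo()` walks the far.exe and telnet case from the post: two alerts until the answer is remembered, then a transparent launch, then a sandbox verdict once the image bytes or the signature no longer match.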