Unrecognized files

Comodo Internet Security - CIS Defense+ / Sandbox Help - CIS
#1

Win 7/32 CIS 5 sandbox disabled.

Should defense+ alert on unrecognized files at all or just files with malicious behavior?
Since I always have unrecognized files listed from various installs such as updates etc., just no pop ups what so ever.
D+ set to clean PC.

Thanks

#2

in the ideal case defense+ should “alert” (better say “ask”) for any file that tries to execute. thats the point with it, it protects you from UNKNOWN things that could execute automatically if defense+ is not stopping them. its a mechanism, no database like an antivirus.

as you run “clean pc mode”, everything new will be put in the list for future decisions if they should become trusted files.
in my eyes this is much more work, than to use safe mode, and click one time the questions with yes, until the new program runs. instead in clean pc mode, you have to go through a list with increadible much entries. and then you should have to decide if they should become trusted files …
i have much less work and “decisions about trusting” to make to get everything running …in safe mode, or even in paranoid mode.

to get the optimum out of defense+, switch to proactive security konfiguration too.

#3

very interesting info.

thanks clockwork

PS. would it be advisable to put CIS into learning mode for major installs and updates?

#4

i can not suggest to use the trainings mode. (only in very rare situations, if you dont know how to set for example steam games to run, while avoiding 10s of freezings and reboots until you made the rules. i have my own rule set that i use then).

  1. often i noticed that it makes blueprint rulesets for each program running while that (not only the needed facts, but blueprints)
  2. an installer is running one time, but in trainings mode it would get a permanent rule. if this installer is gone, there is a rule without a program taking the place.
  3. think of an virus, waiting to be executed, and then in trainingsmode it would even get a permanent allow rule. with switched off defense+, it would at least NOT get a rule!
    after i used trainingsmode i always watch on the defense+ list, if there are new rules that i dont want to be there. while that i noticed this blueprint behaviour too.

when i install a grafic driver or something which needs an reboot, i switch defense+ OFF until the reboot is done.
if i use normal installers, i choose in the question window “treat as installer” and i DONT mark “remember my answer”.
when the installation is done, you should shut down the installer, instead of “start the game right now”. because, everything that is started with the installer has for this time running the same rights as the installer. if you close the installer first, then this temporary rule (“DONT rememeber my answer” makes it temporary) is not more valid. all is fine and done.

#5

wow, thanks for the wealth of information