Guide v2.06
Revision history:
August 10, 2010: Initial guide v1.0 created.
August 24, 2010: updated guide to v2.0. Included in v2.0 is the ability to install programs with Defense+ not disabled, and protection of Comodo Internet Security from tampering by the user.
August 25, 2010: updated guide to v2.01. The recommendation in step 10 was changed.
August 29, 2010: updated guide to v2.02. Added explanation in steps 20 and 21 that a trailing * is required. Moved Notes to a separate post because this post is already long enough.
September 24, 2011: updated guide to v2.03. Added download links for Comodo Internet Security v4.1.
October 22, 2011: updated guide to v2.04. Removed material regarding an older method. Added material regarding how to prompt upon execution of unrecognized programs in CIS v5.x or later.
October 23, 2011: updated guide to v2.05. Added link to topic discussing this guide.
October 26, 2011: updated guide to v2.06. Removed material about alternative method for CIS v5.x.
In this topic I’ll show how Comodo Internet Security v4.1 can be used as anti-executable software, similar to Software Restriction Policies (SRP) or AppLocker. The goal of the method presented here is that any file that a user with limited privileges can write to is non-executable by the user, and any file that a user with limited privileges can execute is non-writable by the user. We’ll use built-in operating system functionality as well as Comodo Internet Security to achieve this goal. For a good explanation of this goal, see How to make a disallowed-by-default Software Restriction Policy, but don’t follow the instructions there since we’ll be using Comodo Internet Security instead of Software Restriction Policies.
This method is suitable only if your “everyday use” account has limited privileges, which includes:
- limited user account (Windows XP) or standard user account (Vista or later)
- admin account using User Account Control approval mode, which is the default for Vista and Windows 7
I’ve tested this method with CIS v4.1 on Windows 7 x64, Windows XP x86, and Windows Vista x86. CIS v4.1 x86 can be downloaded from Download Comodo Internet Security 4.1.150349 for Windows - Filehippo.com. CIS v4.x x64 can be downloaded from http://download.chip.eu/de/Comodo-Internet-Security-64-Bit-_6804435.html - select ‘Jetzt Downloaden’ and then ‘Software jetzt downloaden’. Note that since v4.1 isn’t the latest version of CIS, virus signature updates might no longer work. This guide hasn’t been updated for CIS v5.x because CIS v5.x doesn’t allow for .DLL execution control.
Steps:
1. Create a full system backup, or at least a restore point, in case things go awry.
2. Install Comodo Internet Security (CIS) if you haven’t already done so. You don’t need to install the antivirus component if you don’t want to use it. Don’t restart the operating system when prompted - we’ll do that in step 7.
3. Open CIS. Create and activate a new CIS configuration if desired using More → Manage My Configurations. You can export an existing configuration and then import it to create a copy of an existing configuration.
4. Disable the CIS firewall if you don’t want to use it by right-clicking on the CIS tray icon → Firewall Security Level → Disabled.
5. Disable the CIS sandbox if you don’t want to use it by right-clicking on the CIS tray icon → Sandbox Security Level → Disabled.
6. Disable Defense+ by right-clicking on the CIS tray icon → Defense+ Security Level → Disabled. We’ll enable Defense+ later when we’re done configuring everything.
7. If you’re installing CIS, restart the operating system.
8. Open CIS if it’s not already open. Go to Defense+ → Advanced → Defense+ Settings → General Settings. Uncheck all 4 checkboxes. Change ‘Keep an alert on the screen for (seconds)’ to 999.
http://img820.imageshack.us/img820/779/fig1q.jpg
9. Go to Monitoring Settings. Uncheck all checkboxes except for Interprocess Memory Access and Processes’ Termination. You can monitor other areas if you like, but they are not required for the purposes of this method. Press OK.
http://img829.imageshack.us/img829/3777/fig2.jpg
10. Go to Defense+ → Advanced → Image Execution Control Settings → General. Do either option 1 or option 2, but not both.
Option 1. If you want to monitor .exe and .com files, then set the slider to Normal. This option offers weaker security than option 2 because .dll and .bat files are not monitored, but unlike option 2 there aren’t any extraneous “false positive” prompts.
http://img826.imageshack.us/img826/7841/fig3y.jpg
Option 2. If you want to monitor .exe, .com, .dll, and .bat files, then set the slider to Aggressive. This option offers stronger security than option 1 because .dll and .bat files are also monitored, but unfortunately sometimes results in “false positive” prompts - prompts when execution wouldn’t truly occur. Therefore, when using this option I recommend using the Parental Control feature to suppress Defense+ prompts - more on this below.
http://img830.imageshack.us/img830/6449/fig4.jpg
11. Go to Files to Check. Delete all existing entries. Click Add → Browse. Type * and then press Apply. Press Yes. Press OK.
http://img831.imageshack.us/img831/3302/fig5s.jpg
12. Go to Defense+ → Common Tasks → My Protected Files → Groups → Add → A New Group. Type Global Blacklist and then press Apply. Select entry Global Blacklist. Click Add → Select From → Browse. Type * and press Apply. Press Yes.
13. Press Add → A New Group. Type Global Whitelist and then press Apply. Select entry Global Whitelist. Click Add → Select From → Browse. Type * and press Apply. Press Yes.
14. This step can be skipped if you intend to always disable Defense+ when installing programs. Go to Windows Explorer. Create a folder that will be used only for launching program installers. I recommend creating a folder inside the user profile of the account that will be used when installing programs. For example, I created folder C:\Users\elmoadmin\Run. elmoadmin is the name of the admin account that I use to install software. Note to Windows XP users: user profiles are stored in the Documents and Settings folder.
15. This step should be skipped if and only if you skipped step 14. In CIS, press Add → A New Group. Type User’s Installers and then press Apply. Select entry User’s Installers. Click Add → Select From → Browse. Select the folder that you created in step 14. Press “->”. Press Apply.
16. The last three (or two if you skipped steps 14 and 15) file groups in My File Groups should look similar to the last three (or two) file groups below. The item order doesn’t matter. Press Apply. Press Apply.
http://img833.imageshack.us/img833/1084/fig6.jpg
17. Go to Defense+ → Advanced → Computer Security Policy. Delete all existing policies.
18. Press Add → Select → File Groups → Windows Updater Applications → Apply. Select policy Windows Updater Applications. Click Edit → Use a Predefined Policy. Choose ‘Installer or Updater’ from the list. Press Apply.
19. Skip this step if and only if you skipped steps 14 and 15. Press Add → Select → File Groups → User’s Installers → Apply. Select policy User’s Installers. Click Edit → Use a Predefined Policy. Choose ‘Installer or Updater’ from the list. Press Apply.
20. Press Add → Select → File Groups → Global Blacklist → Apply. Select policy Global Blacklist. Click Edit → Access Rights → Modify (the Modify that’s next to ‘Run an executable’) → Blocked Applications → Add → Browse. Here we want to specify the files that will be blocked from executing. Unfortunately, by default some folders within \Windows are both writable and executable by a user with limited privileges. Those folders should be blocked from execution. The folders to select are as follows. Your Windows folder may be in a different location than mine is - use the appropriate location for your system.
Windows XP x86:
c:\windows\Debug\UserMode
c:\windows\Registration\CRMLog
c:\windows\Tasks
c:\windows\Temp
c:\windows\system32\spool\PRINTERS
Windows Vista:
c:\windows\Registration\CRMLog
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\drivers\color
c:\windows\System32\spool\PRINTERS
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp - only if you use x64
c:\windows\SysWOW64\FxsTmp - only if you use x64
c:\windows\SysWOW64\Tasks - only if you use x64
c:\windows\Tasks
c:\windows\Temp
c:\windows\tracing
Windows 7:
c:\windows\debug\WIA
c:\windows\Registration\CRMLog
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\drivers\color
c:\windows\System32\spool\PRINTERS
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp - only if you use x64
c:\windows\SysWOW64\FxsTmp - only if you use x64
c:\windows\SysWOW64\Tasks - only if you use x64
c:\windows\Tasks
c:\windows\Temp
c:\windows\tracing
Press Apply → OK → Apply → Apply.
Note that all entries must end with * - see figure below.
http://img829.imageshack.us/img829/562/fig7.jpg
21. Press Add → Select → File Groups → Global Whitelist → Apply. Select policy Global Whitelist. Click Edit → Access Rights → Modify (the Modify that’s next to ‘Run an executable’) → Allowed Applications → Add → Browse. Here we want to specify the files that will be allowed to execute without prompts. Select C:\Program Files. Press “->” button. Select C:\Windows. Press “->” button. If you’re using x64, select C:\Program Files (x86) and press “->” button. These folders may be in different locations on your system - use appropriate locations. If you didn’t skip step 14, then select the folder created in step 14 and press “->” button. Press Apply → OK.
Note that all entries must end with * - see figure below.
http://img825.imageshack.us/img825/5386/fig8.jpg
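The Global Blacklist in step 20 is only correct for your system if it covers every directory that a limited user can write to beneath the roots whitelisted in step 21. The PowerShell script below is an added example that is not part of the original guide; it walks those roots and prints, in the trailing-* form that steps 20 and 21 require, each directory where a limited user can create or change files. It assumes PowerShell 2.0 or later (a separate download on Windows XP) and an elevated prompt, and the helper name Test-LimitedWrite and the parameter names are mine. The well-known SIDs for Users, Authenticated Users, Everyone and INTERACTIVE stand in for "a user with limited privileges"; the script does not resolve the group membership of a particular account.

```powershell
# Added example, not part of the original guide: list the directories under the
# roots whitelisted in step 21 in which a limited user can also create or change
# files. Each directory printed is a candidate entry for the Global Blacklist of
# step 20, since a user-writable path inside an executable root defeats the
# guide's goal. Assumptions: PowerShell 2.0 or later; run from an elevated prompt
# so every ACL can be read; the SIDs below stand in for a limited user (no
# per-account group membership is resolved).

param(
    # Roots that step 21 allows to execute from; ProgramFiles(x86) is empty on x86.
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
    # Locale-independent SIDs: Users, Authenticated Users, Everyone, INTERACTIVE.
    [string[]]$LimitedSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4')
)

$fsr     = [System.Security.AccessControl.FileSystemRights]
$sidType = [System.Security.Principal.SecurityIdentifier]
# Two bits that let a principal add content to a directory; Write, Modify and
# FullControl all include them. Some ACEs carry generic rights as raw bits instead.
$writeBits    = [int]$fsr::CreateFiles -bor [int]$fsr::CreateDirectories
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$inheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-LimitedWrite {
    # Hypothetical helper: true when a limited-user SID holds a write right on
    # $Dir itself and no matching Deny ACE takes it away.
    param([System.IO.DirectoryInfo]$Dir)
    $rules = $Dir.GetAccessControl().GetAccessRules($true, $true, $sidType)
    $allowed = $false
    foreach ($rule in $rules) {
        if ($LimitedSids -notcontains $rule.IdentityReference.Value) { continue }
        # An inherit-only ACE applies to children, not to this directory.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $rights = [int]$rule.FileSystemRights
        $writes = (($rights -band $writeBits) -ne 0) -or
                  (($rights -band $genericWrite) -ne 0) -or
                  (($rights -band $genericAll) -ne 0)
        if (-not $writes) { continue }
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            return $false
        }
        $allowed = $true
    }
    return $allowed
}

$writable = @()
foreach ($root in @($Roots | Where-Object { $_ -and (Test-Path -Path $_) })) {
    $dirs = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        try { if (Test-LimitedWrite -Dir $dir) { $writable += $dir.FullName } }
        catch { }   # ACL not readable even when elevated: skip this directory
    }
}

# Step 20 entries end in "*", so one entry covers a whole subtree: keep only the
# topmost writable directory of each subtree and print it in that form.
$report = @()
foreach ($path in @($writable | Sort-Object)) {
    $covered = $false
    foreach ($top in $report) {
        if ($path.StartsWith($top + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            $covered = $true; break
        }
    }
    if (-not $covered) { $report += $path }
}
$report | ForEach-Object { $_ + '\*' }
```

Save it as, for example, Find-LimitedWritable.ps1 and run it from an elevated PowerShell prompt (powershell -ExecutionPolicy Bypass -File .\Find-LimitedWritable.ps1). Compare the output with the folder lists under step 20: any directory it reports that is not yet in the Global Blacklist, such as one created by a third-party installer under Program Files, needs an entry there too. Deny ACEs for the listed groups are honoured, but the script does not model every subtlety of Windows access checks, so treat its output as a checklist to confirm rather than as proof.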
22. The purpose of this step is to avoid unnecessary (for the purposes of this method) Defense+ prompts. Skip this step if you wish to see these prompts. Set Interprocess Memory Accesses to Allow. Set Processes’ Termination to Allow. Set Window Messages to Allow.
http://img820.imageshack.us/img820/1046/fig9.jpg
23. Press Apply → Apply.
24. Press Add → Select → File Groups → COMODO Internet Security → Apply. Select policy COMODO Internet Security. Click Edit → Protection Settings. Set Interprocess Memory Accesses to Yes. Set Windows/WinEvent Hooks to No. Set Processes’ Termination to Yes. Set Windows Messages to No. Press Apply → Apply.
http://img825.imageshack.us/img825/733/fig10.jpg
25. Ensure that the policies look similar to below. The order of the policies must be the same as shown. The files in the file groups Windows Updater Applications and COMODO Internet Security may vary from what is shown. Press Apply.
http://img265.imageshack.us/img265/7673/fig11.jpg
26. Change CIS Defense+ mode to Paranoid Mode by right-clicking on the CIS tray icon → Defense+ Security Level → Paranoid Mode.
27. Run programs that you normally use and check if everything seems to be working properly. Check if rebooting works properly. CIS will prompt upon execution of any files not explicitly allowed or blocked by your ruleset, unless suppression of Defense+ prompts is enabled - more on this later.
Please post any feedback about this guide at https://forums.comodo.com/install-setup-configuration-help-cis/feedback-for-topic-using-comodo-internet-security-as-an-antiexecutable-t77783.0.html.
Please see my next post for notes.