Using Widget to Unblock

Comment about using “Unblock Applications” from the widget in Comodo Firewall v10. I like to maintain control of the internet no matter what, but I noticed that unblocking from UA on the widget creates allow rules for Firewall, HIPS, and Containment. I also like to monitor the HIPS activities of programs. For me, the most troubling aspect of this is that the file rating is moved from Unrecognized->Trusted, meaning (as I understand things) not even command lines will be examined (heuristic command-line analysis).

I made a suggestion at MalwareTips, so I decided maybe I should also post it here. First of all, I don’t see any reason for Comodo to use the “Unblock Applications” element as a reason to declare a file “Trusted”. So to start with, why not just leave the file rating at “Unrecognized”? Rules can still be set for it. Honestly, this would mean that a user would be less likely to make a mistake manually declaring files from the files list as “Trusted”. Moreover, and this part really gets me, in my opinion it would be an opportunity for Comodo in that Comodo could create a “User Trust” type of rating that carries the same weight as “Trusted” (is even seen in the monitoring code as “Trusted”) and then the company would not once be on the record about the choice of a user. This is huge in my mind. Think about the user being easily able to see their choices for the “User Trusted” files in the files list. Also, Comodo can easily grab this information from customers who are allowing their statistics to be monitored. This should help with determining what users are allowing and considering safe. Wow. Add an “are you sure” to the option in the files list area required to change a file from Unrecognized->“User Trusted” and the user will think twice. Anyway, “Trust” is not required to create allow rules for Containment/HIPS/Firewall. Even without using a “User Trust” designation in the files list (just normal trust as it is now), there isn’t any need for Comodo products to use user UA choices as a reason to say a file should be “Trusted”. This is an important fact and brings me to the second part of the idea.

This part is to separate rules creation for an unblock in the widget. The pic below explains a little bit:


http://i640.photobucket.com/albums/uu127/AtlBo/Comodo%20Concept_zpsdbrqvmtf.png

This pic illustrates how this might be done. So now when an allow is chosen, a rule is set up for the specific element which does not require monitoring (i.e. “run uncontained”). Moreover, this rule can be set for an unrecognized file rather than for a Trusted one, the file rating being left intact. In this case then the rule would be XYZ.exe->Containment->Unrecognized->Ignore. The same would apply for HIPS and Firewall (XYZ.exe->HIPS->Unrecognized->All set to Ask, etc.) and these rules could be created automatically just as easily as they are now.

This simple settings change, I feel, could really bring to the front the available flexibility of the Containment/HIPS/Firewall controls and would make it possible for anyone to be taught to use the program. Thanks for taking the time to read this. I had to get it off my chest. V10 is great, but I see the difficulty users are having sometimes. After studying this issue long and hard, it all came down to the unblock mechanism.

BTW, an optional password to unblock would be great. Maybe that’s for pay and maybe it could be set uniquely for system accounts.

Thanks again. :slight_smile:

pio and I had a discussion here: https://forums.comodo.com/wishlist-cis/fully-cloud-support-for-cis-or-lightly-av-scans-also-for-trusted-files-t119886.0.html regarding the effect that the trusted status of a file has on the protection of Comodo.

We concluded that any file which is considered trusted, whether it is through trusted vendors, a trusted file hash, or in your case trusted by the user, is excluded from antivirus scanning or any subsequent lookup to the cloud.

Trusted files also have an impact on the HIPS, you can read about it here: File Rating Configuration, Virus Protection, Internet Protection | CIS Help | COMODO

“Trusted files are excluded from monitoring by HIPS - reducing hardware and software resource consumption.”

So the trusted status has a double purpose: to exclude from scanning and to exclude from monitoring by HIPS, with the exception of Paranoid mode and maybe other modes.

However, due to the way that Comodo works, even if a file is rated as trusted, Comodo HIPS can still interact with legitimate applications, here is an example: https://forums.comodo.com/resolvedoutdated-issues-cis/safe-mode-always-blocks-application-from-trusted-vendor-t118669.0.html

On my laptop, this also occurs with that Synaptics thingy. Even though it is trusted, Comodo’s HIPS prevents Synaptics from accessing CIS processes in memory as a part of self-protection, according to the post by futuretech. The unblock rule for the HIPS took care of that issue.

I agree that Comodo should allow the user to unblock an application for only specific protections. For the Firewall and Containment the ignore rule should suffice; I think for CIS it also adds the file to the AV exclusions. Since in CF there are no exclusions, if the Cloud Lookup finds something malicious the trusted rating comes into play.

So I have a suggestion: For the Firewall and the Containment it should be the way you described. For the HIPS, it should create an unblock rule only. And there should be another option to add the file to the trusted rating. If the user tries to set a file to the trusted status, Comodo should give a warning that this also mostly eliminates the protection of HIPS, Firewall, and Containment.

EDITED somewhat…

100% I agree in principle. I had never been able to pull together the exact changes to HIPS from the unblock (as compared to normal), although I thought I had it down. Now I don’t think I did completely understand the HIPS element in this context. Anyway, I DO understand what you mean concerning the effect unblock should have on HIPS, and I agree. Although I don’t use Comodo a-v (CFW), I’m with you on that too.

I basically could not agree with you more about what you describe. It sets the user up perfectly to know exactly what to expect from the unblock. That really has had me uneasy, so thanks for your analysis and input. I do hope Comodo sees it in this or a similar way. It would bring to the program a large portion of clarity and to the user the composure to make the right decision. I think if they do this, it will be almost impossible for anyone to try the program and then even try something else.

BTW, this issue with Trust just rocks. The more I consider it, the more I am crazy about leaving it for files/apps unrecognized by Comodo. I understand your concept for the option, especially the way the idea is presented in the picture (auto-trust when all 3 are unblocked), but I like to be able to see clearly where I have made a choice in the settings, so I would forego the option to trust the file/app in every case given the option 88). Actually, after thinking about it, I know I would like it better without even the option, simply because of the confidence and clarity users (including me) would have about Comodo products when they realize that Comodo is sticking by their trust choice on files/apps. I mean, they should…it’s a great company. At any rate, if trust were changeable by a universal unblock from UA, I would like to see it designated “User Trust” in the files list, even if the program treats it as “Trusted”. Maybe it could be something like “Trusted (User)”. Also, I would like it if there were a check box setting to remove the option of adding trust from the unblock process somewhere in the settings. This is again assuming it were made possible to add trust somehow in the first place.

Anyway, it shouldn’t be a big challenge for Comodo to come up with a suitable set of HIPS sub-rules for an allow from UA involving the “Unrecognized” rating, whether the file is completely (all 3 modules) unblocked or just HIPS or just HIPS and another protection module. If things with a HIPS unblock within the split unblock concept happen the way they happen now rules-wise for the universal unblock which includes HIPS, except with the rule changeover to “Unrecognized”, I would be OK with that. You may be saying something different, apologies. Not 100% clear on your meaning concerning what the rule should be. As you mentioned, the Unrecognized->Allow rules should work fine for sandbox and firewall. Your take on the a-v is logical to me too.

However, due to the way that Comodo works, even if a file is rated as trusted, Comodo HIPS can still interact with legitimate applications, here is an example: https://forums.comodo.com/resolvedoutdated-issues-cis/safe-mode-always-blocks-application-from-trusted-vendor-t118669.0.html

I ran into this exact issue with a memory cleaner. An exemption to the Comodo processes fixed the problem.

To finish, I do believe this idea brings a great deal of strength back to the HIPS and Firewall elements of the program, strength they deserve. It would also turn the files list into a shrine of Comodo’s trust ratings, basically, if trust stayed at “Unrecognized”. OK, one last btw. That is that I would also turn the “Unblock this application” option on the containment alert (newly contained unrecognized file/app) into pure text. Explain with the text how to unblock using “Unblock Applications” and force the user to use UA to stop auto-containment or any other element of protection. This gives the user a little time to think about Comodo’s trust rating and then to think twice at a critical, pressurized time when it would be easy for a user to make a mistake.

Thanks again.

They are re-working the unblock application task, but when it gets changed I don’t know. You mention that you want to be able to tell when a user sets the file rating compared to the file rating given by Comodo. You can, by either viewing the file in question in file list details and selecting the rating tab, which will show “My rating”, or in the event logs of file list changes, where the modifier column will indicate user instead of Comodo.

OK, so the color is a giveaway too, I guess. Ah, I didn’t mean to inject personal desire into that. I just love the concept that the files list is a shrine, and “you better not mess with it unless you know what you are doing”. I think it deserves that level of respect when I look at the work that goes into the ratings. I should know from the colors and then be patient enough to double click to see the details; anyway, I agree. 100% you guys would know better what works with that. I didn’t even know I could see the file rating and details by clicking on the rating until about 10 minutes ago. Maybe there is a better way than “Trusted (User)” and maybe what’s there already is better.

If you guys do this, I can’t wait to show this program to people I know, on MalwareTips, and anywhere else they’ll listen to me. It’s such a great concept all the way through. I show them now, too, but I would feel like I can explain it better, since the UI would explain most of the unblock details. I guess this for the a-v would be even scarier good.

One thing that comes to my mind, possibly, about “Trust (User)”. Could maybe the color of user choices and no choice to date be the same? I don’t know if that would do the job 100% that I would like to see, or even work at all, honestly. Oh well.

You guys have built such a great concept here. For me, the crux of the thing with this concept is leaving Comodo “Trusted” Comodo “Trusted”. I feel so strongly about that. If the appearance is the same in the files list as now, that’s OK; at least I think the color is an indicator there. I forget what I read in help about that constantly, it seems, but man I love the idea of unblock options and then still unrecognized rules and unrecognized in the files list. That screams be careful when you change the rating of a file. Can’t get enough of that. As I mentioned, even if it were only a General Settings->UI check box to remove the option to add trust to a full all-modules unblock, I would be OK with that and guarantee you I will have it checked, and so will every noob I show the program to.

Nonetheless, I am mostly just glad to get this off my chest. It’s been on my mind for quite some time now, trying to understand what happens with the unblock and how newer users don’t seem to like that they don’t have full HIPS and Firewall :-TD to use after using UA to unblock the sandbox.

At any rate, I know you guys will come up with a superb concept reworking this if I understand you correctly. I don’t PTL all that much, but I did when I read your post. Totally blown away and stoked to see what you guys come up with.

Thanks man for the attention. Seriously.

Below this would be 100% fine with me…100% anti-noob aerosol spray in a can:

OK, one last btw. That is that I would also turn the "Unblock this application" option on the containment alert (newly contained unrecognized file/app) into pure text. Explain with the text how to unblock using "Unblock Applications" and force the user to use UA to stop auto-containment or any other element of protection. Gives the user a little time to think about Comodo's trust rating and then to think twice at a critical pressurized time when it would be easy for a user to make a mistake.

futuretech

Thought of something this AM. Whatever you guys are coming up with for “Unblock Applications”, would adding a complete list of rules by application to the log make any sense at least to think about?

Just in terms of keeping users who might have a hard time knowing what to do out of the other (non-rules) settings, maybe there is a speck of user contentment in this thinking, idk. If they knew where to find a complete list of rules, then maybe they could more easily find the rules for an application and delete a rule or rules. For me, this seems like a very nice scenario as long as Trust remains “Unrecognized” after a UA unblock, because someone who allows a program out of containment with UA unblock (“Unrecognized”->Ignore rule) could easily just get rid of the “Unrecognized”->Ignore rule and o/c the file would still have its “Unrecognized” status intact. Next time the app is run, it’s run back in containment or under the mode monitoring for the protection. The user could possibly also use this way of accessing rules to change a rule from Restricted to Partially Limited, etc.

I know Configuration changes is there in the log, and it helps. This would be more to access rules in a process-by-process context all together. With Comodo’s trust intact after an unblock, users couldn’t in any way make a mistake deleting a rule. Again, whatever the rule was, it just goes back to being handled with the default “Unrecognized” protections for whatever mode is selected (HIPS/Firewall) generally in the settings. Those are powerful protection sequences there.

I guess something like this could be a separate module i.e. “Rules Management” for the settings UI/widget. I’m kind of paranoid so I would probably want to password protect it and “Unblock Apps” too.

One other thing I happened to think of just now. When a user deletes a rule for an “Unrecognized” app/file, would it make sense for Comodo to check to see if the user has messed with the file rating? Maybe Comodo could check, when a user deletes a rule, to see if there are any other rules for the app/file, then if not change the file rating from user choice back to Comodo choice. I guess kind of a reset scenario here. In the case of no other rules present, I don’t see how it could do anything but help. You know, the user changes the file rating to “Trusted” because somebody told him to, or whatever, to turn off HIPS >:-D, etc. A healthy reset from that.

OK, I think that’s about it. Just looking forward to seeing where you guys go with things. Thanks again for the heads up on the work being done on UA. I feel a lot better knowing I can plug n play Comodo on grandma’s/noob bro’s desktop, etc.

I have a rule pointing to a “SAFE FOLDER” so whatever I run from that folder does not run in the container. This way I can run safe installers just by moving them to my desktop folder and boom! About the “Unblock Applications” module, I think it lacks a “Purge” button, that’s it. Just like there is a Purge for other modules in Comodo, there should be a Purge for “Unblock Applications”. This thread has a valid point but also misses taking basic users into consideration. Basic users want their system to work and to be stable. Imagine a novice using this thread’s “Unblock Applications” and he has no idea why there is a HIPS and a FW and a Containment option. He just wants to allow applications in order to use them, and in order for them to run smoothly they need to be fully allowed, just like “Unblock Applications” works today.
However, for advanced users; “Unblock Application” should provide the advanced user with the chance of choosing what module will be unblocking the application.

However, for advanced users; "Unblock Application" should provide the advanced user with the chance of choosing what module will be unblocking the application.

I could maybe see this being viable as long as the choice to unblock via “Unblock Applications” doesn’t lead to the file/app being rated “Trusted”. This turns off everything. The way it is now, some users will even see an unblock choice on the Containment alert. What is that to a noob? “Oh, think fast, what do I do? Oh I know, unblock, because I want to use the application now.” Even though that only creates a Containment rule, the file is raised in the files list to “Trusted”. O/C, HIPS and F/W are off as a result. Also, I believe that command-line heuristics is at least partly off. Command-line heuristics is the glue of Comodo in my mind. :frowning:

I get your point that unblocking for all the elements of Comodo is fine for many users as long as the file/app being unblocked isn’t given the “Trusted” rating. “Unrecognized” is fine. That way all the default command-line protections are still in place. OK, so add a check box for “Advanced unblock” in the General settings or something. I’d be OK with that.

BTW, even if the option is cleanly removed from the Containment alert so that “Unblock Applications” is the only way to unblock, no way could I be won over that the file rating should be made “Trusted”. This is even if a user were working with non-advanced unblock choices (previously mentioned settings concept) so that all three protections were being disabled for the file/app with the unblock.

Would you mind posting your SAFE FOLDER rule? That would be a good idea for portable applications, but I guess it does kind of push the edge of safe. I mean, it’s obviously going to be safest to go with what Comodo says :)…

It will depend on your overall Comodo settings. I have deleted the trusted vendor list and added a new one generated from what was present in my system only. So my trusted vendor list got very small. I don’t have the chance to pick my cards wrong when dealing with Containment Alerts because I don’t deal with Containment Alerts; my settings will block if not recognized, allow if trusted. There is no middle point here for me on my settings. Additionally, HIPS is set to Paranoid mode. If a malware drops magically from the sky and lands inside my safe folder, and runs from there, the HIPS will fire up even if the malware was manually added to the trusted list previous to being dropped into the safe folder. Aggressive settings may annoy regular users because they didn’t have the time to do a fresh Windows install and run training mode properly before switching HIPS to Paranoid. Then HIPS is your best friend vs. regular bypassing of the trusted list. There is no such thing as “This turns off everything” for me; sadly, the price of convenience is the price of security. All this said, I agree that, as you have said, having the ability to choose which Comodo modules will exclude the “Unblocked Application” is handy; but the actual settings already provide strong protection if used wisely. Comodo is not even close to perfection, and it tends to run better on Windows 10 than Windows 7, and needs to improve many things.

I’m assuming you also disabled cloud lookup, because if you leave CL enabled it has the full trusted vendors list in the cloud; if a vendor is trusted from the cloud then the vendor will be added to the local TVL by Comodo.

I also sometimes use Comodo as an anti-exe sort of thing: disable cloud lookup and trim the TVL, and set containment to block all unrecognized. Comodo may actually be a good option for that purpose because it also has other layers covered.