V3.9.95478.509 Defense+ Gives Too Much Freedom to Applications In Training Mode

I tried to find similar threads, in vain, and am here to post one about this. I hope I didn’t miss an existing one, because if this is really a bug (and not just a bug with me alone), it should be very obvious.

I’ll go straight to the point.
If I enable Training Mode, no matter what my Defense+ learns about a program, it will give this to the program (or any program):

http://img199.imageshack.us/img199/6139/problemz.png

This is too much. Just so you know, the above settings were given to my firefox.exe when it first ran. (Firefox doesn’t need this much to run, does it?) Now thanks to this, almost all programs in my Computer Security Policy list have the exact same settings. I don’t recall seeing this in any previous versions, only in the latest one (V3.9).

Somehow, this problem also exists when I allow a program to do something and “Remembered my answer” while in Safe Mode. Though, I couldn’t really duplicate the problem with every program when in Safe Mode, because while the settings for WinRAR were okay (lots of “Ask” and not “Allow”, which was normal), for uTorrent they were not (the same settings as in the screenshot above), all while in Safe Mode, allowed, and “Remembered my answer”.

Please look into this a bit and let me know if it’s just me or it’s everybody.
Thanks.

CIS Version: V3.9.95478.509 X32 (clean install - uninstalled old CIS with Revo Uninstaller and installed this)
CIS Settings:

  • Antivirus Real-Time Scanning DISABLED (always, on-demand only)
  • Firewall SAFE MODE (always)
  • Defense+ TRAINING MODE (usually Safe Mode) with everything monitored under “Monitor Settings”

OS: Windows XP SP2 Admin Account with password
Security Applications:
  • CIS
  • Avira Antivir V9 (real-time & on-demand)
  • Spyware Terminator V2.5.6.316 (real-time protection ENABLED, HIPS DISABLED)
  • COMODO BOClean V4.26
  • Spybot - S&D V1.6.2.46 (TeaTimer DISABLED, on-demand only)

Hello. In training mode any application will be allowed to do what it wants and automatic rules are set for it.
It is designed this way to “learn” activities and create rules automatically while using applications for the first time.

Hi Kyle.
Thanks for your reply, but I’m not sure if you get me. Previously I did not see my Defense+ acting that way. It allowed powers for a program that did not even say it needed the power.

Yes, Training Mode allows programs to do whatever they want and saves rules for them, but to allow almost everything? Weird.

This is also the same in clean PC mode and I think (not tried) safe mode. I don’t like it either and it seems a pointless reduction in security.

See my threads:

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/why_give_blanket_defence_access_to_safe_applications_to_do_so_much-t35835.0.html

https://forums.comodo.com/leak_testingattacksvulnerability_research/how_dangerous_is_direct_disk_access-t38407.0.html

https://forums.comodo.com/defense_wishlist/idea_for_increased_security_and_configurability-t38559.0.html

@Serenity;
Training mode is meant to be run for applications you trust. You wouldn’t run malware in that mode.
The reason for the loose rules is so that it gives you no annoying pop-ups and lets your programs run that you know are safe and don’t want to tell d+.

@tcarrbrion
Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.

Training Mode: Defense+ will monitor and learn the activity of any and all executables and create automatic ‘Allow’ rules until the security level is adjusted. You will not receive any Defense+ alerts in ‘Training Mode’. If you choose the ‘Training Mode’ setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.

I hope this helps you guys.

Thanks tcarrbrion.

I understand where you’re coming from and I also agree with you (about getting less security, because I’m quite “security-hungry”), but the focus of the problem mentioned in this thread is not exactly that.

If a program is marked as safe (by COMODO or by me), I do prefer a more detailed security policy for each of them and not an “umbrella profile” to allow too many things. However, that’s only when it’s marked safe.

This problem I’m having here is that ALMOST ALL programs learned under Training Mode (and sometimes Safe Mode) are given a BIG amount of powers, unnecessarily, whether they’re marked safe or not.

I didn’t see this in previous versions. Just this one.

Now this is what gets me worried. I’m not sure if it’s a bug, or it’s purposely designed that way.

Well I’ve only ever used training mode for a short period of time a while back to be honest, the same with clean pc mode.

If you want tighter rules for any reason then you could use paranoid mode\safe mode.

But I wouldn’t know when I would have a malware in my system! And when I first installed it fresh, I surely have to put it in Training Mode to learn what I usually do.

The rules are too loose. Let me explain.

Firefox.exe did not prompt that it needed to, for example, access my monitor, disk, and keyboard when it first ran. While previous versions of CIS set “Ask” for monitor, disk, and keyboard access for firefox.exe in Training Mode, why does V3.9 put “Allow” for all 3?

I need someone to confirm whether they’ve changed, into such a way, the way CIS creates rules.

I don’t understand. Even if it’s in Training Mode, why allow a program a power it does not even ask for? And the program is not even explicitly marked as safe!

I guess this design was introduced as of CIS 3.5 3.8 to acknowledge the efforts of those members complaining about the number of alerts or deeming it unneeded to specify detailed allowed access rights for trusted applications (whenever they were safelisted by Comodo or by users themselves). As usual, conjectures are not helpful at all, so I guess it would be better to provide some info for those eventually interested.

Even in previous versions trusted applications were automatically granted access rights up to this scenario.

Run an executable and Protected Files/Folders did not automatically grant all actions even for trusted application and this design is still unchanged.
The current behavior of Protected registry keys for Trusted applications mimics the old design.

http://img199.imageshack.us/img199/6139/problemz.png

Although most access rights were set to Ask, as long as a trusted application needed to carry out an action, that action was going to be added to the allow list (Modify… button).

As before, those willing to have full control over access rights and to apply their own policies (including conditional ask) even for trusted apps should use CIS in Proactive security config and D+ Paranoid mode, whereas as long as a user is confused by access rights details (and there are people who still wish D+ to work like an AV) they wouldn’t be able to leverage on the amount of info provided by browsing the Allowed lists of most access rights.

For trusted applications these info are automatically retained only for Run an executable, Registry and Files/Folders, although using access right Modify button is possible to add blocked entries to explicitly prevent a Trusted app to automatically obtain such access right or set the whole access right to block.

Paranoid mode will retain access right info for all privileges, for all applications accordingly to D+ monitor settings.

Whereas an application without policy is launched or a permission/access right for a policy is set to Ask (and the blocked exception list is empty):

  • Training mode will deem all applications as trusted.

  • Safe mode will deem all applications safelisted by Comodo, digitally signed by a Trusted Vendor or featured in user customized Safe list, as trusted applications. Other applications will trigger alerts according to the permission they strictly need.

  • CleanPC mode will deem all applications not listed in My pending list as trusted. Applications safelisted by Comodo cannot and will not be added to pending list (AFAIK this should be the case for app signed by trusted vendors too). Applications featured in pending list will trigger alerts according to the permission they strictly need.

Those users neglecting that safelisting by signature is not supposed to work soon after an update (a new app update will change the app signature thus there will be no match in the existing safelist), unwilling to use the custom safe list or trusted vendors feature (or got an application which was not digitally signed) will not be alarmed anymore soon after updating their trusted application to see an alert as soon they used something in these apps they never used before.
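As an added illustration (not part of any post in this thread and not Comodo's code), here is a simplified Python model of the per-mode trust decision summarised above and of the rule-learning difference the thread argues about. The class and function names, `helper.exe`/`other.exe`, and treating any other mode as untrusted are assumptions; `abcde.exe` is the hypothetical program named later in the thread.

```python
from dataclasses import dataclass, field

# Rights the thread shows as plain Allow/Ask (keyboard, monitor, disk).
COARSE = {"keyboard", "monitor", "disk"}

@dataclass
class App:
    name: str
    safelisted: bool = False   # Comodo safelist, trusted vendor or user safe list
    pending: bool = False      # listed in My Pending Files

@dataclass
class Policy:
    allowed: set = field(default_factory=set)  # learned (right, target) pairs
    blanket: set = field(default_factory=set)  # rights set to Allow outright

def is_trusted(mode, app):
    """Trust decision per mode, as summarised in the post above."""
    if mode == "training":
        return True
    if mode == "safe":
        return app.safelisted
    if mode == "clean_pc":
        return not app.pending
    return False  # assumption: any other mode trusts nothing implicitly

def request(mode, app, policy, right, target, blanket_learning=True):
    """Return 'allow' or 'alert' for one action; learn rules for trusted apps."""
    if right in policy.blanket or (right, target) in policy.allowed:
        return "allow"
    if not is_trusted(mode, app):
        return "alert"
    policy.allowed.add((right, target))
    if blanket_learning:
        # Behaviour reported in this thread for V3.9: coarse rights become
        # Allow wholesale, even though the app never exercised them.
        policy.blanket |= COARSE
    return "allow"

def alerts_after_training(blanket_learning):
    """Train on one action, switch to Safe Mode, list rights that still alert."""
    app, policy = App("abcde.exe"), Policy()
    request("training", app, policy, "run_executable", "helper.exe",
            blanket_learning)
    later = [("keyboard", "*"), ("disk", "*"),
             ("run_executable", "helper.exe"), ("run_executable", "other.exe")]
    return [right for right, target in later
            if request("safe", app, policy, right, target,
                       blanket_learning) == "alert"]
```

With blanket learning, keyboard and disk access raise no alert after the switch back to Safe Mode; with per-action learning, both do.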

CIS V3.5? How could that be? Just yesterday I was still using V3.8 and Defense+ was still working the way as I always wanted. And after I removed V3.8 and installed V3.9 it changed!

I’m somewhat confused already. You see, what I want is this:
Say there is a program “abcde.exe” that I’m going to run. I know many people have downloaded it and are using it, but I don’t fully trust this program (which is the case MOST OF THE TIME). How would I know if it’s secretly sending something out to someone? So for the first time it runs, to avoid the trouble of manually allowing and remembering each action the program carries out, I switch to Training Mode to let CIS allow and remember ONLY AND ONLY the actions that abcde.exe performs. After that, I’m going to switch back to Safe Mode and the next time I run it, I want whatever actions that were not learnt the first time during Training Mode to be reported to me. This is how I’d been using Training Mode and Safe Mode, in versions prior to V3.9. (Of course, if I suspect there is something funny in a program that I need, the first time I run it I’m going to use Safe Mode and examine each and every alert and prompt I get.)

Is this still possible with V3.9? Because from what I’m seeing here in my system, this way of using Training Mode and Safe Mode is no longer possible.

If it was not 3.5 it should have been thereafter before V3.9.
Forgive me as I’m not willing to install 3.5 to verify this as IMHO the exact version is not relevant at all, anyway I edited my previous post to strikethrough the 3.5 version identifier.

Paranoid mode will allow you to choose how much trust you are willing to concede on a per app basis whenever alerts mention the application has been safelisted by Comodo.

If you are willing to outperform/outsmart the default behaviour D+ paranoid mode will allow you to do so.

This is what I have complained about. The same thing happens in clean PC mode. This image is for my own compiled program, not in any safe list, in clean PC mode. It is allowed to do so much.

[attachment deleted by admin]

This design does not in any way reduce the number of alerts you get. It might be slightly more efficient the first time an application is run as all the rules are saved at once but I can’t see this as a big advantage.

It does mean reduced security (how much is debatable).

It does mean you cannot train up for paranoid mode.

If you want increased security and do not want all the alerts of paranoid mode you are stuck.

No, it does not reduce security at all. For example, on my PC Opera.exe is set as a trusted application. Does it need all those rights? No, it’s just trusted for usability. Is opera.exe malware? No. Your safe apps will stay safe. You’d get an alert if malware tries to modify those trusted applications.

If you have malware the more pop-ups the better. Someone might give the wrong answer to one pop-up. If they get 5 they are more likely to think something is wrong and have more chances to stop it.

Those willing to learn about D+ can run leaktests in Safe or CleanPC modes provided they do not manually get these leaktests to be trusted.

Those users neglecting that safelisting by signature is not supposed to work soon after an update (a new app update will change the app signature thus there will be no match in the existing safelist whenever the user claim that app obviously ought to be trusted), unwilling to use the custom safe list or trusted vendors feature (or got an application which was not digitally signed) will not be alarmed anymore soon after updating their trusted application to see an alert as soon they used something in these apps they never got to use before.

As long as a user is confused by access rights details (and there are people who still wish D+ to work like an AV) they wouldn’t be able to leverage on the amount of info provided by browsing the Allowed lists of most access rights.

Those wishing for their personal take on increased security will have to use paranoid mode thinking that average users often described in many posts in these forums will have no use for this or that alert they wish to see for trusted apps, for detailed description of all access rights and other changes that may affect ease of use.

After many years of AVs as an established approach to security, any effort other than a single click is extremely discouraging. Who is going to fully use any HIPS if he can count on a godly AV with more than 100% detection and hope that a comparative testing all existing viruses around (including those that are going to be created or the AV tester has not got yet) will lead them to their safe heaven?

Good thing that paranoid mode has not been removed yet whereas apparently nobody is willing to use it despite their particular security needs.

Okay people, I cannot use Paranoid Mode. I can, but I mean it’s not suitable because “Every action of the safe executable files are learnt” isn’t there. I trust (to an extent) what COMODO trusts, that’s why I stop at Safe Mode and not go all the way to Paranoid Mode. After all, if something is known to be safe I don’t want to waste my time examining it.

But lots of other times I find myself dealing with applications THAT I NEED but that I trust only 70% to 85% or so, that’s why I said I want Training Mode for them the first time (and I’ll be monitoring what D+ is learning through the pop-ups), after which I’ll use the usual Safe Mode.
If my trust for an application is less than 70%, I’ll install AND use the program in Safe Mode all the way to monitor every action.

Now that Training Mode allows ALMOST EVERYTHING for ALL programs that run for even a second and that trigger even one (and only one) D+ alert (and then Training Mode allows so many things =_=), when I change back to Safe Mode lots of things are already allowed, including privileges that the programs don’t need. This is how my security is reduced.
And don’t forget Paranoid Mode isn’t exactly what I want, as explained above. So I actually need Training Mode to make my life easier, without it allowing unnecessary things of course, which is NOT what it’s doing in V3.9.

Sorry but I can’t really get what you’re saying. :frowning:

For me, I won’t ever mark an application as trusted. No matter how trusted a program is by the general public, I personally do not know what lurks within the codes.
Even for programs trusted by COMODO, I’ll go and review the access rights of those programs every now and then.

Paranoid? Somewhat.
But I don’t like Paranoid Mode.

Requesting an additional option for D+ paranoid mode to allow “Every action of the safe executable files are learnt” for user defined safe files would be an exact match for the above mentioned scenario. There would be no need to switch back and forth to Safe mode either.

Besides Training mode was meant to learn all actions for all applications. Using Safe mode or CleanPC mode would have been a better option. There is no security allowing an application to run only to see what access right it got after those action will be granted and obviously it was not something possibly needed for safelisted apps.

I use CIS in clean PC mode with parental control on. It works well as in normal use I get zero pop-ups and almost nothing gets blocked. I cannot use paranoid mode. Other users of my PC would not know how to answer alerts.

If I upgrade an application and the new version does direct disk access or something else dangerous I want to know. If everything was not learned in advance I could run the new program with it in my pending files to test it out. It would be even better if I could select certain things that always gave a pop-up. The way it is now I would never be alerted. I think this needs to be an option for people that want it. It cannot be hard for the developers to do as this is how it used to work.

If I install a program I don’t want lots of pop-ups. I would like a pop-up every time if the installer tries to install a device driver. I cannot do this. Defence+ is very good but not quite there for me.