Just before Windows completely shuts down and disappears I get a Defense+ pop-up alert
attached file
what do I do about it please?
thanks
[attachment deleted by admin]
System should be a member of the predefined file-group Windows System Applications
I dunno what your security config is, or why it's not in your HIPS config, but what I'd do is create a rule for it manually in D+, i.e., HIPS Application Rules, and ensure that it implements the predefined security policy Windows System Application
Ensure that rule is the second HIPS rule from the top.
ok I did what you suggested thanks
what about the rest of the windows items there (attached image) should I just remove all 4 entries from there?
I mean shouldn't Comodo not worry about explorer, system, services, svchost by default?
should I remove them all or just apply the same ruleset you suggested to all of them, and if that latter option is better, what would be the hierarchy for all of them there please?
thanks again
[attachment deleted by admin]
I detect you have a sense of adventure, that pioneering spirit, and intestinal fortitude and above all else gumption. The fact that you have SvcHost and services listed as individual HIPS rules tells me that. It would also appear that your security config is that of Paranoid.
SVCHost is a fundamental core component of system operation; it's not for the faint of heart and I'd not recommend breaking it out of the Windows System Applications file-group until the rest of the system is fleshed out with rules. With SVChost as an individual entry, you must be able to discern what normal processing is at the system level. How to ID a compromised SVCHost can be perplexing for such an enigmatic and crucial system process as SVCHost.
That being said, I have All Applications as the first HIPS rule. It has three rules for execution:
%SYSROOT32%\dwwin.exe
%SYSROOT32%\drwtsn32.exe
%SYSROOT32%\dumpprep.exe
Protected registry keys:
Temporary keys (predefined group)
Protected files & folders:
\Device\Afd\Endpoint
These are the default permissions for all executables on the system. It should be the first HIPS rule. Then Windows Systems Applications file-group.
Then I have all the essential boot processes, e.g., video / sound card drivers, mobo-monitor, CIS, browser, and explorer. Following that I have in alphabetic order all the %SysRoot32% stuff, e.g., services, svchost, etc.
Following all that I have specific applications in descending order of frequency of use. Above all the mundane Java, Adobe, Flash, Shockwave updater rules I have the Windows System Updater file group with predefined Installer / Updater permissions.
Once the security baseline has been established, CIS pretty much doesn't bother you much. Only 1% of the 1 alert out 99 otherwise handled events will be of note. Those alerts can't be avoided, in that, e.g., I don't create a rule for explorer.exe to launch regedit; that app is only launched by me, and I want to otherwise know when it gets launched. Same with stuff like regsrvr32.dll, etc., that has no business running by itself w/out my knowledge.
That intimates extremely judicious implementation of installer / updater permission and a very restricted pool of applications allowed for such, e.g., Windows Updater Applications.
That’s how I do it. Your mileage may vary. Last good work long time.
“I detect you have a sense of adventure, that pioneering spirit, and intestinal fortitude and above all else gumption. The fact that you have SvcHost and services listed as individual HIPS rules tells me that. It would also appear that your security config is that of Paranoid.”
thanks for the fine compliments but in fact I'm nothing like that intrepid adventurer. I actually don't know that much of how to fully set COMODO properly and when the HIPS alert messages popped up I must have made some wrong decisions… that's what you see there… I'm not even sure how to follow your very thorough guide there…
all I want is to know whether I can just remove (delete entirely) all these entries from the HIPS rules and how to flag these if they pop up again. for instance
if svchost pops up what do I tell it? if explorer pops up?
You may have accidentally blown away the existing rules.
You could:
Remove the SVCHost and Services rules from HIPS rules-set; they are parcel to the predefined Windows System Applications file-group, and run with that.
Or you could import the default Comodo Proactive Security config as My Proactive Config. It'll reset the rules to default using default file-groups for system processes and default permissions. ALL OTHER processes related to installed apps will alert according to paranoid security config and allow you to allow and remember that to create the specific rules.
Obviously if you import the default proactive config, you will lose the FW rules created so far. Doesn’t look like you’d lose much in way of HIPS. Prolly best to just make a clean break and get 'er on the rails again.
There's absolutely nothing wrong with your tack, it's just that you have to not flinch at alerts, have to be able to interpret when alerts should be ruled, and when alerts should be allowed to appear as a matter of course such that the user is aware that potentially dangerous / malicious activity is occurring; it's o.k. that the alert happens 'cause I'm doing that, but if I'm not doing that I wanna know.
WRT to SVCHost, it's a tough nut to crack. Suffice it to say that it's a service hosting service. This command will show what it's hosting:
Tasklist /FI "IMAGENAME eq svchost.exe" /svc
You don't need to be intimately familiar with what each service it's hosting does, but you have to immediately recognize if there's an unusual one in the list, and especially above all if there's an SVCHost process w/out PID listed (or an SVCHost process w/out a named service). That's a dead giveaway SVCHost has been compromised. But if otherwise whenever any alert appears, and that command shows the same ol' same ol', well then it's all good: allow & remember that; CIS won't bother you 'bout that specific issue anymore.
Eventually you get about 200 or so rules w/in SVCHOST for all its different resource access names and it stops bothering you, except for IP addresses. Again: if the command doesn’t show anything unusual, why ask why? Eventually you get a pool of some 200 or so IP and he bothers you less and less.
OR you can just keep him in Windows System Applications and don’t worry 'bout him at all and God does what He may; you trust CIS explicitly to keep your system clean.
Same w/ explorer.exe: it lives in Windows Updater Applications
I'd leave SVCHost, services, and explorer well enough alone until the system is fully functional WRT to apps that you use and normal system processing; that's a daunting enough challenge. And in fact, to create custom rules for any of those processes will require utilization of wildcards to manually configure the individual rules. That really becomes an issue WRT registry entries that all of those access (tons & tons).
That being said: if you truly are paranoid about intrusions, you eventually will be compelled to let those processes out of their default boxes and create custom rules for each. That's the only way to be sure, except perhaps nuking it from orbit.
BTW: you should get in the habit to export your custom proactive config. That way if you ever have to clean install, you can import a config copy and you won’t have to start from scratch (heaven forbid).
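The svchost check described above (the tasklist /svc listing, flagging any svchost.exe with no named service, and comparing against "the same ol' same ol'"), as an added PowerShell example that is not part of the original post or of CIS; it assumes Windows PowerShell 5.1 or later with the Win32_Process and Win32_Service CIM classes, and the baseline file path is an assumed placeholder:

```powershell
# Added example (not from the forum post): list every svchost.exe with the services
# it hosts, flag instances hosting no named service, and diff the hosted-service
# set against a saved baseline so "unusual" entries stand out.
param(
    [string]$BaselinePath = "$env:USERPROFILE\svchost-baseline.txt"  # assumed path
)

# Map hosting PID -> names of the services running inside it
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
    $svcByPid[$_.ProcessId] += $_.Name
}

# One row per svchost.exe process, mirroring what "tasklist /svc" shows
$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $hosted = $svcByPid[[uint32]$p.ProcessId]
    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = $p.ExecutablePath
        Services = if ($hosted) { ($hosted | Sort-Object) -join ',' } else { 'N/A' }
    }
}
$report | Format-Table -AutoSize

# An svchost.exe hosting no named service is the condition the post calls a giveaway
$orphans = $report | Where-Object { $_.Services -eq 'N/A' }
if ($orphans) {
    Write-Warning "svchost.exe hosting no service: PID(s) $($orphans.PID -join ', ')"
}

# Baseline comparison: first run records the hosted-service set, later runs diff it
$current = $report.Services -split ',' | Where-Object { $_ -ne 'N/A' } | Sort-Object -Unique
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath
    $new = Compare-Object $baseline $current |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
    if ($new) { Write-Warning "Hosted services not in baseline: $($new -join ', ')" }
    else      { Write-Host "No new hosted services since baseline." }
} else {
    $current | Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}
```

On Windows 10 1703 and later most services get their own svchost.exe instance, so expect many rows with a single service each; that is normal and not by itself suspicious.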
thank you so much, great tips there!