Why give blanket defence+ access to safe applications to do so much?

Why does defence+ now give access to so many things automatically to safe applications even if the application does not need it? If it is safe it will learn what the application does anyway, so how does this help? I guess it might speed things up slightly, but presumably only during initial learning. I would rather have stronger security. It might keep the size of the rules down slightly, but if this is a problem it would be better to solve it by saving the rules a different way.

If some malware replaced a safe application it would go to my pending files and it would no longer be safe and would no longer learn automatically, but if it has already learned more than necessary then security is less strong.

I know there would be a pop-up when the malware replaced the safe application, but if this was answered incorrectly for some reason then the automatic rules would reduce the security. A user is more likely to realize they have a problem the more pop-ups they get.

I had a similar inquiry which I posted about in…

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/query_about_new_d_behaviourexplained-t34793.0.html

The correct solution IMO would have been the ‘old’ tactics. Learn all the actions of the safe application and NOT do a blanket Allow All…

In the new way, I have manually changed some D+ access rights for internet-facing apps (Firefox, IE, uTorrent, eMule, Winamp etc.) for stuff like Device Driver Installation, Process Termination, Protected COM/Registry/Files to Block. This should have been done by Comodo.

CIS is like Samson, super tough but not very smart. It's VERY user-dependent. If the user is savvy/smart then CIS is impregnable, but if not then it is… (that Samson analogy is good… grin. It's for this reason alone that my parents/sis cannot use it. They can after it's trained, but not while… it's too complicated for them to understand the lingo).

I would have loved an “Un-trusted by default” approach. (“Default Deny” - you should copyright it… ASAP.) I can name some software which follows this approach. It's a ‘smart’ approach.
Of course if the AV comes in the top 3-5 then it makes D+ kinda redundant. … I've never encountered 0-day malware (i.e. where the AV (ava5t or CAV in this case) couldn't catch it), unless I made it myself.

This is a good food-for-thought thread. iLIkeIt.

CIS is a default DENY approach. All stuff that's not a trusted app gets blocked by default, thanks to D+…

What safe mode does is help users get fewer popups while maintaining FULL security. All safe apps have been thoroughly analyzed by COMODO, and to my knowledge no spyware/malware will be able to replace a trusted file and be treated as trusted. If spyware replaces a trusted file you will get many alerts about the file trying to modify the other file, access the disk, load DLLs, bla bla; I don’t know the exact alerts as it might use many techniques. But…

No one is forcing anyone to use the white list…
Set D+ to Paranoid Mode, and all alerts about everything will be up to you, and set the firewall to custom policy…
That way no whitelist will be used… And also make sure you untick “trust applications digitally signed by trusted software vendors”… D+ > advanced > D+ settings…

I still think the safelist and such is a good idea, since it helps novice/new users, and prevents them from accidentally blocking important applications. And later, if they feel like it, they can be control freaks and decide for all apps exactly what they can and can’t do! =) However, don’t believe a “safe app” can do anything… As soon as a safe app tries to do something or load something suspicious, you will still get an alert!

If an application is safe all it needs to do is allow the things the application needs. Setting a blanket allow does NOT give fewer pop-ups. A safe application will give zero pop-ups even without this. It will only make a difference if the user subsequently changes to paranoid mode, but any user who wants paranoid mode is not likely to want blanket allow rules.

MoneyBoy=) C'mon. Default Deny CIS… you gotta be kiddin me, playa. How is a user-responsive system default deny? If you look at this post (and mine) we are worried that now it's become default allow!!!

There are only a few Default Deny approaches, and that’s vmware/virtualbox a la virtualization, or SRP or anti-executable. (This is off topic.)

That said, I bought your explanation (about safe mode) the first time around, and I buy it again. Thanks.

But I TOTALLY agree with tcarrbrion. = “If an application is safe all it needs to do is allow the things the application needs”. Man, tcarrbrion, you and I are totally on the same page here…

But there is a simple workaround. Let D+ Allow All and then you go and manually change some stuff (like process terminations, device driver installations) for programs like firefox, iexplore, utorrent, emule… basically any internet-facing app.

I never said I don’t want the safe list, I think it is a good idea. For me, it never has enough in it. But it should not set so much allowed for safe applications if there is no need for it.

Not allowing all actions of a trusted application even in safe mode… is a good thing to prevent the application from being hijacked or attacked.

Take Windows Media Player for instance… You play a video that you just downloaded from a homepage; Windows Media Player will load everything this video asks for. The video could potentially load a bad DLL file or similar, and make Windows Media Player act weird and do stuff it's not supposed to… This is why it's good to prevent even safe applications from loading, for instance, a “not safe” or yet-to-be-classified application, and from performing some actions.

Safe mode was intended to keep the security as high as paranoid mode while giving you fewer popups; still, some popups are necessary so as not to reduce security… that's why even safe applications will bring an alert once in a while. For those not listed as trusted, you will get as many popups as you would get in paranoid mode, that is, a popup for almost everything.

Nothing bad will run. It gets denied by default, and the user gets a question… And the good stuff will give you very few popups… At least in the theory of safe mode. =)

Don’t worry, paranoid mode will still be there for those who like to control every little action even for safe applications… But unfortunately paranoid is not for normal users; they will complain about all the popups. It's a good thing Comodo offers so many options, I mean modes: one for the tweak freak and another for the masses that still maintains full security!

^ I agree with what you guys are saying.

But I wish CIS would place internet-facing apps in a separate category/area and deal with them as such. (Maybe a wish-list addition.)

An Allow All for CCleaner is very different from the one for IE.

PS. Unless I see proof of what I fear, I will go with Monkey_Boy=)'s (man, is your nick complicated) explanation and rest easy. Peace out.

I have created a program group in defence+ of internet-facing applications and block things like direct disk access, device driver installations etc. to make sure they are blocked. This is not for the average user, though.

I did something similar but individually. I only have 4-5 internet-facing apps: Firefox, IE, uTorrent, eMule (sometimes).

Actually I let this go, because I realized that D+ asks about suspicious behaviour even from trusted apps, which is what I wanted. E.g. abc.exe is categorized as trusted. But when it tried to create a .sys file I got prompted, which is what Monkey_Boy’s been saying all along. So, pretty good stuff.


I read in another thread that CIS is slow when saving rules as it appears to save the whole lot at once. This could be a reason for the blanket rules so everything saves in one go.

I definitely agree with tcarrbrion. The new way of allowing trusted applications access to almost everything is not very cute. It doesn't help anyone with anything but causes problems for some users who are skilled enough to work in paranoid mode but at the same time too lazy to do this. For me the best way to work with defense+ is to reinstall the whole system, then use the trusted software list to automatically allow what the clean computer's software needs, and then switch to paranoid. After that new system of allowing actions I have to manually disable some rules for some applications after switching to paranoid, which is pretty difficult.
Please think about that change - I can't really find the reason why that change was made.

(sorry for my english)

I am very disappointed that this has not been addressed in 3.9. It should at least be an option and since this is how it used to work should not be too much work for the developers.

I plan to upgrade from CFP 3.0 to CIS 3.9 when it is released. I was using Paranoid Mode in CFP 3.0, but it was a painful training period over several months, and I share the PC with an inexperienced user who learned to allow everything. I am trying to figure out what to do for CIS 3.9. I share tcarrbrion’s concern.

With all of my security precautions, I feel confident in using Clean PC Mode. Would this address tcarrbrion’s concern? In other words, does Clean PC Mode produce the same rules as Paranoid Mode on existing applications after training? If malware replaced an existing application, would Clean PC Mode produce an alert?

If you trust an application, why complain about its access? If anything (other than you personally) tries to modify any program file, Defense+ will stop it and issue an alert asking if you are aware of this before letting it continue. Even if you choose not to reply to the alert, the resolution will be ‘Deny’.

Maybe this topic is helpful: Configuring CIS for Maximum Security with ZERO Alerts for Novices

I’m with tcarrbrion and slangen!

I really hate the default allow for safe apps! In the previous versions it was different!

If an application is safe, all that Defense+ needs to do is allow the things the application needs.

Why does Defence+ now give access to so many things automatically to safe applications even if the application does not need it?

But this behaviour does NOT reduce pop-ups if you are safe. Everything the application needs to do will be learnt anyway. If an application gets modified so it is no longer safe then you will get fewer pop-ups, as it has already got rules for lots of things it does not normally do. If an application is compromised I want as many pop-ups as possible in case the wrong reply is given to the first one.

To me it reduces security for no gain. There might be a slight performance gain when an application is initially learning, but once this is done it will make no difference, only reduce security.
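The argument in the thread (learned rules vs. blanket Allow All, plus the internet-facing block group) can be checked with a small model. This is an added illustration, not Comodo's code: the access categories are the ones named in the thread, while the training and post-compromise action sequences and the allow/block/alert rule model are constructed.

```python
"""Model of two Defense+-style rule-learning policies for a trusted application.

Added illustration, not Comodo's code: the access categories are those named in
the thread; the action sequences and the allow/block/alert model are constructed.
"""

# Access categories mentioned in the thread (constructed subset).
CATEGORIES = {
    "Protected Files", "Protected Registry", "Protected COM",
    "Device Driver Installation", "Process Termination",
    "Direct Disk Access", "Load DLL",
}

def learn_rules(training_actions, blanket=False):
    """blanket=True models the new 'Allow All' for safe apps; blanket=False
    models the old behaviour of learning only the actions actually observed."""
    return set(CATEGORIES) if blanket else set(training_actions)

def evaluate(actions, allow, block=frozenset()):
    """Decide each action: explicit Block rules (the internet-facing group
    workaround from the thread) beat Allow; anything else alerts (default deny).
    Returns counts per decision."""
    counts = {"allow": 0, "block": 0, "alert": 0}
    for act in actions:
        if act in block:
            counts["block"] += 1
        elif act in allow:
            counts["allow"] += 1
        else:
            counts["alert"] += 1
    return counts

# Constructed sample: what a browser does during clean training, and what it
# attempts after being replaced or hijacked.
TRAINING = ["Protected Files", "Protected Registry", "Load DLL"]
AFTER_COMPROMISE = ["Load DLL", "Device Driver Installation",
                    "Process Termination", "Direct Disk Access"]
RISKY = {"Device Driver Installation", "Process Termination", "Direct Disk Access"}

def compare(training=TRAINING, later=AFTER_COMPROMISE):
    """Decision counts under each policy, for training and post-compromise runs."""
    learned = learn_rules(training)
    blanket = learn_rules(training, blanket=True)
    return {
        "learned_only": evaluate(later, learned),
        "blanket_allow": evaluate(later, blanket),
        "blanket_plus_block_group": evaluate(later, blanket, RISKY),
        "training_under_learned": evaluate(training, learned),
    }
```

The learned-only policy alerts on every action outside the clean training set and still raises zero alerts during training, which is the point made above; blanket allow raises none after compromise unless the block group is added.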

And how should D+ automatically (!) decide what an application needs?