Why give blanket defence+ access to safe applications to do so much?

I think John Buchanan is saying that Defense+ catches when a safe program is modified by malware by a change in its hash/checksum.

Comodo could have pre-configured rules available online for safe applications when they are first run. This would also make it much easier to customize rules when the admin wants to reduce privileges to increase security.

This is how it originally worked. A new rule was added automatically for each thing that the program had to do when the program did it. The program was only allowed to do what the program needed to do. If you subsequently changed to paranoid mode the program would carry on running as it did before but with a learned rule set and not everything allowed.

But if you accidentally allow the first pop-up and the program already has rules to allow it to do so much then your security is weakened. The modified program can now do more than necessary including such things as direct disk access which I think is dangerous.

Modifying a safe program stops it learning but I believe it still keeps all its allowed rules. Correct me if I am wrong as I have not tried it.

And how many popups did you receive to allow this? Currently you receive fewer popups and greater security. Your argument is invalid in that you are saying a Trusted application should not be considered Safe nor trusted. That is a contradiction.
Listing an application as Trusted is just a different way of saying ‘you can do what you need to do’.
If you wish to have ultimate say on what actions each program is permitted, may I suggest you use Paranoid mode instead, as this will give you what you wish for (including far more popups).

How does automatically allowing everything reduce pop-ups as opposed to only allowing what it required? Please explain this to me.

The other side to this is programs like firefox automatically get rules to allow them to write to *.exe.

The admin account can configure Windows to prevent Firefox download of executables by a LUA this way:
Control Panel\Internet Options\Security tab\Internet Zone\Custom Level\Launching applications and unsafe files, set to “Prompt”
On the admin account, Firefox will not prompt for these downloads. Slick!

Why would an IE setting be used by firefox?

Firefox was criticized for reducing security by not honoring Windows Security Zone policies, so the Firefox team made this change a while ago. Maybe Thunderbird took the change too – I haven’t tried it.

Oh man, that’s really a d*** question!

Safe apps can do almost everything, Defense+ just needs to give the rules that the app required, when it required!

I did not know this and I bet most firefox users (and IE users too) do not know about such settings so it is not a general answer to the problem. I can set up my computer to be very secure but it needs to be easy for the masses.

Again this topic (like loads of others here) is going nowhere.

While I was pretty early on in worrying about this, I have since understood what's happening with CIS. I had made the erroneous assumption that if Firefox is trusted and allowed to create an EXE then that EXE would have trusted status. This is true for policy based HIPS like G3swall or Def3ns3Wall (if firefox is trusted there) but NOT CIS.

The NEW executable written by a trusted app (e.g. firefox or windows explorer or whatever) would NOT have trusted status and therefore would be treated with a ‘default deny’ approach i.e. a popup(s).

Our/My main worry was the inheritance of the Trusted status which is NOT happening with CIS, so in actuality there is nothing to worry about. It was a simple case of confusing policy based HIPS with a true HIPS. grin

P.S. Although I still prefer the older approach… ;D

What if it is NOT a new application? An existing program is overwritten. It will already have rules to do things. No default deny in this case. I am not even sure if there is a pop-up when writing to an existing EXE as firefox appears to be able to write to exe files.

The point of this topic is that no-one can give a good reason for why it works as it does. Can we have an answer from a developer?

As noted above,

Go to Defense+/Advanced/Image Execution Control Settings
Set the control level to at least ‘Normal’, and in ‘Files to Check’ tab, select Add/File Groups/Executables
Click ‘OK’

All executable files will be checked prior to loading. If a file has changed, then it no longer matches what you have listed as ‘Trusted’ or ‘Allowed’. It therefore generates a popup asking you to verify its use prior to being permitted to run.

Does this help you any?

A bug in firefox allows it to write malware overwriting an existing application. No pop-up (I think) as firefox is allowed to write to exe files or users would complain about pop-ups when downloading programs.

User tries to run the safe application. The user gets one pop-up asking them when they try to run their application. They think the application is safe and so allow it. The malware can now do everything the initial application was allowed to do.

Solution: restrict the initial application to only what it needs to do. An alternative might be to take all rights away from a modified program. This would cause pop-ups when an application was updated unless the user took it out of my pending files.

It would also help if firefox could only save exes to a particular area e.g. the downloads directory. However users are accustomed to being able to save wherever they want.

By the way, the admin controls which extensions are considered executables by the Designated File Types key in the Software Restriction Policy.

Wouldn’t Defense+ produce a pop-up for the malware because its hash/checksum doesn’t appear in the safelist?

Your solution could take at least two different forms. One is that Comodo includes custom rules in its database for each safe application. This seems like an impossibly large task for Comodo to handle accurately. Another form is that Defense+ learns the behavior of safe applications on each PC. But it is essential that Defense+ detects by a hash change when malware replaces a safe application. Otherwise, Defense+ will just keep on learning the behavior of the malware it thinks is safe. But, if Defense+ detects the hash change when malware replaces a safe app, then your justification for your solution evaporates.

I suspect that Comodo developers changed Defense+ to allow everything for safe apps because it increases speed and reduces the size of rules. I would like to see an option called “Learn behavior of safe apps” because it allows me to see what a suspect app has done, and it makes it easier for me to customize the rules to take away privileges from an app to protect privacy. As soon as I customize the rules for an app, I want Defense+ to switch to act like Paranoid Mode for this app. The mainstream Comodo users would never do these things, so it would be best if my proposed option were disabled by default. This option would allow knowledgeable users to take more control without the huge pain of the existing Paranoid Mode.

I see a hole in my logic. Defense+ does not detect hash changes in safe apps because Comodo developers think that including them in the My Protected Files prevents unauthorized modification (see https://forums.comodo.com/help_for_v3/does_cpf_30_do_md5sha-t17679.0.html;msg127080#msg127080). But tcarrbrion’s security hole scenario involves unauthorized modification by a safe app that is allowed access to My Protected Files.

I propose adding a new Access Name to the Process Access Rights called “Write/Modify Executables”. It could be set to Ask by default for safe and trusted files, and Parental Control would block the action for inexperienced users. The “Installer or Updater” predefined policy would set this Access Name to Allow. This proposal eliminates the need for Defense+ to learn the behavior of safe/trusted apps, while preventing tcarrbrion’s security hole scenario. Comments?

Only when running, not when saving.

I don’t think it does evaporate. The only pop-up is when you run the modified application with a safe name.

This is what I suspect.

This sounds great.

Then users would complain of pop-ups every time they download a program from the internet.

It might work if it was limited to just c:\program files and c:\windows.

Or, better, the entry for executables in “my protected files” could just contain c:\program files\*.exe and c:\windows\*.exe (and same for dll) and then downloading elsewhere would not give a pop-up and there would be no need for it to automatically add *.exe to allowed files for firefox etc.
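
The suggestion made earlier in the thread to take all rights away from a modified program, combined with the hash check before loading described for Image Execution Control, can be modelled as follows. This is an added example, not part of any post and not Comodo's code; the `RuleStore` class, the action names and the sample file are hypothetical.

```python
import hashlib
import os
import tempfile

class RuleStore:
    """Hypothetical model: per-executable rules pinned to the file's SHA-256."""
    def __init__(self):
        self._entries = {}  # path -> (pinned sha256 hex, set of allowed actions)

    @staticmethod
    def digest(path):
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def trust(self, path, actions):
        # Record only the actions the program needs, bound to its current contents.
        self._entries[path] = (self.digest(path), set(actions))

    def check(self, path, action):
        entry = self._entries.get(path)
        if entry is None:
            return "ask"  # unknown file: default deny, prompt the user
        pinned, actions = entry
        if self.digest(path) != pinned:
            # Contents changed since the rules were made: drop every rule,
            # so the replacement inherits nothing from the original program.
            del self._entries[path]
            return "ask"
        return "allow" if action in actions else "ask"

def demo():
    store = RuleStore()
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "editor.exe")  # constructed sample file
        with open(exe, "wb") as f:
            f.write(b"original program bytes")
        store.trust(exe, {"read_documents", "write_documents"})
        before = store.check(exe, "write_documents")
        unlisted = store.check(exe, "direct_disk_access")
        with open(exe, "wb") as f:
            f.write(b"replaced program bytes")  # simulates an overwrite on disk
        after = store.check(exe, "write_documents")
        later = store.check(exe, "read_documents")  # old rules stay revoked
    return before, unlisted, after, later

if __name__ == "__main__":
    print(demo())
```
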