Windows System Apps can start any untrusted application - safe to disable?


First off, I’m running Comodo Defense+ with auto sandbox disabled, because I previously used Tiny Firewall 2005 for many years and am used to a classical style HIPS.

I’ve noticed that the default policy for windows system apps in defense+ allows them to start any app, trusted or unknown, without prompting (look under computer security policy, pre-defined policies, windows system application, exclusions). As an experiment I set windows explorer to use the windows system application policy, and it can then launch any unknown app without a prompt (and without sandboxing if auto sandbox is enabled).

Does this mean that malware exploiting buffer overflow vulerabilities in windows system apps (e.g., conficker, msblaster, sasser, etc which target lsass.exe) can run their payloads freely?

And, can I safely modify the windows system applications policy to ask when launching unknown apps? I can’t see why they would need to do this regularly. Have been running like this for a couple of days with no ill effects or extra pop-ups so far, but if lsass.exe or similar tries to launch newwormpayload.exe, I should hopefully get a pop-up :slight_smile:

Thanks for this excellent free product!

There are two very powerful policies that are allowed to start other applications without notifying the user: Windows System Policy and Installer/Updater Policy. It goes without saying that they need to be used with utmost restraint.

However when an unknown application gets started it will get scrutinised for BO and whether it is a virus.

You seem like an experienced user to me and may like this part of the online help: Unknown Files: The Sand-boxing and Scanning Processes for reference.

Let us know if you have any questions. Coming from another product may need some adjustments to get to grips with similarities and differences between the two products.