First off, I’m running Comodo Defense+ with auto sandbox disabled, because I previously used Tiny Firewall 2005 for many years and am used to a classical style HIPS.
I’ve noticed that the default policy for Windows system apps in Defense+ allows them to start any app, trusted or unknown, without prompting (look under Computer Security Policy, Pre-defined Policies, Windows System Application, Exclusions). As an experiment I set Windows Explorer to use the Windows System Application policy, and it can then launch any unknown app without a prompt (and without sandboxing if auto sandbox is enabled).
Does this mean that malware exploiting buffer overflow vulnerabilities in Windows system apps (e.g., Conficker, MSBlaster, Sasser, etc., which target lsass.exe) can run their payloads freely?
And can I safely modify the Windows System Applications policy to ask when launching unknown apps? I can’t see why they would need to do this regularly. I have been running like this for a couple of days with no ill effects or extra pop-ups so far, but if lsass.exe or similar tries to launch newwormpayload.exe, I should hopefully get a pop-up.
Thanks for this excellent free product!
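The concern in the post is that a core system process such as lsass.exe should practically never spawn a child process, so a HIPS that lets it do so silently removes a useful tripwire. Independent of what any HIPS policy allows, the same condition can be checked on the host. The script below is an added example and is not part of the forum post or of Comodo's product; it takes a snapshot of running processes with the standard `Win32_Process` CIM class and reports any child whose parent is one of a small list of system processes (the list itself is an assumption to tune per environment; note that winlogon.exe and services.exe legitimately spawn children, so they are deliberately left out).

```powershell
# Added example (not from the forum post or Comodo): report running processes whose
# parent is a core Windows system process that should not normally launch programs.
# Requires Windows PowerShell 3+ or PowerShell 7 and local administrator rights to see
# the command lines of other users' processes.

# Assumption: parent names that should rarely or never launch other programs.
# Tune for your environment; winlogon.exe and services.exe are legitimately busy parents.
$watchedParents = @('lsass.exe', 'csrss.exe')

# One snapshot so parent lookups are consistent across the loop.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]

    # Parent already exited: ParentProcessId is stale and the PID may be reused.
    if ($null -eq $parent) { continue }

    # PID reuse guard: a real parent must have been created before its child.
    if ($parent.CreationDate -and $p.CreationDate -and
        $parent.CreationDate -gt $p.CreationDate) { continue }

    if ($watchedParents -contains $parent.Name.ToLower()) {
        [pscustomobject]@{
            Parent    = $parent.Name
            ParentPid = $parent.ProcessId
            Child     = $p.Name
            ChildPid  = $p.ProcessId
            ChildPath = $p.ExecutablePath
            CmdLine   = $p.CommandLine
        }
    }
}

if ($findings) {
    # Anything listed here deserves a look: lsass.exe and csrss.exe have no normal reason
    # to start other executables.
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No child processes of $($watchedParents -join ', ') found."
}
```

Run it from an elevated prompt. An empty result is the expected steady state on a healthy machine; it is a point-in-time check only, so a short-lived child that has already exited will not appear, which is exactly why a prompting HIPS rule or process-creation auditing (Sysmon or the Windows audit policy for process creation) is the complementary control for the scenario described in the post.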