D+ settings still strong but less talkative

Hi,

Yep after having tried two Release Candidates of CFP which could not be made quiet. The 3.016 release is pretty good and the "rule setting -> protection" is becoming transparent. So a compliment from a Comodo sceptic

WARNING: ONLY USE COMODO WHEN YOU HAVE GOOD RECOVERY IN PLACE, It is still a buggy application

In their effort to deal with all the critics (D+ was chatty, without D+ version 3.015 failed some leaktests) and balance the features of this product with usability, the 3.016 has a basic and FW-leaktest only install mode.

For those of you only wanting a FW, this is great. D+ can be set a little more protective without becoming a screaming HIPS. Below are my set up tips.

Reducing D+ from Anti Executable to a Intrusion Behaviour 'Asker'
1. Double click the CFP icon, click D+ in the horizontal menu bar, chosse (click) Advanced in the vertical Defense + Tasks menu list.

2. Click Image Execution Control Settings on the screen, click the General tab, move slider to disable. Now you will not be warned when a new program arrives or old one is changed (disable AE function). Choose apply. And exit screen.

3. Right click CFP icon and either choose "train" or "train in safe mode"(last is preferred) for both the firewall and D+. Now you do not have to review pending files anymore.

Reducing D+ from a chatty IDS to and IDS only asking for serious threats'
4. Double click the CFP icon, click D+ in the horizontal menu bar, choose (click) Advanced in the vertical Defense + Tasks menu list.

5. Choose Defense + settings, click the Monitor settings tab and choose the options as shown in the attached picture. Choose Apply.
Tip: When you don't know why you should choose these options, Google around and educate yourself, when you think that is to much trouble: stop reading this post and use a smart behaviour blocker like ThreatFire/Primary Response Safe Connect/Mamuto/PrevX, because HIPS are not for you.

6. Click the Common Tasks in the vertical Defense + Tasks menu list. Choose my protected files. Select the "All Applications" File group, right click and choose remove (this will not delete this group only remove it from your protected files). Next click Add (top right options menu), hoover mouse over File Groups and choose Windows System Applications, do the same with Windows Updater Applications.

The above will limit D+ pop-ups to critical actions. Enjoy

 

Because asked by members, here are my registry and file settings. Collapsed groups are default groups.

My setup protects more static registry keys (in XP this should not cause extra pop-ups) and less files (only specified/targeted files to reduce pop-ups). This version 3.0.18 is stable on XP.

In conjunction with a policy/virtualisation Sandbox this is a strong setup.

 

Hi,

About the "My protected Files" feature, what will it exactly protect you from, and did you have to add all those entries individually? I ask this, because with Neoava Guard you can protect C/Windows + System32 and it will alert you as soon as some process tries to modify (system) files inside those folders.

 

@Kees- I can't read the registry entries. Are they pretty much the same as you recommended for Threatfire advanced rules?

 

Bellgamin,

Click on the image, it will be shown larger. Well yes, but in the mean time I collected some static registry items of EQSecurity users, brain picked a few from DriveSentry and HauteSecure, so this list is improved. Note the notation is COmodo Specific.

Rasheed,

You can add that in Comodo also, only ,y Registry and File protection is as static as possible. Comodo's D+ is a traditional HIPS, therefore you do not want wide scope rules (you will be bombarded with pop-ups by D+). The registry protection cover all Windows XP, boot, log-on, start up executables/libraries.

 

That setting is not good at all with NG. Infact NG has no such feature, it,s basically secret folder feature.

In the past when I tried a similar setting, it frooze my system.

 

@ aigle

We already had a little chat about this remember? This feature simply works correctly, see pic, configured like this, malware can´t tamper with any system file.

 

May be u are right. I need to test it again but not now, may be later. Not using NG ATM.

 

TIP

Set add all vendors of security aps and most used aps to my trusted vendors.

For the security software (funny enough also explorer.exe) which has not got signed files, add them to you own safe files.

Set Image execution control to normal, so when those trusted aps change you will get a warning (only suspicious when you did not update them).

Advantage of this is that when other users of the PC get a comodo warning it will tell them that those programs are safe.

 

@Kees

Thanks Kees for posting this info. D+ is much quieter now Any recommendations on the protected COM interfaces? I find applications commonly access ntsvcs, spoolss and {4590F811-1D3A-11D0-891F-00AA004B2E24}. Is it safe to allow these?

Jason

----------------------
COMODO Firewall Pro 3
ESET NOD32 Antivirus 3

 

I considered removing a few, but then I thought lets surf on the knowledge of the Comodo experts

SO what I know is:
4590F811-1D3A-11D0-891F-00AA004B2E24 = WBEM Locator = Locator of the Web Based Enterprise Management System, it is Java technology based equivalent of all the remote management services of Microsoft. You will find Java based aps tinkering with this [D]COM (distributed computing object model) feature (problably FireFox, Opera, LimeWire etc).

ntsvcs
Something with Remote Procedure Calls and named pipes allocation. Remote Procedure Calls are pieces of codes which reside on a different location (not the hosT) and can be executed (called) from the host.

Spoolss
It is the spooling service (printing a file from disk to printer in the background). Through Com object it is possible to fiddle with it (via named pipes and a null sessions) and send data remotely through this leak.

Is it dangerous:
All of these mecahnismes are intended to facility distributed computing, so by nature they are vulnarable to attacks.

In all hardening best practises it is advised to shut down some remote Windows features down. These Com objects are problably of the same threat level as the remote windows services, but are needed for a proper running system. So that is why Comodo watches them. This is COM object is typically a example of a HIPS informing a user, but the impact is absolutely a big question to the user. Therefore as an average user the pop-up is more or less useless. Some COM objects are self explanatory.

So for the following messages I apply this rule of thumb:
- DNS Client Service + Loopback networking + unknown COM objects warinings FOLLOWED BY OUTBOUND internet ==> very suspicious, press print screen (save with paint as a picture), allow without remember, Google around later.
- Same with registry change or FIle change or Driver loading or Physical memory or Direct Disk access ==> press print screen same procedure only block without remember, Google around

PS
When you are not getting any pop-ups any more it is a good idea to protect the core windows services as described in post 6 and 10.

 

Hi Kees! I was so annoyed that I removed it and all Pseudo COM interfaces( Privileges).
How much it,s going to compromise the security?
Are these things coverd by other classical HIPS( like EQS, SSM) in some other ways?

 

Aigle,

I think the priveleges ones are the most important.

Here is a link for GUID's http://www.myplugins.info/guids/

When you want to look up a COM object like

{9BA05972- F6A8- 11CF- A442-00A0C90A8F39} just look at the two first digits and click on these two digits on this screen, see pic.

Here you see that this com is associated with SHELL WINDOWS functionality, not nice when this COM object is accessed in a wrong way, but because I have protected most shell related registry keys it is not a lasting damage.

When a program gets temporary Debug priviliges this is a problem of a different category. Then again, a more knwoledgeable member should explain. For me it is about 24 years ago that I programmed.

Regards Kees

 

I really hate these privilege pop ups. They are soooooooo common for all applications. I can,t keep these filters on my system.

After all there are other HIPS that intercept such behavior only when an application actually tries to do something rather than just giving pop ups about privileges.

 

After some testing, these COM objects help to strengthen the firewall (stops PCFLANK at the right moment to pass the test)

I created my own (COM startup warning of applications), see pic

I do not thnink Opera is needed since it is Java based

 

U were using EQS again.

 

Yes, I was

https://www.wilderssecurity.com/showpost.php?p=1192201&postcount=2035

GOTD Mamutu for a second lisence for free.

 

Hi

I was interested in the various posts/threads alluding to Kees rules for "Quietening" Comodo D+

I use CPF with the D+ activated although I cannot claim that I am knowledgeable about HIPS and or their settings. I probably fall into the category of one who allows the wrong warning and disallow when it is right to allow it.

That said CPF+D+ seems to work for me. No horror stories yet. D+, for me is irritatingly "noisy" and I wonder how much kees rules to "silence" CPF+D+ actually diminishes D+ effectiveness?

If it does diminish the effectiveness would a better option be CPF only No D+ and Threatfire.

Put simply, Is CPF+D+ and Kees rules, as secure or more secure than CPF only with Threatfire and in addition which combo is the least noisy

Thanks for your help

Terry

 

Terry,

D+ with those rules leaves the most common intrusions untouched. Meaning you put deliberately holes in your defense. When you use a policy sandbox like GeSWall and DefenseWall or run Limited user you do not have to worry abouth those common intrusions anyway.

Other option is to add an behavior blocker like ThreatFire or Mamuto to deal with these common intrusions in an intelligent way. TF has some registry protection and some file protection. The D+ defaults cover more. D+ on or off does not seem to make a big difference in CPU usage. That said TF is always a good choice (with or without D+ reduced pop-up set up).

Regards Kees

 

Hi,

When you want to block the nag screen of Avira, you must enable image execution control and add Avira's notify to the blocked programs in rule for Avira's update.

Regards

 

thanks for the post kees1958 I tried this setup out on a friends pc and she doesn't get as many pop ups now,

I've noticed some duplicates in your protected registry keys and I was wondering if there's any problems with having duplicate entries?

does it alert you for the first listed one and ignore the second?

thanks anyone that can answer my question about duplicate entries not causing any harm in D+ or any other hips for that matter.

 

Gizzy,

No CFP will tell you that there are duplicates and offers to omit them. Rule sequence determines blocking/noticing. Because it is on a fire/pass basis, there is no 'fallthrough' logic problem. I sort of build up a list of startup protection. Started with a document "where malware hides" send to me by ZopZop, then ToppeID helped with references of existing tested Regdefend filters, based on Tony Klein's knowledge. By checking the release notes of RunScanner I occasionally have to add an entry.

So check RunScanner release notes for updates.

Regards

 

Hello Kees1958,
Thank you for taking the time to reply,

I was wondering about the duplicates because CFP does alert you of duplicates but only if they're in the same group,

though I suppose I could just use one group for all my keys,

I've been trying to create my own rules for CFP (so far it's a combination of keys and files from yours and comodo's default) and I guess duplicates don't hurt because as I was searching through the keys in comodo I noticed at least 3 duplicates so far and there's been no problems with it,

I think I understand what you say about how the rules work it doesn't matter how many entries are there as long as it's in the rules it'll block it or give an alert about it, correct?

and thanks for explaining how you came to get your ruleset I'll be checking the release notes of runscanner when new versions come out.

and one last thing since I'm posting anyway does it matter between capital or lower case? like why are some keys *SOFTWARE* and some *software*, or does that just fall under the same category as in if it's in the rules you'll be alerted? I know I'm probably thinking way too much into how these rules work.

alright I've taken enough of your time.

 

That is what I did

Yes

At some other applications it does matter. The HKLM (HKEY ocal machine) has the uppercase, the HKCU (HKEY Current User) the lowercase. At most aps when using a wild card correct use of upper/lower case does not matter. I posted a request on the Comodo forums on the symantics, but never got an answer. So I can not tell you

 

Thank you for all of your help in explaining this to me Kees1958,

I really appreciate it,