2 questions about Defense+

Discussion in 'other anti-malware software' started by bellgamin, May 16, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I have 2 questions concerning Defense+, the HIPS module of Comodo Firewall Pro...

    Q1- I get more alerts when using D+ in Safe Mode than I do when using Paranoid. Why?

    Q2- For D+, what is the practical difference between placing a given process within "trusted" category VERSUS adding that process to "My Own Safe Files"?

    P.S. I asked these same questions in Comodo's support forum & received naught but a barbed comment to read the help files (which I already had done). A silly, sad place to seek help for an otherwise excellent HIPS. :mad:
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Q1: beats me, safe mode should be less, because actions of safe programs should be learned

    Q2: advantage of mentioning it in my safe files (or the vendor), is that in pop-ups it will be mentioned as a SAFE program (instead of Unknown) and its actions will be learned (see Q1).

    I do not know whether you have changed your predefined trusted programs policy, but the chance of getting a pop-up for a trusted program is normally very low.

    Try PM egemen or a developer in the forum. Forum is crowded with CFP fans of which a low percentage is able to provide answers. Probably only feel safe because they get a lot of pop-ups initially. It is like having this great CAR (called Comodo FW) with lots of engine power. You feel it when you drive fast and dangerously. When you drive real slow and safe you do not notice its power. Comodo fans have an answer to that: just replace the hood with a transparent one (of fiberglass). When driving slow and safely, they can see the engine, wow great man. Seeing pop-ups is looking under the hood for most CFP fans.

    I was a Comodo critic, but I must say V3 is a good program.
     
    Last edited: May 17, 2008
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A1 - I don't believe that's possible.

    A2 - 'Trusted Application' is a predefined policy. To see what this predefined policy does, look at the predefined policy's definition. I don't have CFP on this machine, but if I recall correctly, this means the process can do anything without alert except launch programs and modify protected files. Adding the process to 'My Own Safe Files' has the same effect as having the process on Comodo's whitelist. The effect of having a program on the whitelist depends on the Defense+ mode. There's no effect if you're using Paranoid Mode. On the other hand, if you're using Safe Mode, then actions between two whitelisted items will not result in an alert.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    regarding comodo 3 how I have done it is on a fresh windows install I install comodo 3 last otherwise if you install it first you will be bombarded with pop ups while installing everything else.

    Then for the first few days on my new installation I put D+ in "Training mode" that way you will get 0 popups because comodo is learning all about your pc.

    then after a few days use after comodo has learnt all about your setup I lock down my pc and put D+ in Paranoid mode.

    this is the easiest and most secure way.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Correction: a 'Trusted Application' is allowed to modify protected files, by default.
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    You are too too correct. Glowing exception-- MrBrian gave VERY good advice.

    NOTE- For purposes of following discussion I will use "whitelisted" to refer to apps on Comodo's whitelist PLUS apps which the user puts into My Own Safe Files (MOSF).

    From various inputs concerning Q2, especially those by MrBrian, I have learned that...

    1- "Trusted" and "safe" (whitelisted) are not synonymous states.

    2- The 'Trusted Application' predefined policy in D+ should be used very sparingly, because it gives too much power. Examples:

    (a) A Trusted Application program can modify any protected file without alert, while a whitelisted program attempting to change a protected file WILL generate an alert.

    (b) If a Trusted Application program suffers a buffer overflow exploit, the program will be allowed to change protected files, among other things. Not so for whitelisted programs.

    Ergo, I have pretty much decided NOT to put any process into Trusted status, but to use MOSF instead. However, I am still learning so....
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Statement 1 is a factual statement. Statement 2 is only my opinion. I formed that opinion because legitimate programs can potentially do bad things when exposed to malicious content. I decided to use Paranoid Mode because I didn't want bad behavior committed by legitimate programs exposed to malicious content to be learned by Defense+. If you plan to use Paranoid Mode, it won't make any difference whether a given program is on the whitelist or not, except that the whitelist status is given in alerts. If you do use 'Trusted Application', IMHO it's best to use it on programs that are not likely to be exposed to malicious content.
     
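The rules the posters piece together in this thread (an explicit 'Trusted Application' policy versus whitelist/MOSF status, and how Safe Mode and Paranoid Mode treat each) can be written down as a small decision model. The following is an added example, not code from the thread or from Comodo; it is a constructed simplification of the behaviour described in posts 3, 5, 6 and 7, with the assumptions that an applied policy takes precedence over whitelist status in every mode, that the whitelist only matters in Safe Mode, and, per MrBrian's recollection, that a 'Trusted Application' still alerts on launching programs. The program and file names are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    """Defense+ operating modes discussed in the thread."""
    PARANOID = "Paranoid Mode"
    SAFE = "Safe Mode"


class Action(Enum):
    """Kinds of actions Defense+ mediates (constructed subset for the model)."""
    MODIFY_PROTECTED_FILE = "modify protected file"
    LAUNCH_PROGRAM = "launch program"
    ACCESS_PROCESS = "access another process"


@dataclass(frozen=True)
class Subject:
    """A running program as Defense+ sees it."""
    name: str
    whitelisted: bool = False      # on Comodo's whitelist or in My Own Safe Files (MOSF)
    trusted_policy: bool = False   # user applied the 'Trusted Application' predefined policy


@dataclass(frozen=True)
class Target:
    """What the action touches: another program (possibly whitelisted) or a protected file."""
    name: str
    whitelisted: bool = False      # a protected file is never a 'whitelisted item'


def popup_label(subject: Subject) -> str:
    """Label shown in a pop-up: whitelisted programs appear as SAFE, others as Unknown."""
    return "SAFE" if subject.whitelisted else "Unknown"


def needs_alert(mode: Mode, subject: Subject, action: Action, target: Target) -> bool:
    """Return True if Defense+ would raise a pop-up, per the rules stated in the thread.

    Rule order (assumed for this model, not Comodo's actual engine):
      1. An explicit 'Trusted Application' policy applies in every mode: by default it
         allows everything, including modifying protected files, except launching programs.
      2. In Paranoid Mode the whitelist makes no difference: everything else alerts.
      3. In Safe Mode an action between two whitelisted items is silently allowed;
         anything touching a non-whitelisted item (e.g. a protected file) still alerts.
    """
    if subject.trusted_policy:
        return action is Action.LAUNCH_PROGRAM
    if mode is Mode.PARANOID:
        return True
    return not (subject.whitelisted and target.whitelisted)


def thread_scenarios() -> List[Tuple[str, bool]]:
    """Run the cases the posters argue about and return (description, alerts?) pairs."""
    browser_trusted = Subject("browser.exe", whitelisted=True, trusted_policy=True)
    browser_mosf = Subject("browser.exe", whitelisted=True)      # MOSF only, no policy
    unknown = Subject("setup.exe")                                # constructed unknown binary
    protected = Target("<protected system file>")                 # constructed placeholder
    shell = Target("explorer.exe", whitelisted=True)

    return [
        ("Trusted policy modifies protected file (Safe Mode)",
         needs_alert(Mode.SAFE, browser_trusted, Action.MODIFY_PROTECTED_FILE, protected)),
        ("Trusted policy modifies protected file (Paranoid)",
         needs_alert(Mode.PARANOID, browser_trusted, Action.MODIFY_PROTECTED_FILE, protected)),
        ("Trusted policy launches a program",
         needs_alert(Mode.SAFE, browser_trusted, Action.LAUNCH_PROGRAM, shell)),
        ("Whitelisted (MOSF) modifies protected file (Safe Mode)",
         needs_alert(Mode.SAFE, browser_mosf, Action.MODIFY_PROTECTED_FILE, protected)),
        ("Whitelisted accesses whitelisted process (Safe Mode)",
         needs_alert(Mode.SAFE, browser_mosf, Action.ACCESS_PROCESS, shell)),
        ("Whitelisted accesses whitelisted process (Paranoid)",
         needs_alert(Mode.PARANOID, browser_mosf, Action.ACCESS_PROCESS, shell)),
        ("Unknown accesses whitelisted process (Safe Mode)",
         needs_alert(Mode.SAFE, unknown, Action.ACCESS_PROCESS, shell)),
    ]


if __name__ == "__main__":
    for description, alerts in thread_scenarios():
        print(f"{'ALERT ' if alerts else 'silent'}  {description}")
```

Running it shows why bellgamin lands where he does: the two 'Trusted policy modifies protected file' rows stay silent in both modes, while the MOSF program doing the same thing still alerts, so a browser with the Trusted policy keeps that power even if it is exploited, whereas a merely whitelisted one does not.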