An approach for configuring Comodo Internet Security Defense+ for fewer alerts

I have outlined my new approach for configuring Comodo Internet Security Defense+ for fewer alerts here. Since this approach also results in a considerably smaller ruleset, those of you who want to reduce the amount of time spent remembering the answer to a Defense+ alert may also be interested.

 

Brian,

I saw it, It's excellent! Well done. I hope Egemen, Melih and other Developers take note and atleast put ONE of your concepts into consideration for CIS v4.0 (for the usability side).

Great work!

Cheers,
Josh

 

Thank you for the kind words Josh . There's actually nothing too novel in my approach, except for the idea of putting most of the execution rules in the 'All Applications' policy instead of individual parent/child policies. It would be nice if future versions of CIS had the option of automating this for those that desire to do so.

 

For the sake of usability, I would recommend that future versions of CIS Defense+ policy by default emphasize mainly the prevention of malware execution, as has been done in my approach. I would remove the parent/child execution alerts by default, and replace it with execution alerts that don't mention the parent, with the resulting execution rules placed in the 'All Applications' policy.

My approach leaves out a lot of monitoring related to detection of malware that is already running, in order to not burden the user with too many alerts. In future versions of CIS, including a first-class behavior blocker similar to ThreatFire would help in the detection of malware already running, without sacrificing usability. Combined with the planned addition of rollback technology in case of malware infection, and an improving Comodo Antivirus, CIS would become quite astounding!

 

Melih is interested in the behavior analysis bit.

And yes, Time Machine in CIS 4.0 is going to be very good. But v3.9 first!

Cheers,
Josh

 

Wonderful news! Thank you for the link Josh .

 

Melih is interested in BB's man i predict CIS becoming either one of the best products (if they do it right since their adding SOOO much) or it could possibly flop after all that stuff is added (if they do it wrong and just make a messy app) they have REALLY gotta be careful with how they package this app with all those components to make it simple and not a huge anchor on the system...

i really hope its the first one that happens, i have lots of hope for CIS, and if it gets far enough, i plan to use it solely.

 

I hope Comodo can introduce Behavior Analysis my self... And also keep the HIPS too. This will make Defense+ even more usable with the detection layers being BOClean/CAV.

Will also work well with heuristics IMO.

Cheers,
Josh

 

Thanks for taking the time for the detailed posts. This is very interesting.

I have been trialing Returnil's new anti-executable and driver protection option, but this looks like a more comprehensive solution with a good balance of usability. Perhaps Comodo could add a dropped rights function similar to the runsafer option in OA.

Would you make any changes in your ruleset for say, using on XP Home as admin vs. Vista running as a standard user?

 

You're welcome

I would likely make some changes to Vista's ruleset, but sorry I don't know what changes to make, since I don't use it.

 

If you're running Vista as a standard user, you don't need to use the 'Basic User' security level in Software Restriction Policies.

 

FYI: some changes have been made to my recommendations, such CIS self-protection settings and the policy for rundll32.exe. Please see thread mentioned in first post for more details.