CFP Defence+ questions/ help?

Discussion in 'other firewalls' started by aigle, Feb 6, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am trying to replace EQSecure with CFP Defence+ gradually. Some questions that arose in my mind are:

    1- Can I create following rules in Defence+( seems most are not possible at the moment):

    - Alert on creation of any file in root of C
    - Deny ( read/ write/ modify) access to a folder( secret folder)
    - Mark a folder so that no executable will be allowed to run from this folder
    - An child executable xyz.exe allowed to be executed by ANy PARENT.
    - An parent executable abc.exe allowed to be executed by ANy CHILD.

    2- Where can I edit rules created by pop up alerts
    about elevated privilages?

    3- Does defnce plus intercepts remote code creation?
    Seems it labels it in some other way as I never saw such a pop up.

    Thanks
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    When you ask difficult questions you won't get much answers from the helpdesk I have experienced. Since I am not able to register at the English EQSecure portal, that is not any worse than Comodo.

    The use of wildcards of Comodo seems to be rather common, only when using the assistant/wizzard to create your own registry protection, it uses the full names in stead of the mnemonics/abbreviations. Have not got an answer on the correct use.

    Regarding file protection it is quite easy to try it out, when having a look on existing filke groups. The thing is that you have to create a File Group first.

    Adding any file in the root:
    ?:\*.* is my guess or C:\*.* and select the rules on the right panel.

    For programs they use they .* for all, so try it out for fun at registry protection

    Protecting a directory
    Try the director, when that is not possible add directory plus *.* for all files

    There is an executable file group (with all program suffixes), I have thrown D+ away againg, because it is just not ready yet for power users to play with (it will be soon at 3.1 or 3.2 version), so I do not recall this by heart.

    Allow xyz to be executed by any parent: go to the predetermined D+ execution control rules: add xyz to execute allow for every predefined ruleset (trusted, system, limited, etc). Problem is you can not control the default custom set (which will always ask)

    Parent to be excuted by any child: no idea, current setup of D+ does not seem to have control mechanisme for recursive calls. D+ at the moment is a Release Candidate 3, although they call it version 3.0.something

    D+ worked different in first release and 3.0.15, same appears between 3.0.15 and 3.0.16. When functionality changes that much, it is still a release candidate in which developers are applying changes after customer feedback.

    Is this bad: no it will be great freeware and 98% of the users will not notice because they are not using it anyway. Will it affect you Aigle as a power user. Yah bet, but I am interested in your experiences, means I am not waisting time because I can not surpress my curiosity (because you are finding out). I already tried with the previous two RC of D+, so I am happy to pass

    Please post your experience
     
    Last edited: Feb 6, 2008
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I already tried C:\* works but it give popups on creation of any file not only in root of C but anywhere in C, in any folder/ subfolder and that is obviously not pleasant at all.
    It can be though I have not tried but problem is that u can,t make a deny rule for all processes. U will get popup for each application trying to access this foilder, very annoying.

    I don,t think there is any way to make ANY PARENT/ ANY CHILD type of rules in Defence+. What a pitty! Also no way to create a deny rule for execution of all executables from a specific folder.

    ATM file protection of EQS is much more better than Defence+.
     

    Attached Files:

  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Aigle, you can go to Predefined Security Policies and edit the access rights for any default behaviour there (trusted app, isolated etc). In access rights, you can set Protected file to ask for example and by cliking modify you can allow specific folders or folders to be blocked. I haven't tried it, but i supposed that if you change the setting in all kind of apps, it will allow you to control folder writing. For example this is going to Pred. Policy, editing "Trusted applications rules", "access rights", clicking on "modify" at the level of File Protection:

    http://img150.imageshack.us/img150/2791/14606711po0.png

    The ANY parent/child part seems more difficult to me. The only thing i can think of is not exactly that. I mean, you could make a custom predefined policy for that exe and specify allowed and blocked applications (under "modify").

    http://img150.imageshack.us/img150/974/93150331tb8.png

    For point 2, you mean difference between admin and user priviledges? I always run admin, haven't seen that. The only managemend i know of is done per application in Computer Sec. Policy, when you have custom policy, or in Predefined Sec. Policies for group of applications. But never seen anything about admin/user rights.

    No idea about point 3.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks but it,s not practical at all. How can u add all ur executables in this rule mnually. That,s totally impractical. Also i don,t want to apply a pre-defined policy for other behavs. Pre-defined policy works as a group9 for all appliocation behavs, not for one behav like folder writing.

    Same is true of the secoind suggesstion.

    CFP Defence+ is simply devoid of such capabilities ATM, sad to say.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm surprised you guys can go that far. The 4th window was the limit for me. :p
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, personally i don't. I only made a hypothesis,never bothered to do such things. I have folder protection disabled. To tell the truth, even simple execution protection would be enough. With all the rest Comodo is beyond my normal needs.

    Aigle is a HIPS virtuosist :D
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm referring to CFP's GUI. I would use Defense+ if the GUI was simpler, not windows everywhere, closing windows and opening windows.
    2.4's layout was better, much better.
     
  9. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Try with "My quarantined files" (Defense+ -> Common Tasks)

    Defense+ -> Advanced -> Computer Security Policy -> Add ->
    Select -> File Groups -> All Applications
    Access Rights -> Run an Executable -> Modify -> Blocked Applications -> Add -> Browse
    Move the new policy to the top

    The same as previous question but select Allowed Applications rather than Blocked Applications

    Computer Security Policy
    Select the executable
    Edit -> Access Rights -> Run an Executable -> Allow

    Access Rights -> protected COM interfaces -> modify
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Actually not that I need it but it,s a fun to play with malware.

    In my experience a good file protection rule set renders most of malware totally useless even when they are allowed to execute.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks ggf31416!
    It works but I want atleat explorer.exe to be able to access it and that doesn,t seem possible.


    No way. All applications policy already exists by default.


    U can,t add all executables in the list, no way my dear.


    Not applicable. Same as above.


    I can see the privilages but I can,t know which applications are are allowed these privilages and which application are blocked in the rules9 made via popups). Am i missing something?
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You indeed can add executables that you always want to allow or block, by editing the security policy for 'All Files' in Computer Security Policy, and then editing the appropriate tab for 'Run an executable' (see post of ggf31416). Make sure you're specifying the full path to the executable. But don't follow that post's advice to add 'All Files', since it's already there. Just edit the existing 'All Files' entry.
     
    Last edited: Feb 25, 2008
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want a given process to be able to execute any other process without alerts, then in the given process' security policy, in 'Run an executable', in 'Allowed Applications', use * as the allowed application.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Could not do it. When I click all applications, I get message that All applications policy already exists.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, good tip.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Computer Security Policy, edit entry 'All Files', then in 'Run an executable' add the folder you wish to block in 'Blocked Applications'. All subfolders will also have execution blocked.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Don't try to add 'All Files'. Just edit the existing 'All files' entry in Computer Security Policy. The 'All Files' entry should already be there upon installation, therefore you cannot add it again (unless you deleted it).
     
    Last edited: Feb 25, 2008
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I couldn't find a way to do this, because I don't know of a way that CFP can specify all files in a directory but not include the subdirectories as well.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Specify the given folder in 'My Quarantined Files'. All subfolders will also be included.
     
    Last edited: Feb 25, 2008
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome. :) I would guess that there's no 'Allow' (all) for 'Run an executable' to make it clear that training can't occur for running of executables. But the downside is that you have to know about using * to specify all.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry, I missed that.

    It works. :thumb: :thumb:
    Thanks
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You can add a folder to quarantined items and it will block all access to it but there is no way to add exceptions for it.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome. :) So, of your 5 rules questions, CFP can do 4, and can't do 1.
     
    Last edited: Feb 26, 2008
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, actually the three functions that it can do were more important to me. Other two r not so important, so I am happy enough.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I forgot about that feature. I think I never used it because it's not configurable per program.
     
    Last edited: Feb 26, 2008
Loading...
Thread Status:
Not open for further replies.