CFP Defence+ questions/ help?

Discussion in 'other firewalls' started by aigle, Feb 6, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am trying to replace EQSecure with CFP Defence+ gradually. Some questions that arose in my mind are:

    1- Can I create the following rules in Defence+ (it seems most are not possible at the moment):

    - Alert on creation of any file in root of C
    - Deny ( read/ write/ modify) access to a folder( secret folder)
    - Mark a folder so that no executable will be allowed to run from this folder
    - A child executable xyz.exe allowed to be executed by ANY PARENT.
    - A parent executable abc.exe allowed to be executed by ANY CHILD.

    2- Where can I edit rules created by pop-up alerts about elevated privileges?

    3- Does Defence+ intercept remote code creation?
    It seems it labels it some other way, as I never saw such a pop-up.

    Thanks
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    When you ask difficult questions you won't get many answers from the helpdesk, I have experienced. Since I am not able to register at the English EQSecure portal, that is not any worse than Comodo.

    The use of wildcards in Comodo seems to be rather common; only when using the assistant/wizard to create your own registry protection does it use the full names instead of the mnemonics/abbreviations. I have not got an answer on the correct use.

    Regarding file protection, it is quite easy to try it out when having a look at the existing file groups. The thing is that you have to create a File Group first.

    Adding any file in the root:
    ?:\*.* is my guess, or C:\*.*, and select the rules on the right panel.

    For programs they use .* for all, so try it out for fun at registry protection.

    Protecting a directory:
    Try the directory; when that is not possible, add the directory plus *.* for all files.

    There is an executable file group (with all program suffixes). I have thrown D+ away again, because it is just not ready yet for power users to play with (it will be soon, at version 3.1 or 3.2), so I do not recall this by heart.

    Allow xyz to be executed by any parent: go to the predetermined D+ execution control rules and add xyz to "execute allow" for every predefined ruleset (trusted, system, limited, etc.). The problem is you cannot control the default custom set (which will always ask).

    Parent to be executed by any child: no idea; the current setup of D+ does not seem to have a control mechanism for recursive calls. D+ at the moment is a Release Candidate 3, although they call it version 3.0.something.

    D+ worked differently in the first release and 3.0.15; the same appears between 3.0.15 and 3.0.16. When functionality changes that much, it is still a release candidate in which developers are applying changes after customer feedback.

    Is this bad? No, it will be great freeware and 98% of the users will not notice because they are not using it anyway. Will it affect you, Aigle, as a power user? You bet, but I am interested in your experiences, which means I am not wasting time because I cannot suppress my curiosity (because you are finding out). I already tried with the previous two RCs of D+, so I am happy to pass.

    Please post your experience
     
    Last edited: Feb 6, 2008
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I already tried C:\*; it works, but it gives pop-ups on creation of any file not only in the root of C but anywhere in C, in any folder/subfolder, and that is obviously not pleasant at all.
    It can be, though I have not tried, but the problem is that you can't make a deny rule for all processes. You will get a pop-up for each application trying to access this folder, very annoying.

    I don't think there is any way to make ANY PARENT / ANY CHILD type rules in Defence+. What a pity! Also there is no way to create a deny rule for execution of all executables from a specific folder.

    ATM the file protection of EQS is much better than Defence+.
     


  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Aigle, you can go to Predefined Security Policies and edit the access rights for any default behaviour there (trusted app, isolated etc.). In access rights, you can set Protected Files to ask, for example, and by clicking Modify you can set specific folders to be allowed or blocked. I haven't tried it, but I suppose that if you change the setting in all kinds of apps, it will allow you to control folder writing. For example, this is going to Predefined Policy, editing "Trusted applications rules", "access rights", clicking on "modify" at the level of File Protection:

    http://img150.imageshack.us/img150/2791/14606711po0.png

    The ANY parent/child part seems more difficult to me. The only thing I can think of is not exactly that. I mean, you could make a custom predefined policy for that exe and specify allowed and blocked applications (under "modify").

    http://img150.imageshack.us/img150/974/93150331tb8.png

    For point 2, do you mean the difference between admin and user privileges? I always run as admin, haven't seen that. The only management I know of is done per application in Computer Security Policy, when you have a custom policy, or in Predefined Security Policies for a group of applications. But I have never seen anything about admin/user rights.

    No idea about point 3.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, but it's not practical at all. How can you add all your executables to this rule manually? That's totally impractical. Also I don't want to apply a pre-defined policy for other behaviours. A pre-defined policy works as a group for all application behaviours, not for one behaviour like folder writing.

    The same is true of the second suggestion.

    CFP Defence+ is simply devoid of such capabilities ATM, sad to say.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm surprised you guys can go that far. The 4th window was the limit for me. :p
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, personally I don't. I only made a hypothesis, never bothered to do such things. I have folder protection disabled. To tell the truth, even simple execution protection would be enough. With all the rest, Comodo is beyond my normal needs.

    Aigle is a HIPS virtuoso :D
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm referring to CFP's GUI. I would use Defense+ if the GUI were simpler, not windows everywhere, closing windows and opening windows.
    2.4's layout was better, much better.
     
  9. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Try with "My quarantined files" (Defense+ -> Common Tasks)

    Defense+ -> Advanced -> Computer Security Policy -> Add ->
    Select -> File Groups -> All Applications
    Access Rights -> Run an Executable -> Modify -> Blocked Applications -> Add -> Browse
    Move the new policy to the top

    The same as previous question but select Allowed Applications rather than Blocked Applications

    Computer Security Policy
    Select the executable
    Edit -> Access Rights -> Run an Executable -> Allow

    Access Rights -> protected COM interfaces -> modify
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Actually, not that I need it, but it's fun to play with malware.

    In my experience a good file protection rule set renders most malware totally useless even when it is allowed to execute.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks ggf31416!
    It works, but I want at least explorer.exe to be able to access it, and that doesn't seem possible.


    No way. All applications policy already exists by default.


    You can't add all executables to the list, no way my dear.


    Not applicable. Same as above.


    I can see the privileges, but I can't know which applications are allowed these privileges and which applications are blocked in the rules (made via pop-ups). Am I missing something?
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You indeed can add executables that you always want to allow or block, by editing the security policy for 'All Files' in Computer Security Policy, and then editing the appropriate tab for 'Run an executable' (see ggf31416's post). Make sure you're specifying the full path to the executable. But don't follow that post's advice to add 'All Files', since it's already there. Just edit the existing 'All Files' entry.
     
    Last edited: Feb 25, 2008
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want a given process to be able to execute any other process without alerts, then in the given process' security policy, in 'Run an executable', in 'Allowed Applications', use * as the allowed application.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I could not do it. When I click All Applications, I get a message that the All Applications policy already exists.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, good tip.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Computer Security Policy, edit entry 'All Files', then in 'Run an executable' add the folder you wish to block in 'Blocked Applications'. All subfolders will also have execution blocked.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Don't try to add 'All Files'. Just edit the existing 'All files' entry in Computer Security Policy. The 'All Files' entry should already be there upon installation, therefore you cannot add it again (unless you deleted it).
     
    Last edited: Feb 25, 2008
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I couldn't find a way to do this, because I don't know of a way that CFP can specify all files in a directory but not include the subdirectories as well.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Specify the given folder in 'My Quarantined Files'. All subfolders will also be included.
     
    Last edited: Feb 25, 2008
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome. :) I would guess that there's no 'Allow' (all) for 'Run an executable' to make it clear that training can't occur for running of executables. But the downside is that you have to know about using * to specify all.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Sorry, I missed that.

    It works. :thumb: :thumb:
    Thanks
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You can add a folder to quarantined items and it will block all access to it but there is no way to add exceptions for it.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome. :) So, of your 5 rules questions, CFP can do 4, and can't do 1.
     
    Last edited: Feb 26, 2008
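    The recipes pieced together above (a folder in the 'All Files' entry's Blocked Applications stops execution from it and every subfolder; '*' as an Allowed Application lets a process run any child; a folder in 'My Quarantined Files' is denied to every process with no exceptions; and C:\* matching at every depth, so a root-only rule cannot be expressed) can be checked against a small model of the matching logic. The Python below is an added example written for this page, not Comodo's code and not anything the posters provided. Its match semantics are assumptions modelled on what the posts report; in particular, "a block in any covering entry wins over an allow" is my assumption, the 'All Files' group is modelled as the pattern '*', and the root_only flag is a hypothetical extension that CFP does not offer. The paths, policy and quarantine list are constructed sample data.

```python
"""Toy evaluator for the Defense+ rule semantics described in this thread.

Added illustration, not Comodo's code. Behaviour modelled on the posts:
a folder entry covers all its subfolders, 'C:\\*' matches at any depth,
'*' as an allowed application means any child, and a quarantined folder is
denied to every process with no exceptions. root_only is hypothetical.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List

SEP = "\\"


def _norm(p: str) -> str:
    """Windows paths: case-insensitive, '/' and '\\' equivalent, no trailing separator."""
    return p.replace("/", SEP).lower().rstrip(SEP)


def covers(entry: str, path: str, root_only: bool = False) -> bool:
    """Does a rule entry (file, folder or wildcard pattern) apply to `path`?

    'C:\\Tools\\x.exe'  exact file
    'C:\\Tools'        folder: itself and everything beneath it (as MrBrian reports)
    'C:\\*'            wildcard: '*' spans separators, so every depth (as aigle observed)
    '*'                anything
    root_only=True is a hypothetical extension: the wildcard may not span a
    separator, giving the direct-children-only match that CFP lacks.
    """
    e, p = _norm(entry), _norm(path)
    if e == "*":
        return True
    if "*" in e or "?" in e:
        if not fnmatch.fnmatchcase(p, e):
            return False
        if root_only:
            head = e.split("*", 1)[0]          # literal prefix before the first '*'
            return SEP not in p[len(head):]    # the rest must stay in the same folder
        return True
    return p == e or p.startswith(e + SEP)


@dataclass
class PolicyEntry:
    """One row of Computer Security Policy: who it applies to, plus its
    'Run an executable' Allowed/Blocked Applications lists."""
    applies_to: str
    allowed: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)


def run_decision(policy: List[PolicyEntry], parent: str, child: str) -> str:
    """Assumed semantics: a block in any entry covering the parent wins;
    otherwise the first covering entry (top to bottom) decides allow vs ask."""
    covering = [e for e in policy if covers(e.applies_to, parent)]
    if any(covers(b, child) for e in covering for b in e.blocked):
        return "block"
    for e in covering:
        return "allow" if any(covers(a, child) for a in e.allowed) else "ask"
    return "ask"


def file_access(quarantined: List[str], process: str, path: str) -> str:
    """'My Quarantined Files': any process, any access, denied; no exceptions."""
    del process  # deliberately ignored: the list is not configurable per program
    return "deny" if any(covers(q, path) for q in quarantined) else "allow"


# Constructed sample data mirroring the thread's recipes (assumed paths).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"
POLICY = [
    PolicyEntry(FIREFOX, allowed=["*"]),          # post 13: '*' = may run any child
    PolicyEntry("*", blocked=[r"C:\Downloads"]),  # 'All Files' entry, post 16
]
QUARANTINE = [r"C:\Secret"]                        # post 19 / post 22


if __name__ == "__main__":
    for parent, child in [(EXPLORER, r"C:\Downloads\setup.exe"),
                          (FIREFOX, r"C:\Windows\notepad.exe")]:
        print(parent, "->", child, ":", run_decision(POLICY, parent, child))
    print("C:\\* covers C:\\Windows\\Temp\\x.tmp:",
          covers(r"C:\*", r"C:\Windows\Temp\x.tmp"))
```

Running it shows why the root-of-C alert was noisy (the wildcard covers the whole drive) and why the quarantine list cannot carve out explorer.exe (the process is never consulted). Note that in this deny-overrides model a per-process '*' allow does not let Firefox launch from the blocked Downloads folder; whether CFP itself orders it that way is not stated in the thread.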
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, actually the three functions that it can do were more important to me. The other two are not so important, so I am happy enough.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I forgot about that feature. I think I never used it because it's not configurable per program.
     
    Last edited: Feb 26, 2008