Comodo settings

Discussion in 'other firewalls' started by Kees1958, Jan 4, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, all

    I have a few questions. Surely with so many enthusiastic users some member must be able to help me out with these questions.

    Pending files
    The help explains that files which are waiting for my review are treated as 'untrusted' files. When I look in the Predefined Security policies I can only find:
    - Windows System Application
    - Trusted Application
    - Limited Application
    - Isolated Application

    Obviously the last two would be the candidate policies for untrusted applications. Does anyone know which, or is Comodo so smart that formerly trusted applications, now changed, are treated as limited applications and new applications are treated as Isolated?

    Registry syntax
    I can determine from the default registry protection that Comodo uses mnemonics and wildcards (e.g. HKLM\SYSTEM\ControlSeto_O\Services\*).
    This looks straightforward, until you add a registry "add select from registry key" assistant. When you enter an entry it gets the full name "HKEY_LOCAL_MACHINE\KEY*" with an asterisk automatically attached.

    So does anyone know the abbreviation for
    - HKEY_LOCAL_MACHINE
    - HKEY_CURRENT_CONFIG
    - HKEY_CURRENT_USER
    - HKEY_CLASSES_ROOT
    - HKEY_USERS

    Also, does anyone know the correct syntax for wildcards and adding registry key, key+subkeys, key/fieldname?

    Have posted these questions also (for a second time in Comodo forum, with previous release I did not get an answer, so I hope Coolio can help).

    Thanks
     
  2. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Edit the predefined security policy access rights and you will see the differences. Isolated is block all and limited is block some. Newly modified files will end up in the my pending files list and are supposed to be treated as untrusted. There seems to be a bug though, where this may not be the case and you will not get any alerts. See http://forums.comodo.com/help_for_v3/does_cpf_30_do_md5sha-t17679.0.html


    Al
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Adric,

    I appreciate the answer, only it is not an answer to the question raised. Let me rephrase the question:

    Pending files are treated as UNTRUSTED. What security policy is associated with UNTRUSTED files: limited or Isolated?

    Or, or, maybe Comodo applies some intelligence and treats already known pending files as limited and new pending files as isolated? It should make sense because the application has this information to apply this.

    Regards Kees
     
  4. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    The way I understand it is that untrusted means CFP will show an alert for that program and you will be able to block or allow. If you want any special handling for that application, you have to edit its rule and apply either a predefined policy or your own custom settings depending on what you are trying to accomplish. To me, untrusted means I will get an alert the next time that program is executed and I can decide what to do with it. I don't see any relation with the word untrusted and any of the predefined security policies. I guess 'treated as untrusted' could be interpreted differently though.

    Al
     
    Last edited: Jan 4, 2008
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have you tested this response (getting an alert)? Reason for asking is that Avast updater changes some dll's (probably to store blacklist fingerprints for fast access in a performance critical module, for instance network module which has only a few worms listed), and I can still run Avast. At least I do not get a pop-up intercepting an (already running) process.

    The image execution explicitly mentions exe files, so this only increases the cloudy terminology.

    Pending file mechanism - related security policy - image check before execution seems to be a mixed bag. The previous Comodo release had a bug in the image execution check, so it looks like the overall architecture is not transparently designed.

    In the previous release I could set a trap for all unknown programs (I have tested this), by adding (at the end of the Defense Plus "Computer Security Policy" list of programs) a group with all executables and set them to limited. In the current release you can only add the default file groups. These default file groups do not contain the executables or exe's option any more. So in practice this makes the custom policy the default policy.

    I am wondering why CFP V3/D+ users do not know this. A few months ago, it was Aigle who first tested the Beta. He has a profound understanding of HIPS (being EQSecure, NeoavaGuard). Come to think of it not many other members did some test driving of the HIPS part of CFP V3.

    I never was a Comodo fan. I could not make the previous release of V3 work on a gaming machine in a decent manner. But I need to say that the latest release works perfectly (with a lot of D+ settings cut down for ease of use) on my wife's machine. I even replaced TF with CFPV3/D+.

    Only the pending files mechanism is still a minor issue.

    K
     
    Last edited: Jan 4, 2008
  6. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    That was the thread I pointed you to. Getting a prompt seems to be broken. At least it is for me as seen in my keylogger example in that thread. I'm still of the opinion that V3 was released too early and was not tested thoroughly enough. There are just too many bugs in V3 for my liking. I suggested a Comodo Patch Tuesday for V3, but the silence was deafening. :)
     
  7. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    I agree

    Al
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ok, Thx for the info AL
     