Configuring CIS for Maximum Security with ZERO Alerts

Discussion in 'other anti-malware software' started by ssj100, May 25, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    https://forums.comodo.com/feedbackc...ximum_security_with_zero_alerts-t37233.0.html

    There has been a lot of discussion on Wilders recently about "work-place" modes but I haven't seen any discussion about using CIS to put in effect this "work-place mode".

    I've just been experimenting around with Comodo Firewall and Defense+ and decided to finally put in place a similar equivalent of "work-place mode" (see above link).

    Now, I am a fan of balancing usability and convenience with the level of security achieved. I am still trying to get my head around this balance and what advantages and disadvantages there are of setting CIS in "work place mode". The discussion that takes place in the above thread is very very interesting too, and makes me realise that I don't actually know that much about configuring Defense+ fully.

    What I do know is that enabling "work-place mode" as described above is excellent if you are not wanting to perform any significant updates of programs. If I wanted to perform a significant update, I would simply disable "work-place mode".

    I think this is quite amazing. This way, anyone can use my computer and I won't have to worry about malware getting on it.

    However, one reason why I'm posting this is to ask people to test the claim made in the bolded text above. My challenge for you testers out there is to get a piece of malware past CIS (starting with a clean PC) when configured in "work-place mode". Obviously you would not be allowed to use other applications like Sandboxie to protect you!

    Any feedback on this will be much appreciated.

    Finally, a clear positive of CIS "work-place mode" is that it is so easy to configure it to be in and out of "work-place mode". The other positive is the password protection, meaning no one but you can disable "work-place mode". I really like that feature! Also, if I'm not mistaken, usability and convenience are still greatly preserved in this version of "work-place mode"!

    Please anyone, feel free to provide advantages and disadvantages of the above setup. Thanks!
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SSJ,

    An alternative method is creating additional File Groups which cover the C:\ root, C:\Windows and C:\Program Files. Place this before the all programs rule (*) and assign this new file group (actually a program group) the default custom policy.

    Change the policy of the * (all applications rule) to limited, restricted (or contained, I can't recall) or blocked policy (what ever you think is best). The all application group is now a collection basket for programs in all other places (likely new arrivals).

    The more restrictive policy is enforced on new arrivals. This also works in safe mode.

    Regards Kees
     
  3. 3xist

    3xist Guest

    Hey ssj100.

    Yes. Comodo Moderators and myself were experimenting and talking about this "Parent Control Mode" for a long time - This mode is for parents who don't want kids downloading stuff or clicking anything then finding out it's malware. If the kids do, they will get an error message up and the kid will be like "Oh Well" and that will be it. :)

    Yes, it's also great for other people who use your PC. I always put it on when my mates want to use my computer for Social Networking Sites, Instant Messaging and just Browsing. Anything they download or try to download is blocked automatically. :)

    However, don't use it like it's a normal mode that you can use for whatever reasons. Updating software, installing software may have problems - However, I can assure you that for vendors on the Trusted Vendors list in CIS, updates work FINE. I haven't fully tested but this is what I know. Maybe the community can help? ;)

    Anyway, bottom line: the next CIS 3.9 build with family signatures for AV will have "Smart Mode!" It's like this parent mode, but will be on the summary page, and will automatically allow and block certain requests - THIS is the mode to put CIS on when installing for others. You will notice little, if not any, alerts from CIS. It will be dead set quiet! So wait for the time to come :) This parent control is a taste of Smart Mode...

    Get Ready! :) v4 will push it even further...

    Cheers,
    Josh
     
  4. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    I have been using defence+ this way for as long as the options have been available to do it. I have had very few problems in normal use and none with recent versions (3.8 and 3.9).

    One limitation is that I find I have to change configurations to install/update software. This requires remembering so it might be good to block installations in normal configuration to avoid installations failing half way through (they can fail).

    The other limitation is CIS allows "safe" applications (e.g. browser) to do almost anything. It is hard to tighten the rules for safe applications. I don't see why a browser should be allowed to install a device driver or do direct disk access etc. Some people use Sandboxie but I would rather not run multiple security applications.

    I add additional rules to limit what selected safe applications (browsers, Microsoft office, media players, etc.) are allowed to do. This can be achieved by rules for groups of applications. I have a group called dangerous applications and I add blocking rules to it.
     
  5. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    How do you create a rule covering root and not everything under it?

    I have thought about rules like this but end up having to add allow rules for files under c:\windows in defence+ reducing security when logged in as administrator.
     
  6. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    A user installs a browser add-on that is malicious. A Word document contains a malicious script. A buffer overflow gets past the memory firewall. All these would lead to a malicious application being treated as safe by defence+.

    There should be protection for this sort of thing but who knows if it is watertight. Having extra lines of defence would be safer.

    A safe application can do most things that defence+ monitors without a pop-up. It can write to an existing exe without a pop-up. It can do direct disk access which I think would bypass normal file protection. It can terminate processes. It can install a device driver. If the user is an administrator the damage could be bad and no pop-up.

    It would be hard for it to permanently install an exe as this would always be considered unsafe.
     
  7. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    Dear tcarrbrion,
    a browser add-on must first be installed, which will be blocked.
    A Word document needs to get special access and will be blocked as it doesn't get special privileges, as it will be new and it doesn't fit within Clean PC mode.
    A buffer overflow could indeed do damage, but that's the case with every application.

    I don't really understand the problem. This is just Comodo in a normal mode, but every pop-up it would normally give will be automatically blocked. So there is actually no way to bypass the security.

    yours sincerely
     
  8. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    I never get a pop-up installing a firefox add-on. No exe is installed so defence+ does not care.

    It is only the rules for Word that matter here - a safe application. It does not matter that the document is new.

    In the examples I give defence+ will automatically allow as Word is safe. No pop-up (even without parental control on), nothing blocked.
     
  9. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    It is not useless. I would call it very good especially if combined with a limited user account. There is, I think, room for improvement. A lot of work has been done on reducing pop-ups but not so much on ease of configuration.

    I use CIS as my only security application.
     
  10. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    tcarrbrion, I had been wanting to find out myself regarding the possible methods for detecting add-ons that aren't executables. As of now, I don't think any security software detects such installations.

    I was wondering whether, with CIS protecting the folder the add-on would deposit its files to, the installation might be prevented.

    I think CIS has pretty much all areas covered, if configured properly.
    - A safe application cannot execute an unknown/unsafe application. CIS will block it.
    - A safe application cannot access areas protected by CIS. This way, you can even limit accesses to safe application. I guess, most users will block device driver installations, direct disk access for safe applications. So, no problem over there.
    - If a safe executable gets over-written it's hash value would change and would be treated as unsafe from then on by "Image Execution Control".
     
  11. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I just found out that CIS hash check won't throw alerts for file signature changes of safe applications - so certified by a user or the COMODO safelist - after any modifications. Which means that CIS will only detect (add the files to "My Pending Files") and not prevent the running of the changed executables.

    Egemen had provided an explanation for this. And I agree with his reasons. If CIS alerted for executable alterations every-single-time, users would be getting loads of alerts. That would be a huge sacrifice, usability-wise. But, on the other hand, it could lead to a huge security compromise if a safe application was hijacked to perform malicious actions.
     
    Last edited: May 27, 2009
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Go to my protected files, create a file group containing these disk areas, then use this file group (have a look at your current * application, try to change it, you will see what happens)
     
  13. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    Defence+ only monitors executables. DLLs are always allowed unless you increase image execution control to aggressive. Looking at the extensions I have for Firefox they appear to be script files and will be ignored by defence+. The script engine should limit what the add-on can do but there could be bugs that let it do more than it should. I don't know enough about how the extensions work.

    This is still monitored for safe applications and will be blocked.

    These are automatically allowed for all safe applications. No chance to block them unless you add a special rule to block them for specific applications.

    All these things should be secure but unless defence+ covers everything you cannot be sure.
     
  14. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    If you create a file group containing c:\windows* and c:\program files* you can allow execution of this group and block execution of everything else but then, if running as administrator, any malware downloaded to these areas is freely executable. It will be limited in what it can do but this will decrease your protection.

    I would like the option to get a pop-up for executing programs in the safe areas and block everything else.
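The ordering Kees describes in post 2 (system-area file group above the catch-all "*" rule, with "*" demoted to a restrictive policy) and the caveat tcarrbrion raises in post 14 (anything that lands inside the trusted areas inherits the permissive policy) can be modelled as a first-match rule evaluator. This is an added example and not Comodo's code: the rule names, policy labels and sample paths are assumptions, and the glob matching uses Python's fnmatch semantics (case-insensitive, and "*" also crosses directory separators), which is a simplification of how Defense+ file groups are matched.

```python
"""Model of first-match application-policy evaluation, Defense+ style.

Added example, not Comodo code. Rule names, policy labels and the sample
paths below are assumptions made for illustration. Path patterns use
fnmatch semantics, so "*" also crosses directory separators; that is why
the "system areas" group lists subtrees rather than the C:\\ root, which
as "c:\\*" would swallow the whole drive in this model.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: Tuple[str, ...]   # glob patterns over the executable path
    policy: str                 # label only; "custom", "limited", "blocked", ...


def _norm(path: str) -> str:
    """Case-fold and use backslashes so comparisons are Windows-like."""
    return path.lower().replace("/", "\\")


def rule_matches(rule: Rule, path: str) -> bool:
    return any(fnmatch.fnmatchcase(_norm(path), _norm(pat)) for pat in rule.patterns)


def evaluate(rules: Sequence[Rule], path: str) -> Tuple[str, str]:
    """First matching rule wins; with no match the model falls back to 'ask'."""
    for rule in rules:
        if rule_matches(rule, path):
            return rule.name, rule.policy
    return "(no rule)", "ask"


def shadowed_rules(rules: Sequence[Rule]) -> List[str]:
    """Rules listed below a catch-all "*" rule can never be reached.

    This is the configuration mistake the thread warns about: the system
    file group must be placed ABOVE the all-applications rule.
    """
    shadowed: List[str] = []
    catch_all_seen = False
    for rule in rules:
        if catch_all_seen:
            shadowed.append(rule.name)
        if "*" in rule.patterns:
            catch_all_seen = True
    return shadowed


def report(rules: Sequence[Rule], paths: Sequence[str]) -> Dict[str, str]:
    """Map each path to the policy it would receive under the given ordering."""
    return {p: evaluate(rules, p)[1] for p in paths}


# Assumed rule set: known system areas keep the default custom policy,
# everything else (new arrivals) is demoted to "limited".
SYSTEM_AREAS = Rule("System areas", ("c:\\windows\\*", "c:\\program files\\*"), "custom")
ALL_APPS = Rule("All applications", ("*",), "limited")

WORKPLACE = [SYSTEM_AREAS, ALL_APPS]      # correct order
MISORDERED = [ALL_APPS, SYSTEM_AREAS]     # "*" first: system group is dead

# Constructed sample paths for the demonstration.
SAMPLE_PATHS = (
    "C:\\Windows\\notepad.exe",
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "C:\\Users\\alice\\Downloads\\setup.exe",
    "C:\\Windows\\Temp\\dropper.exe",   # tcarrbrion's caveat: inside a trusted area
)

if __name__ == "__main__":
    for label, rules in (("workplace", WORKPLACE), ("misordered", MISORDERED)):
        print(f"== {label} (shadowed: {shadowed_rules(rules) or 'none'})")
        for path, policy in report(rules, SAMPLE_PATHS).items():
            print(f"  {policy:8}  {path}")
```

Under the correct ordering the download in the user profile gets "limited" while notepad and Firefox keep "custom", but a dropper written into C:\Windows\Temp also gets "custom", which is exactly why running as administrator (who can write there) weakens the scheme. With the catch-all first, every path resolves to "limited" and `shadowed_rules` flags the system group as unreachable, which is the check to run before trusting such a layout.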
     