D+ settings still strong but less talkative

Discussion in 'other anti-malware software' started by Kees1958, Feb 9, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    Yep after having tried two Release Candidates of CFP which could not be made quiet. The 3.016 release is pretty good and the "rule setting -> protection" is becoming transparent. So a compliment from a Comodo sceptic

    WARNING: ONLY USE COMODO WHEN YOU HAVE GOOD RECOVERY IN PLACE, It is still a buggy application

    In their effort to deal with all the critics (D+ was chatty, without D+ version 3.015 failed some leaktests) and balance the features of this product with usability, the 3.016 has a basic and FW-leaktest only install mode.

    For those of you only wanting a FW, this is great. D+ can be set a little more protective without becoming a screaming HIPS. Below are my set up tips.

    Reducing D+ from Anti Executable to a Intrusion Behaviour 'Asker'
    1. Double click the CFP icon, click D+ in the horizontal menu bar, chosse (click) Advanced in the vertical Defense + Tasks menu list.

    2. Click Image Execution Control Settings on the screen, click the General tab, move slider to disable. Now you will not be warned when a new program arrives or old one is changed (disable AE function). Choose apply. And exit screen.

    3. Right click CFP icon and either choose "train" or "train in safe mode"(last is preferred) for both the firewall and D+. Now you do not have to review pending files anymore.

    Reducing D+ from a chatty IDS to and IDS only asking for serious threats'
    4. Double click the CFP icon, click D+ in the horizontal menu bar, choose (click) Advanced in the vertical Defense + Tasks menu list.

    5. Choose Defense + settings, click the Monitor settings tab and choose the options as shown in the attached picture. Choose Apply.
    Tip: When you don't know why you should choose these options, Google around and educate yourself, when you think that is to much trouble: stop reading this post and use a smart behaviour blocker like ThreatFire/Primary Response Safe Connect/Mamuto/PrevX, because HIPS are not for you.

    6. Click the Common Tasks in the vertical Defense + Tasks menu list. Choose my protected files. Select the "All Applications" File group, right click and choose remove (this will not delete this group only remove it from your protected files). Next click Add (top right options menu), hoover mouse over File Groups and choose Windows System Applications, do the same with Windows Updater Applications.

    The above will limit D+ pop-ups to critical actions. Enjoy
     

    Attached Files:

    Last edited: Feb 9, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Because asked by members, here are my registry and file settings. Collapsed groups are default groups.

    My setup protects more static registry keys (in XP this should not cause extra pop-ups) and less files (only specified/targeted files to reduce pop-ups). This version 3.0.18 is stable on XP.

    In conjunction with a policy/virtualisation Sandbox this is a strong setup.
     

    Attached Files:

  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Hi,

    About the "My protected Files" feature, what will it exactly protect you from, and did you have to add all those entries individually? I ask this, because with Neoava Guard you can protect C/Windows + System32 and it will alert you as soon as some process tries to modify (system) files inside those folders.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @Kees- I can't read the registry entries. Are they pretty much the same as you recommended for Threatfire advanced rules?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bellgamin,

    Click on the image, it will be shown larger. Well yes, but in the mean time I collected some static registry items of EQSecurity users, brain picked a few from DriveSentry and HauteSecure, so this list is improved. Note the notation is COmodo Specific.

    Rasheed,

    You can add that in Comodo also, only ,y Registry and File protection is as static as possible. Comodo's D+ is a traditional HIPS, therefore you do not want wide scope rules (you will be bombarded with pop-ups by D+). The registry protection cover all Windows XP, boot, log-on, start up executables/libraries.
     
    Last edited: Feb 26, 2008
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That setting is not good at all with NG. Infact NG has no such feature, it,s basically secret folder feature.

    In the past when I tried a similar setting, it frooze my system.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ aigle

    We already had a little chat about this remember? This feature simply works correctly, see pic, configured like this, malware can´t tamper with any system file. :)
     

    Attached Files:

  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    May be u are right. I need to test it again but not now, may be later. Not using NG ATM.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TIP

    Set add all vendors of security aps and most used aps to my trusted vendors.

    For the security software (funny enough also explorer.exe) which has not got signed files, add them to you own safe files.

    Set Image execution control to normal, so when those trusted aps change you will get a warning (only suspicious when you did not update them).

    Advantage of this is that when other users of the PC get a comodo warning it will tell them that those programs are safe.
     

    Attached Files:

    • CFP3.JPG
      CFP3.JPG
      File size:
      135.1 KB
      Views:
      67
  10. jbausewein

    jbausewein Registered Member

    Joined:
    Feb 23, 2008
    Posts:
    1
    @Kees

    Thanks Kees for posting this info. D+ is much quieter now :) Any recommendations on the protected COM interfaces? I find applications commonly access ntsvcs, spoolss and {4590F811-1D3A-11D0-891F-00AA004B2E24}. Is it safe to allow these?

    Jason

    ----------------------
    COMODO Firewall Pro 3
    ESET NOD32 Antivirus 3
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I considered removing a few, but then I thought lets surf on the knowledge of the Comodo experts :oops:

    SO what I know is:
    4590F811-1D3A-11D0-891F-00AA004B2E24 = WBEM Locator = Locator of the Web Based Enterprise Management System, it is Java technology based equivalent of all the remote management services of Microsoft. You will find Java based aps tinkering with this [D]COM (distributed computing object model) feature (problably FireFox, Opera, LimeWire etc).

    ntsvcs
    Something with Remote Procedure Calls and named pipes allocation. Remote Procedure Calls are pieces of codes which reside on a different location (not the hosT) and can be executed (called) from the host.

    Spoolss
    It is the spooling service (printing a file from disk to printer in the background). Through Com object it is possible to fiddle with it (via named pipes and a null sessions) and send data remotely through this leak.

    Is it dangerous:
    All of these mecahnismes are intended to facility distributed computing, so by nature they are vulnarable to attacks.

    In all hardening best practises it is advised to shut down some remote Windows features down. These Com objects are problably of the same threat level as the remote windows services, but are needed for a proper running system. So that is why Comodo watches them. This is COM object is typically a example of a HIPS informing a user, but the impact is absolutely a big question to the user. Therefore as an average user the pop-up is more or less useless. Some COM objects are self explanatory.

    So for the following messages I apply this rule of thumb:
    - DNS Client Service + Loopback networking + unknown COM objects warinings FOLLOWED BY OUTBOUND internet ==> very suspicious, press print screen (save with paint as a picture), allow without remember, Google around later.
    - Same with registry change or FIle change or Driver loading or Physical memory or Direct Disk access ==> press print screen same procedure only block without remember, Google around

    PS
    When you are not getting any pop-ups any more it is a good idea to protect the core windows services as described in post 6 and 10.
     
    Last edited: Feb 24, 2008
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Kees! I was so annoyed that I removed it and all Pseudo COM interfaces( Privileges).
    How much it,s going to compromise the security?
    Are these things coverd by other classical HIPS( like EQS, SSM) in some other ways?
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    I think the priveleges ones are the most important.

    Here is a link for GUID's http://www.myplugins.info/guids/

    When you want to look up a COM object like

    {9BA05972- F6A8- 11CF- A442-00A0C90A8F39} just look at the two first digits and click on these two digits on this screen, see pic.

    Here you see that this com is associated with SHELL WINDOWS functionality, not nice when this COM object is accessed in a wrong way, but because I have protected most shell related registry keys it is not a lasting damage.

    When a program gets temporary Debug priviliges this is a problem of a different category. Then again, a more knwoledgeable member should explain. For me it is about 24 years ago that I programmed.

    Regards Kees
     

    Attached Files:

    • guid.JPG
      guid.JPG
      File size:
      127.8 KB
      Views:
      19
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I really hate these privilege pop ups. They are soooooooo common for all applications. I can,t keep these filters on my system.

    After all there are other HIPS that intercept such behavior only when an application actually tries to do something rather than just giving pop ups about privileges.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    After some testing, these COM objects help to strengthen the firewall (stops PCFLANK at the right moment to pass the test)

    I created my own (COM startup warning of applications), see pic

    I do not thnink Opera is needed since it is Java based
     

    Attached Files:

  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U were using EQS again.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  18. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi

    I was interested in the various posts/threads alluding to Kees rules for "Quietening" Comodo D+

    I use CPF with the D+ activated although I cannot claim that I am knowledgeable about HIPS and or their settings. I probably fall into the category of one who allows the wrong warning and disallow when it is right to allow it.

    That said CPF+D+ seems to work for me. No horror stories yet. D+, for me is irritatingly "noisy" and I wonder how much kees rules to "silence" CPF+D+ actually diminishes D+ effectiveness?

    If it does diminish the effectiveness would a better option be CPF only No D+ and Threatfire.

    Put simply, Is CPF+D+ and Kees rules, as secure or more secure than CPF only with Threatfire and in addition which combo is the least noisy

    Thanks for your help

    Terry
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Terry,

    D+ with those rules leaves the most common intrusions untouched. Meaning you put deliberately holes in your defense. When you use a policy sandbox like GeSWall and DefenseWall or run Limited user you do not have to worry abouth those common intrusions anyway.

    Other option is to add an behavior blocker like ThreatFire or Mamuto to deal with these common intrusions in an intelligent way. TF has some registry protection and some file protection. The D+ defaults cover more. D+ on or off does not seem to make a big difference in CPU usage. That said TF is always a good choice (with or without D+ reduced pop-up set up).

    Regards Kees
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    When you want to block the nag screen of Avira, you must enable image execution control and add Avira's notify to the blocked programs in rule for Avira's update.

    Regards
     
  21. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    thanks for the post kees1958 I tried this setup out on a friends pc and she doesn't get as many pop ups now,

    I've noticed some duplicates in your protected registry keys and I was wondering if there's any problems with having duplicate entries?

    does it alert you for the first listed one and ignore the second?

    thanks anyone that can answer my question about duplicate entries not causing any harm in D+ or any other hips for that matter.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gizzy,

    No CFP will tell you that there are duplicates and offers to omit them. Rule sequence determines blocking/noticing. Because it is on a fire/pass basis, there is no 'fallthrough' logic problem. I sort of build up a list of startup protection. Started with a document "where malware hides" send to me by ZopZop, then ToppeID helped with references of existing tested Regdefend filters, based on Tony Klein's knowledge. By checking the release notes of RunScanner I occasionally have to add an entry.

    So check RunScanner release notes for updates.

    Regards
     
  23. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    Hello Kees1958,
    Thank you for taking the time to reply, :)

    I was wondering about the duplicates because CFP does alert you of duplicates but only if they're in the same group,

    though I suppose I could just use one group for all my keys,

    I've been trying to create my own rules for CFP (so far it's a combination of keys and files from yours and comodo's default) and I guess duplicates don't hurt because as I was searching through the keys in comodo I noticed at least 3 duplicates so far and there's been no problems with it,

    I think I understand what you say about how the rules work it doesn't matter how many entries are there as long as it's in the rules it'll block it or give an alert about it, correct?

    and thanks for explaining how you came to get your ruleset I'll be checking the release notes of runscanner when new versions come out.

    and one last thing since I'm posting anyway does it matter between capital or lower case? like why are some keys *SOFTWARE* and some *software*, or does that just fall under the same category as in if it's in the rules you'll be alerted? I know I'm probably thinking way too much into how these rules work.

    alright I've taken enough of your time. :blink:
     
    Last edited: Apr 12, 2008
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is what I did

    Yes


    At some other applications it does matter. The HKLM (HKEY ocal machine) has the uppercase, the HKCU (HKEY Current User) the lowercase. At most aps when using a wild card correct use of upper/lower case does not matter. I posted a request on the Comodo forums on the symantics, but never got an answer. So I can not tell you
     
    Last edited: Apr 12, 2008
  25. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    Thank you for all of your help in explaining this to me Kees1958,

    I really appreciate it, :thumb:
     
Loading...
Thread Status:
Not open for further replies.