Does Comodo with Defense+ HIPS provide child-parent permissions like SSM HIPS?

Discussion in 'other anti-malware software' started by Devinco, Jan 2, 2009.

  1. Devinco (Registered Member)
  2. 3xist (Guest)

    Yes, it offers that, and also Buffer Overflow protection (Safe Surf). You can go into the D+ Advanced settings to configure it.

    Cheers,
    Josh
     
  3. Fuzzfas (Registered Member)
    I am not 100% sure I understood the post well, but my understanding is that Comodo will protect you in such cases, unless you have marked that application as "trusted".

    For instance, these are default permissions for rundll32 (Custom policy):

    http://img389.imageshack.us/img389/9532/10md1.png

    As you can see, it is set to "ask". But if you do install an application and set it as trusted, then all those "ask" entries will turn into "allow" by the policy rules. In that case, if malware exploits the trusted process, I guess Comodo won't be able to protect you, since the trusted application will already have been allowed extensive "freedom" over other processes.
     
  4. Devinco (Registered Member)
    Thanks 3xist
     
  5. Devinco (Registered Member)
    So let's say that cmd.exe (the DOS command prompt) is set to ask.
    Are you able to allow running Program A from the command prompt and block or ask every other program run from the command prompt?

    In the same way, could services.exe be set to allow the install of some drivers but ask or block the rest?
     
  6. Fuzzfas (Registered Member)
    Yes. You can make it very granular. Some processes, by default, aren't so limited: the so-called "Windows applications". They are these ones (services.exe is included, cmd.exe is not, so cmd.exe is more "secured" by default):

    http://img142.imageshack.us/img142/2192/37038347vx8.png

    For this group of processes, this default policy applies:
    http://img142.imageshack.us/img142/5796/48624410an4.png

    So, theoretically, if you allow malware to execute and it somehow manages to exploit one of the above processes (without Comodo intercepting it and asking you about it), then it will have a "free pass" to do more damage.

    Of course, if you think that this default policy isn't secure enough, you can change it all to ask and allow every action manually. For example, you can make allow/block lists for the drivers:

    http://img142.imageshack.us/img142/797/71929999wr0.png

    All the "modify" fields have this option, where you can manually add something, or these fields will be filled automatically by Comodo once a new action is performed and you are asked to allow or block. Unfortunately, I don't think that you can make a rule so that you allow one action and automatically block all the following ones. You will have to answer a pop-up with "allow" or "block" each time you are asked. At least I can't think of another way.

    So, if you set, say, the "device driver installation" of services.exe to "ask", you will simply have to answer a pop-up for every single driver installation, which will end up in the "allow" field in the above screenshot.

    If you ask me, the default policies are fine. For the record, for cmd.exe the default policy is set to ask for everything.
     
    Last edited: Jan 2, 2009
  7. Gizzy (Registered Member, NJ, USA)
    Just leave it as ask, and under modify, allow the one driver/process/etc. and under block put the * wildcard.
    Is that what you mean?
     
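An added illustration (not from any poster in this thread, and not Comodo's code) of the rule evaluation being discussed: each parent process has, per monitored access type, an allow list, a block list and a default verdict. It shows Gizzy's "allow the one target, block *" arrangement for cmd.exe, Fuzzfas's point that answering a prompt fills the allow/block list so the same target is not asked about again, and the effect of the "trusted" policy turning everything into allow. The action names, file paths, and the evaluation order (allow list checked before the block list, which is what makes "allow one, block *" work) are assumptions made for the example; nothing here documents Comodo's actual internals.

```python
"""Toy model of HIPS parent-to-child rules (allow / block / ask).

Added illustration only: the action names, the evaluation order (allow list
checked before the block list) and all paths are assumptions, not Comodo's.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Literal

Verdict = Literal["allow", "block", "ask"]


@dataclass
class AccessRule:
    """One monitored access type for one parent, e.g. 'run' or 'driver_install'."""
    default: Verdict = "ask"                        # used when neither list matches
    allowed: list[str] = field(default_factory=list)
    blocked: list[str] = field(default_factory=list)


@dataclass
class ParentPolicy:
    image: str
    trusted: bool = False                           # "Trusted application": everything allowed
    rules: dict[str, AccessRule] = field(default_factory=dict)


def _matches(target: str, patterns: list[str]) -> bool:
    # Case-insensitive glob match: '*' covers every target, a full path matches itself.
    return any(fnmatchcase(target.lower(), p.lower()) for p in patterns)


def decide(policy: ParentPolicy, action: str, target: str) -> Verdict:
    """Return the verdict for policy.image performing `action` on `target`."""
    if policy.trusted:
        return "allow"                              # trusted policy: whole rule set becomes allow
    rule = policy.rules.get(action)
    if rule is None:
        return "ask"                                # nothing configured for this access type
    if _matches(target, rule.allowed):              # explicit allow wins over a '*' block entry
        return "allow"
    if _matches(target, rule.blocked):
        return "block"
    return rule.default


def record_answer(policy: ParentPolicy, action: str, target: str, answer: Verdict) -> None:
    """Model of 'remember my answer': the reply to a prompt is appended to the matching list."""
    rule = policy.rules.setdefault(action, AccessRule())
    (rule.allowed if answer == "allow" else rule.blocked).append(target)


def build_cmd_policy() -> ParentPolicy:
    """cmd.exe: may run exactly one program; every other child is blocked ('allow one, block *')."""
    return ParentPolicy(
        image=r"C:\Windows\System32\cmd.exe",
        rules={"run": AccessRule(
            allowed=[r"C:\Program Files\ProgA\proga.exe"],   # constructed example path
            blocked=["*"],
        )},
    )


def build_services_policy() -> ParentPolicy:
    """services.exe: driver installation left on 'ask', so each new driver prompts once."""
    return ParentPolicy(
        image=r"C:\Windows\System32\services.exe",
        rules={"driver_install": AccessRule(default="ask")},
    )


def prompt_then_remember(policy: ParentPolicy, action: str, target: str, answer: Verdict):
    """Ask -> answer -> remembered: returns the verdict before and after the user's reply."""
    first = decide(policy, action, target)
    if first == "ask":
        record_answer(policy, action, target, answer)
    return first, decide(policy, action, target)


if __name__ == "__main__":
    cmd = build_cmd_policy()
    print(decide(cmd, "run", r"C:\Program Files\ProgA\proga.exe"))    # allow
    print(decide(cmd, "run", r"C:\Windows\System32\notepad.exe"))     # block
    svc = build_services_policy()
    drv = r"C:\Windows\System32\drivers\mydrv.sys"                     # constructed example path
    print(prompt_then_remember(svc, "driver_install", drv, "allow"))  # ('ask', 'allow')
    print(decide(svc, "driver_install", r"C:\Windows\System32\drivers\other.sys"))  # ask
    svc.trusted = True
    print(decide(svc, "driver_install", r"C:\Windows\System32\drivers\other.sys"))  # allow
```

The order of the two list checks is the whole point of the wildcard trick: if the block list were consulted first, `*` would swallow the one allowed target as well. The last two lines show Fuzzfas's caveat in miniature, since marking the parent trusted short-circuits every rule, including the driver prompt.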
  8. Fuzzfas (Registered Member)
    Actually, I have never tried this approach. Maybe that's what Devinco wants.
     
  9. 3xist (Guest)

    Well I will try to re-answer.

    You can also check:
    a) Defense+>Advanced>Defense+ Settings>Monitor Settings, and uncheck the things that you do NOT want monitored. For example, if you don't want Device Driver Installations monitored and checked, you can uncheck that, etc.
    b) Defense+>Advanced>Computer Security Policy, clicking on an application there and choosing either Access Rights or Protection Settings to modify a few things for your applications. But it will only apply to the applications you specify; it won't apply the settings you want to everything when you choose those certain settings. The best solution I can give you is a).

    Bottom line: if you want full protection and want to prevent any malware, right-click the CIS tray icon and choose Configuration>COMODO - Proactive Security. That will enable full D+ power and you won't need to worry about monitoring specific child processes, etc. But I tried to answer as best I could above.

    Hope this clarifies.

    Cheers,
    Josh
     
  10. Devinco (Registered Member)
    Fuzzfas,

    Thank you for all the screen shots and explanation.

    It really helps to understand it better.
     
  11. Devinco (Registered Member)
    Thanks Gizzy,

    I will have to play around with it and try the wildcard idea you suggested.
     
  12. Devinco (Registered Member)
    3xist,

    Thanks for the clarification.
    Comodo looks very promising and worth trying.
     
  13. 3xist (Guest)

    I believe you will be happy!

    Cheers,
    Josh
     