Help me with D+, please

Discussion in 'other anti-malware software' started by bellgamin, Jun 11, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    A) Here is how to drill down to the item of Comodo Defense+, concerning which I am seeking your help...

    click Defense+ at top of Main Comodo GUI > Advanced > Predefined security policies > Hi-light Limited application & click Edit > Protection settings

    B) You now see this>
    ScrHnt2.gif

    C) I make reference to the item "Windows/WinEvent Hooks" in the above screenshot. Here are Comodo's Help file instructions concerning that item...

    D) I have read & re-read the quoted instruction, but I remain unsure that I fully understand them. Here is the help I need...

    1) An "explanation for dummies" of what the quoted instructions are saying.

    2) Consider an example application -- say firefox.exe. If I put an X in the "Windows/WinEvent Hooks" block for firefox.exe, does that mean (a) that firefox is not allowed to set hooks? OR does it mean that (b) firefox is now protected from any application that tries to hook it?

    3) Can you give me an example of when it would be useful to put an X the "Windows/WinEvent Hooks" for a given application?

    E) These are quite possibly "dumb questions" so please be gentle with me. :doubt:
     
  2. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    it means firefox is not allowed to create a hook and intercept keyboard input, mouse movement etc.

    if an application creates a hook it can record keyboard / input mouse movement from any application.

    You're a SSM user? non?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Demenace, Bellgamin,

    I thought that Firefox would be protected from setting hooks etc (the opposite of what dmenace is saying)

    What a shame I thought I figured D+ out, when Dmenace is correct I am as confused as Bellgamin :)
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    If this is correct, then what is the function of protecting "Process Terminations" on the same interface illustrated in my first post?

    Here are Comodo's very vague instructions on this function...

    QUESTIONS: For example --- If I put a checkmark in "Process Terminations" for firefox.exe, does that mean that...

    1) Firefox is protected from being terminated by any other process?

    OR does it mean that

    2) Firefox will not be allowed to terminate any other process?


    I have a license for SSM. I like SSM a lot but it presently lacks file protection. Vitali has said that file protection will be added by the end of summer. I hope so. If it is added, I will return to using SSM very quickly.
     
  5. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    If I remember well, Comodo Firewall is the only one for which some of these protection settings are set to yes in its security policy (default settings). It seems obvious to me that Comodo Firewall should be protected against Process Terminations and should of course be able to terminate other processes (otherwise it would be of no use).

    Another clue can be found if you check the Exceptions to Process Terminations (in the policy of Comodo Firewall). It will tell you that some Windows OS executables are allowed to terminate Comodo Firewall. This is also logical otherwise you would have difficulty to turn of your computer (due to windows not being able to kill the process).

    So, the answer to your question: If you put a checkmark in "Process Terminations" for firefox.exe that means that firefox will be protected from being terminated by other processes.

    Kees1958, was right in this case.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am not sure about these settings. I just left them alone.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    All of the items in Protection settings involve what other programs can do to the given program.

    Windows hooks are used by programs that want to know about certain things that happen in other programs. An example of a legitimate program that uses hooking is AutoSizer, a program that automatically resizes other program windows. To do its job, AutoSizer needs to know when program windows have been created or changed size. AutoSizer uses a hook to do this. Illegitimate programs can also use hooks to do things such as record keystrokes. AKLT has 2 methods that demonstrate this. Although you can use the Windows/WinEvent Hook protection setting to stop another program from hooking a given program, it's probably even better to just stop untrustworthy programs from setting a hook in the first place.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Will it give a pop up in this case then?

    But the confusing thing is that the pop ups come even when u don,t activate these, as CFP by default gives pop ups for all such events. So what is, then, the purpose of activating these separately?

    Thanks
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No, unless you specifically also allowed the action in that same program's policy. The protection settings override the 'allow' settings in other programs, which is appropriate. You need to look at the Defense+ log file to see if blocks occurred.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am getting a bit confused.

    Ok, a simple Q? Is it really needed for some applications?

    I will still leave these settings as default( not activated).
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I use the protection settings only for security programs. For example, you don't want malware to terminate your security programs.

    Let's say you have protected Program A from termination. CFP will not allow Program A to be terminated by any program, unless you specified exceptions in Program A's protection settings.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    Thanks to all -- especially MrBrian. I shall now use the appropriate Protection Settings so as to protect my security apps from corruption or termination by a nasty.

    For info, shown below are the default protection settings for Comodo Firewall Pro itself.

    ScrHnt5.gif
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). You may wish to look at your Defense+ log once in awhile, to see if some blocked requests should have been allowed.
     
Loading...
Thread Status:
Not open for further replies.