Help me with D+, please

A) Here is how to drill down to the item of Comodo Defense+, concerning which I am seeking your help...

click Defense+ at top of Main Comodo GUI > Advanced > Predefined security policies > Hi-light Limited application & click Edit > Protection settings

B) You now see this>


C) I make reference to the item "Windows/WinEvent Hooks" in the above screenshot. Here are Comodo's Help file instructions concerning that item...

D) I have read & re-read the quoted instruction, but I remain unsure that I fully understand them. Here is the help I need...

1) An "explanation for dummies" of what the quoted instructions are saying.

2) Consider an example application -- say firefox.exe. If I put an X in the "Windows/WinEvent Hooks" block for firefox.exe, does that mean (a) that firefox is not allowed to set hooks? OR does it mean that (b) firefox is now protected from any application that tries to hook it?

3) Can you give me an example of when it would be useful to put an X the "Windows/WinEvent Hooks" for a given application?

E) These are quite possibly "dumb questions" so please be gentle with me.

 

it means firefox is not allowed to create a hook and intercept keyboard input, mouse movement etc.

if an application creates a hook it can record keyboard / input mouse movement from any application.

You're a SSM user? non?

 

Demenace, Bellgamin,

I thought that Firefox would be protected from setting hooks etc (the opposite of what dmenace is saying)

What a shame I thought I figured D+ out, when Dmenace is correct I am as confused as Bellgamin

 

If this is correct, then what is the function of protecting "Process Terminations" on the same interface illustrated in my first post?

Here are Comodo's very vague instructions on this function...

QUESTIONS: For example --- If I put a checkmark in "Process Terminations" for firefox.exe, does that mean that...

1) Firefox is protected from being terminated by any other process?

OR does it mean that

2) Firefox will not be allowed to terminate any other process?

I have a license for SSM. I like SSM a lot but it presently lacks file protection. Vitali has said that file protection will be added by the end of summer. I hope so. If it is added, I will return to using SSM very quickly.

 

If I remember well, Comodo Firewall is the only one for which some of these protection settings are set to yes in its security policy (default settings). It seems obvious to me that Comodo Firewall should be protected against Process Terminations and should of course be able to terminate other processes (otherwise it would be of no use).

Another clue can be found if you check the Exceptions to Process Terminations (in the policy of Comodo Firewall). It will tell you that some Windows OS executables are allowed to terminate Comodo Firewall. This is also logical otherwise you would have difficulty to turn of your computer (due to windows not being able to kill the process).

So, the answer to your question: If you put a checkmark in "Process Terminations" for firefox.exe that means that firefox will be protected from being terminated by other processes.

Kees1958, was right in this case.

 

I am not sure about these settings. I just left them alone.

 

All of the items in Protection settings involve what other programs can do to the given program.

Windows hooks are used by programs that want to know about certain things that happen in other programs. An example of a legitimate program that uses hooking is AutoSizer, a program that automatically resizes other program windows. To do its job, AutoSizer needs to know when program windows have been created or changed size. AutoSizer uses a hook to do this. Illegitimate programs can also use hooks to do things such as record keystrokes. AKLT has 2 methods that demonstrate this. Although you can use the Windows/WinEvent Hook protection setting to stop another program from hooking a given program, it's probably even better to just stop untrustworthy programs from setting a hook in the first place.

 

Will it give a pop up in this case then?

But the confusing thing is that the pop ups come even when u don,t activate these, as CFP by default gives pop ups for all such events. So what is, then, the purpose of activating these separately?

Thanks

 

No, unless you specifically also allowed the action in that same program's policy. The protection settings override the 'allow' settings in other programs, which is appropriate. You need to look at the Defense+ log file to see if blocks occurred.

 

I am getting a bit confused.

Ok, a simple Q? Is it really needed for some applications?

I will still leave these settings as default( not activated).

 

I use the protection settings only for security programs. For example, you don't want malware to terminate your security programs.

Let's say you have protected Program A from termination. CFP will not allow Program A to be terminated by any program, unless you specified exceptions in Program A's protection settings.

 

Thanks to all -- especially MrBrian. I shall now use the appropriate Protection Settings so as to protect my security apps from corruption or termination by a nasty.

For info, shown below are the default protection settings for Comodo Firewall Pro itself.

 

Thanks.

 

You're welcome . You may wish to look at your Defense+ log once in awhile, to see if some blocked requests should have been allowed.