Using Comodo Internet Security as an anti-executable

Discussion in 'other anti-malware software' started by MrBrian, Aug 10, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I believe it is effective on x64. In fact, I've tested it only on x64; when I've denied execution, execution didn't take place as far as I know.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've updated the guide to v2.0. Feedback is welcome!
     
  3. jay2007tech

    jay2007tech Registered Member

    Joined:
    Jun 3, 2009
    Posts:
    9
    Why don't you add "Windows Socket Interface" in Image Execution Control ? Or do you think that would be overkill
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Would this enhance the anti-executable protection in any way? Although the guide doesn't focus on the firewall, you can use the firewall in any way that you want and still retain the anti-executable functionality. You can also use other Defense+ functionality and still retain the anti-executable functionality.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The All Applications file group consists of the wildcard *, so it should cover all of the file types that CIS can handle at a given Image Execution Control Level.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Guide updated to v2.01. The recommendation in step 10 was changed.
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Nice job on this MrBrian. Testing it out in my VM and it seems to work well. Only minor issue is that I'm getting execute popups for svchost.exe trying to 'execute' various .exe's, most of them in my downloads folder. They are clearly not being executed, so I'm unclear what is really happening.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for the feedback Scoobs72 :).

    I noticed the same issue in testing. You're using the DLL interception option, correct (i.e., option 2 in step 10)? I believe the reason that you see these extra prompts is because the Aggressive setting for Image Execution Control Level also covers prefetching and caching. To avoid these prompts, please try using the Defense+ prompt suppression feature, as is currently recommended in the guide when using option 2 in step 10. See the Notes section in the guide for details on how to do this. If you do this, please report if you experience any problems.

    I've posted a wishlist item that CIS ought to be able to detect DLLs in the Normal setting for Image Execution Control Level, in order to avoid this issue.
     
    Last edited: Aug 27, 2010
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Yes, that's right. The Defense+ suppression solution solves the problem, although right now I'm not using it until I've road-tested the solution a bit more.

    Also, I think (tentatively) there may be an error in the guide. In section 20, your blocked applications screenshot is showing files, not directories. This results, for example, in anything that commences C:\windows\system32\tasks* being blocked, as opposed to everything in the directory c:\windows\system32\tasks\ being blocked. I've amended my entries in this table to include \ so that they all show as directories.

    Thanks for all your efforts on this :)
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    The entries in step 20 are correct as far as I know - it should have the asterisk and not an ending backslash. It looks strange I know. Test it out by putting an .exe in one of those folders (or subfolders thereof) and try to execute it - it should be blocked. Let me know if I'm wrong. In any event, I'll change that step to make things more clear.

    Your continued feedback is very welcome - good or bad - especially since I'm actually using AppLocker and not CIS on my newest computer. I created the guide for those who don't have access to SRP or AppLocker, so that nobody needs to be left out from execution protection :).
     
    Last edited: Aug 29, 2010
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I just tested this. The suggested changes won't work properly. Ending with an asterisk does work.

    For example, these entries do not work:
    c:\windows\system32\tasks
    c:\windows\system32\tasks\

    This entry works:
    c:\windows\system32\tasks*
     
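The two posts above report that a Computer Security Policy entry ending in `*` covers a folder while an entry with no `*` or with a trailing `\` does not, and that a trailing `*` also catches anything whose path merely starts with the same characters. The following is an added example, not code from the thread or from Comodo: it models an entry as a whole-string wildcard match (the assumption is that CIS compares the complete path against the entry case-insensitively, with `*` matching any run of characters including backslashes), and runs the three candidate entries over constructed sample paths so you can see what each one would and would not block. The CIS matching engine itself is not reproduced; only the behaviour the thread observed is modelled, and the `Tasks2` sibling-folder case is the consequence of that model that Scoobs72 raised.

```python
"""Model of whole-string wildcard matching for Defense+ path entries.

Added example, not code from the original thread or from Comodo.
Assumptions: the full path is compared against the entry, matching is
case-insensitive, and '*' matches any run of characters (backslashes
included). Under this model an entry without a trailing '*' matches only
that exact path, which is why an .exe inside the folder is not blocked,
while 'c:\\windows\\system32\\tasks*' covers the folder, its subfolders,
and any sibling whose name starts with 'tasks'.
"""
import re


def entry_to_regex(entry: str) -> re.Pattern:
    """Turn a policy entry into a regex: everything literal except '*'."""
    parts = [re.escape(p) for p in entry.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def matches(entry: str, path: str) -> bool:
    """True if the whole path matches the entry under the model above."""
    return entry_to_regex(entry).fullmatch(path) is not None


def covered_paths(entry: str, paths: list[str]) -> list[str]:
    """Return the subset of paths an entry would block."""
    return [p for p in paths if matches(entry, p)]


# Constructed sample paths for illustration; not taken from a real system.
SAMPLE_PATHS = [
    r"C:\Windows\System32\Tasks",                              # the folder itself
    r"C:\Windows\System32\Tasks\dropper.exe",                  # file in the folder
    r"C:\Windows\System32\Tasks\Microsoft\Windows\payload.exe",  # file in a subfolder
    r"C:\Windows\System32\Tasks2\sibling.exe",                 # sibling folder sharing the prefix
    r"C:\Windows\System32\Taskmgr.exe",                        # shares only "Task"
    r"C:\Users\me\Downloads\setup.exe",                        # unrelated
]

# The three entries discussed in the thread.
ENTRY_BARE = r"c:\windows\system32\tasks"
ENTRY_SLASH = "c:\\windows\\system32\\tasks\\"
ENTRY_STAR = r"c:\windows\system32\tasks*"


def report(entries: list[str]) -> dict[str, list[str]]:
    """Map each entry to the sample paths it would block."""
    return {e: covered_paths(e, SAMPLE_PATHS) for e in entries}


if __name__ == "__main__":
    for entry, hits in report([ENTRY_BARE, ENTRY_SLASH, ENTRY_STAR]).items():
        print(f"{entry!r} blocks {len(hits)} of {len(SAMPLE_PATHS)} sample paths:")
        for h in hits:
            print("   ", h)
```

Running it shows the bare and trailing-backslash entries blocking nothing useful (the bare entry matches only the folder path itself, the backslash form matches nothing), while the `*` form blocks the folder, its contents and subfolders, and also `Tasks2\sibling.exe`. If that sibling match matters in your layout, test a `tasks\*` form in CIS before relying on it; the thread only reports results for the three entries modelled here.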
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I am new to Comodo and I am learning here :D. Where can I go to apply certain rules, for example :)
    c:\windows\system32\tasks*? Thanks.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That was referring to step 20. You don't need to change anything if you already followed the guide - just be sure that the folder entries from steps 20 and 21 end with *. The Defense+ policies are listed when you go to Defense+ -> Advanced -> Computer Security Policy.

    I updated the guide to v2.02 to add an explanation of the above.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks, MrBrian.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA