Advice Request Comodo Internet Security Setup/configuration thread

  • Thread starter: Deleted member 178
Status
Not open for further replies.
So for educational purposes, say "File A" triggers an alert because it wants access to "File B", and I select "treat as allowed", File A will be allowed in the future, but not File B?

I guess in the "block" case; because if you "treat as allow", the file is supposed to be safe in the first place.

Selecting "Treat as Allowed Application" assigns HIPS Allowed Application rules to File A. Allowed Application status will grant File A almost unrestricted access to system resources and the ability to perform actions with elevated privileges. (So when selecting "Treat as Allowed Application", the user had better be absolutely sure the file is safe.)

For best security, it is best to select:
  • Allow;
  • Tick "Remember my answer."
This method creates a permanent Allow rule for only the specific, single action or access outlined in the HIPS alert.
 

 
I notice that CIS is protected by "DEP".
Would this be a feature of CIS itself, or are you using HMP.A to protect CIS?

Some Comodo modules are protected by DEP; when they were compiled DEP settings were enabled...

For v 9, DEP compiler settings will be enabled for all module code.

However, there might be empty stubs or other code that shouldn't have DEP protection to work properly... so Comodo might not have precisely 100 % DEP.
 
Some KeePass module(s) is\are Unrecognized by Comodo = not on their Safe List.

You can handle an Unrecognized file - and stop Comodo from blocking\auto-sandboxing it - in a number of ways:

1. In HIPS alert, select Allow and tick "Remember my answer" (creates permanent HIPS rule for action covered by that individual alert).
2. In Sandbox alert, select "Trust this application" (creates auto-sandbox Ignore rule); need HIPS alerts enabled.
3. Run Rating Scan and select "Add to Trusted Files."
4. Go into File List and manually change rating individual files\entire folder from Unrecognized to Trusted.
5. Enable Training Mode during install and initial use of application; CIS will auto-create rules.
6. Submit file to Comodo for white-listing = add to Safe List.

The above are the main ways. There are even more ways, but covering every single one here would serve no purpose other than to confuse.

WARNING ! In the HIPS alert, rule creation applies to the file performing the action - and not the target file ! Until a user fully understands how HIPS alerts "Treat as..." options work in CIS, the user is strongly advised not to use any of the "Treat as..." options.

A mistake with the "Treat as..." options can potentially compromise the entire system's security !


So if you select one of the "Treat as..." options, then it will apply to the file on the left side of the HIPS alert - not the object on the right !

A -> -> -> B

"Treat as..." will be applied to A - and not B.

Thanks! @hjlbx ! Certainly CIS is a great learning tool for me.
 
Do not virtualize Access to specified files/folders...: Yes | Exclusions: my security softwares group
Hi, Umbra.
Maybe you (or me:D) misunderstand this option.
If you exclude your security softwares here, then any of your programs running in the auto-sandbox can access the folders of your security softwares directly.
I do not think this is a good option.
If you do not want Comodo to force your security softwares into the auto-sandbox, then:
Rules: added "Ignore My security Softs" rule
is just enough.;)

finished editing my trusted vendors list , easy trick to do it:

1- put HIPS on Training mode, disable auto-sandbox
...
4- add vendors by selecting them via running processes
...

This is not the best practice of reconstructing TVL in my own opinion.
Putting HIPS on Training mode while disabling auto-sandbox at the same time is not safe.
Adding vendors manually is not convenient.

To reconstruct TVL effectively after clearing it, we just need to keep HIPS and auto-sandbox enabled.
At the same time, keep the cloud lookup enabled.
Then, we just need to double click the applications whose vendors are reliable.
When these executables are identified as safe by the cloud of Comodo,
their vendors will be added to the trusted vendor list automatically.

Yes, Comodo could modify TVL automatically by itself !:D

By the way, maybe you can consider creating a read-only copy of this thread?
Then we can discuss in this thread, while you can copy the configurations shared by experienced users to the read-only thread.
 
Yes, Comodo could modify TVL automatically by itself !:D

It used to, not sure if it still does, but it used to be that once you edited the TVL and the next big upgrade or update came along, it would get reset to default again, leaving the user to have to modify it again :rolleyes:
 
This is not the best practice in my own opinion.
Putting HIPS on Training mode while disabling auto-sandbox at the same time is not safe.
Adding vendors manually is not convenient.

In fact, we just need to keep HIPS and auto-sandbox enabled.
At the same time, keep the cloud lookup enabled.
Then, we just need to double click the applications whose vendors are reliable.
When these executables are identified as safe by the cloud of Comodo,
their vendors will be added to the trusted vendor list automatically.

For tightest security, Comodo recommends removal of all unneeded vendors from Trusted Vendors List.

@Umbra is just indicating a convenient way of doing it... as opposed to long, drawn out manual method of going down the File List and deleting entries.

The method he used is perfectly safe on clean system, but I would keep auto-sandbox enabled.

Comodo Cloud will protect physical system with active Training Mode.

With Comodo Cloud and auto-sandbox enabled, any Unrecognized files will be auto-sandboxed. At the same time, Training Mode will create HIPS rules for any sandboxed Unrecognized files. In other words, the physical system is protected from persistent infection. If the Unrecognized app is determined to be unsafe\malicious\suspicious then the user simply has to delete the auto-learn HIPS rules.

FYI - I am not sure what is up with Trusted Vendor List updates. Vendors are added to TVL by Comodo techs, but the vendor never gets added to the user's local TVL. Newly added vendors are supposed to be updated during signature updates on a user's local CIS installation - I believe. Not sure if it is a bug or an issue with Comodo infrastructure. There have been complaints about it for a while now...
 
For tightest security, Comodo recommends removal of all unneeded vendors from Trusted Vendors List.

I agree with this, and in fact, I just want to give a more effective way to reconstruct the TVL.
I mean, after clearing the TVL, we do not need to add vendors manually into it.
By contrast, we can do this easily by just double clicking applications and let Comodo itself finish the remaining work.;)

Please test it. You will find it more effective than adding vendors manually.;)
 
HJLBX CIS CONFIGURATION
Antivirus

  • Real-Time Scan: Stateful
  • Scan memory when computer start: Yes
  • Use Heuristic Scanning: High
  • Exclusions: *\Quarantine
NOTE: Adding *\Quarantine to Exclusions prevents CIS scan engine from scanning and detecting files located in any other security soft's quarantine directory - for example, the included Comodo Cleaning Essentials quarantine !

Scans

Quick:

  • Use cloud while scanning - Yes
  • Heuristics - Low
  • Scan archives - No
  • Schedule - No
Full:
  • Use cloud while scanning - No
  • Heuristics - High
  • Scan archives - No
  • Schedule - No

NOTE: Scanning archives is a waste of resources ! Only scan archives if you suspect infection and use Comodo Cleaning Essentials module for the task instead of built-in CIS scan engine.

Hi @hjlbx

Referring to the above quote, care to show how to add the quarantine into the exclusion? So far I clicked but I can only add file groups or files.

Also, may I know where to turn off the scan archive? Somehow I couldn't find the box. Care to share where it is located?
 
I agree with this, and in fact, I just want to give a more effective way to reconstruct the TVL.
I mean, after clearing the TVL, we do not need to add vendors manually into it.
By contrast, we can do this easily by just double clicking applications and let Comodo itself finish the other work.

Please test it. You will find it more effective than adding vendors manually.

Your method is correct, but will only work for vendors included on Comodo TVL. Safe vendors not already on Comodo TVL can only be added manually... unless you want to wait 3 years for Comodo reply to Pending Files. :D
 
@CMLew
  • Add file to Exclusions... select any file on system.
  • Double click on that file path in CIS AV Exclusion GUI.
  • Box will open.
  • Delete contents and enter "*\Quarantine" - without quotes.
You have now excluded Quarantine file path for virtually all AVs, second opinion scanners, etc. Prevents detection of already quarantined files.

Antivirus > Scans > Double-click Full > Options > un-tick "Decompress and scan compressed files"
 
Thanks! @hjlbx

Learn something new. ;)
 
I disabled auto-sandbox for the TVL because I have AppGuard backing me up :p
 