Support for Improvement to Comodo Products

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Started a thread on the Comodo forum about unblocking applications here:

Using Widget to Unblock - Install / Setup / Configuration Help - CIS

This issue has been on my mind for some time now, so if anyone is interested I would appreciate your 2 cents.

My proposal centers around the idea that unblocks should not change the file/app rating from "Unrecognized" to "Trusted". The two ways (without creating a rule) to unblock an auto-contained app/file are "Unblock this application" on the container alert and "Unblock Applications" on the widget or GUI->Tasks->General. The alert unblock only creates a single container allow rule, but it presently also changes the rating of the file/app from "Unrecognized" to "Trusted". The "Unblock Applications" element creates allow rules for ALL elements (Firewall/HIPS/Containment). Either way, the trust rating goes to "Trusted", so all protections are off, even if only the container alert unblock->allow rule is created by using that dialog to unblock.

Basically, the proposal suggests removing the "Unblock this application" unblock from the Containment alert, adding instructions to use "Unblock Applications". This would give the user pause to think. Also, the proposal suggests splitting the unblock process in "Unblock Applications" into 3 parts, one for Firewall, one for HIPS, and one for Containment. In order to achieve the single block, auto-created rules created by unblocking a specific protection should not change the app/file rating from "Unrecognized" to "Trusted". This way, Comodo's default monitoring rules for the other protections remain in place.

Honestly, it's a simple fix. It's not a problem for Comodo to create simple allow rules for "Unrecognized" when a user wants to unblock a specific protection. The single all on or all off is horrible though. There isn't a single reason why the rating should be changed given the all-encompassing effect of doing so. Again, allow rules can be created for "Unrecognized" just as easily as for "Trusted". :eek:

If anyone gets a chance, please take a look at the thread and add your ideas or support. FutureTech said devs were working on this, but I don't know if he meant previously or just started, but I would like this to get pushed through FAST. It's a big problem with Comodo as things are. Thanks for any support any of you guys can provide.

BTW, not sure if the "Trusted" rating turns off heuristic command line monitoring for an app/file also. This should be the last line of defense in Comodo products, meaning it's there even if you choose to run outside the box with a file/app Comodo considers "Unrecognized" by default. If HC-L does turn off with "Trusted" rating, it should be very difficult for a user to change the Trust rating of a file and never via an unblock element on the widget or an alert. Even if HC-L stays on for all file/app ratings (I don't think it does), the blocking mechanisms should be changed, anyway, I feel. Thx
 

AtlBo

LOL, so far everything is OK.

This is a gaping hole in the software, but mainly if Comodo fix this, they will be able to properly create endpoint software that can be easily managed. The dialog doesn't even have to be in enterprise versions, assuming users can communicate issues w/IT admins and admins can quickly respond when necessary. I mean, that is their job, and it would only happen for "Unrecognized".

Thing is if there is going to be a home version, this has to be there. Otherwise, it might as well be Bouncer really.
 

Antimalware18

Level 10
Verified
Well-known
Jan 17, 2014
487
My two main problems with Comodo always were:

1. On any system I've ever run it on, if an application or installer is blocked and I would allow it, it would NEVER work 100% correctly afterwards, even if its rating was "Trusted". Or maybe that was the "Disappearing rule bug".

2. And I know I say it a lot and bash the product a lot because of it, but: those horrific signatures.

Make a thread about those signatures so an individual wouldn't have to use another AV to fill that "hole". Guaranteed you'd get banned before you were finished typing :D
 

AtlBo

1. On any system I've ever run it on, if an application or installer is blocked and I would allow it, it would NEVER work 100% correctly afterwards, even if its rating was "Trusted". Or maybe that was the "Disappearing rule bug".

Hey @Antimalware18. Thanks for the reply. This sounds like it could be that you unblocked hoping to only unblock containment. Not with Comodo, unfortunately. Unblock from the containment alert->file/app becomes automatically "Trusted" and all monitoring basically ceases (maybe some basic HIPs that's all). Only one rule is created, a Containment ignore->Trusted rule, but monitoring is basically over. Unblock from "Unblock Applications" and you get total global blanket unblock. You get 100% an allow rule in each of the 3 areas. Of course, the file rating goes to "Trusted" also which is again horrible.

So maybe what you were expecting is to unblock one element (almost always containment for anyone). Then you would have expected HIPs/Firewall alerts as normal for your setting (Safe Mode/Paranoid etc.). Nope, almost nothing.

For me, the worst part (if I am right that "Trusted" for a file/app turns off c-l monitoring for the file/app) is that command-line monitoring is automatically not present for any file/app with a "Trusted" rating. No exceptions. So if you run a Comodo "Unrecognized" outside the container via either unblock (container alert will be the clue it is Comodo "Unrecognized"), then all protections are off and command-line isn't monitoring for droppers and scripts either. No protection at all.

Maybe you can see from the pic in the linked thread how splitting the unblocks while keeping "Unrecognized" file status would keep the protections that aren't unblocked on. Also, it would mean I know for sure command-line monitoring is functioning as it should. :)
 

Antimalware18

Hey @Antimalware18. Thanks for the reply. This sounds like it could be that you unblocked hoping to only unblock containment. Not with Comodo, unfortunately. Unblock from the containment alert->file/app becomes automatically "Trusted" and all monitoring basically ceases (maybe some basic HIPs that's all). Only one rule is created, a Containment ignore->Trusted rule, but monitoring is basically over. Unblock from "Unblock Applications" and you get total global blanket unblock. You get 100% an allow rule in each of the 3 areas. Of course, the file rating goes to "Trusted" also which is again horrible.

That would probably have been the issue then.

Add that to my "wish list": a "global unblock" button in the sandbox/HIPS popup. Or would that weaken security too much?

Personally the issue wasn't really with any of my apps. I share this PC with my wife and she plays/runs a lot of game apps and when she has a game series of 32+ games with a little over half of them unsigned (1990's games) and a few more with signatures that Comodo didn't recognize....

there was a lot of room for raging there on my part :D
 

AtlBo

Add that to my "wish list": a "global unblock" button in the sandbox/HIPS popup. Or would that weaken security too much?

I can see how your wife would have gone mad with a lot of "Unrecognized" apps to run o_O. Actually, the global unblock is what you get now when you unblock from the Containment alert or the "Unblock Applications" dialog.

How about this...a regional unblock for HIPs alerts say that turns off all HIPs monitorings if it's those you want off for an app? That might be a good idea for HIPs or firewall. Don't think so personally for the sandbox, because it's so critical to the protection scheme. What I am looking at is actually a layer above where you are focusing. It's the behavior of the "Unblock Applications" unblock that is the problem in the big picture and also the "Unblock this application" on the Containment alert.

I ran scenarios I will post later. These are the responses of Comodo to "Unrecognized" and then its responses to the various ways to unblock. They show that the file rating can stay the same ("Unrecognized") and still single protection unblock easily be added to the "Unblock Applications" dialog. This would add much needed respect for Comodo's trust choices and also to running in the container. Also, the stature of HIPs and Firewall would be raised. For certain, unblocking for the container shouldn't be an easy unblock no matter what. This handles that, and you still can have the other components if you want them or then unblock everything all at the same time if you would rather. With some simple rules creation from Comodo from the concept proposed split protections unblock, trust can stay "Unrecognized" and any individual protection or protections be off for any app/file no problem, even though "Unrecognized" usually means individual protections are on.
 

509322

If you're lucky, one of the forum mods will ask you to create a poll to allow others to vote on it.

Then, you'll be lucky if 20 people vote on it.

The creation of single allow rules - say for the HIPS, but not sandbox and firewall - for "Unrecognized" files is already present in CIS. The user just needs to know how to create the rules.

Changing the file rating of a file is what turns on\off alerts for that particular file.

The alert unblock only creates a single container allow rule, but it presently also changes the rating of the file/app from "Unrecognized" to "Trusted".

If the file rating is changed from Unrecognized to Trusted, then there is no need to create an auto-sandbox exclusion rule. So it looks like a bug, but with COMODO you just never know how they intended it to work.
 
jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The flow of Comodo's behavior on alerts is so complex that it is way too difficult to handle for the majority of users. We are unsure what the developers wanted to portray, because from the first place it's not user friendly and is considered geek software.

The Autosandbox mechanism of Comodo is so far unique yet pretty complicated because of connection alerts from HIPS, Cloud and others.
 

AtlBo

The creation of single allow rules - say for the HIPS, but not sandbox and firewall - for "Unrecognized" files is already present in CIS. The user just needs to know how to create the rules.

Good point, but that sure seems complicated to me, and I think it might stifle even intermediate level users. They start asking themselves about the trust rating and what do I need to do and then maybe change the rating or mess something else up too with another setting, etc. Who knows what happens with Grandma, but probably her pension check is more or less in grave danger somehow.

That aside, thanks for the comments. I should qualify a little in that there are some unknowns for me with trust in Comodo products. I could go on and on about what can be known for certain from Comodo help and what must be wrung from the program through use, but really none of that really changes for me the idea that "Unblock Applications" could be made adaptive and useful. I think it's a good idea.

Honestly, the unknowns surrounding trust I don't think affect the concept for split unblocking in that turning a monitoring component off when file rating is "Unrecognized" is possible (by global rules in each component protections are each on by default for this rating). Since this is possible, I can say that I know the file rating can stay "Unrecognized" and a single component be set to off (again by default on for "Unrecognized"). That in turn means unblocking (turning off protection) for a single component is possible for each of them. So, I don't understand why the rating has to go to "Trusted", considering that normal command line monitoring stops and all other protections too (OK hope I am not wrong about this...it's my impression since I don't see c-l alerts for "Trusted"). I mean, with unblocking we are talking about a file/app that a user just unblocked that is "Unrecognized" by Comodo, and just like that any user can turn it into a "Trusted" file/application? Bad idea. This could be who knows what kind of malware, etc. Better to have the option to leave on HIPS and Firewall and make sure command line monitoring is 100% being applied to the file/app. This means keep the rating of a file a user chooses to unblock as "Unrecognized". At least this way keeps the command line monitoring going, even if the user does turn off all elements, Firewall, HIPS and Containment.

All of this leads to the concept for funneling users into "Unblock Applications" to unblock. One single place to do this eliminates any confusion that could arise. There the user can choose which protections to unblock and appropriate actions are taken by Comodo to create any necessary rules. File rating is kept at "Unrecognized" (FOR SURE) and the created rules are set to function based on this. Command-line monitoring is functioning as desired because of the rating and everyone is happy :) except the malware writers...the concept.
 

Andytay70

Level 15
Verified
Top Poster
Well-known
Jul 6, 2015
737
Comodo need to listen to their users a lot more but that will never happen as all they listen to is positive views and never the negative ones.
I refuse to use their forum as a post I made about the icon near the clock developing a flicker every time I started a program got deleted!
Don't get me wrong, Comodo fw is a good program when it's working but when it's not it's very frustrating!
Sorry for the rant BTW!
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
AtlBo. His idea is very good and I share it .... BUT I do not know if that is possible we are possible if it is but that they do not know it.

It also happens in other security programs that once you remove it from quarantine it no longer detects it.
 

AtlBo

Anyone know about this sandbox bypass? I'm wondering why no one talked about it :p

@publicenemy thx for the notice. Didn't see it before. As much malware as cruelsister has thrown at CFW going back to version 8, I feel certain it functions basically 100% as intended/required. They did address the issue with that 6206 update looks like, so that's the main thing. :)
 