Understanding Security Alerts
CIS alerts warn you about security-related activities at the moment they occur. Each alert contains information about a particular issue so you can make an informed decision about whether to allow or block it. Alerts also let you specify how CIS should behave in future when it encounters activities of the same type, and they enable you to reverse the changes made to your computer by the application that raised the security-related event.
Alert Types
Comodo Internet Security alerts come in five main varieties. Click the name of the alert (at the start of the following bullets) if you want more help with a particular alert type.
- Antivirus Alerts - Shown whenever virus or virus-like activity is detected. AV alerts are displayed only when Antivirus is enabled and the option 'Do not show antivirus alerts' is disabled in Real-time Scanner Settings.
- Firewall Alerts - Shown whenever a process attempts unauthorized network activity. Firewall alerts are displayed only when the Firewall is enabled and the option 'Do not show popup alerts' is disabled in Firewall Settings.
- HIPS Alerts - Shown whenever an application attempts an unauthorized action or tries to access protected areas. HIPS alerts are generated only if HIPS is enabled and the option 'Do NOT show popup alerts' is disabled.
- Behavior Blocker / Auto-Sandbox Alerts (including Elevated Privilege Alerts) - Shown whenever an application tries to modify the operating system or related files, and whenever the Behavior Blocker automatically sandboxes an unrecognized file. These alerts are displayed only when auto-sandboxing is enabled under Behavior Blocker settings. Elevated Privilege Alerts are shown only if 'Detect installers and show privilege elevation alerts' is enabled there.
- Viruscope Alerts – Shown whenever a currently running process attempts to take suspicious actions. Viruscope alerts allow you to quarantine the process & reverse its changes or to let the process go ahead. Be especially wary if a Viruscope alert pops up 'out-of-the-blue' when you have not made any recent changes to your computer. Viruscope Alerts will be displayed only when Viruscope is enabled under Behavior Blocker settings.
In each case, the alert may contain a very important security warning or may simply occur because you are running a certain application for the first time. Your reaction should depend on the information presented in the alert.
Note: This section is concerned only with the security alerts generated by the Antivirus, Firewall, HIPS and Behavior Blocker components of CIS. For other types of alert, see Comodo Message Center notifications, Notification Messages and Information Messages.
The shield icon at the upper left of each alert is color coded according to the risk level presented by the activity or request. However, it cannot be stressed enough that you should read the entire alert before deciding whether to allow or block the activity.
- Yellow Icons - Low Severity - In most cases, you can safely approve these requests. The 'Remember my answer' option is automatically pre-selected for safe requests.
- Orange Icons - Medium Severity - Carefully read the information in the alert description area before making a decision. These alerts could be the result of a harmless action by a trusted program or indicative of a malware attack. If you do not recognize the application performing the activity or connection request, block it.
- Red Icons - High Severity - These alerts indicate highly suspicious behavior consistent with the activity of a Trojan horse, virus or other malware program. Carefully read the information provided before deciding whether to allow it to proceed.
Note: Antivirus alerts are not ranked in this way. They always appear with a red icon.
The description is a summary of the nature of the alert and can be revealed by clicking the handle on the alert.
The description tells you the name of the software/executable that caused the alert; the action that it is attempting to perform and how that action could potentially affect your system. You can also find helpful advice about how you should respond.
Now that we've outlined the basic construction of an alert, let's look at how you should react to them.
Answering an Antivirus Alert
Comodo Internet Security generates an Antivirus alert whenever a virus or virus-like activity is detected on your computer. The alert contains the name of the virus detected and the location of the file or application infected by it. Within the alert, you are also presented with response options such as 'Clean' or 'Ignore'.
Note: Antivirus alerts are displayed only if the option 'Do not show antivirus alerts' is disabled. If this setting is enabled, CIS blocks the threat automatically and shows an antivirus notification instead. The option is found under 'Security Settings > Antivirus > Realtime Scan'. See Real-time Scanner Settings for more details.
Tip: Clicking the Show Activities link at the bottom right opens the Process Activities List dialog, which lists the activities of the processes run by the application.
The Show Activities link is available only if Viruscope is enabled under Advanced Settings > Defense+ > Behavior Blocker Settings. If none of the processes associated with the infected application has started before the alert is generated, the 'Show Activities' link is disabled and will not open the Process Activities List dialog.
The following response-options are available:
- Clean - Disinfects the file if a disinfection routine exists. If no routine exists for the file, it is moved to Quarantine. If desired, you can submit the file/application to Comodo for analysis from the Quarantine interface. See Manage Quarantined Items for more details on quarantined files.
When Viruscope is enabled under Behavior Blocker settings, the Viruscope subsystem integrated with the Antivirus also monitors the changes made to your computer by the virus or virus-like activity and automatically reverts them if you choose to clean the infected file or application.
Note: Though Viruscope can reverse most types of change made by the processes of a blocked application, it has limitations: file activities that make permanent changes generally cannot be reverted. Examples include:
- Ignore - Allows the process to run and does not attempt to clean the file or move it to quarantine. Only click 'Ignore' if you are absolutely sure the file is safe. Clicking 'Ignore' opens three further options:
- - Ignore Once - The file is allowed to run this time only. If the file attempts to execute on future occasions, another antivirus alert is displayed.
- - Ignore and Add to Exclusions - The file is allowed to run and is added to the Exclusions list, effectively making this the 'Ignore Permanently' choice. No alert is generated if the same application runs again.
- - Ignore and Report as a False Alert - If you are sure that the file is safe, select this option. CIS then submits the file to Comodo for analysis. If the false positive is verified (and the file is trustworthy), it is added to the Comodo safe list.
If you have chosen not to show Antivirus Alerts (Advanced Settings > Security Settings > Antivirus Settings > Realtime Scanner Settings, with 'Do not show antivirus alerts' enabled, which is the default) and CIS identifies a virus or other malware in real time, it immediately blocks the malware and shows an on-screen notification instead:
Please note that these antivirus notifications are displayed only when the 'Do not show antivirus alerts' check box in the Antivirus > Real-time Scan settings screen is selected and the 'Show notification messages' check box is enabled in the Advanced Settings > User Interface screen.
Answering a Firewall Alert
CIS generates a firewall alert when it detects an unauthorized network connection attempt or when traffic runs contrary to one of your application or global rules. Each firewall alert allows you to set a default response that CIS automatically applies if the same activity is detected in future. The following steps will help you answer a Firewall alert:
Tip: Clicking the Show Activities link at the bottom right opens the Process Activities List dialog, which lists the activities of the processes run by the application.
The Show Activities link is available only if Viruscope is enabled under Advanced Settings > Defense+ > Behavior Blocker Settings. If none of the processes associated with the application that makes the connection attempt has started before the alert is generated, the 'Show Activities' link is disabled and will not open the Process Activities List dialog.
- Carefully read the information displayed after clicking the down arrow in the alert description area. The Firewall can recognize thousands of safe applications (for example, Internet Explorer and Outlook). If the application is known to be safe, this is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized, you are informed of this.
If it is one of your everyday applications and you want to allow it Internet access, select Allow.
In all cases, clicking the name of the application opens a properties window that can help you determine whether or not to proceed:
If you don't recognize the application, we recommend you Block it. By clicking the handle to expand the alert, you can choose to block the connection (the connection is not allowed to proceed) or block & terminate (the connection is not allowed to proceed and the process/application that made the request is shut down).
- If you are sure that it is one of your everyday applications, use the 'Treat As' option as much as possible. This applies a predefined firewall ruleset to the target application. For example, you may choose to apply the Web Browser ruleset to the known and trusted applications 'Internet Explorer', 'Firefox' and 'Opera'. Each predefined ruleset has been specifically designed by Comodo to optimize the security level of a certain type of application.
Remember to check the box Remember My Answer for the ruleset to be applied in future.
- If the Firewall alert reports behavior consistent with that of malware in the security considerations section, block the request AND select Remember My Answer to make the setting permanent.
Answering a HIPS Alert
Comodo Internet Security generates a HIPS alert based on the behavior of applications and processes running on your system. Please read the following advice before answering a HIPS alert:
Tip: Clicking the Show Activities link at the bottom right opens the Process Activities List dialog, which lists the activities of the processes run by the application.
The Show Activities link is available only if Viruscope is enabled under Advanced Settings > Defense+ > Behavior Blocker Settings. If none of the processes associated with the application has started before the alert is generated, the 'Show Activities' link is disabled and will not open the Process Activities List dialog.
- Carefully read the information displayed after clicking the handle under the alert description. Comodo Internet Security can recognize thousands of safe applications. If the application is known to be safe, this is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized, you are informed of this.
If it is one of your everyday applications and you simply want it to be allowed to continue, select Allow.
If you don't recognize the application, we recommend you select Block. You can choose to block only the requested action or to block & terminate the process.
- If you are sure that it is one of your everyday applications and want to enforce a security policy (ruleset) on it, use the 'Treat As' option. This applies a predefined HIPS ruleset to the target application.
Avoid using the Installer or Updater ruleset if you are not installing an application. Treating an application as an 'Installer or Updater' grants it the maximum possible privileges, something that is not required by most already-installed applications. If you do select 'Installer or Updater', consider using it temporarily with Remember My Answer left unchecked.
- Pay special attention to Device Driver Installation and Physical Memory Access alerts. Not many legitimate applications would cause such an alert, and this is usually a good indicator of malware / rootkit-like behavior. Unless you know for a fact that the application performing the activity is legitimate, Comodo recommends blocking these requests.
- Protected Registry Key Alerts usually occur when you install a new application. If you haven't been installing a new program and do not recognize the application requesting the access, then a 'Protected Registry Key Alert' should be a cause for concern.
- Protected File Alerts usually occur when you try to download or copy files or when you update an already installed application.
Were you installing new software or trying to download an application from the Internet? If you are downloading a file from the 'net, select Allow without selecting the Remember my answer option, to cut down on the creation of unnecessary HIPS rules.
If an application is trying to create an executable file in the Windows directory (or any of its subdirectories), pay special attention. The Windows directory is a favorite target of malware. If you are not installing any new applications or updating Windows, make sure you recognize the application in question. If you don't, click Block and choose Block Only from the options, without selecting the Remember My Answer option.
If an application is trying to create a new file with a random-looking file name, e.g. "hughbasd.dll", it is probably a virus and you should block it permanently by clicking Treat As and choosing 'Isolated Application' from the options.
- If a HIPS alert reports malware behavior in the security considerations area, Block the request permanently by selecting the Remember My Answer option. As this is probably a virus, you should also submit the application in question to Comodo for analysis.
- Unrecognized applications are not always bad. Your best-loved applications may very well be safe but not yet included in the Comodo certified application database. If the security considerations section says "If xxx is one of your everyday applications, you can allow this request", you may allow the request permanently if you are sure it is not a virus. You may report it to Comodo for further analysis and inclusion in the certified application database.
- If HIPS is in Clean PC Mode, you are probably seeing alerts for new applications introduced to the system, but not for the ones you have already installed. You may review the 'Unrecognized Files' section for your newly installed applications and remove them from the list for them to be considered clean.
- Avoid using the Trusted Application or Windows System Application policies for your email clients, web browsers, IM or P2P applications. These applications do not need such powerful access rights.
Answering a Behavior Blocker / Auto-Sandbox Alert
Comodo Internet Security generates a Behavior Blocker alert if an application or a process tries to perform certain modifications to the operating system, its related files or critical areas like Windows Registry and when it automatically sandboxes an unknown application.
Please read the following advice before answering a Behavior Blocker alert:
- Carefully read the information displayed after clicking the handle under the alert description. Comodo Internet Security can recognize thousands of safe applications. If the application is known to be safe, this is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized, you are informed of this.
- If you are sure that the application is authentic and safe and you simply want it to be allowed to continue, select Run Unlimited. If you do not want the application to be monitored in future, select the 'Trust this application' check box. The application is then added to the Trusted Files list.
- If you are unsure of the safety of the software, Comodo recommends that you run it with limited privileges and restricted access to your system resources by clicking the 'Run Isolated' button. Refer to the section Unknown Files: The Auto-Sandboxing and Scanning Process for more on applications run with limited privileges.
- If you don't recognize the application, we recommend you select Block.
Run with Elevated Privileges Alert
The Behavior Blocker will display this kind of alert when the installer of an unknown application requires administrator, or elevated, privileges to run. An installer that is allowed to run with elevated privileges is permitted to make changes to important areas of your computer such as the registry.
- If you have good reason to trust the publisher of the software, click the 'Run Unlimited' button. This grants the elevated privilege request and allows the installer to run.
- If you are unsure of the safety of the software, Comodo recommends that you run it with restricted access to your system resources by clicking the 'Run Isolated' button.
- If this alert is unexpected (for example, you have not proactively started to install an application and the executable does not belong to an updater program that you recognize), abort the installation by clicking the 'Block' button.
- If you select 'Trust this application', CIS adds it to the Trusted Files list and no future alerts are generated when you run the same application.
Note: You will see this type of alert only if 'Detect installers and show privilege elevation alerts' is enabled. This can be found in 'Advanced Settings > Security Settings > Defense+ > Behavior Blocker'.
There are two versions of this alert - one for unknown installers that are not digitally signed and the second for unknown installers that are digitally signed but the publisher of the software has not yet been white-listed (they are not yet a 'Trusted Software Vendor').
- Unknown and unsigned installers should be either isolated or blocked.
- Unknown but signed installers can be allowed to run if you trust the publisher, or may be isolated if you would like to evaluate the behavior of the application.
Also see:
- 'Unknown Files: The Auto-Sandboxing and Scanning Processes' - to understand the decision making process behind why CIS chooses to sandbox certain applications.
- 'Trusted Software Vendors' - for an explanation of digitally signed files and 'Trusted Software Vendors'.
Auto-Sandbox Alert
The Behavior Blocker displays an alert whenever it auto-sandboxes an unknown application:
The alert will show the name of the executable that has been auto-sandboxed. The application will be automatically added to Unrecognized Files list.
- Clicking the name of the application opens the Unrecognized Files interface, which displays a list of the unrecognized files including the currently auto-sandboxed application.
- Clicking Don't isolate it again removes the application from the Unrecognized Files list and adds it to the Trusted Files list, so that the application will not be auto-sandboxed in future. Choose this option only if you are absolutely sure that the executable is safe.
Users are also reminded that they should submit such unknown applications to Comodo via the 'Unrecognized Files' interface. This will allow Comodo to analyze the executable and, if it is found to be safe, to add it to the global safe list. This will ensure that unknown but ultimately safe applications are quickly white-listed for all users.
Also see:
- 'Unknown Files: The Auto-Sandboxing and Scanning Processes' - to understand the decision making process behind why CIS chooses to auto-sandbox certain applications.
Answering a Viruscope Alert
Comodo Internet Security generates a Viruscope alert if a running process performs an action that might represent a threat to your privacy and/or security. Please note that Viruscope alerts are not always definitive proof that malicious activity has taken place. Rather, they are an indication that a process has taken actions that you ought to review and confirm because they have the potential to be malicious. You can review all actions taken by clicking the 'Show Activities' link.
Please read the following advice before answering a Viruscope alert:
- Carefully read the information displayed in the alert. The 'More Information' section describes the nature of the suspicious action.
- If you are not sure of the authenticity of the parent application indicated in the 'Application' field, you can safely reverse the changes made by the process and move the parent application to quarantine by clicking 'Clean'.
- If it is a trusted application, you can allow the process to run by clicking Ignore and selecting an option from the drop-down:
- - Ignore Once - The process is allowed to run this time only. If the process attempts to execute on future occasions, another Viruscope alert is displayed.
- - Ignore and Add to Trusted Files - The process is allowed to run and the parent application is added to the Trusted Files list, effectively making this the 'Ignore Permanently' choice. No alert is generated if the same application runs again.
- To view the activities of the processes, click the Show Activities link at the bottom right. The Process Activities List dialog will open with a list of activities exhibited by the process.
Column Descriptions
- Application Activities - Displays the activities of each of the processes run by the parent application.
- - File actions: The process performed a file-system operation (create/modify/rename/delete file) which you might not be aware of.
- - Registry: The process performed a registry operation (created/modified a registry key) which might not be authorized.
- - Process: The process created a child process which you may not have authorized or have been aware of.
- - Network: The process attempted to establish a network connection that you may not have been aware of.
- If the process has been terminated, its activities are shown in gray text and remain in the list until you view the 'Process Activities List' interface. If you close the interface and reopen it within five minutes, the activities are still listed; after that, the terminated process's activities are no longer displayed.
- PID – Process Identification Number.
- Data – Displays the file affected by the action.
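The following is an added example, written for this page and not part of CIS or Comodo's code. It models the Process Activities List described above (category, PID, Data, gray/terminated state and the five-minute window for terminated processes) and applies the HIPS advice from earlier on this page about executables created under the Windows directory, so that a reviewer can see which rows would be shown and which deserve attention. The Activity record layout, the way the five-minute window is measured, the list of executable extensions and every sample activity are assumptions constructed for illustration, not CIS internals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Activity categories as listed in the Process Activities List column description.
CATEGORIES = ("File", "Registry", "Process", "Network")

# The manual says a terminated process's activities stay listed for five
# minutes; how CIS measures that window is not documented, so this example
# measures it from the activity's own timestamp (assumption).
TERMINATED_RETENTION = timedelta(minutes=5)

# Extensions treated as "executable" for the Windows-directory check (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Activity:
    """One row of the activity list: category, PID, affected object, state."""
    category: str
    pid: int
    data: str            # file path, registry key, child process or endpoint
    terminated: bool     # True if the process that acted has since exited
    observed: datetime


def is_under(path: str, root: str) -> bool:
    """Case-insensitive test that a Windows path lies below a root directory."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return len(p) > len(r) and p[: len(r)] == r


def is_displayed(act: Activity, now: datetime) -> bool:
    """Live-process activity is always shown; terminated-process activity
    is shown (in gray) only within the retention window."""
    if not act.terminated:
        return True
    return now - act.observed <= TERMINATED_RETENTION


def writes_executable_under_windows(act: Activity, windir: str = r"C:\Windows") -> bool:
    """The HIPS advice: an executable created under the Windows directory
    (or any of its subdirectories) deserves special attention."""
    if act.category != "File":
        return False
    if PureWindowsPath(act.data).suffix.lower() not in EXECUTABLE_SUFFIXES:
        return False
    return is_under(act.data, windir)


def triage(activities, now: datetime):
    """Return the rows a reviewer would see, each with the flags the
    manual's advice attaches to it."""
    rows = []
    for act in activities:
        if act.category not in CATEGORIES:
            raise ValueError(f"unknown activity category: {act.category}")
        if not is_displayed(act, now):
            continue
        flags = []
        if writes_executable_under_windows(act):
            flags.append("executable written under Windows directory")
        if act.category == "Process":
            flags.append("child process spawned")
        if act.category == "Network":
            flags.append("outbound connection attempted")
        rows.append({
            "pid": act.pid,
            "category": act.category,
            "data": act.data,
            "gray": act.terminated,
            "flags": flags,
        })
    return rows


# Constructed sample data, not real CIS output.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0)


def sample_activities():
    t = SAMPLE_NOW
    return [
        Activity("File", 1234, r"C:\Windows\System32\hughbasd.dll", False, t),
        Activity("Registry", 1234, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd", False, t),
        Activity("Process", 1234, "cmd.exe", True, t - timedelta(minutes=2)),   # exited 2 min ago: shown in gray
        Activity("Network", 5678, "203.0.113.5:443", True, t - timedelta(minutes=10)),  # exited 10 min ago: hidden
    ]


if __name__ == "__main__":
    for row in triage(sample_activities(), SAMPLE_NOW):
        shade = "gray" if row["gray"] else "live"
        print(f'{row["pid"]:>6} {row["category"]:<9} {shade:<4} {row["data"]}  {row["flags"]}')
```

Run as a script it prints the three visible rows; the Network row from the process that exited ten minutes earlier is dropped, matching the five-minute rule, and the DLL written under C:\Windows\System32 is the only row carrying the Windows-directory flag.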