Computer Security Policy
The Computer Security Policy area allows the administrator to view, manage and edit the Defense+ security policies that apply to applications.
- Click on Computer Security Policy in Defense+ > Advanced Task to open the 'Computer Security Policy' interface.

The first column, Application Name, displays a list of the applications on a system for which a security policy has been deployed. If the application belongs to a file group, then all member applications assume the security policy of the file group. The second column, Treat as, displays the name of the security policy assigned to the application or group of applications in column one.
General Navigation controls for Computer Security Policy interface:
Window Specific Navigation Controls – Computer Security Policy

| Menu Element | Element Icon | Description |
|---|---|---|
| Add New Group | | Allows the administrator to add a new application to the list and then create its policy. See the section 'Creating or Modifying a Defense+ Security Policy'. |
| Edit | | Allows the administrator to modify the Defense+ security policy of the selected application. See the section 'Creating or Modifying a Defense+ Security Policy'. |
| Remove | | Deletes the current policy. Note: Individual applications cannot be removed from a file group using this interface - use the 'My File Groups' interface to do this. |

Administrators can re-order the priority of policies by simply dragging and dropping the application name or file group name in question. To alter the priority of applications that belong to a file group, use the 'My File Groups' interface.
Creating or Modifying a Defense+ Security Policy
To begin defining an application's Defense+ policy:
(1) Select the application or file group to which the policy needs to be applied.
(2) Configure the security policy for this application.
(1) Select the application or file group to which the policy needs to be applied
- Click the icon in the main Computer Security Policy interface. This opens the Security Policy dialog box shown below:

Note: As this is a new application, the 'Application Path' field is blank. While modifying an existing policy, this interface shows the individual rules for that application's policy.
- Click the File Groups button.

- Select the required Application Path from the dropdown.
The File Groups option allows the administrator to create a Defense+ security policy for a category of preset files or folders. For example, selecting 'Executables' would enable the administrator to create a Defense+ policy for all files with the extensions .exe, .dll, .sys, .ocx, .bat, .pif, .scr and .cpl. Other such categories include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc., each of which provides a fast and convenient way to apply a generic policy to important files and folders.
To view the file types and folders that are affected by choosing one of these options, visit the 'My File Groups' interface.
The 'My File Groups' interface can be accessed by either of the following methods:
Navigate to Defense+ > Common Tasks > My Protected Files then click the 'My Groups' button.
(2) Configure the Security Policy for this application
There are two broad options available for selecting a policy that applies to an application - Use a Pre-defined Policy or Use a Custom Policy.
(i) Use a Pre-defined Policy:
- Select this option to quickly deploy an existing policy on to the target application.
- Choose the policy from the drop-down menu. The name of the predefined policy is displayed in the Treat As column for the selected application in the Computer Security Policy interface.

Note: It is not possible to modify Predefined Policies directly from this interface - they can only be modified and defined using the Predefined Security Policies interface. To add or modify rules for an application means creating a new custom policy and should be done using the more flexible Use Custom Policy option.
(ii) Use a Custom Policy: Designed for more experienced administrators. The Custom Policy option has two main configuration areas - Access Rights and Protection Settings. In simplistic terms 'Access Rights' determine what the application can do to other processes and objects whereas 'Protection Settings' determine what the application can have done to it by other processes.
- Select this option to enable full control over the configuration of a specific security policy and the parameters of each rule within that policy.

Note: Selecting the Use a Custom Policy option enables the Access Rights tab and Protection Settings tab.

Access Rights - The Process Access Rights interface allows the administrator to determine what activities the applications in the custom policy are allowed to execute. These activities are called 'Access Names'.

Tip: Click here to view a list of definitions of the Action Names listed above and the implications of choosing to Ask, Allow or Block for each setting.
- Select the 'Ask', 'Allow' or 'Block' option for the respective Action Name.
- Click the Modify button to specify the policy exceptions for the 'Ask', 'Allow' or 'Block' option. This opens the Run an executable dialog box.

- Select the Allowed Applications or Blocked Applications tab depending on the type of exception that needs to be created.
- Click to choose and apply this exception to the selected applications or file groups.

Tip: Click here for an explanation of available options.

- Select the required File Group from the list. The selected File Group is displayed in the 'My Protected Files' main list.
To add a File to a file group
- Select the required file group and click the icon. The 'Type Name of File Path' dialog box is displayed.

- Type the name of the file path in the format specified in the dialog box.
- Click OK to confirm. The name of the added file path is displayed in the main list under the selected file group.
Protection Settings - Protection Settings determine how protected the application or file group in the policy is against activities by other processes. These protections are called 'Protection Types'.

Tip: Click here to view a list of definitions of the Protection Types listed above and the implications of activating each setting.
- Select Yes to enable monitoring and protect the application or file group against the process listed in the Protection Type column. Select No to disable such protection.
- Click the Modify button to specify the policy exceptions. This opens the Interprocess Memory Accesses dialog box.

- Click here for the step by step process of adding file groups and files.
Comodo Endpoint Security Manager | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.


