Defense+ Settings
The Defense+ component of Comodo Internet Security is a host intrusion prevention system that constantly monitors the activities of all executable files on a PC. With Defense+ activated, the administrator is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat, etc.) attempts to run. The only executables that are allowed to run are the ones that the administrator gives permission to. An application can be given such permission to run in a variety of ways, including: manually granting it execution rights in Computer Security Policy; deciding to treat the executable as trusted at a Defense+ alert; or simply because the application is on the Comodo safe list. Defense+ also automatically protects system-critical files and folders, such as registry entries, to prevent unauthorized modification. Such protection adds another layer of defense to Comodo Internet Security by preventing malware from ever running and by preventing any process from making changes to vital system files.
Note: This page often refers to 'executables', the most recognizable of which is the .exe file. Other types of executable files include those with the extensions .cpl, .dll, .drv, .inf, .ocx, .pf, .scr and .sys.
The Defense+ Settings area allows the administrator to quickly configure the security level and behavior of Defense+ during operation.
- Click on Defense+ Settings in Defense+ > Advanced Tasks to open the Defense+ Settings interface.
The settings are divided into two sections:
- General Settings section
- Monitor Settings section
The General Settings section allows the administrator to customize the behavior of Defense+ by adjusting the slider to switch between preset security levels.
Slider Options
Slider Options – General section

| Option | Description |
|---|---|
| Paranoid | This is the highest security level setting and means that Defense+ monitors and controls all executable files apart from those that have been deemed safe. The Comodo Internet Security Configuration editor does not attempt to learn the behavior of any applications, even those on the Comodo safe list, and only uses the configuration settings to filter critical system activity. Similarly, the Comodo Internet Security Configuration editor does not automatically create 'Allow' rules for any executables, although there is still an option to treat an application as 'Trusted' at the Defense+ alert. Choosing this option generates the greatest number of Defense+ alerts and is recommended for advanced administrators who require complete awareness of activity on their system. |
| Safe Mode | While monitoring critical system activity, Defense+ automatically learns the activity of executables and applications certified as 'Safe' by Comodo, and automatically creates 'Allow' rules for these activities. For non-certified, unknown applications, an alert is received whenever that application attempts to run. If desired, the application can be added to the safe list by choosing 'Treat this application as a Trusted Application' at the alert; this instructs Defense+ not to generate an alert the next time it runs. If the machine is not new or known to be free of malware and other threats (as assumed in 'Clean PC Mode'), then 'Train with Safe Mode' is the recommended setting, combining the highest levels of security with an easy-to-manage number of Defense+ alerts. |
| Clean PC Mode | From the time the slider is set to 'Clean PC Mode', Defense+ learns the activities of the applications currently installed on the computer, while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the administrator knows to be clean of malware and other threats. From this point onwards, Defense+ alerts the administrator whenever a new, unrecognized application is being installed. In this mode, the files in 'My Pending Files' are excluded from being considered clean and are monitored and controlled. |
| Training Mode | Defense+ monitors and learns the activity of any and all executables and creates automatic 'Allow' rules until the security level is adjusted. No Defense+ alerts are received in 'Training Mode'. This setting should be chosen only if there is 100% certainty that all applications and executables installed on the computer are safe to run. Tip: this mode can be used as a 'Gaming Mode'. It is handy to use this setting temporarily while running an (unknown but trusted) application or game for the first time. This suppresses all Defense+ alerts while Comodo Internet Security learns the components of the application that need to run on the machine and automatically creates 'Allow' rules for them. (Later, the system can be switched back to 'Train with Safe Mode'.) |
| Disabled | Disables Defense+ protection. All executables and applications are allowed to run irrespective of the configuration settings. Comodo strongly advises against this setting unless the administrator is confident that an alternative intrusion defense system is installed on the computer. |

- Adjust the slider to the preferred protection level. The description corresponding to the selected option is displayed to the right of the options.
- Enter the duration, or select it using the up / down buttons in the 'Wait for a response to request for maximum' field, to determine how long Comodo Internet Security shows a Defense+ alert without any administrator intervention. By default, it is set to 120 seconds.
- Select the 'Trust the applications digitally signed by Trusted Software Vendors' checkbox to add software signed by a Trusted Certificate Authority to the safe list. Comodo recommends leaving this option enabled.
- Select the 'Block all the unknown requests if the application is closed' checkbox to block all unknown requests (those not included in Computer Security Policy) if Comodo Internet Security is not running or has been shut down.
- Select the 'Deactivate Defense+ permanently (Requires a system restart)' checkbox to shut down the Defense+ Host Intrusion Prevention element of Comodo Internet Security PERMANENTLY. The firewall and antivirus are not affected and continue to protect the computer even if Defense+ is deactivated. Comodo does not recommend that administrators deactivate Defense+ unless they are sure an alternative Intrusion Prevention System is installed.
The 'Monitor Settings' section allows configuration of the activities, entities and objects that should be monitored by Defense+.

Note: The settings chosen here are applied universally. If monitoring of an activity, entity or object is disabled using this interface, then monitoring of that activity is switched off completely on a global basis, effectively creating a universal 'Allow' rule for that activity. This 'Allow' setting overrides any policy-specific 'Block' or 'Ask' setting for that activity that has been selected using the 'Access Rights' and 'Protection Settings' interfaces.
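As an added illustration (not Comodo's code), the following Python model encodes the decision order that the slider table and the note above describe: a 'Disabled' slider or an unticked monitor yields a universal 'Allow', an explicit Computer Security Policy rule is applied next, and otherwise the slider mode decides whether an unknown application's activity is learned or alerted on. The mode names, the dictionary shapes, and the reading of 'Paranoid' as alerting on anything without an explicit rule are this example's own assumptions.

```python
from enum import Enum

class Mode(Enum):
    PARANOID = "Paranoid"
    SAFE = "Safe Mode"
    CLEAN_PC = "Clean PC Mode"
    TRAINING = "Training Mode"
    DISABLED = "Disabled"

def decide(mode, app, activity, monitors, policy, safe_list=frozenset(),
           preinstalled=frozenset(), pending=frozenset(),
           vendor_signed=frozenset(), trust_vendors=True):
    """Return 'Allow', 'Ask', 'Block', or 'Learn' (an 'Allow' rule is created, no alert).

    monitors: {activity: bool} from 'Activities to Monitor' (assumed shape).
    policy:   {(app, activity): 'Allow'|'Ask'|'Block'} from Computer Security Policy.
    """
    if mode is Mode.DISABLED:               # everything runs; configuration ignored
        return "Allow"
    if not monitors.get(activity, False):   # unticked monitor = universal 'Allow'
        return "Allow"                      # overrides any per-app 'Block'/'Ask'
    verdict = policy.get((app, activity))   # explicit rule wins over the slider
    if verdict is not None:
        return verdict
    # 'Trust the applications digitally signed by Trusted Software Vendors'
    safe = app in safe_list or (trust_vendors and app in vendor_signed)
    if mode is Mode.TRAINING:               # learns everything, never alerts
        return "Learn"
    if mode is Mode.CLEAN_PC:               # learns already-installed apps, but
        clean = app in preinstalled and app not in pending  # not 'My Pending Files'
        return "Learn" if clean else "Ask"
    if mode is Mode.SAFE:                   # learns only Comodo-certified apps
        return "Learn" if safe else "Ask"
    return "Ask"  # Paranoid: no learning, so anything without a rule alerts (assumed)

if __name__ == "__main__":
    # Constructed sample configuration; the file names are made up.
    monitors = {"Process Terminations": True, "Loopback Networking": False}
    policy = {("unknown.exe", "Loopback Networking"): "Block"}
    # The global monitor being off overrides the per-app 'Block' rule.
    print(decide(Mode.SAFE, "unknown.exe", "Loopback Networking", monitors, policy))
    print(decide(Mode.SAFE, "unknown.exe", "Process Terminations", monitors, policy))
```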

Checkbox options
Checkbox Options – Monitor Settings section - Activities to Monitor

| Option | Description |
|---|---|
| Interprocess Memory Access | Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording keystrokes, modifying the behavior of the invaded application, and stealing confidential data by sending it from one process to another. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take on the identity of the invaded process, or 'impersonate' the application under attack. This makes detection harder for traditional virus scanning software and intrusion-detection systems. |
| Windows / WinEvent Hooks | In the Microsoft Windows® operating system, a hook is a mechanism by which a function can intercept events (messages, mouse actions, keystrokes) before they reach an application. The function can act on events and, in some cases, modify or discard them. Originally developed to allow legitimate software developers to build more powerful and useful applications, hooks have also been exploited by hackers to create more powerful malware. Examples include malware that can record every keystroke, record mouse movements, monitor and modify all messages on a computer, or take over control of the mouse and keyboard to remotely administer the computer. |
| Device Driver Installations | Device drivers are small programs that allow applications and / or operating systems to interact with a hardware device on the computer. Hardware devices include disk drives, graphics cards, wireless and LAN network cards, the CPU, mouse, USB devices, monitor, DVD player etc. Even the installation of a perfectly well-intentioned device driver can lead to system instability if it conflicts with other drivers on the system. The installation of a malicious driver could, obviously, cause irreparable damage to the computer or even pass control of that device to a hacker. |
| Loopback Networking | Loopback connections refer to the internal communications within a PC. Any data transmitted by a computer through a loopback connection is immediately also received by it. This involves no connection outside the computer to the internet or a local network. Loopback channel attacks can be used to flood a computer with TCP and/or UDP requests, which can overwhelm the IP stack or crash the computer. |
| Process Terminations | A process is a running instance of a program. (For example, the Comodo Internet Security process is called 'cfp.exe'. Press 'Ctrl+Alt+Delete' and click on 'Processes' to see the full list of processes running on a system.) Terminating a process, obviously, terminates the program. Viruses and Trojan horses often try to shut down the processes of any security software that is running in order to bypass it. |
| Windows Messages | This setting means Comodo Internet Security monitors and detects if one application attempts to send special Windows Messages to modify the behavior of another application (e.g. by using the WM_PASTE command). |
| DNS Client Service | This setting gives an alert if an application attempts to access the 'Windows DNS service', possibly in order to launch a DNS recursion attack. A DNS recursion attack is a type of Distributed Denial of Service attack whereby a malicious entity sends several thousand spoofed requests to a DNS server. The requests are spoofed in such a way that they appear to come from the target or 'victim' server but in fact can come from different sources, often a network of 'zombie' PCs which are sending out these requests without the owners' knowledge. The DNS servers are tricked into sending all their replies to the victim server, overwhelming it with traffic and causing it to crash. |
- Select the 'Interprocess Memory Access' checkbox to enable Defense+ to raise an alert when an application attempts to modify the memory space allocated to another application.
- Select the 'Windows / WinEvent Hooks' checkbox to give a warning every time a hook is executed by an untrusted application.
- Select the 'Device Driver Installations' checkbox to enable Defense+ to raise an alert every time a device driver is installed on the machine by an untrusted application.
- Select the 'Loopback Networking' checkbox to enable Defense+ to raise an alert every time a process attempts to communicate using the loopback channel.
- Select the 'Process Terminations' checkbox to enable Defense+ to monitor and alert on all attempts by an untrusted application to close down another application.
- Select the 'Windows Messages' checkbox to monitor and detect if one application attempts to send special Windows Messages to modify the behavior of another application.
- Select the 'DNS Client Service' checkbox to prevent malware from using the DNS Client Service to launch an attack.
Objects To Monitor Against Modifications
- Select the 'Protected COM Interfaces' checkbox to enable the monitoring of the COM interfaces specified here.
- Select the 'Protected Registry Keys' checkbox to enable the monitoring of the Registry keys specified here.
- Select the 'Protected Files/Folders' checkbox to enable the monitoring of the files and folders specified here.
Objects To Monitor Against Direct Access
Note: The options in this region determine whether or not Comodo Internet Security should monitor access to system-critical objects on the computer. Using direct access methods, malicious applications can obtain data from storage devices, modify or infect other executable software, record keystrokes and more. Comodo advises the administrator to leave these settings enabled.

Checkbox Options – Monitor Settings section - Objects to Monitor Against Direct Access

| Option | Description |
|---|---|
| Physical Memory | Monitors the computer's memory for direct access by applications and processes. Malicious programs attempt to access physical memory to run a wide range of exploits, the most famous being the 'Buffer Overflow' exploit. Buffer overruns occur when an interface designed to store a certain amount of data at a specific address in memory allows a malicious process to supply too much data to that address. This overwrites its internal structures and can be used by malware to force the system to execute its code. |
| Computer Monitor | Comodo Internet Security raises an alert every time a process tries to directly access the computer monitor. Although legitimate applications sometimes require this access, there is also an emerging category of spyware programs that use such access to monitor the user's activities (for example, to take screenshots of the current desktop or to record browsing activity). |
| Disks | Monitors the local disk drives for direct access by running processes. This helps guard against malicious software that needs this access to, for example, obtain data stored on the drives, destroy files on a hard disk, format the drive or corrupt the file system by writing junk data. |
| Keyboard | Monitors the keyboard for access attempts. Malicious software known as 'key loggers' can record every stroke made on the keyboard and can be used to steal passwords, credit card numbers and other personal data. |
- Select the 'Physical Memory' checkbox to monitor the computer's memory and to raise an alert every time an application attempts to establish direct access to the memory.
- Select the 'Computer Monitor' checkbox to monitor and to raise an alert every time an application attempts to establish direct access to the computer monitor.
- Select the 'Disks' checkbox to monitor the local disk drives and to raise an alert every time an application attempts to establish direct access to the drives.
- Select the 'Keyboard' checkbox to monitor the keyboard and to raise an alert every time an application attempts to establish direct access to the keyboard.
Comodo Endpoint Security Manager | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.