Comodo Endpoint Security Manager

Administrator Guide v 2.1

Viewing Policies

 

The 'View All Policies' interface enables the administrator to:

  • View a list of all policies along with their descriptions and the CIS component covered by the policy

  • View and modify the details of any policy – including name, description, CIS components, target computers and whether the policy should allow local configuration

  • Configure various settings such as Antivirus settings, Firewall settings, Defense+ settings, General CIS settings and Agent settings of any policy

  • Add or remove policies as per requirements

  • Export any policy to .xml file

To open the interface, click the 'view' tile from the 'policies' interface:

 



The 'View All Policies' interface will open with the default view being a list of all policies:



 

 

  • Click the filter icon in the relevant column header to search for a particular policy or component, enter or select the search criteria and click 'Apply'

  • Click 'Reset' to display all the items

View All Policies Interface – Table of Column Descriptions

| Column Heading | Description |
|---|---|
| Policy | Displays the name of the Policy. |
| Components | Indicates the components of CIS for which the policy applies the configuration settings. |


The 'View All Policies' interface also allows the administrator to:

  • Create a new policy

  • Export a policy into an xml file for importing to ESM at a later time

  • View details, edit and apply policies to groups or selected endpoints individually

  • Remove policies

 

Creating a Policy

  • Click the Add Policy icon at the bottom of the interface. The 'Create Policy' wizard will start. Refer to the section Creating a New Policy for a detailed description of the wizard.

Exporting a Policy

 

Any policy added to ESM can be saved as a .xml file to the computer running the administration console. The .xml file can be imported into ESM and a new policy can be created from it at a later time.

 

To export an existing policy

  • Select the policy by clicking or touching the desired policy from the 'View All Policies' interface to highlight it. Click the Export icon. The Windows 'Save As' dialog will appear.

  • Select the destination in the computer from which you are accessing ESM, provide a file name and click 'save'. 

The policy will be saved as an xml file. The file can be imported into ESM at any time.

 

 

Viewing Details, Editing and Applying a Policy to Endpoints


Selecting a policy and clicking the Details icon opens the 'Policy Properties' interface. The interface allows administrators to configure Antivirus settings, Firewall settings, Defense+ settings, General CIS settings and Agent settings for the selected policy.


  • General View – Displays general details of the policy, such as its name and description. The administrator can edit these details directly.

  • Policy Targets – Enables the administrator to select target endpoint group(s) on which the selected policy has to be applied.

  • Antivirus Settings - Enables the administrator to configure Antivirus settings for the policy.

  • Firewall Settings - Enables the administrator to configure Firewall settings for the policy.

  • Defense+ Settings - Enables the administrator to configure Defense+ settings for the policy.

  • General CIS Settings - Enables the administrator to configure General CIS settings for the policy.

  • Agent Settings – Enables the administrator to configure the ESM agent deployed onto the endpoints as per the policy.

 

The administrator can switch between these areas by swiping through the interface or by using the left and right arrows on both sides of the interface.

 


 'General' Screen

 

The General screen shows the name and description of the policy as well as the CIS components for that policy.

 




To change these details, the administrator can directly edit the respective text boxes in the upper pane and click the 'save' icon at the bottom of the page. The lower pane displays the details of the security settings. You can change the security settings in this screen or in the 'antivirus settings', 'firewall settings' and 'defense+ settings' screens.

 

 Policy Targets Screen

 

The 'policy targets' screen displays the computer groups to which the policy is applied for local network connection and Internet connection. It also enables the administrator to:

  • Apply the policy to other groups

  • Remove the policy from already applied groups

See Step 5 – Selecting Targets in the section Creating a New Policy for a detailed description of this interface.

  • Click the 'save' icon for the settings to take effect

 

 Antivirus Settings


The Antivirus Settings configuration screen allows an administrator to customize various options related to Real Time Scanning (On-Access Scanning), Manual Scanning, Scheduled Scanning and Exclusions (a list of files that you consider safe and for which you chose to ignore the alert during a virus scan).

 

The options that can be configured in the Antivirus settings screen are:

  • Real Time Scanning - To set the parameters for on-access scanning

  • Manual Scanning - To set the parameters for manual scanning (Run a Scan)

  • Scheduled Scanning - To set the parameters for scheduled scanning

  • Exclusions - To add trusted files and applications for excluding from a virus scan



Real Time Scanning


Real Time Scanning (aka 'On-Access Scanning') is always ON and checks files in real time when they are created, opened or copied (as soon as a user interacts with a file, Comodo Antivirus checks it). This instant detection of viruses assures the user that the system is perpetually monitored for malware and enjoys the highest level of protection.

 

The Real Time Scanner also scans the system memory on start. If a program or file which creates destructive anomalies is launched, then the scanner blocks it and alerts the user immediately - giving you real time protection against threats.

 

You also have options to automatically remove the threats found during scanning and to update the virus database before scanning. It is highly recommended that you enable the Real Time Scanner to ensure the endpoints remain continually free of infection.

 

The Real Time Scanning setting allows you to switch the On Access scanning between Disabled, Stateful and On Access and allows you to specify detection settings and other parameters that are deployed during on-access scans.

  • Drag the Real Time Scanning slider to the required level. The choices available are Disabled (not recommended), Stateful (default) and On Access. The setting you choose here is also displayed in the Summary screen.

    • On Access - Provides the highest level of On Access Scanning and protection. Any file opened is scanned before it is run and the threats are detected before they get a chance to be executed.

    • Stateful  - Not only is Comodo Internet Security one of the most thorough and effective AV solutions available, it is also very fast. CIS employs a feature called Stateful File Inspection for real time virus scanning to minimize the effects of on-access scanning on the system performance. Selecting the 'Stateful' option means CIS scans only files that have not been scanned since the last virus update - greatly improving the speed, relevancy and effectiveness of the scanning.

    • Disabled - The Real time scanning is disabled. Antivirus does not perform any scanning and the threats cannot be detected before they impart any harm to the system.
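The 'Stateful' behaviour described above can be modelled as a cache of already-scanned files that is invalidated when the virus database changes. This is an added illustration, not Comodo's implementation: the class name, the size/modification-time fingerprint and the byte-pattern "signatures" are assumptions, and the sample file is constructed.

```python
import os
import tempfile


class StatefulScanner:
    """Hypothetical model of stateful file inspection (not CIS code)."""

    def __init__(self, signatures):
        self.signatures = set(signatures)   # constructed byte patterns
        self.db_version = 1                 # bumped on every database update
        self.clean_cache = {}               # path -> (size, mtime_ns, db_version)
        self.full_scans = 0                 # how many times content was really read

    def update_database(self, new_signatures):
        # A database update changes db_version, so every cached verdict
        # recorded under the old version stops matching and is rescanned.
        self.signatures |= set(new_signatures)
        self.db_version += 1

    def on_access(self, path):
        st = os.stat(path)
        state = (st.st_size, st.st_mtime_ns, self.db_version)
        if self.clean_cache.get(path) == state:
            return "skipped"                # unchanged since last scan, same database
        self.full_scans += 1
        with open(path, "rb") as fh:
            data = fh.read()
        if any(sig in data for sig in self.signatures):
            self.clean_cache.pop(path, None)
            return "detected"
        self.clean_cache[path] = state
        return "clean"


def demo():
    # The database initially knows only marker A; the file carries marker B.
    scanner = StatefulScanner([b"CONSTRUCTED-MARKER-A"])
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        doc = os.path.join(tmp, "report.bin")
        with open(doc, "wb") as fh:
            fh.write(b"header CONSTRUCTED-MARKER-B trailer")
        results.append(scanner.on_access(doc))   # first access: full scan
        results.append(scanner.on_access(doc))   # cached verdict reused
        with open(doc, "ab") as fh:
            fh.write(b" more")                    # file modified (size changes)
        results.append(scanner.on_access(doc))   # rescanned because it changed
        results.append(scanner.on_access(doc))   # cached again
        scanner.update_database([b"CONSTRUCTED-MARKER-B"])
        results.append(scanner.on_access(doc))   # rescanned under the new database
    return results, scanner.full_scans


if __name__ == "__main__":
    print(demo())
```

The last access shows why the cache has to be tied to the database version: a file judged clean earlier is picked up once the database learns its pattern.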

Detection Settings

  • Do not show antivirus alerts - This option configures whether or not antivirus alerts are shown when malware is encountered. Choosing 'Do not show antivirus alerts' will minimize disturbances but at some loss of user awareness. If you choose not to show alerts then you have a choice of default responses that CIS should automatically take – either 'Block Threats' or 'Quarantine Threats'.

  • Automatically update virus database - When this check box is selected, Comodo Internet Security checks for latest virus database updates from Comodo website and downloads the updates automatically, on system start-up and subsequently at regular intervals.

  • Show notification messages - Alerts are the pop-up notifications that appear in the lower right hand of the screen whenever the on-access scanner discovers a virus on your system. These alerts are a valuable source of real-time information that helps the user to immediately identify which particular files are infected or are causing problems. Disabling alerts does not affect the scanning process itself and Comodo Antivirus still continues to identify and deal with threats in the background.

  • Heuristics Scanning Level - Comodo AntiVirus employs various heuristic techniques to identify previously unknown viruses and Trojans. 'Heuristics' describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. If it is found to do so then the application deletes the file or recommends it for quarantine. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist.

This is a quantum leap in the battle against malicious scripts and programs as it allows the engine to 'predict' the existence of new viruses - even if they are not contained in the current virus database.

    The drop-down menu allows you to select the level of Heuristic scanning from the four levels:

    • Off - Selecting this option disables heuristic scanning. This means that virus scans use only the 'traditional' virus signature database to determine whether a file is malicious or not.

    • Low - 'Lowest' sensitivity to detecting unknown threats but will also generate the fewest false positives. This setting combines an extremely high level of security and protection with a low rate of false positives. Comodo recommends this setting for most users.

    • Medium - Detects unknown threats with greater sensitivity than the 'Low' setting but with a corresponding rise in the possibility of false positives.

    • High - Highest sensitivity to detecting unknown threats but this also raises the possibility of more false positives.

  • Do not scan files larger than - This box allows you to set a maximum size (in MB) for the individual files to be scanned during on-access scanning. Files larger than the size specified here are not scanned.

  • Do not scan script files larger than - This box allows you to set a maximum size (in MB) for the script files to be scanned during on-access scanning. Files larger than the size specified here are not scanned.

Click the 'save' icon for the changes to the settings to take effect.

 

Manual Scanning


The Manual Scanning setting allows an administrator to set the properties and parameters for Run a Scan (On Demand Scan).




  • Scan archive files - When this check box is selected, the Antivirus scans archive files such as .ZIP and .RAR files. You are alerted to the presence of viruses in compressed files before you even open them. These include RAR, WinRAR, ZIP, WinZIP, ARJ, WinARJ and CAB archives.

  • Automatically update virus database before scanning - Instructs Comodo Internet Security to check for latest virus database updates from Comodo website and download the updates automatically before starting an on-demand scanning.

  • Heuristics Scanning Level - Comodo Internet Security employs various heuristic techniques to identify previously unknown viruses and Trojans. 'Heuristics' describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. If it is found to do so then the application deletes the file or recommends it for quarantine. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist.

This is a quantum leap in the battle against malicious scripts and programs as it allows the engine to 'predict' the existence of new viruses - even if they are not contained in the current virus database.

The drop-down menu allows you to select the level of Heuristic scanning from the four levels:

    • Off - Selecting this option disables heuristic scanning. This means that virus scans use only the 'traditional' virus signature database to determine whether a file is malicious or not.

    • Low - 'Lowest' sensitivity to detecting unknown threats but will also generate the fewest false positives. This setting combines an extremely high level of security and protection with a low rate of false positives. Comodo recommends this setting for most users.

    • Medium - Detects unknown threats with greater sensitivity than the 'Low' setting but with a corresponding rise in the possibility of false positives.

    • High - Highest sensitivity to detecting unknown threats but this also raises the possibility of more false positives.

  • Do not scan files larger than - This box allows you to set a maximum size (in MB) for the individual files to be scanned during manual scanning. Files larger than the size specified here are not scanned.


Click the 'save' icon for any changes to the settings to take effect.


Scheduled Scanning


The Scheduled Scanning setting screen allows an administrator to customize the scheduler that lets you timetable scans according to your preferences.

 



  • Scan archive files - When this check box is selected, the Antivirus scans archive files such as .ZIP and .RAR files during any scheduled scan. You are alerted to the presence of viruses in compressed files before you even open them. These include RAR, WinRAR, ZIP, WinZIP, ARJ, WinARJ and CAB archives.

  • Automatically clean threats found during scanning - When this check box is selected, the Antivirus removes malware files found during scanning.

  • Automatically update virus database before scanning - When this check box is selected, Comodo Internet Security checks for latest virus database updates from Comodo website and downloads the updates automatically, before the start of every scheduled scan.

Click the 'save' icon for any changes to the settings to take effect.

 

 

 Exclusions


In the Exclusions area, you can specify files and folders that you trust and want to exclude from all future scans of all types.

 



You can add files and folders to the Exclusions list either by selecting the folder from the drop-down and entering the path in the text field, or by selecting 'None' in the drop-down and entering the entire path in the field.

 



  • Click the 'add' button.

If you want to remove an item from the list, select it and click the 'remove' button.


Click the 'save' icon for any changes to the settings to take effect.


For more details on the Antivirus Settings, see http://help.comodo.com for Comodo Internet Security.


Firewall Settings


Firewall Behavior Settings allows an administrator to quickly configure the security of an endpoint and the frequency of alerts that are generated.

 

These settings can be done using the tabs listed below.

  • General Settings

  • Alert Settings


General Settings


In the General Settings tab, an administrator can customize firewall security by using the Firewall Security Level slider to change preset security levels.

 

The choices available are:

  • Block All

  • Custom Policy

  • Safe Mode

  • Training Mode

  • Disabled



  • Block All Mode: The firewall blocks all traffic in and out of a computer regardless of any user-defined configuration and rules. The firewall does not attempt to learn the behavior of any applications and does not automatically create traffic rules for any applications. Choosing this option effectively prevents a computer from accessing any networks, including the Internet.

  • Custom Policy Mode: The firewall applies ONLY the custom security configurations and network traffic policies specified by the administrator. New users may want to think of this as the 'Do Not Learn' setting because the firewall does not attempt to learn the behavior of any applications. Nor does it automatically create network traffic rules for those applications. The user will receive alerts every time there is a connection attempt by an application - even for applications on the Comodo Safe list (unless, of course, the administrator has specified rules and policies that instruct the firewall to trust the application's connection attempt).

    If any application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied Internet access and an alert is generated. This setting is advised for experienced firewall users that wish to maximize the visibility and control over traffic in and out of their computer.

  • Safe Mode: While filtering network traffic, the firewall automatically creates rules that allow all traffic for the components of applications certified as 'Safe' by Comodo, if the checkbox Create rules for safe applications is selected. For non-certified new applications, the user will receive an alert whenever that application attempts to access the network. The administrator can choose to grant that application Internet access by selecting 'Treat this application as a Trusted Application' at the alert. This deploys the predefined firewall policy 'Trusted Application' onto the application.

    'Safe Mode' is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of connection alerts.

  • Training Mode: The firewall monitors network traffic and creates automatic allow rules for all new applications until the security level is adjusted. The user will not receive any alerts in 'Training Mode'. If you choose the 'Training Mode' setting, we advise that you are 100% sure that all applications installed on endpoints are assigned the correct network access rights.

Tip: Use this setting temporarily while playing an online game for the first time. This suppresses all alerts while the firewall learns the components of the game that need Internet access and automatically creates 'allow' rules for them. You can switch back to your previous mode later.

 

  • Disabled: Disables the firewall and makes it inactive. All incoming and outgoing connections are allowed irrespective of the restrictions set by the user. Comodo strongly advises against this setting unless you are sure that you are not currently connected to any local or wireless networks.

Check box option

 

Create rules for safe applications


Comodo Firewall trusts the applications if:

  • The application/file is included in the Trusted Files list under Defense+ Tasks;

  • The application is from a vendor included in the Trusted Software Vendors list under Defense+ Tasks;

  • The application is included in the extensive and constantly updated Comodo safelist.

By default, CIS does not automatically create 'allow' rules for safe applications. This helps save resources, simplifies the rules interface by reducing the number of 'Allowed' rules in it, reduces the number of pop-up alerts and is beneficial to beginners who find it difficult to set up the rules.

 

Enabling this checkbox instructs CIS to begin learning the behavior of safe applications so that it can automatically generate the 'Allow' rules. These rules are listed in the Network Security Policy > Application Rules interface of CIS. Advanced users can edit/modify the rules as they wish.

 

 

Background Note: Prior to version 4.x, CIS would automatically add an allow rule for 'safe' files to the rules interface. This allowed advanced users to have granular control over rules but could also lead to a cluttered rules interface. The constant addition of these 'allow' rules and the corresponding requirement to learn the behavior of applications that are already considered 'safe' also took a toll on system resources. In version 4.x and above, 'allow' rules for applications considered 'safe' are not automatically created - simplifying the rules interface and cutting resource overhead with no loss in security. Advanced users can re-enable this setting if they require the ability to edit rules for safe applications (or, informally, if they preferred the way rules were created in CIS version 3.x).



Alert Settings


Administrators can configure the number of alerts that Comodo Firewall generates, using the slider on this tab. Raising or lowering the slider changes the number of alerts accordingly. It should be noted that this does not affect your security, which is determined by the rules you have configured (for example, in 'Network Security Policy'). For the majority of users, the default setting of 'Low' is the perfect level - ensuring you are kept informed of connection attempts and suspicious behaviors whilst not overwhelming you with alert messages.

 

The Alert settings refer only to connection attempts by applications or from IP addresses that you have not (yet) decided to trust. For example, you could specify a very high alert frequency level, but not receive any alerts at all if you have chosen to trust the application that is making the connection attempt.







  • Very High: The firewall shows separate alerts for outgoing and incoming connection requests for both TCP and UDP protocols on specific ports and for specific IP addresses, for an application. This setting provides the highest degree of visibility to inbound and outbound connection attempts but leads to a proliferation of firewall alerts. For example, using a browser to connect to your Internet home-page may generate as many as 5 separate alerts for an outgoing TCP connection alone.

  • High: The firewall shows separate alerts for outgoing and incoming connection requests for both TCP and UDP protocols on specific ports for an application.

  • Medium: The firewall shows alerts for outgoing and incoming connection requests for both TCP and UDP protocols for an application.

  • Low: The firewall shows alerts for outgoing and incoming connection requests for an application. This is the setting recommended by Comodo and is suitable for the majority of users.

  • Very Low: The firewall shows only one alert for an application.
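A small model of how the slider levels above collapse connection attempts into alerts, and of the earlier point that trusted applications raise no alerts at any level. It is an added illustration and not taken from Comodo's code: the grouping keys are an assumption read from the level descriptions, and the application names and addresses are constructed.

```python
from collections import namedtuple

# One observed connection attempt (constructed fields for this example).
Attempt = namedtuple("Attempt", "app direction protocol port remote_ip")

# Attributes that make two attempts count as *separate* alerts at each level,
# following the wording of the level descriptions (assumed mapping).
ALERT_KEYS = {
    "Very High": ("app", "direction", "protocol", "port", "remote_ip"),
    "High": ("app", "direction", "protocol", "port"),
    "Medium": ("app", "direction", "protocol"),
    "Low": ("app", "direction"),
    "Very Low": ("app",),
}

# Constructed sample traffic; addresses come from documentation ranges.
SAMPLE_ATTEMPTS = [
    Attempt("updater.exe", "out", "TCP", 443, "192.0.2.10"),
    Attempt("updater.exe", "out", "TCP", 443, "192.0.2.11"),
    Attempt("updater.exe", "out", "TCP", 80, "192.0.2.10"),
    Attempt("updater.exe", "out", "UDP", 53, "198.51.100.53"),
    Attempt("updater.exe", "in", "TCP", 8080, "203.0.113.7"),
    Attempt("browser.exe", "out", "TCP", 443, "192.0.2.20"),
]


def alerts_for(level, attempts, trusted_apps=()):
    """Return the distinct alerts shown at `level`, in first-seen order."""
    fields = ALERT_KEYS[level]
    shown = []
    for attempt in attempts:
        if attempt.app in trusted_apps:
            continue  # trusted applications generate no alert at any level
        key = tuple(getattr(attempt, name) for name in fields)
        if key not in shown:
            shown.append(key)
    return shown


def alert_counts(attempts, trusted_apps=()):
    """Number of alerts per slider level for the same traffic."""
    return {
        level: len(alerts_for(level, attempts, trusted_apps))
        for level in ALERT_KEYS
    }


if __name__ == "__main__":
    for level, count in alert_counts(SAMPLE_ATTEMPTS, {"browser.exe"}).items():
        print(f"{level:<10} {count} alert(s)")
```

The traffic is identical in every row; only the number of prompts changes with the slider, and an application the administrator has already decided to trust contributes none.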

Check box option

 

This computer is an internet connection gateway (i.e. an ICS server) - An Internet Connection Sharing Server (ICS) is a computer that shares its connection to the Internet with other computers that are connected to it by LAN. i.e. the other computers access the Internet through this computer.

 

Designating a computer as an ICS server can be useful in some corporate and home environments that have more than one computer but which have only one connection to the Internet. For example, you might have two computers in your home but only one connection. Setting one as an ICS server allows both of them to access the Internet.

  • Leave this box unchecked if no other computers connect to your computer via Local Area Network to share your connection. This is the situation for the vast majority of home and business users.

  • Check this option if this computer has been configured as an Internet Connection Sharing server through which other computers connect to the Internet.

 

Note: If your computer is indeed an ICS server but you leave this box unchecked then you are likely to see an increase in Firewall alerts. Selecting this checkbox does not decrease the security but tells the firewall to handle ICS requests too. So it just activates some additional functionality and helps reduce the number of alerts.



Enable alerts for TCP requests / Enable alerts for UDP requests / Enable alerts for ICMP requests / Enable alerts for loopback requests - In conjunction with the slider, these checkboxes allow you to fine-tune the number of alerts you see according to protocol.

 

Click the 'save' icon for any changes to the settings to take effect.


For more details on the Firewall Settings, see http://help.comodo.com for Comodo Internet Security.

 

Defense+ Settings


The Defense+ component of Comodo Internet Security is a host intrusion prevention system that constantly monitors the activities of all executable files on your PC. With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc) attempts to run. The only executables that are allowed to run are the ones you give permission to. An application can be given such permission to run in a variety of ways, including: manually granting it execution rights in Computer Security Policy; by deciding to treat the executable as trusted at a Defense+ alert; or simply because the application is on the Comodo safe list. Defense+ also automatically protects system-critical files and folders such as registry entries to prevent unauthorized modification. Such protection adds another layer of defense to Comodo Internet Security by preventing malware from ever running and by preventing any processes from making changes to vital system files.

 

The Defense+ Settings area allows you to quickly configure the security level and behavior of Defense+ during operation.

 

These settings can be done using the tabs listed below.

  • General Settings

  • Execution Control Settings

  • Sandbox Settings

  • Trusted Files

  • Trusted Vendors


General Settings


Slider Options

 

Administrators can customize the behavior of Defense+ by adjusting a Security Level slider to switch between preset security levels.

 

The choices available are: Paranoid Mode, Safe Mode, Clean PC Mode, Training Mode and Disabled.







  • Paranoid Mode: This is the highest security level setting and means that Defense+ monitors and controls all executable files apart from those that you have deemed safe. Comodo Internet Security does not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and only uses your configuration settings to filter critical system activity. Similarly, Comodo Internet Security does not automatically create 'Allow' rules for any executables - although you still have the option to treat an application as 'Trusted' at the Defense+ alert. Choosing this option generates the largest number of Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

  • Safe Mode: While monitoring critical system activity, Defense+ automatically learns the activity of executables and applications certified as 'Safe' by Comodo. It also automatically creates 'Allow' rules for these activities, if the checkbox 'Create rules for safe applications' is selected. For non-certified, unknown applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing 'Treat this application as a Trusted Application' at the alert. This instructs Defense+ not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in 'Clean PC Mode' then 'Safe Mode' is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

  • Clean PC Mode: From the time you set the slider to 'Clean PC Mode', Defense+ learns the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ alerts the user whenever a new, unrecognized application is being installed. In this mode, the files in 'My Pending Files' are excluded from being considered as clean and are monitored and controlled.

  • Training Mode: Defense+ monitors and learns the activity of any and all executables and creates automatic 'Allow' rules until the security level is adjusted. You do not receive any Defense+ alerts in 'Training Mode'. If you choose the 'Training Mode' setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.

Tip: This mode can be used as the 'Gaming Mode'. It is handy to use this setting temporarily when you are running an (unknown but trusted) application or game for the first time. This suppresses all Defense+ alerts while Comodo Internet Security learns the components of the application that need to run on your machine and automatically creates 'Allow' rules for them. Afterward, you can switch back to 'Train with Safe Mode' mode.

 

  • Disabled: Disables Defense+ protection. All executables and applications are allowed to run irrespective of your configuration settings. Comodo strongly advises against this setting unless you are confident that you have an alternative intrusion defense system installed on your computer.

Checkbox Options

  • Block all unknown requests if the application is closed - Selecting this option blocks all unknown execution requests if Comodo Internet Security is not running/has been shut down. This option is very strict indeed and in most cases should only be enabled on seriously infested or compromised machines while the user is working to resolve these issues. If you know your machine is already 'clean' and are looking just to enable the highest CIS security settings then it is OK to leave this box unchecked.

  • Create rules for safe applications - Automatically creates rules for safe applications in Computer Security Policy.

 

Note: Defense+ trusts the applications if:

  • The application/file is included in the Trusted Files list

  • The application is from a vendor included in the Trusted Software Vendors list

  • The application is included in the extensive and constantly updated Comodo safelist.


By default, CIS does not automatically create 'Allow' rules for safe applications. This saves resources, simplifies the rules interface by reducing the number of 'Allowed' rules in it, reduces the number of pop-up alerts and is beneficial to beginners who find it difficult to set up the rules.

 

Enabling this checkbox instructs CIS to begin learning the behavior of safe applications so that it can automatically generate the 'Allow' rules. These rules are listed in the Computer Security Policy interface. Administrators can edit / modify the rules as they wish.

 

Execution Control Settings


Image Execution Control is an integral part of the Defense+ engine. If the Defense+ Security Level is set to 'Training Mode' or 'Clean PC Mode', then it is responsible for authenticating every executable image that is loaded into memory.

 

Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known / recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is 'unrecognized' and you receive an alert.

 

This area allows you to quickly determine how proactive the monitor should be and which types of files it should check.

 

 

Background note: In this context, an 'image' means an 'Executable Image'. An executable image is a variation on file compression, such as ZIP or RAR files. For example, most program installers are contained in executable images.


Image Execution Control Level Slider


The control slider in the settings screen allows you to switch the Image Execution settings between Enabled and Disabled states. If Defense+ is permanently deactivated in the General Settings from the Defense+ Settings interface of CIS on the endpoints, Image Execution Control is disabled irrespective of the setting of this slider.

  • Enabled - This setting instructs Defense+ to intercept all files before they are loaded into memory and also to intercept prefetching/caching attempts for executable files.

  • Disabled - No execution control is applied to the executable files.



Check Box Option


Treat unrecognized files as - This has five options and the unrecognized files will be run as per the option selected.



  • Partially Limited - The application is allowed to access all the operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.

  • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.

  • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

 

Note: Some of the applications like computer games may not work properly under this setting. 


  • Untrusted - The application is not allowed to access any of the operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

 

Note: Some of the applications that require user interaction may not work properly under this setting.


  • Blocked - The application is not allowed to run at all.
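The trust checks and the 'Treat unrecognized files as' options described above can be modeled as one decision function. This is an added illustration, not Comodo's code: the SHA-256 hash, hash-keyed Trusted Files, the order of the checks and all names (`Policy`, `decide`, the sample vendor) are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Options this page lists under "Treat unrecognized files as".
LEVELS = ("Partially Limited", "Limited", "Restricted", "Untrusted", "Blocked")

@dataclass
class Policy:
    safelist: set = field(default_factory=set)         # hashes on the vendor safe list
    trusted_files: set = field(default_factory=set)    # hashes added by the administrator
    trusted_vendors: set = field(default_factory=set)  # signer names from certificates
    execution_control: bool = True                     # Image Execution Control slider
    unrecognized_as: str = "Partially Limited"

def image_hash(image: bytes) -> str:
    # SHA-256 is an assumption; the guide does not name the hash algorithm.
    return hashlib.sha256(image).hexdigest()

def decide(image: bytes, verified_signer, policy: Policy):
    """Return (action, reason). verified_signer is the signer name taken from an
    already validated signature, or None for unsigned or invalid files."""
    if policy.unrecognized_as not in LEVELS:
        raise ValueError("unknown restriction level: " + policy.unrecognized_as)
    if not policy.execution_control:
        return ("run", "execution control disabled")
    digest = image_hash(image)
    if digest in policy.trusted_files:
        return ("run", "trusted file")
    if verified_signer in policy.trusted_vendors:
        return ("run", "trusted vendor")
    if digest in policy.safelist:
        return ("run", "safe list")
    if policy.unrecognized_as == "Blocked":
        return ("block", "unrecognized")
    return ("run as " + policy.unrecognized_as, "unrecognized")

# Constructed sample data: a "known good" image and a copy with one byte changed.
KNOWN_GOOD = b"constructed installer bytes v1.0"
PATCHED = KNOWN_GOOD[:-1] + b"1"

if __name__ == "__main__":
    policy = Policy(safelist={image_hash(KNOWN_GOOD)},
                    trusted_vendors={"Example Software Ltd"},
                    unrecognized_as="Restricted")
    print(decide(KNOWN_GOOD, None, policy))
    print(decide(PATCHED, None, policy))
    print(decide(PATCHED, "Example Software Ltd", policy))
```

A single changed byte removes a file from hash-based trust, while a vendor entry trusts every file that vendor signs, so the Trusted Vendors list deserves the closer review.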

Sandbox Settings


Comodo Internet Security's new sandbox is an isolated operating environment for unknown and untrusted applications. Running an application in the sandbox means that it cannot make permanent changes to other processes, programs or data on your 'real' system. Comodo have integrated sandboxing technology directly into the security architecture of Comodo Internet Security to complement and strengthen the Firewall, Defense+ and Antivirus modules.

 

The Sandbox Settings area allows administrators to configure the security level and the overall behavior of the sandbox.





Sandbox Security Level Slider


The Security Level slider in the settings screen allows administrators to switch the Sandbox between Enabled and Disabled states. The programs included in the Sandbox are executed with the set restrictions only if the Sandbox is in the Enabled state. If disabled, the programs are run normally without any restrictions. If Defense+ is permanently deactivated in the General Settings from the Defense+ Settings interface of CIS on the endpoints, the Sandbox is disabled irrespective of the setting of this slider.

 

Click the 'save' icon for any changes to the settings to take effect.

 

Trusted Files


Defense+ allows you to define a personal safe list of files to complement the default Comodo safe list. Files added to the Trusted Files area are automatically given Defense+ trusted status. If an executable is unknown to the Defense+ safe list then, ordinarily, it and all its active components generate Defense+ alerts when they run. By adding executables to this list (including sub folders containing many components) you can reduce the number of alerts that Defense+ generates whilst maintaining a higher level of Defense+ security.

 


To add new file(s) to Trusted Files list


  • Click the 'add' button

In the 'Open' dialog, select the file that you want to add to the list and click 'Open'.

 



The selected file will be added to the list.


If you want to remove a file from the list, select it and click the 'remove' button.

 


  • Click 'yes' to confirm removal of the selected file from the list.

Click the 'save' icon for any changes to the settings to take effect.


Trusted Vendors


In Comodo Internet Security, there are two basic ways in which an application can be treated as safe. Either it has to be part of the 'Safe List' (of executables/software that is known to be safe) OR that application has to be signed by one of the vendors in the 'Trusted Vendor List'.

 

A software application can be treated as 'Trusted' if it is published by a Trusted Software publisher/vendor. To ensure authenticity, the publisher/vendor digitally signs its software using a code signing certificate obtained from a Trusted Certificate Authority (CA). Checking that an application is signed by such a vendor establishes that the software is trusted. Refer to the Background details given below for more information.

 

Background


Many software vendors digitally sign their software with a code signing certificate. This practice helps end-users to verify:

  • Content Source: The software they are downloading and are about to install really comes from the publisher that signed it.

  • Content Integrity: That the software they are downloading and are about to install has not been modified or corrupted since it was signed.

In short, users benefit if software is digitally signed because they know who published the software and that the code hasn't been tampered with - that they are downloading and installing the genuine software.

 

The 'Vendors' that digitally sign the software to attest to its probity are the software publishers. These are the company names you see listed in the first column in the graphic above.

 

However, companies can't just 'sign' their own software and expect it to be trusted. This is why each code signing certificate is counter-signed by an organization called a 'Trusted Certificate Authority'. 'Comodo CA Limited' and 'Verisign' are two examples of Trusted CAs and are authorized to counter-sign 3rd party software. This counter-signature is critical to the trust process and a Trusted CA only counter-signs a vendor's certificate after it has conducted detailed checks that the vendor is a legitimate company.

 

If a file is signed by a Trusted Software Vendor and the user has enabled 'Trust Applications that are digitally signed by Trusted Software Vendors' then it will be automatically trusted by Comodo Internet Security (if you would like to read more about code signing certificates, see http://www.instantssl.com/code-signing/).

 

One way of telling whether an executable file has been digitally signed is checking the properties of the .exe file in question.

  • Browse to the folder containing the .exe file.

  • Right click on the .exe file.

  • Select 'Properties' from the menu.

  • Click the 'Digital Signatures' tab (if there is no such tab then the software has not been signed).

This displays the name of the CA that signed the software.

 

Select the certificate and click the 'Details' button to view digital signature information. Click 'View Certificate' to inspect the actual code signing certificate.

 

To add trusted vendors


  • Enter the name of the vendor as given in the code signing certificate in the text field.



  • Click the 'add' button.

The vendor will be added to the list.

 

If you want to remove a vendor from the list, select it and click the 'remove' button.

 

Click the 'save' icon for any changes to the settings to take effect.


For more details on the Defense+ Settings, see http://help.comodo.com for Comodo Internet Security.


General CIS Settings


In the General CIS Settings screen, administrators can configure various options related to the operation of Comodo Internet Security.

 

These settings can be done using the tabs listed below.

  • General

  • Connection

  • Update

General Settings


The 'General Settings' tab allows administrators to configure the general behavior of Comodo Internet Security.

 


  • Automatically check for the program updates - This option determines whether or not Comodo Internet Security should automatically contact Comodo servers for updates. With this option selected, Comodo Internet Security automatically checks for updates every 24 hours AND every time you start your computer. If updates are found, they are automatically downloaded and installed. We recommend that users leave this setting enabled to maintain the highest levels of protection. Users who choose to disable automatic updates can download them manually by clicking 'Check for Updates' in the 'More...' section in CIS application.

  • Show balloon messages - These are the notifications that appear in the bottom right hand corner of your screen - just above the tray icons. Usually these are messages like 'Comodo Firewall is learning' or 'Defense+ is learning' and are generated when these modules are learning the activity of previously unknown components of trusted applications. Clear this check box if you do not want to see these messages.

  • Enable Comodo Message Center - Comodo Internet Security displays the Comodo Message Center window periodically if this option is selected.

Connection Settings


The Connection tab allows administrators to configure how Comodo Internet Security should connect to Comodo servers for receiving program updates etc. If you are using a Proxy server in your network and if you want CIS to use the Proxy Server, the Proxy settings can be configured through this settings interface.

 

 



  • Select 'Use http proxy' if you want Comodo Internet Security to use the Proxy Server. Enter the proxy server IP address or name in the 'Server' text box and enter the port number in the 'Port' text box.

  • If your Proxy Server needs authentication, select 'Proxy server requires authorization'. Type your Login ID in the 'Login' text box and enter the password in the 'Password' text box.

Update Settings


The Update tab allows administrators to enable/disable the CIS program updates and to select the host from which the updates are to be downloaded. By default, the URL of the Comodo Server is entered as an available host.

 



  • If you want to download the updates always from the Comodo servers, you can leave the setting as it is.

  • If CIS program and antivirus updates are available at an HTTP Server or at any of the other computers in your network running Comodo Offline Updater, you can add the HTTP server or the computer as hosts in this area.

 

Note: Comodo Offline Updater allows users to configure a local HTTP server to download and provision updates to networked machines. Administrators can download the utility from http://enterprise.comodo.com/security-solutions/endpoint-security/endpoint-security-manager/free-trial.php


  • To add a host, click 'Add' and enter the URL or IP address of the host in the next row that appears.

  • Repeat the process for adding multiple hosts.

  • CIS will automatically check the host specified here and download the updates from the host even when you are offline.


 

Note: CIS program updates can also be checked manually. Click More Options > Check For Updates if you wish to update manually.


Click the 'save' icon for any changes to the settings to take effect.


For more details on the General CIS Settings, see http://help.comodo.com for Comodo Internet Security.

 

Agent Settings

 

The agent settings interface allows the administrator to configure how these agents should behave on application of the policy. See Step 4 – Agent Settings in the section Creating a New Policy for a detailed description of this interface. 

  • Click the 'save' icon for any changes to the settings to take effect

Removing Policies

 

The administrator can remove one or more unwanted policies by simply selecting them by clicking or touching the desired policy to highlight it and clicking the 'remove' icon.

 

A confirmation dialog will be displayed.

 


  • Click 'yes' to remove the selected item(s)

 

Note: Policies which are currently applied and used by groups or endpoints cannot be deleted. Before removing an unwanted policy, the administrator has to apply a different policy to the groups/endpoints to which this policy is currently applied.


 

Tip: Hold Shift or CTRL to select multiple items.


© Comodo Group, Inc. 2013. All rights reserved.