Xcitium EDR
Comodo EDR Admin Guide
Appendix 1 - Default Comodo Security Policy Details

An EDR policy determines which endpoint events generate an alert for you. The tables below list the default rules in each event category. Each rule has an event name, a score, and the condition an event must satisfy for the alert to fire.

The built-in event categories are:

  • Process Events - Rules that alert on process creation: untrusted or suspicious executables, suspicious PowerShell command lines, service start and stop commands, and unusual parent processes.
  • Registry Events - Rules that alert on changes to the Windows registry on your endpoints (autorun locations, service definitions, security policy settings).
  • File Events - Rules that detect writes to system directories, startup locations, and executable or script file types.
  • Download Events - Rules that alert when executables or infectible file types are downloaded via a browser.
  • Upload Events - Rules that alert when executables or infectible file types are copied to shared folders or external drives.
  • Defense+ Events - No default rules are set for this event category.
  • Network Events - No default rules are set for this event category.

Process Events

Event Category: Process Events
Event Type: Create Process

Each entry gives the event name, the score in parentheses, and the rule condition.

Suspicious System Process Creation (score 6)
    Process verdict is not safe AND file path matches %systemroot%\*

Remote Powershell Execution (score 5)
    File path matches *wsmprovhost.exe (wsmprovhost.exe hosts remote PowerShell sessions opened over WinRM)

Suspicious Powershell Flag (score 5)
    Command line matches any of the following:
        *powershell*-NoP*
        *powershell*-Win*
        *powershell*-w*
        *powershell*-Exec*
        *powershell*-ex*
        *powershell*-ep*
        *powershell*-command*
        *powershell*-NoL*
        *powershell*-InputFormat*
        *powershell*-Enc*
        *powershell*-NonInteractive*
        *powershell*-nonI*
        *powershell*-file*

Stop Service (score 5)
    Command line matches %systemroot%\system32\net*stop*

Run Untrusted Executable (score 4)
    Verdict is not safe

Suspicious Process Hierarchy (score 3)
    Process path does not match *explorer.exe AND [path matches *powershell.exe OR path matches *cmd.exe]

Start Service (score 2)
    Command line matches %systemroot%\system32\net*start*


Registry Events

Event Category: Registry Events
Event Type: Set Registry Value

Each entry gives the event name, the score in parentheses, and the rule condition.

Disable User Account Control (score 9)
    Registry key path is equal to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    AND registry value name is equal to EnableLUA
    AND registry value data is equal to 0

Disable Task Manager (score 9)
    Registry key path is equal to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    AND registry value name is equal to DisableTaskMgr
    AND registry value data is equal to 1

Installation of Drivers (score 8)
    [Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* AND registry value name is equal to Type]
    AND
    [Registry value data is equal to 1 OR registry value data is equal to 2]
    (Type 1 is a kernel driver, Type 2 a file system driver.)

Add Service to svchost (score 7)
    [Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* AND registry value name is equal to ImagePath AND registry value data matches *svchost.exe*]
    OR
    [Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameters AND registry value name is equal to ServiceDll AND registry value data matches *.dll]

Add Active Setup Value In Registry (score 7)
    Registry key path matches HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components*

Modify Powershell Execution Policy (score 7)
    Registry key path is equal to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell AND registry value name is equal to ExecutionPolicy

Modify Firewall Settings (score 6)
    Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile*

Disable Registry Editing Tool (score 6)
    Registry key path is equal to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System AND registry value name is equal to DisableRegistryTools AND registry value data is equal to 1

Modify AppInit_DLLs in Registry (score 6)
    Registry key path is equal to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows AND registry value name is equal to AppInit_DLLs

Add Service (score 6)
    Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* AND registry value name is equal to ImagePath AND registry value data matches *.exe* AND registry value data doesn't match *svchost.exe*

Layered Service Provider installation (score 6)
    Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries*

Add Autorun In Registry (score 5)
    Registry key path matches any of the following:
        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup*
        HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon*
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System*
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx*
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*
        HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows*
        HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run*
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*
        HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff*
        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown*
    OR
    Registry key path equals any of the following:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Booting Time Execution (score 5)
    Registry key path is equal to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager AND registry value name is equal to BootExecute

Disable Auto Update (score 5)
    [Registry key path is equal to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AND registry value name is equal to NoAutoUpdate AND registry value data is equal to 1]
    OR
    [Registry key path is equal to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate AND registry value name is equal to DisableWindowsUpdateAccess AND registry value data is equal to 1]
    OR
    [Registry key path is equal to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate AND registry value name is equal to DisableWindowsUpdateAccess AND registry value data is equal to 1]

Disable Service (score 5)
    Registry key path matches HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\* AND registry value name is equal to Start AND registry value data is equal to 4
    (Start 4 is SERVICE_DISABLED.)

Create Explorer Entry (score 5)
    Registry key path matches any of the following:
        HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter*
        HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler*
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components*
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*
        HKEY_CURRENT_USER\Software\Classes\*\ShellEx\ContextMenuHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers*
        HKEY_CURRENT_USER\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers*
        HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\ContextMenuHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers*
        HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\DragDropHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\DragDropHandlers*
        HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\PropertySheetHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\PropertySheetHandlers*
        HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\CopyHookHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers*
        HKEY_CURRENT_USER\Software\Classes\Folder\Shellex\ColumnHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Folder\Shellex\ColumnHandlers*
        HKEY_CURRENT_USER\Software\Classes\Folder\ShellEx\ContextMenuHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Folder\ShellEx\ContextMenuHandlers*
        HKEY_CURRENT_USER\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers*
        HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers*
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers*
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers*
        HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin*
        HKEY_LOCAL_MACHINE\Software\Microsoft\Ctf\LangBarAddin*
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved*
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved*
    OR
    Registry key path is equal to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Disable Windows Application (score 5)
    Registry key path is equal to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Disable Command Prompt (score 5)
    Registry key path is equal to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System AND registry value name is equal to DisableCMD AND registry value data is equal to 2

Disable Show Hidden Files (score 4)
    Registry key path is equal to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced AND registry value data is equal to 2
    AND
    [Registry value name is equal to Hidden OR registry value name is equal to ShowSuperHidden]

Share Folder (score 4)
    Registry key path is equal to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Shares

Addition of DNS Server (score 3)
    Registry key path matches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces* AND registry value name is equal to NameServer

Modify Hosts File Registry (score 3)
    Registry key path is equal to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters AND registry value name is equal to DataBasePath
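The Process Events and Registry Events tables above are written as wildcard and equality conditions on a handful of event fields, so they can be checked mechanically. The script below is an added example, not Comodo's rule engine: it transcribes a subset of the rules from both tables and runs them over constructed events, which makes the AND/OR grouping and the breadth of the wildcard patterns visible. The event field names (file_path, process_path, command_line, verdict, key, name, data), the expansion of %systemroot% to C:\Windows, case-insensitive matching in which * also spans backslashes, and every sample event are assumptions of this script; how the agent itself evaluates a rule is not documented on this page.

```python
"""Evaluate a subset of the default Process and Registry rules against constructed events.

Added example, not Comodo's rule engine. Rule names, scores and conditions are
transcribed from the Process Events and Registry Events tables above; field names,
glob semantics, the %systemroot% value and the sample events are assumptions.
"""
from fnmatch import fnmatchcase

ENV = {"%systemroot%": r"C:\Windows"}   # assumed expansion of the placeholder


def glob(pattern, value):
    """Case-insensitive wildcard match; '*' also spans backslashes and spaces."""
    if not isinstance(value, str):      # REG_DWORD data never matches a string pattern
        return False
    for placeholder, real in ENV.items():
        pattern = pattern.replace(placeholder, real)
    return fnmatchcase(value.lower(), pattern.lower())


def equals(value, expected):
    return isinstance(value, str) and value.lower() == expected.lower()


# Process Events (event type Create Process). Assumed fields: file_path = image of the
# new process, process_path = image of the creating process, command_line, verdict.
POWERSHELL_FLAGS = ["-NoP", "-Win", "-w", "-Exec", "-ex", "-ep", "-command", "-NoL",
                    "-InputFormat", "-Enc", "-NonInteractive", "-nonI", "-file"]


def matched_flags(command_line):
    """Sub-patterns of 'Suspicious Powershell Flag' that a command line satisfies."""
    return [f for f in POWERSHELL_FLAGS if glob(f"*powershell*{f}*", command_line)]


PROCESS_RULES = [
    ("Suspicious System Process Creation", 6,
     lambda e: e["verdict"] != "safe" and glob(r"%systemroot%\*", e["file_path"])),
    ("Remote Powershell Execution", 5, lambda e: glob("*wsmprovhost.exe", e["file_path"])),
    ("Suspicious Powershell Flag", 5, lambda e: bool(matched_flags(e["command_line"]))),
    ("Stop Service", 5, lambda e: glob(r"%systemroot%\system32\net*stop*", e["command_line"])),
    ("Run Untrusted Executable", 4, lambda e: e["verdict"] != "safe"),
    ("Suspicious Process Hierarchy", 3,
     lambda e: not glob("*explorer.exe", e["process_path"])
     and (glob("*powershell.exe", e["file_path"]) or glob("*cmd.exe", e["file_path"]))),
    ("Start Service", 2, lambda e: glob(r"%systemroot%\system32\net*start*", e["command_line"])),
]

# Registry Events (event type Set Registry Value). Assumed fields: key, name, data.
HKLM = "HKEY_LOCAL_MACHINE"
SERVICES = HKLM + r"\SYSTEM\CurrentControlSet\Services"

REGISTRY_RULES = [
    ("Disable User Account Control", 9,
     lambda e: equals(e["key"], HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System")
     and equals(e["name"], "EnableLUA") and e["data"] == 0),
    ("Installation of Drivers", 8,   # Type 1 = kernel driver, 2 = file system driver
     lambda e: glob(SERVICES + r"\*", e["key"]) and equals(e["name"], "Type") and e["data"] in (1, 2)),
    ("Add Service to svchost", 7,
     lambda e: (glob(SERVICES + r"\*", e["key"]) and equals(e["name"], "ImagePath")
                and glob("*svchost.exe*", e["data"]))
     or (glob(SERVICES + r"\*\Parameters", e["key"]) and equals(e["name"], "ServiceDll")
         and glob("*.dll", e["data"]))),
    ("Add Service", 6,
     lambda e: glob(SERVICES + r"\*", e["key"]) and equals(e["name"], "ImagePath")
     and glob("*.exe*", e["data"]) and not glob("*svchost.exe*", e["data"])),
    ("Disable Service", 5,           # Start 4 = SERVICE_DISABLED
     lambda e: glob(SERVICES + r"\*", e["key"]) and equals(e["name"], "Start") and e["data"] == 4),
]


def evaluate(rules, event):
    """(event name, score) for every rule the event satisfies, highest score first."""
    hits = [(name, score) for name, score, cond in rules if cond(event)]
    return sorted(hits, key=lambda h: -h[1])   # stable sort: ties keep table order


# Constructed sample events (not real telemetry).
PS_FROM_WORD = {"verdict": "safe", "process_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"}
PS_FROM_EXPLORER = {"verdict": "safe", "process_path": r"C:\Windows\explorer.exe",
                    "file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "command_line": "powershell.exe Get-WinEvent -LogName System"}
NET_STOP = {"verdict": "safe", "process_path": r"C:\Windows\System32\cmd.exe",
            "file_path": r"C:\Windows\System32\net1.exe", "command_line": r"C:\Windows\system32\net1.exe stop WinDefend"}
DROPPED_BIN = {"verdict": "unknown", "process_path": r"C:\Windows\System32\cmd.exe",
               "file_path": r"C:\Windows\Temp\update.exe", "command_line": r"C:\Windows\Temp\update.exe /silent"}
UAC_OFF = {"key": HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "name": "EnableLUA", "data": 0}
SVCHOST_DLL = {"key": SERVICES + r"\Evil\Parameters", "name": "ServiceDll", "data": r"C:\ProgramData\evil.dll"}
NEW_SERVICE = {"key": SERVICES + r"\Updater", "name": "ImagePath", "data": r'"C:\Program Files\Vendor\updater.exe" /svc'}
DISABLE_AV = {"key": SERVICES + r"\WinDefend", "name": "Start", "data": 4}

if __name__ == "__main__":
    samples = [("PS_FROM_WORD", PROCESS_RULES, PS_FROM_WORD), ("PS_FROM_EXPLORER", PROCESS_RULES, PS_FROM_EXPLORER),
               ("NET_STOP", PROCESS_RULES, NET_STOP), ("DROPPED_BIN", PROCESS_RULES, DROPPED_BIN),
               ("UAC_OFF", REGISTRY_RULES, UAC_OFF), ("SVCHOST_DLL", REGISTRY_RULES, SVCHOST_DLL),
               ("NEW_SERVICE", REGISTRY_RULES, NEW_SERVICE), ("DISABLE_AV", REGISTRY_RULES, DISABLE_AV)]
    for label, rules, ev in samples:
        print(f"{label:17} {evaluate(rules, ev)}")
```

Two behaviours worth noting when tuning these rules show up in the samples. The Suspicious Powershell Flag sub-patterns *powershell*-w* and *powershell*-Win* match any hyphenated token that follows the string "powershell", so a plain `powershell.exe Get-WinEvent -LogName System` started from Explorer still raises that rule on the cmdlet name alone. On the registry side, Add Service and Add Service to svchost are mutually exclusive for an ImagePath write, while a ServiceDll write under a service's Parameters key only ever satisfies the svchost rule.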


File Events

Event Category: File Events
Event Type: Write File

Each entry gives the event name, the score in parentheses, and the rule condition.

Add Scheduled Task (score 6)
    File path matches %systemroot%\System32\Tasks* OR %systemroot%\Tasks*

Write Fake System File (score 6)
    File path matches *svch0st.exe OR *svhost.exe

Write to System Directory (score 5)
    File path matches %systemroot%\*

Add Startup File or Folder (score 5)
    File path matches any of the following:
        %appdata%\Microsoft\Windows\Start Menu\Programs\Startup*
        %programdata%\Microsoft\Windows\Start Menu\Programs\Startup*
        %systemroot%\system\iosubsys*
        %systemroot%\system\vmm32*
        %systemroot%\Tasks*
    OR
    File path equals any of the following:
        %systemdrive%\autoexec.bat
        %systemdrive%\config.sys
        %systemroot%\wininit.ini
        %systemroot%\winstart.bat
        %systemroot%\win.ini
        %systemroot%\system.ini
        %systemroot%\dosstart.bat

Modify Host File (score 4)
    File path is equal to %systemroot%\system32\drivers\etc\hosts

Write to Executable (score 4)
    File type is equal to PORTABLE_EXECUTABLE
    AND
    Process path doesn't match *explorer.exe

Write to Infectible File (score 4)
    Process path doesn't match *explorer.exe
    AND
    File path matches any of the following:
        *.lnk
        *.wsf
        *.hta
        *.mhtml
        *.html
        *.doc
        *.docm
        *.xls
        *.xlsm
        *.ppt
        *.pptm
        *.chm
        *.vbs
        *.js
        *.bat
        *.pif
        *.pdf
        *.jar
        *.sys

Modify Group Policy Settings (score 1)
    File path matches %systemroot%\system32\grouppolicy* OR %systemroot%\Sysvol\sysvol\*\Policies*

Write to Program Files Directory (score 1)
    File path matches %programfiles%\*



Download Events

Event Category: Download Events
Event Type: Browser Download

Each entry gives the event name, the score in parentheses, and the rule condition.

Download Infectible File (score 3)
    File path matches any of the following:
        *.lnk
        *.wsf
        *.hta
        *.mhtml
        *.html
        *.doc
        *.docm
        *.xls
        *.xlsm
        *.ppt
        *.pptm
        *.chm
        *.vbs
        *.js
        *.bat
        *.pif
        *.pdf
        *.jar
        *.sys

Download Executable (score 2)
    File type is equal to PORTABLE_EXECUTABLE


Upload Events

Event Category: Upload Events
Event Type: File Copy to Shared Folder

Each entry gives the event name, the score in parentheses, and the rule condition.

Write Executable to Shared Folder (score 5)
    File type is equal to PORTABLE_EXECUTABLE

Write Infectible to Shared Folder (score 5)
    File path matches any of the following:
        *.lnk
        *.wsf
        *.hta
        *.mhtml
        *.html
        *.doc
        *.docm
        *.xls
        *.xlsm
        *.ppt
        *.pptm
        *.chm
        *.vbs
        *.js
        *.bat
        *.pif
        *.pdf
        *.jar
        *.sys
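The File Events, Download Events and Upload Events tables above all rest on the same two tests: whether the file type is PORTABLE_EXECUTABLE, and whether the file path ends in one of the "infectible" extensions, with the File Events rules additionally ignoring writes made by explorer.exe. The script below is an added example, not the agent's own classifier: it implements both tests and applies them per category to constructed write events. The page does not say how the agent decides that a file is PORTABLE_EXECUTABLE; checking for the MZ header and the PE signature at e_lfanew is this script's assumption, as are the event fields (process_path, file_path, content), the minimal_pe() stub bytes and the sample paths.

```python
"""Apply the default File, Download and Upload rules to constructed write events.

Added example, not Comodo's classifier. Rule names, scores and the extension list
come from the tables above; the PE detection method, the event field names and the
sample data are assumptions of this script.
"""
import struct
from fnmatch import fnmatchcase

# Extension list shared by 'Write to Infectible File', 'Download Infectible File'
# and 'Write Infectible to Shared Folder' (copied from the tables above).
INFECTIBLE = ["*.lnk", "*.wsf", "*.hta", "*.mhtml", "*.html", "*.doc", "*.docm",
              "*.xls", "*.xlsm", "*.ppt", "*.pptm", "*.chm", "*.vbs", "*.js",
              "*.bat", "*.pif", "*.pdf", "*.jar", "*.sys"]

# Per category: (executable rule, score, infectible rule, score, ignore explorer.exe writer)
RULES = {
    "File Events": ("Write to Executable", 4, "Write to Infectible File", 4, True),
    "Download Events": ("Download Executable", 2, "Download Infectible File", 3, False),
    "Upload Events": ("Write Executable to Shared Folder", 5, "Write Infectible to Shared Folder", 5, False),
}


def is_portable_executable(data: bytes) -> bool:
    """Assumed PE test: 'MZ' DOS header and a 'PE\\0\\0' signature at offset e_lfanew (read from 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"   # out-of-range offset gives a short slice -> False


def file_type(data: bytes) -> str:
    return "PORTABLE_EXECUTABLE" if is_portable_executable(data) else "OTHER"


def is_infectible(path: str) -> bool:
    """Literal suffix match: '*.doc' covers .doc but not .docx; .ps1 appears on no list."""
    return any(fnmatchcase(path.lower(), pat) for pat in INFECTIBLE)


def classify(category: str, event: dict) -> list:
    """Return (event name, score) pairs for the rules of one category, highest score first."""
    exe_rule, exe_score, inf_rule, inf_score, ignore_explorer = RULES[category]
    if ignore_explorer and fnmatchcase(event["process_path"].lower(), "*explorer.exe"):
        return []
    hits = []
    if file_type(event["content"]) == "PORTABLE_EXECUTABLE":
        hits.append((exe_rule, exe_score))
    if is_infectible(event["file_path"]):
        hits.append((inf_rule, inf_score))
    return sorted(hits, key=lambda h: -h[1])


def minimal_pe(tail: bytes = b"") -> bytes:
    """Constructed stub with a valid MZ/PE signature layout; not a loadable image."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    return bytes(header) + b"PE\0\0" + tail


# Constructed sample events (not real telemetry).
RENAMED_PE = {"process_path": r"C:\Users\alice\AppData\Local\Temp\setup.tmp",
              "file_path": r"C:\Users\alice\AppData\Roaming\update.dat", "content": minimal_pe()}
EXPLORER_COPY = {"process_path": r"C:\Windows\explorer.exe",
                 "file_path": r"\\fileserver\public\tool.exe", "content": minimal_pe()}
MACRO_DOC = {"process_path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
             "file_path": r"C:\Users\alice\Downloads\invoice.docm", "content": b"PK\x03\x04" + b"\0" * 64}
PS1_SCRIPT = {"process_path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
              "file_path": r"C:\Users\alice\Downloads\run.ps1", "content": b"IEX (New-Object Net.WebClient)"}

if __name__ == "__main__":
    for label, category, ev in [("RENAMED_PE", "File Events", RENAMED_PE),
                                ("EXPLORER_COPY", "File Events", EXPLORER_COPY),
                                ("EXPLORER_COPY", "Upload Events", EXPLORER_COPY),
                                ("MACRO_DOC", "Download Events", MACRO_DOC),
                                ("PS1_SCRIPT", "Download Events", PS1_SCRIPT)]:
        print(f"{label:14} {category:16} {classify(category, ev)}")
```

The samples make two points. A PE written as update.dat is still reported as an executable because the test is on content, not on the extension, whereas the explorer.exe exclusion silences the File Events rules for an interactive copy but not the Upload Events rule for the same file. And the extension list is literal: *.doc does not cover .docx, and nothing on the list covers .ps1, .vbe or .iso, so the download rules on their own do not see a downloaded PowerShell script.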


Defense+ Events


No default rules for this event category.


Network Events


No default rules for this event category.

© Comodo Group, Inc. 2025. All rights reserved.