CFP3/Help Guide/Defense Task Center/Defense Settings

From ComodoWiki


Defense+ Tasks > Advanced - Defense+ Settings

The Defense+ component of Comodo Firewall Pro is a host intrusion prevention system that constantly monitors the activities of all executable files on your PC. With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc.) attempts to run. The only executables that are allowed to run are the ones you give permission to. An application can be given such permission to run in a variety of ways, including: manually granting it execution rights in the Computer Security Policy; deciding to treat the executable as trusted at a Defense+ alert; or simply because the application is on the Comodo safe list. Defense+ also automatically protects system-critical files, folders and registry entries to prevent unauthorized modification. Such protection adds another layer of defense to Comodo Firewall Pro by preventing malware from ever running and by preventing any process from making changes to vital system files.

Note for beginners: This page will often refer to 'executables' (or 'executable files'). An 'executable' is a file that can instruct your computer to perform a task or function. Every program, application and device you run on your computer requires an executable file of some kind to start it. The most recognisable type of executable file is the '.exe' file (e.g., when you start Microsoft Word, the executable file 'winword.exe' instructs your computer to start and run the Word application). Other types of executable files include those with the extensions .cpl, .dll, .drv, .inf, .ocx, .pf, .scr and .sys.

Unfortunately, not all executables can be trusted. Some executables, broadly categorised as malware, can instruct your computer to delete valuable data; steal your identity; corrupt system files; give control of your PC to a hacker and much more. You may also have heard these referred to as Trojans, scripts and worms. Worse still, these programs are explicitly designed to run without you knowing about them. Defense+ is designed to make sure you DO know about them by blocking all unknown executables and alerting you whenever they try to run.

The Defense+ Settings area allows you to quickly configure the security level and behaviour of Defense+ during operation. This settings area can be accessed in the 'Advanced' section of 'Defense+ Tasks' and, more immediately, by clicking on the blue text next to 'Defense+' on the Summary Screen (shown below).

Image:cf_sum_ds_gs_sel.gif

'General Settings' tab

Comodo Firewall Pro allows you to customize the behaviour of Defense+ by adjusting a Security Level slider to switch between preset security levels.

The choices available are: Paranoid, Train with Safe Mode, Clean PC Mode, Training Mode and Disabled. The setting you choose here will also be displayed on the firewall summary screen.

Image:cf_sum_ds_gs.gif

  • Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any application - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create 'Allow' rules for any executables - although you still have the option to treat an application as 'Trusted' at the Defense+ alert. Choosing this option will generate the largest number of Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.
  • Train with Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as 'Safe' by Comodo. It will also automatically create 'Allow' rules for these activities. For non-certified, unknown applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing 'Treat this application as a Trusted Application' at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or not known to be free of malware and other threats, as required for 'Clean PC Mode', then 'Train with Safe Mode' is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.
  • Clean PC Mode: From the time you set the slider to 'Clean PC Mode', Defense+ will learn the activities of the applications currently installed on the computer, while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in 'My Pending Files' are excluded from being considered as clean and are monitored and controlled.
  • Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called 'Child Processes'. In 'Paranoid', 'Train with Safe' and 'Clean PC' modes, Defense+ would raise an alert every time these child processes attempted to execute because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage 'Installation Mode' - which will temporarily bestow these child processes with the same access rights as the parent process - so allowing the installation to proceed without the usual alerts.

If you are installing a new, unknown application, Defense+ will alert you with a pop-up notification and, as you want to allow this application to continue installing, you should select 'Treat this application as an Installer or Updater' at the Defense+ alert. You will subsequently see the following:

Image:switch_to_installation_mode.gif

Clicking 'Yes' will engage 'Installation Mode' and so grant child processes with the same access rights as the parent process.

This will be followed by the following reminder that you need to switch back to your previous mode:

Image:installation_mode_reminder.gif

  • Training Mode: The firewall will monitor and learn the activity of any and all executables and create automatic 'Allow' rules until the security level is adjusted. You will not receive any Defense+ alerts in 'Training Mode'. If you choose the 'Training Mode' setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.

Tip: This mode can be used as a “Gaming Mode”. It is handy to use this setting temporarily when you are running an (unknown but trusted) application or game for the first time. This will suppress all Defense+ alerts while the firewall learns the components of the application that need to run on your machine and automatically creates 'Allow' rules for them. Afterwards, you can switch back to 'Train with Safe Mode'.

  • Disabled: Disables Defense+ protection. All executables and applications are allowed to run irrespective of your configuration settings. Comodo strongly advise against this setting unless you are confident that you have an alternative intrusion defense system installed on your computer.

Keep an alert on screen for maximum (n) seconds - Determines how long the Firewall will show a Defense+ alert without any user intervention. By default, the timeout is set at 120 seconds. You may adjust this setting to your own preference.

Trust applications digitally signed by Trusted Software Vendors - Leaving this option checked means software which is signed by a Trusted Certificate Authority will be automatically added to the safe list. Comodo recommend leaving this option enabled. For more details, see My Trusted Software Vendors.

Block all unknown requests if the application is closed - Checking this box will block all unknown requests (those not included in your Computer Security Policy) if Comodo Firewall Pro is not running/has been shut down.

Deactivate Defense+ permanently (Requires a system restart) - Shuts down the Defense+ host intrusion prevention element of Comodo Firewall Pro PERMANENTLY. The firewall is not affected and will continue to protect your computer even if you deactivate Defense+. Comodo do not recommend users close Defense+ unless they are sure they have an alternative Intrusion Prevention System installed.

'Monitor Settings' tab

The 'Monitor Settings' tab allows you to configure which activities, entities and objects should be monitored by Defense+.

Note: The settings you choose here are universally applied.

  • If you disable monitoring of an activity, entity or object using this interface, it will completely switch off monitoring of that activity on a global basis - effectively creating a universal 'Allow' rule for that activity. This 'Allow' setting will over-rule any policy-specific 'Block' or 'Ask' setting for that activity that you may have selected using the 'Access Rights' and 'Protection Settings' interface.
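The precedence described above (a globally unmonitored activity beats any per-application 'Block' or 'Ask' rule) and the behaviour of the security levels listed under the 'General Settings' tab can be read as one decision procedure. The following model is an added example written for this page; it is not Comodo's code, and the names Level, App, Policy, decide() and learn() are assumptions made for the illustration. It also generalises slightly by treating 'Installation Mode' child-process inheritance as one more step of the same procedure.

```python
# Constructed model of the Defense+ decision order described on this page.
# Not Comodo's implementation: every class and function name is an assumption.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Level(Enum):
    PARANOID = "Paranoid"
    TRAIN_WITH_SAFE = "Train with Safe Mode"
    CLEAN_PC = "Clean PC Mode"
    TRAINING = "Training Mode"
    DISABLED = "Disabled"


@dataclass
class App:
    name: str
    comodo_safe: bool = False           # on the Comodo safe list
    user_trusted: bool = False          # 'Treat this application as Trusted' chosen at an alert
    pending: bool = False               # listed in 'My Pending Files'
    present_at_clean_pc: bool = False   # installed before the slider moved to Clean PC Mode


@dataclass
class Policy:
    level: Level
    monitored: Set[str] = field(default_factory=set)                  # 'Monitor Settings' tab
    rules: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (app, activity) -> Allow/Block/Ask
    installer: Optional[str] = None                                    # app granted 'Installation Mode'


def learn(policy: Policy, app: App, activity: str) -> Tuple[str, str]:
    """Record an automatic 'Allow' rule, as the learning modes do, and report it."""
    policy.rules[(app.name, activity)] = "Allow"
    return "learn", f"auto 'Allow' rule created under {policy.level.value}"


def decide(policy: Policy, app: App, activity: str,
           parent: Optional[App] = None) -> Tuple[str, str]:
    """Return (action, reason); action is one of allow, block, alert, learn."""
    # 1. 'Disabled' lets everything run regardless of configuration.
    if policy.level is Level.DISABLED:
        return "allow", "Defense+ disabled"
    # 2. An activity switched off in 'Monitor Settings' is a universal 'Allow'
    #    that over-rules any per-application 'Block' or 'Ask' rule.
    if activity not in policy.monitored:
        return "allow", f"'{activity}' not monitored (global Allow)"
    # 3. An explicit Computer Security Policy rule decides before the slider does.
    rule = policy.rules.get((app.name, activity))
    if rule == "Allow":
        return "allow", "policy rule"
    if rule == "Block":
        return "block", "policy rule"
    if rule == "Ask":
        return "alert", "policy rule asks"
    # 4. In 'Installation Mode' a child with no rule of its own inherits
    #    the installer's access rights.
    if parent is not None and parent.name == policy.installer:
        action, reason = decide(policy, parent, activity)
        return action, f"child of installer '{parent.name}': {reason}"
    # 5. No rule: the security level decides. A user-trusted app is allowed in every mode.
    if app.user_trusted:
        return "allow", "treated as Trusted Application"
    level = policy.level
    if level is Level.TRAINING:               # learns everything, never alerts
        return learn(policy, app, activity)
    if level is Level.PARANOID:               # learns nothing, not even safe-list apps
        return "alert", "Paranoid Mode alerts on every executable without a rule"
    if level is Level.TRAIN_WITH_SAFE:        # learns only Comodo-certified safe apps
        if app.comodo_safe:
            return learn(policy, app, activity)
        return "alert", "unknown application"
    if level is Level.CLEAN_PC:               # learns what was installed, except pending files
        if app.present_at_clean_pc and not app.pending:
            return learn(policy, app, activity)
        return "alert", "new or pending executable"
    raise ValueError(f"unhandled level {level}")


if __name__ == "__main__":
    # Constructed walk-through: a 'Block' rule is silently over-ruled once the
    # activity is unmonitored, and a safe-list app is learned once then allowed.
    p = Policy(Level.TRAIN_WITH_SAFE, monitored={"Interprocess Memory Access"})
    p.rules[("unknown.exe", "Windows/WinEvent Hooks")] = "Block"
    print(decide(p, App("unknown.exe"), "Windows/WinEvent Hooks"))
    word = App("winword.exe", comodo_safe=True)
    print(decide(p, word, "Interprocess Memory Access"))
    print(decide(p, word, "Interprocess Memory Access"))
```

Running the block shows why the page's note matters: a 'Block' rule for hooks does nothing while hook monitoring is switched off, whereas the same rule is enforced as soon as the activity is added back to the monitored set.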

Image:cf_def_adv_def_set2.gif

Activities To Monitor:

Interprocess Memory Access - Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording your keyboard strokes; modifying the behavior of the invaded application; stealing confidential data by sending confidential information from one process to another process etc. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take the identity of the invaded process, or 'impersonate' the application under attack. This makes life harder for traditional virus scanning software and intrusion-detection systems. Leave this box checked and Defense+ will alert you when an application attempts to modify the memory space allocated to another application.

Windows/WinEvent Hooks - In the Microsoft Windows® operating system, a hook is a mechanism by which a function can intercept events (messages, mouse actions, keystrokes) before they reach an application. The function can act on events and, in some cases, modify or discard them. Originally developed to allow legitimate software developers to develop more powerful and useful applications, hooks have also been exploited by hackers to create more powerful malware. Examples include malware that can record every stroke on your keyboard; record your mouse movements; monitor and modify all messages on your computer; take over control of your mouse and keyboard to remotely administer your computer. Leaving this box checked means that you are warned every time a hook is executed by an untrusted application.

Device Driver Installations - Device drivers are small programs that allow applications and/or operating systems to interact with a hardware device on your computer. Hardware devices include your disk drives, graphics card, wireless and LAN network cards, CPU, mouse, USB devices, monitor, DVD player etc. Even the installation of a perfectly well-intentioned device driver can lead to system instability if it conflicts with other drivers on your system. The installation of a malicious driver could, obviously, cause irreparable damage to your computer or even pass control of that device to a hacker. Leaving this box checked means Defense+ will alert you every time a device driver is installed on your machine by an untrusted application.

Loopback Networking - Loopback connections refer to the internal communications within your PC. Any data transmitted by your computer through a loopback connection is immediately also received by it. This involves no connection outside your computer to the internet or a local network. The IP address of the loopback network is 127.0.0.1, which you may have heard referred to under its host name 'localhost', i.e. the address of your own computer. Loopback channel attacks can be used to flood your computer with TCP and/or UDP requests, which can overwhelm your IP stack or crash your computer. Leaving this box checked means Defense+ will alert you every time a process attempts to communicate using the loopback channel.

Process Terminations - A process is a running instance of a program (for example, the Comodo Firewall Pro process is called 'cfp.exe'; press 'Ctrl+Alt+Delete' and click on 'Processes' to see the full list of those running on your system). Terminating a process will, obviously, terminate the program. Viruses and Trojan horses often try to shut down the processes of any security software you have running in order to bypass it. With this setting enabled, Defense+ will monitor and alert you to all attempts by an untrusted application to close down another application.

Window Messages - This setting means Comodo Firewall Pro will monitor and detect if one application attempts to send special Windows messages to modify the behaviour of another application (e.g. by using the WM_PASTE message).

DNS Client Service - This setting alerts you if an application attempts to access the 'Windows DNS service' - possibly in order to launch a DNS recursion attack. A DNS recursion attack is a type of Distributed Denial of Service attack whereby a malicious entity sends several thousand spoofed requests to a DNS server. The requests are spoofed in that they appear to come from the target or 'victim' server but in fact come from different sources - often a network of 'zombie' PCs which are sending out these requests without their owners' knowledge. The DNS servers are tricked into sending all their replies to the victim server - overwhelming it with traffic and causing it to crash. Leaving this setting enabled will prevent malware from using the DNS Client Service to launch such an attack.

Note for beginners: DNS stands for Domain Name System. It is the part of the Internet infrastructure that translates a familiar domain name, such as 'example.com' to an IP address like 123.456.789.04. This is essential because the Internet routes messages to their destinations on the basis of this destination IP address, not the domain name. Whenever you type a domain name, your internet browser contacts a DNS server and makes a 'DNS Query'. In simplistic terms, this query is 'What is the IP address of example.com?'. Once the IP address has been located, the DNS server replies to your computer, telling it to connect to the IP in question.

Entities To Monitor Against Modifications:

- Protected COM Interfaces enables monitoring of COM interfaces you specified here.

- Protected Registry Keys enables monitoring of Registry keys you specified here.

- Protected Files/Folders enables monitoring of files and folders you specified here.

Objects To Monitor Against Direct Access:

Determines whether or not Comodo Firewall Pro should monitor access to system-critical objects on your computer. Using direct access methods, malicious applications can obtain data from storage devices, modify or infect other executable software, record keystrokes and more. Comodo advise the average user to leave these settings enabled:

- Physical Memory - Monitors your computer's memory for direct access by applications and processes. Malicious programs will attempt to access physical memory to run a wide range of exploits - the most famous being the 'Buffer Overflow' exploit. Buffer overruns occur when an interface designed to store a certain amount of data at a specific address in memory allows a malicious process to supply too much data to that address. This overwrites its internal structures and can be used by malware to force the system to execute its code.

- Computer Monitor - Comodo Firewall Pro will raise an alert every time a process tries to directly access your computer monitor. Although legitimate applications will sometimes require this access, there is also an emerging category of spyware programs that use such access to monitor users' activities (for example, to take screenshots of your current desktop, or to record your browsing activities).

- Disks - Monitors your local disk drives for direct access by running processes. This helps guard against malicious software that needs this access to, for example, obtain data stored on the drives, destroy files on a hard disk, format the drive or corrupt the file system by writing junk data.

- Keyboard - Monitors your keyboard for access attempts. Malicious software known as 'keyloggers' can record every stroke you make on your keyboard and can be used to steal your passwords, credit card numbers and other personal data. With this setting checked, Comodo Firewall Pro will alert you every time an application attempts to establish direct access to your keyboard.
