Comodo Device Manager - Administrator Guide
• To edit or delete the component, click 'More Actions' and choose the option.
The saved 'Viruscope' settings screen will be displayed with options to edit the settings or delete the section. Refer to the section 'Editing Configuration Profiles' for more details.
6.1.3.1.6. HIPS Settings
The Host Intrusion Prevention System (HIPS) constantly monitors system activity and only allows executables and processes to run if they comply with security rules that have been enforced by the Windows profile applied to the managed computer.
Comodo Endpoint Security ships with a default HIPS ruleset that works 'out of the box', providing a very high level of protection without any user intervention. For example, HIPS automatically protects system-critical files, folders and registry keys to prevent unauthorized modification by malicious programs. Administrators who want a firmer grip on their security posture can quickly create custom policies and rulesets using the rules interface and roll them out through the Windows profile.
To configure HIPS Settings and Rules
• Click 'HIPS' from the 'Add' drop-down
The HIPS settings screen will be displayed. It contains six tabs:
•
•
computer have to be protected
•
managed computer.
•
as to add them to Protected Objects.
HIPS Settings
Comodo Device Manager - Administrator Guide | © 2016 Comodo Security Solutions Inc. | All rights reserved 303
The HIPS settings panel under the HIPS tab allows you to enable/disable HIPS, set HIPS security level and configure HIPS' general behavior.
HIPS Settings - Table of Parameters

Enable HIPS
Allows you to enable or disable HIPS protection for the managed computers to which the profile is applied (Default = Enabled). If enabled, you can configure the HIPS security level and monitoring settings.

HIPS Security Level
If HIPS is enabled, choose the security level that HIPS provides at the managed computer from the drop-down below 'Enable HIPS'.
The available options are:
• Paranoid Mode: This is the highest security level. HIPS monitors and controls all executable files apart from those you have deemed safe. Comodo Endpoint Security does not attempt to learn the behavior of any application, even those on the Comodo safe list, and uses only your configuration settings to filter critical system activity. Similarly, Comodo Endpoint Security does not automatically create 'Allow' rules for any executable, although the end user still has the option to treat an application as 'Trusted' at the HIPS alert. This option generates the largest number of HIPS alerts and is recommended for advanced users who require complete awareness of activity on their systems.
• Safe Mode: While monitoring critical system activity, HIPS automatically learns the activity of executables and applications certified as 'Safe' by Comodo. It also
receive an alert whenever that application attempts to run. The end user can add such a new application to the safe list by choosing 'Treat this application as a Trusted Application' at the alert; this instructs HIPS not to generate an alert the next time it runs. If the endpoint is not new, or is not known to be free of malware and other threats (the situation 'Clean PC Mode' is designed for), 'Safe Mode' is the recommended setting for most users, combining the highest levels of security with an easy-to-manage number of HIPS alerts.
• Clean PC Mode: From the time you select 'Clean PC Mode', HIPS learns the activities of the applications currently installed on the managed computer, while all new executables introduced to it are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer, or one that the user knows to be clean of malware and other threats. From this point onwards HIPS alerts the user whenever a new, unrecognized application is being installed. In this mode, files with an 'Unrecognized' rating in the 'File List' are excluded from being considered clean and are monitored and controlled.
• Training Mode: HIPS monitors and learns the activity of any and all executables and creates automatic 'Allow' rules until the security level is adjusted. The end user will not receive any HIPS alerts in 'Training Mode'. If you choose the 'Training Mode' setting, you should be 100% sure that all applications and executables installed on the endpoints are safe to run.
Monitoring Settings
If HIPS is enabled, you can configure the activities, entities and objects that it monitors at the managed endpoint by clicking the 'Monitoring Settings' link.
Activities To Monitor:
• Interprocess Memory Access - Malware uses memory-space modification to inject malicious code for numerous types of attack, including recording keystrokes, modifying the behavior of applications and stealing data by sending confidential information from one process to another. One of the most serious aspects of a memory-space breach is that the offending malware can take on the identity of the compromised process and 'impersonate' the application under attack, which makes life harder for traditional virus scanners and intrusion-detection systems. Leave this option selected and HIPS generates alerts when an application attempts to modify the memory space allocated to another application (Default = Enabled).
• Windows/WinEvent Hooks - In the Microsoft Windows® operating system, a hook is a mechanism by which a function can intercept events before they reach an application. Example intercepted events include messages, mouse actions and keystrokes. Hooks can react to these events and, in some cases, modify or discard them. Originally provided so that legitimate software developers could build more powerful and useful applications, hooks have also been exploited by attackers to create more powerful malware. Examples include malware that records every keystroke, records mouse movements, monitors and modifies all messages on the computer, or takes remote control of it. Leaving this option selected means that an alert is generated every time a hook is installed by an untrusted application (Default = Enabled).
• Device Driver Installations - Device drivers are small programs that allow applications and/or the operating system to interact with hardware devices on the managed computer. Hardware devices include disk drives, graphics cards, wireless and LAN network cards, the CPU, mouse, USB devices, monitor, DVD player and so on. Even the installation of a perfectly well-intentioned device driver can lead to system instability if it conflicts with other drivers on the system. The installation of a malicious driver could cause irreparable damage to the computer or even pass control of that device to an attacker. Leaving this option selected means HIPS generates alerts every time a device driver is installed on the computer by an untrusted application (Default = Enabled).
• Processes' Terminations - A process is a running instance of a program; terminating a process terminates the program. Viruses and Trojan horses often try to shut down the processes of any security software you have running in order to bypass it. With this setting enabled, HIPS monitors and generates alerts for all attempts by an untrusted application to close down another application (Default = Enabled).
• Process Execution - Malware such as rootkits and key-loggers often executes as background processes. With this setting enabled, HIPS monitors and generates alerts whenever a process is invoked by an untrusted application (Default = Enabled).
• Windows Messages - With this setting enabled, Comodo Endpoint Security monitors and detects whether one application attempts to send special Windows messages to modify the behavior of another application (e.g. by using the WM_PASTE message) (Default = Enabled).
• DNS/RPC Client Service - This setting generates alerts if an application attempts to access the 'Windows DNS service', possibly in order to launch a DNS recursion attack. A DNS recursion attack is a type of distributed denial of service attack in which a malicious entity sends thousands of spoofed requests to DNS servers. The requests are spoofed in that they appear to come from the target or 'victim' server but in fact come from different sources, often a network of 'zombie' computers that send the requests without their owners' knowledge. The DNS servers are tricked into sending all their replies to the victim, overwhelming it with traffic and causing it to crash. Leaving this setting enabled prevents malware from using the DNS Client Service to launch such an attack (Default = Enabled).
Objects To Monitor Against Modifications:
• Protected COM Interfaces - enables monitoring of the COM interfaces you specified under 'Protected Objects' (Default = Enabled)
• Protected Registry Keys - enables monitoring of the registry keys you specified under 'Protected Objects' (Default = Enabled)
• Protected Files/Folders - enables monitoring of the files and folders you specified under 'Protected Objects' (Default = Enabled)
Objects To Monitor Against Direct Access:
Determines whether or not Comodo Endpoint Security should monitor access to system-critical objects on the managed computer. Using direct access methods, malicious applications can obtain data from storage devices, modify or infect other executable software, record keystrokes and more. Comodo advises the average user to leave these settings enabled:
• Physical Memory: Monitors the computer's memory for direct access by applications and processes. Malicious programs attempt to access physical memory to run a wide range of exploits, the most famous being the 'buffer overflow' exploit. Buffer overruns occur when a program that reserves a fixed amount of memory for some data allows a malicious process to supply more data than fits. The excess overwrites adjacent memory, including the program's internal structures, and can be used by malware to force the system to execute its code (Default = Enabled).
• Computer Monitor: Comodo Endpoint Security raises an alert every time a process tries to directly access the computer monitor. Although legitimate applications sometimes require this access, spyware can also use it to take screenshots of the current desktop, record the user's browsing activity and more (Default = Enabled).
• Disks: Monitors the local disk drives at the managed computer for direct access by running processes. This helps guard against malicious software that needs this access to, for example, obtain data stored on the drives, destroy files on a hard disk, format the drive or corrupt the file system by writing junk data (Default = Enabled).
• Keyboard: Monitors the keyboard for access attempts. Malicious software known as 'key loggers' can record every stroke made on the keyboard and can be used to steal passwords, credit card numbers and other personal data typed on it. With this setting enabled, Comodo Endpoint Security generates alerts every time an application attempts to establish direct access to the keyboard (Default = Enabled).
Note: The settings you choose here are applied universally. If you disable monitoring of an activity, entity or object using this interface, it completely switches off monitoring of that activity on a global basis, effectively creating a universal 'Allow' rule for that activity. This 'Allow' setting overrules any ruleset-specific 'Block' or 'Ask' setting for that activity that you may have selected using the 'Access Rights' and 'Protection Settings' interface.
Do NOT show popup alerts
Configure whether or not HIPS alerts are displayed at the managed computer for the end user to respond to. Choosing 'Do NOT show popup alerts' minimizes disturbances, at some loss of user awareness (Default = Enabled). If you choose not to show alerts, you then select the default response that CES should take automatically: either 'Block Requests' or 'Allow Requests'.

Set popup alerts to verbose mode
Enabling this option instructs CES to display HIPS alerts in verbose mode, providing more informative alerts and more options for the user to allow or block the requests (Default = Enabled).
Create rules for safe applications
Automatically creates rules for safe applications in the HIPS Ruleset (Default = Enabled)
Note: HIPS trusts an application if:
• The application/file is rated as 'Trusted' in the File List
• The application is from a vendor included in the Trusted Software Vendors list
• The application is included in the extensive and constantly updated Comodo safelist.
Set new on-screen alert timeout to
Determines how long the HIPS shows an alert for without any user intervention. By default, the timeout is set at 60 seconds. You may adjust this setting to your own preference.
Advanced Settings
Enable adaptive mode under low system resources
Very rarely (and only on a heavily loaded system), low memory conditions might cause certain CES functions to fail. With this option enabled, CES will attempt to locate and utilize memory using adaptive techniques so that it can complete its pending tasks. However, the cost of enabling this option may be reduced performance even on lightly loaded systems (Default = Enabled).
Block unknown requests when the application is not running
Selecting this option blocks all unknown execution requests if Comodo Endpoint Security is not running or has been shut down. This option is very strict and in most cases should only be enabled on seriously infested or compromised machines while the user is working to resolve those issues. If you know the managed computer is already 'clean' and are only looking to enable the highest CES security settings, it is fine to leave this option disabled (Default = Disabled).
Enable enhanced protection mode (Requires a system restart)
On 64-bit systems, enabling this mode activates additional host intrusion prevention techniques to counteract extremely sophisticated malware that tries to bypass regular HIPS protection. Because of limitations in Windows 7/8 x64 systems, some HIPS functions in previous versions of CES could theoretically be bypassed by malware. Enhanced Protection Mode implements several patent-pending ways to improve HIPS. CES requires a system restart to enable enhanced protection mode (Default = Disabled).
Do heuristic command-line analysis for certain applications
Selecting this option instructs Comodo Endpoint Security to perform heuristic analysis of programs that are capable of executing code, such as Visual Basic scripts and Java applications. Example programs affected by enabling this option are wscript.exe, cmd.exe, java.exe and javaw.exe. For example, wscript.exe can be made to execute Visual Basic scripts (.vbs file extension) via a command similar to 'wscript.exe c:\tests\test.vbs'. If this option is selected, CES detects c:\tests\test.vbs from the command line and applies all security checks based on this file. If test.vbs attempts to connect to the Internet, for example, the alert states that 'test.vbs' is attempting to connect to the Internet (Default = Enabled).
If this option is disabled, the alert would only state that 'wscript.exe' is trying to connect to the Internet.
Background note: 'Heuristics' describes the method of analyzing a file to ascertain whether it contains code typical of a virus. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise signature that matches an entry on the virus blacklist. This helps to identify previously unknown (new) viruses.
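As an added illustration (example code written for this edit, not Comodo's implementation), the following Python function performs the kind of command-line analysis the option describes: it maps the command line of a script host or interpreter to the file that will actually execute, so that an alert can be attributed to test.vbs rather than to wscript.exe. The set of hosts it knows about and the argument conventions it handles are assumptions made for the illustration.

```python
"""Heuristic command-line analysis, modelled on the CES option described above.
Added example, not Comodo's code.  Host names and argument conventions are
assumptions for the illustration."""
import ntpath

# File types treated as "the thing that really runs" (assumption).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".jar")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Simplified: backslash-escaped quotes are not handled."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _is_script(token):
    return token.lower().endswith(SCRIPT_EXTS)


def effective_target(cmdline):
    """Return (host, target): host is the executable's base name (lower-cased),
    target is the script or archive it was asked to run, or None if none was found."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None, None
    host, args = ntpath.basename(tokens[0]).lower(), tokens[1:]

    if host in ("wscript.exe", "cscript.exe"):
        # The first argument that is not a //option switch is the script.
        for a in args:
            if not a.startswith(("/", "-")):
                return host, a
    elif host == "cmd.exe":
        # The token after /c or /k is the command; attribute it only when it is a batch file.
        for i, a in enumerate(args):
            if a.lower() in ("/c", "/k") and i + 1 < len(args) and _is_script(args[i + 1]):
                return host, args[i + 1]
    elif host in ("java.exe", "javaw.exe"):
        # -jar <file> names the archive; -cp/-classpath consume the following token.
        i = 0
        while i < len(args):
            if args[i] == "-jar" and i + 1 < len(args):
                return host, args[i + 1]
            i += 2 if args[i] in ("-cp", "-classpath") else 1
    elif host in ("powershell.exe", "pwsh.exe"):
        for i, a in enumerate(args):
            if a.lower() in ("-file", "-f") and i + 1 < len(args):
                return host, args[i + 1]
    return host, None


def alert_subject(cmdline):
    """Name an alert would show: the script when one was identified, else the host."""
    host, target = effective_target(cmdline)
    return ntpath.basename(target) if target else host
```

With the analysis on, `alert_subject(r'wscript.exe c:\tests\test.vbs')` yields `test.vbs`; a plain `notepad.exe c:\file.txt` still resolves to the host, which is the behaviour the paragraph describes for the option being disabled. A real implementation would also resolve relative paths against the process's working directory and canonicalize the file before applying rules, which this model omits.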
Detect shellcode injections
Enabling this setting turns on buffer overflow protection.
Background : A buffer overflow is an anomalous condition where a process/executable attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits.
Turning on buffer overflow protection instructs Comodo Endpoint Security to raise a pop-up alert on every event of a possible buffer overflow attack. The end user can allow or deny the requested activity raised by the executing process, depending on the reliability of the software and its vendor. Comodo recommends that this setting is left enabled (Default = Enabled).
You can also add files, folders and/or file groups to be excluded from shellcode injection detection. To add exclusions, click the 'Exclusions' link after enabling this option. The process of adding exclusions is similar to adding exclusions for virtualization in Sandbox Settings. Refer to the explanation of adding files/folders to be excluded in the previous section.
HIPS Rules
The 'HIPS Rules' screen allows you to view the list of active HIPS rulesets applied to different groups of or individual applications and to create and manage rules for the profile. You can change the ruleset applied to a selected application or application group.
Note: HIPS Rulesets must be created before they can be applied to an individual application or an application group. Refer to the next section, Rulesets, for details on creating new rulesets.
HIPS Rules - Column Descriptions

Application
Name of the individual application or the application group to which the ruleset is applied

Treat As
The ruleset applied. For more details on rulesets, refer to the next section, Rulesets.

Actions
Contains control buttons to edit or remove the rule
Creating and Modifying HIPS Rules
To define an application's HIPS rule, take two basic steps.
• Step 1 - Select the application to which the ruleset is to be applied
• Step 2 - Configure the rules for this application's ruleset
Step 1 - Select the application to which the ruleset is to be applied
• To define a ruleset for a new application (i.e. one that is not already listed), click the 'Add Rule' button at the top of the list in the 'HIPS Rules' interface.
The 'HIPS Rule' interface will open as shown below:
Because this is a new application, the 'Name' field is blank. (If you are modifying an existing rule, then this interface shows the individual rules for that application's ruleset).
• To create a rule for a single application, enter its file name in the 'Name' field
• To create a rule for an application group, select 'Use Group' and choose the file group from the drop-down
Note : CDM ships with a set of predefined file groups containing collections of files under respective categories. Administrators can also create custom file groups with required applications. All the pre-defined and the custom file groups will be available in the drop-down. The custom file groups can be created under Settings > Global variables interface. Refer to the section
Step 2 - Configure the rules for this application's ruleset
• Use a Predefined Ruleset - Allows you to quickly deploy an existing HIPS ruleset on to the target application. Choose the ruleset you wish to use from the drop-down menu. The name of the predefined ruleset you choose is displayed in the 'Treat As' column for that application in the 'HIPS Rules' interface.
Note : Predefined Rulesets, once chosen, cannot be modified directly from this interface - they can only be modified and
• Use a Custom Ruleset - Designed for more experienced administrators, the 'Custom Ruleset' option grants full control over the configuration of each rule within that ruleset. The custom ruleset has two main configuration areas - Access Rights and Protection Settings (Default = Enabled).
In simple terms, 'Access Rights' determine what the application can do to other processes and objects, whereas 'Protection Settings' determine what other processes can do to the application.
i. Access Rights - The 'Process Access Rights' area allows you to determine what activities can be performed by the applications in your custom ruleset.
and the implications of choosing the action from 'Ask', 'Allow' or 'Block' for each setting as shown below:
• Exceptions to your choice of 'Ask', 'Allow' or 'Block' can be specified for the ruleset by clicking the 'Modify' link on the right.
• Select the 'Allowed Files/Folders' or 'Blocked Files/Folders' tab depending on the type of exception you wish to create.
• Clicking the 'Add' button at the top allows you to choose which applications or file groups you wish this exception to apply to (click here for an explanation of the available options).
ii. Protection Settings - Protection Settings determine how protected the application or file group in your ruleset is against activities by other processes. These protections are called 'Protection Types'.
• Select 'Active' to enable monitoring and protect the application or file group against the process listed in the 'Protection State' column. Select 'Inactive' to disable such protection.
Exceptions to your choice of 'Active' or 'Inactive' can be specified in the application's ruleset by clicking the 'Modify' link on the right.
7. Click 'OK' to confirm your settings.
Rulesets
multiple applications or groups. Each ruleset is comprised of a number of rules and each of these rules is defined by a set of conditions/settings/parameters. Rulesets concern an application's access rights to memory, other programs, the registry etc.
The Rulesets screen under the 'HIPS' tab displays the list of rulesets and allows you to add and manage new rulesets.
To add a new ruleset
• Click the 'Add Ruleset' button above the list of rulesets.
The 'HIPS Ruleset' dialog will appear.
• Enter a name for the ruleset
•
changes you make here are automatically rolled out to all applications that are covered by the ruleset. The new ruleset will be available for deployment to HIPS rule for applications/application groups from the HIPS Rules interface.
• To edit a ruleset, click the Edit button under 'Actions' in the Rulesets interface. The editing process is similar to the ruleset creation process explained above.
Protected Objects
The 'Protected Objects' panel under the 'HIPS' tab allows you to protect specific files and folders, system-critical registry keys and COM interfaces at the managed computers against access or modification by unauthorized processes and services. You can also add files in 'Protected Data Folders', so that 'Sandboxed' programs will be blocked from accessing them.
The 'Show' drop-down allows you to choose the category of protected objects to be displayed in the list and add and manage the protected objects of that category. You can add following categories of protected objects:
• Protected Files - Allows you to view and specify files and folders that are to be protected from changes
• Registry Keys - Allows you to view and specify registry keys that are to be protected from changes
• COM Interfaces - Allows you to view and specify COM interfaces that are to be protected from changes
• Protected Data Folders - Allows you to view and specify folders that are to be protected from changes by Sandboxed programs
Protected Files
The 'Protected Files' list under the 'Protected Objects' interface allows you to view and manage the list of files and file groups that are to be protected from access by other programs, especially malicious programs such as viruses, Trojans and spyware, at the managed computer. It is also useful for safeguarding very valuable files (spreadsheets, databases, documents) by denying anyone and any program the ability to modify the file, avoiding the possibility of accidental or deliberate sabotage. If a file is 'Protected' it can still be accessed and read by users, but not altered. A good example of a file that ought to be protected is the 'hosts' file (c:\windows\system32\drivers\etc\hosts). Placing this in the 'Protected Files and Folders' area allows web browsers to access and read the file as normal. However, should any process attempt to modify it, Comodo Endpoint Security blocks the attempt and produces a 'Protected File Access' pop-up alert.
If you add a file to 'Protected Files', but want to allow trusted application to access it, then rules can be defined in HIPS Rulesets.
placed in Protected Files.
• To view the list of Protected Files, choose 'Protected Files' from the 'Show' drop-down in the 'Protected Objects' interface
The Protected File list is displayed under two categories, which can be selected from the drop-down at the right.
• To view and manage the list of individual files, programs and applications added to the Protected Files list, choose 'File List'
• To view the file groups added to the Protected Files list, choose 'Group List'
You can add individual files, programs, applications or file groups to 'Protected Files'.
To add an individual file, program or an application
• Choose 'File List' from the drop-down at the right and click the 'Add File Path' button.
• Enter the installation/storage path, including the file name, of the file to be protected on the managed computers in the 'Add Protected File Path' dialog and click 'OK'.
• Repeat the process to add more files.
• To edit the path of an item in the list, click the Edit icon under 'Actions' in the list.
• To remove an item from the list, click the trash can icon under 'Actions' in the list.
To add an application/file group to the Protected Files list
• Choose 'Group List' from the drop-down at the right and click the 'Add Protected Group' button
• Choose the file group from the drop-down and click 'OK'.
Note : CDM ships with a set of predefined file groups containing collections of files under respective categories. Administrators can also create custom file groups with required applications. All the pre-defined and the custom file groups will be available in the drop-down. The custom file groups can be created under 'Settings' > 'Global variables' interface. Refer to the section
• Repeat the process to add more file groups.
• To edit an item in the list, click the Edit icon under 'Actions' in the list.
• To remove an item from the list, click the trash can icon under 'Actions' in the list.
Exceptions
You can choose to selectively allow another application (or file group) to modify a protected file by affording the appropriate
'Open Office Calc' program to be able to modify this file as you are working on it, but you would not want it to be accessed by a
• First add Accounts.ods to the 'Protected Files' area as explained above.
• Then go to the 'HIPS Rules' interface and add it to the list of applications.
• In the 'HIPS Rule' interface, enter the file name as Accounts.ods, choose 'Use a Custom Ruleset' and select a ruleset from the 'Copy From' drop-down.
• Under the 'Access Rights' tab, set all the rules to 'Ask'.
• Under the 'Access Rights' section, click the link 'Modify' beside the entry 'Protected Files/Folders'.
The 'Protected Files/Folders' interface will appear.
• Under the 'Allowed Files/Folders' section, click 'Add' > 'Files' and add scalc.exe as an exception to the 'Ask' or 'Block' rule in the 'Access Rights'.
Another example of where protected files should be given selective access is the Windows system directory at 'c:\windows\system32'. Files in this folder should be off-limits to modification by anything except certain trusted applications, such as Windows Updater applications. In this case, you would add the directory c:\windows\system32\* to the 'Protected Files' area
the same process outlined above to create an exception for that group of executables.
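The precedence rules this page describes (the global 'Allow' created by switching an activity off in Monitoring Settings, the per-access-right 'Ask'/'Allow'/'Block' of a custom ruleset with its Allowed/Blocked Files/Folders exceptions, and the default response used when pop-up alerts are suppressed) combine as in the Python model below. This is example code written for this edit, not Comodo's implementation: it evaluates the ruleset of the requesting application against the target path, and the configuration, file-group members, rule names and paths in it are constructed assumptions that mirror the Accounts.ods and system32 examples above.

```python
"""Model of how HIPS settings combine for one access request.
Added example, not Comodo's code; names, groups and paths are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ntpath

ASK, ALLOW, BLOCK = "Ask", "Allow", "Block"
PROTECTED_FILES = "Protected Files/Folders"   # one of the Access Rights
HOOKS = "Windows/WinEvent Hooks"              # one of the Activities To Monitor


@dataclass
class Rule:
    """One access right inside a custom ruleset."""
    action: str = ASK
    allowed: list = field(default_factory=list)   # 'Allowed Files/Folders' exceptions (target patterns)
    blocked: list = field(default_factory=list)   # 'Blocked Files/Folders' exceptions (target patterns)


@dataclass
class HipsConfig:
    enabled: bool = True
    monitoring: dict = field(default_factory=dict)        # activity -> on/off (Monitoring Settings)
    protected_files: list = field(default_factory=list)   # Protected Objects > Protected Files patterns
    file_groups: dict = field(default_factory=dict)       # group name -> member path patterns
    rulesets: dict = field(default_factory=dict)          # app name or group name -> {access right: Rule}
    show_popups: bool = True                              # False = 'Do NOT show popup alerts'
    default_response: str = BLOCK                         # 'Block Requests' / 'Allow Requests' when popups are off


def _match(path, patterns):
    """Case-insensitive wildcard match; '*' also spans directory separators."""
    p = path.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in patterns)


def _ruleset_for(cfg, app):
    """A rule for the individual application wins over a rule for a file group it belongs to."""
    direct = cfg.rulesets.get(ntpath.basename(app).lower())
    if direct is not None:
        return direct
    for group, members in cfg.file_groups.items():
        if _match(app, members) and group in cfg.rulesets:
            return cfg.rulesets[group]
    return None


def decide(cfg, app, activity, target=None):
    """Return Allow, Block or Ask for `app` attempting `activity` on `target`."""
    # 1. Monitoring Settings are global: an activity switched off there is a
    #    universal Allow that overrides any ruleset (see the note on this page).
    if not cfg.enabled or not cfg.monitoring.get(activity, True):
        return ALLOW
    # 2. File access is only mediated for objects listed under Protected Files.
    if activity == PROTECTED_FILES and not _match(target or "", cfg.protected_files):
        return ALLOW
    # 3. The requesting application's ruleset, with per-target exceptions.
    rules = _ruleset_for(cfg, app)
    rule = rules.get(activity) if rules else None
    if rule is None:
        action = ASK                      # no rule: the user is asked
    elif target and _match(target, rule.blocked):
        action = BLOCK
    elif target and _match(target, rule.allowed):
        action = ALLOW
    else:
        action = rule.action
    # 4. With pop-ups suppressed, 'Ask' becomes the configured default response.
    if action == ASK and not cfg.show_popups:
        action = cfg.default_response
    return action


# Constructed configuration mirroring the Accounts.ods and system32 examples.
EXAMPLE = HipsConfig(
    monitoring={PROTECTED_FILES: True, HOOKS: False},
    protected_files=[r"c:\windows\system32\*", r"c:\users\*\Accounts.ods"],
    file_groups={"Windows Updater Applications": [r"*\wuauclt.exe", r"*\trustedinstaller.exe"]},
    rulesets={
        "scalc.exe": {PROTECTED_FILES: Rule(ASK, allowed=[r"*\Accounts.ods"])},
        "Windows Updater Applications": {PROTECTED_FILES: Rule(ALLOW)},
        "dropper.exe": {PROTECTED_FILES: Rule(BLOCK), HOOKS: Rule(BLOCK)},
    },
)
HOSTS = r"c:\windows\system32\drivers\etc\hosts"
```

Two points worth checking against your own profile with a model like this: a `Block` for hooks on dropper.exe is silently turned into `Allow` as soon as 'Windows/WinEvent Hooks' is unticked in Monitoring Settings, and an unknown application asking to modify the hosts file is blocked rather than asked when pop-ups are suppressed with 'Block Requests' as the default.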
Registry Keys
The 'Registry Keys' list under the 'Protected Objects' interface allows you to view and manage the list of critical registry keys and registry groups to be protected against modification. Irreversible damage can be caused to the managed endpoint if important registry keys are corrupted or modified in any way, so it is essential that these registry keys are protected against any type of attack.
To view the list of Protected Registry Keys, choose 'Registry Keys' from the 'Show' drop-down in the 'Protected Objects' interface
The Protected Registry Keys list is displayed under two categories, which can be selected from the drop-down at the right.
• To view and manage the list of individual keys and values, choose 'Key List'
• To view the Registry Groups, choose 'Group List'
You can add individual registry keys and Registry groups to Protected Registry Keys list.
To add an individual key
• Choose 'Key List' from the drop-down at the right and click the 'Add Registry Key' button.
• Enter the key name to be protected in the 'Add Registry Key' dialog and click 'OK'.
• Repeat the process to add more keys.
• To edit an item in the list, click the 'Edit' icon under 'Actions' in the list.
• To remove an item from the list, click the trash can icon under 'Actions' in the list.
To add a Registry group to the Protected Registry Keys list
• Choose 'Group List' from the drop-down at the right and click the 'Add Protected Files' button
• Choose the Registry group from the drop-down and click 'OK'.
Note: CDM ships with a set of predefined Registry groups containing collections of registry keys under respective categories. Administrators can also create custom Registry groups with the required key values. All the pre-defined and the custom Registry groups will be available in the drop-down. The custom Registry groups can be created under the 'Settings' > 'Global variables' interface. Refer to the section Registry Groups for more details.
• Repeat the process to add more Registry groups.
• To edit an item in the list, click the 'Edit' icon under 'Actions' in the list.
• To remove an item from the list, click the trash can icon under 'Actions' in the list.
COM Interfaces
Component Object Model (COM) is Microsoft's object-oriented programming model that defines how objects interact within a single application or between applications, specifying how components work together and interoperate. COM is used as the basis for ActiveX and OLE, two favorite targets of hackers and malicious programs to launch attacks on a computer. It is a critical part of any security system to restrict processes from accessing the Component Object Model, in other words, to protect the COM interfaces.
The 'COM Interfaces' list under the 'Protected Objects' interface allows you to view and manage the list of individual COM classes and COM groups that are to be protected by Comodo Endpoint Security at the managed computer against modification, corruption and manipulation by malicious processes.
• To view the list of Protected COM interfaces, choose 'COM Interfaces' from the 'Show' drop-down in the 'Protected Objects' interface
The Protected COM Interfaces list is displayed under two categories, which can be selected from the drop-down at the right.
• To view the list of individual COM Interfaces/Classes and manage them, choose 'Classes List'
• To view the COM Groups and manage them, choose 'Group List'
You can add individual COM Interfaces/Classes and/or pre-defined COM groups to the 'Protected COM Objects' list.
To add an individual COM object
• Choose 'Classes List' from the drop-down at the right and click the 'Add COM Class' button
• Enter the name of the COM object to be protected at the managed computer in the 'Add COM Class Name' dialog and click 'OK'.
• Repeat the process to add more COM objects.
• To edit an item in the list, click the 'Edit' icon under 'Actions' in the list.
• To remove an item from the list, click the trash can icon under 'Actions' in the list.
To add a predefined COM Group to the Protected COM objects list
• Choose 'Group List' from the drop-down at the right and click the 'Add COM Group' button
• Choose the COM group from the drop-down and click 'OK'.
Note: CDM ships with a set of predefined COM groups containing collections of COM interfaces under respective categories. Administrators can also create custom COM groups with the required COM objects. All the pre-defined and the custom COM groups will be available in the drop-down. The custom COM groups can be created under the 'Settings' > 'Global variables' interface. Refer to the section COM Groups for more details.
• Repeat the process to add more COM groups.
• To edit an item in the list, click the 'Edit' icon under 'Actions' in the list.
• To remove an item from the list, click the trash can icon under 'Actions' in the list.
Protected Data Folders
The data files in the folders listed under the 'Protected Data Folders' area cannot be seen, accessed or modified by any known or unknown application that is running inside the sandbox.
Tip: modified, whereas the files/folders in 'Protected Data Folders' are totally hidden from sandboxed programs. If you want a file to be readable by other programs but protected from modification, add it to the 'Protected Files' list. If you want to totally conceal a data file from all sandboxed programs but allow read/write access by other known/trusted programs, add it to 'Protected Data Folders'.
The 'Protected Data Folders' list under 'Protected Objects' allows you to define protected data folders at the managed computers and to manage them.
• To open the Protected Data Folders list, choose 'Protected Data Folders' from the 'Show' drop-down in the 'Protected Objects' interface.
You can add standard folders at the managed computers as Protected Data Folders. Data files to be protected from sandboxed programs can be saved inside those folders at the managed computers.
To add the path of a protected data folder
• Click the 'Add Folder' button at the top of the list