HAS ANYONE BEEN ABLE TO PROPERLY WHITELIST? CAN YOU DEPLOY TO CLIENTS & BE ASSURED?

I consider myself to be not an expert but close to being an expert on using and deploying ITSM, and the security that it provides.

To date, I have not been able to properly make ITSM ignore the programs and paths on my white list. I have issues with the documentation as documentation in the wiki sometimes disagree. I have found exclusion lists pictured in the instructions as default that are not in the profile that I cloned. I’ve had numerous discussions with engineers both abroad and in the United States and I’ve had too many tickets opened with email support.

No one has been able to show me the Holy Grail! So I have to ask the question, has anyone been able to successfully white list a client's application and all the directories that it uses so that when a client needs to update that application, Comodo doesn’t get in the way?

I have a client who has agreed to be my beta tester. It’s a doctor’s office with 14 endpoints and three servers. The entire office mainly uses two applications: one application for the doctor to write notes and keep track of patient interaction, and the other application to work the front office, the billing communication, anything to do with the patient. You might think it would be easy to white list and not have Comodo stop them from doing legitimate things.

Yesterday morning I updated their software on the server. I am not yet running ITSM security on the servers. I white listed the setup program that starts the entire chain of the update for the client, because when the client goes to access the application, the server will push out the updates that the client needs. I got contained in almost every step along the way. I’m getting tired of playing whack a mole. I had to go into the security and click checkboxes to say that the processes and files were trusted even though they came out of the directory that had been white listed in my exclusion list and I have followed the instructions perfectly in listing my file groups in the various places for exclusion.

I should have been able to update the server and when the workers came in in the morning, they should have been able to update their own software, which is done automatically. I tested on one workstation whether that was possible. As it turned out it was not. I have in all client folders a folder I call protected which has the client's profile attached to it. I do not attach profiles individually. Profiles are always attached depending upon where the endpoint sits in the client's folders. This way if I wanted to change the profile to what I call wide open because it has no containment no anything, it’s really just a profile with nothing in it, I can do this easily by removing the endpoint from the protected folder.

In order to have this client function in the morning I had to remove all endpoints from the protected folder so that all security was removed. I then had to individually start the update on each endpoint. When I was finished I moved all my endpoints back into the protected folder and Comodo did not stop the application from running on the endpoints.

I wasted two hours doing this when I should have been able to allow my client and his workers to do this automatically. What if this client had 50 endpoints?

Hello @MSPMSP ,

We are happy to assist you with your concern regarding properly whitelisting. We have created a ticket for you in order to properly address your concern on how to properly do it.

With regards

Did you move this from the MSP area? It belongs in the MSP area, not technically in the ITSM. I’m sure I didn’t put it here originally.

I want to know that I am not the only one experiencing difficulty getting Comodo to back off.

White listing definitely works.

It is not working for me. Do you have specific instructions on how to do it, and where to place my file groups?

66 views and no one has a comment? No one will show me how they do it?

I have followed both of them to a T and still my programs get contained or grabbed.

Hi @MSPMSP ,

Thanks for bringing this up. These instructions should have solved the issues however we can have a session with you to identify the case and to discuss possible solutions.

We’ll contact you for available time slots.

Regards,
-Can

I have finally cracked the code. Along the way, I have had conflicting written instructions - wiki vs documentation - been told almost correct information by various engineers but never the piece I needed.

I’m angry that with all of you out there to help, not one of you were able to get me to the holy grail.

It makes me wonder what damage other people are doing, because along the way I’ve managed to shut down the dental clinic with people having to take x-rays twice because I was poorly trained in the very beginning. And I’ll tell you right now had I not seen the value of what Comodo does in white listing rather than do it everybody else’s way, I would’ve given up long ago. This journey if you want to call it that has been disgraceful, and a lot of my valuable time has been wasted because even though people looked at my setup they didn’t know bits and pieces along the way. There was no one who could definitively tell me how it’s done.

Now I know. And despite the fact that I think that support and education has been abysmal I will move forward with Comodo, but it does make me wonder what other people do who don’t fully understand how this product does what it does.

I would like to thoroughly go over my profile and exclusions. I looked at the two linked documents, from the WIKI and one of them references a location I have not used. I would like to get a better understanding of how things work.

I have asked for but never gotten a flowchart describing how ITSM works. What is the order in which security is layered?

I agree with the marketing paragraph. It’s why I stuck with it. How do we arrange it?

Hi @MSPMSP ,

I’ve sent you a PM in Forum. Waiting for your answer to arrange the session.

Thanks,
-Can

We have working whitelisting, but it is not easy as you have a steep learning curve for it

Did you want to share?

Sorry for the late reply, forum did not let me know you replied.

In our system we have done the following :-

  1. In RMM, go to bottom menu and choose system templates as in the provided guides

  2. Add the required rules to identify the application you need. This has to be the path to any executable.

  3. Now you have the identity of the app you need to work your way with a bit of trial and error adding these as exceptions to each component.
    Containment
    Firewall
    HIPS
    Virusscope
    Etc

I would always add to containment, firewall and HIPS as they are the main ones.

  4. Now the rules are added, you need to make sure the client updates the rules via CCC.

  5. Use RMM to send a rating scan to the device.

  6. Clear the AV logs and now scan is finished try your app, if it is still broken add to more sections, scan etc. again.

I know this is rough, but done via mobile and hopefully I have not missed anything for you.

Now I know. And despite the fact that I think that support and education has been abysmal I will move forward with Comodo, but it does make me wonder what other people do who don’t fully understand how this product does what it does.

I understand your issue but we’ve been with Comodo for two years already and I wouldn’t call education and support abysmal. Double checked everything and white listing works properly.

@kurtstovall ,

Thank you for your kind words. In addition, let’s put in additional info that can benefit other MSPs and alike.

Wildcards:

?:\ - this substitutes any disk drives

*\xxx.exe - This substitutes any folder path. It will be interpreted as all instances of xxx.exe regardless of the path.

*\ - This substitutes a portion in a file name path that may change depending on the username, for example, C:\Users\*\Roaming\Microsoft\Windows

C:\random* - Will match any files in folders with names starting with “random”, for example, C:\random, C:\randomname, C:\randomfolder, C:\randomsomething, etc. This is usually used as C:\Program Files*\ to exclude both Program Files\ and Program Files (x86) on 32-bit and 64-bit machines.

C:\folder\*.* - Will match all files in the current directory, but none in sub-directories.

C:\folder\* - Will match all files in the current directory and sub-directories.

*.exe - Will match any application with exe extension.
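The wildcard rules in the post above can be checked against an application's update chain before a profile is pushed out. The following is an added example, not part of the original thread and not Comodo's matcher: it models the rules as the post states them, assuming the directory-only form is a trailing `\*.*` and that matching is case-insensitive; "ClinicApp" and all paths are constructed.

```python
import re

def to_regex(pattern):
    """Translate one exclusion pattern using the wildcard rules listed in the post."""
    direct_only = pattern.endswith("\\*.*")   # files in this folder, not sub-folders
    body = pattern[:-4] if direct_only else pattern
    parts = []
    for i, ch in enumerate(body):
        if i == 0 and ch == "?" and body[1:3] == ":\\":
            parts.append("[A-Za-z]")          # ?:\ substitutes any disk drive
        elif ch == "*":
            parts.append(".*")                # * may span folder separators
        else:
            parts.append(re.escape(ch))
    if direct_only:
        parts.append(r"\\[^\\]+")             # exactly one more path component
    # Assumption: case-insensitive, as Windows paths normally are.
    return re.compile("".join(parts), re.IGNORECASE)

def audit(patterns, app_paths, other_paths):
    """Return (app paths no pattern covers, non-app paths some pattern covers)."""
    rules = [to_regex(p) for p in patterns]
    hit = lambda path: any(r.fullmatch(path) for r in rules)
    uncovered = [p for p in app_paths if not hit(p)]
    overbroad = [p for p in other_paths if hit(p)]
    return uncovered, overbroad

# Constructed sample data: hypothetical application and paths.
PATTERNS = [
    r"C:\Program Files*\ClinicApp\*.*",
    r"C:\Users\*\AppData\Roaming\ClinicApp\*",
    r"?:\ClinicApp\*",
    r"*\setup.exe",
]
APP_PATHS = [
    r"C:\Program Files (x86)\ClinicApp\setup.exe",
    r"C:\Program Files (x86)\ClinicApp\bin\updater.exe",
    r"C:\Users\alice\AppData\Roaming\ClinicApp\patch.exe",
    r"D:\ClinicApp\Updates\client.msi",
]
OTHER_PATHS = [
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    uncovered, overbroad = audit(PATTERNS, APP_PATHS, OTHER_PATHS)
    print("update-chain files still subject to containment:", uncovered)
    print("files outside the application that are excluded:", overbroad)
```

The first list shows which step of an update would still be contained (here the `\*.*` form misses the `bin` sub-folder); the second shows what a path-independent pattern such as `*\setup.exe` also exempts.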

It would be helpful if they could put information like this in a tooltip area next to the appropriate fields.