Wilders Security Forums  
#451
February 1st, 2013, 02:44 AM
Sordid
Regular Poster
Join Date: Oct 2011
Posts: 79
Re: Comodo Internet Security 6.xx Thread

Comodo 6.0.264710.2708
SandboxIE 3.76

Also running EMET; Virt reg tweak on Comodo. Win7x64.

What is odd is that when installing SB again, my icon in C: changed. I have a feeling SB is not installing properly because it only occurred now. Have you tried going the other way--installing SB then Comodo?

Good luck.
#452
February 1st, 2013, 09:06 AM
kjdemuth
Very Frequent Poster
Join Date: Jul 2005
Location: Boston, MA
Posts: 2,342
Re: Comodo Internet Security 6.xx Thread

Yeah I've tried both ways. I even went as far as take all my security software off and try everything over. Still doesn't work. That's ok though. I'm pretty happy with my current setup. I think adding CF would be overkill at this point.
__________________
Realtime:
WSA AV (Maxed Settings), Sandboxie Paid ( Dropmyrights and Browsers sandboxed) Lifetime license, NVT EXE Radar Pro (Lockdown mode). K9 Web protection. (malware, phishing and HTTPS force) Norton DNS.
On-Demand:
MBAM+EAM
Hitman pro (Scans daily)
#453
February 4th, 2013, 12:35 PM
maymoons
Frequent Poster
Join Date: Oct 2007
Posts: 853
Re: Comodo Internet Security 6.xx Thread

Quote:
This may help: When you use an isolated/restricted sandbox, it seems to apply prefab HIPS rules. So virt, restricted, partially... etc. Some of these prefab policies may include the ability to keylog, e.g. keyboard access/memory access/file access; the info on what those restrictions do is at the Comodo help page. To stop your problem, you must apply new rules to "restricted" or "isolated" sandboxes within rules. Isolated rules should be especially important if you virtualise unknown applications.

The virtualised sandbox can read all your files and upload them to WAN by default. You must kill this, IMO.

So create a "restricted"/"isolated" rule using BLOCK, or it may not work in "safemode." Now you are blocking everything and it is as effective as a BB Sandbox "block" option (read: OS policy -- "do not execute"), but Comodo actually chimes in (why most do not BLOCK within the BB sandboxes).

Thanks, how can I change the default rules? For example, the untrusted rules?
I think there is no way to do that in CIS.

Last edited by maymoons : February 4th, 2013 at 03:52 PM.
#454
February 5th, 2013, 08:58 AM
Solarlynx
Frequent Poster
Join Date: Jun 2011
Posts: 714
Re: Comodo Internet Security 6.xx Thread

You can do that in D+ -> HIPS -> Rulesets.
__________________
★ XP, 7 Prof,Ultimate x32, Ultimate x64
★ Paragon, Macrium
★ CTM, Eaz-Fix ★ Shadow Defender
★ hardware DEP for all, SEHOP, SUA, UAC, SRP, AppLocker, EMET ★
★ DefenceWall ★ Comodo IS - sandboxed browsers, Avast
Emsisoft EK, Microsoft Safety Scanner
#455
February 5th, 2013, 10:17 AM
maymoons
Frequent Poster
Join Date: Oct 2007
Posts: 853
Re: Comodo Internet Security 6.xx Thread

Quote:
Originally Posted by Solarlynx
You can do that in D+ -> HIPS -> Rulesets.

These settings are related to the HIPS module; they aren't related to the BB auto-sandbox.
I think we are talking about changing the BB auto-sandbox settings, like untrusted, partially limited.
All of them are prefab settings and I can't find how to change them. Probably I can't.

For example, a fully virtualized app can read all of my files. Can I change this? I think not; @Sordid suggested it, but there is no way to do that in CIS.

Sandboxie has this ability but CIS hasn't, so it is not the medicine for my problem.

There is some information about sandbox restriction levels, but we can't configure them, and there is no clear information, just basic words.
http://help.comodo.com/topic-72-1-45...-Blocker-.html

Quote:
Partially Limited - The application is allowed to access all operating system files and resources like clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
Blocked - The application is not allowed to run at all.
Fully Virtualized - This option is not available by default but can be enabled by adding a registry key (advanced users only). To do this, open the registry editor and browse to HKLM > SYSTEM > software > Comodo > Firewall Pro. Add a DWORD key to this hive named EnableDefaultVirtualization and set the value to 1. 'Fully Virtualized' will now be listed in the auto-sandbox restriction level drop down.
#456
February 5th, 2013, 11:56 AM
Solarlynx
Frequent Poster
Join Date: Jun 2011
Posts: 714
Re: Comodo Internet Security 6.xx Thread

Now I see, you are talking about changing Restriction Levels for sandbox. I never heard them to be changed. SBIE is more configurable in this respect.
#457
February 5th, 2013, 02:21 PM
maymoons
Frequent Poster
Join Date: Oct 2007
Posts: 853
Re: Comodo Internet Security 6.xx Thread

Quote:
Now I see, you are talking about changing Restriction Levels for sandbox. I never heard them to be changed. SBIE is more configurable in this respect.

Yes, Sandboxie is more configurable, but it hasn't got keylogger, process termination, etc. (HIPS) features.
There aren't perfect tools, of course.
And CIS BB's sandbox is a different concept, not similar to SBIE; it is not virtualization, if I am not wrong. You need to add a reg key for file-level virtualization.
CIS BB and HIPS are very similar. I think BB's "Untrusted" = HIPS "Limited Application"; it will not virtualize but drop rights.

Virtual Kiosk and full virtualization are different, of course. But it is not configurable and it is not secure. I am not talking about malware bypassing virtualization, just that malware can do what it wants within the virtualized session.

Last edited by maymoons : February 5th, 2013 at 02:50 PM.
#458
February 5th, 2013, 03:03 PM
andyman35
Very Frequent Poster
Join Date: Nov 2007
Posts: 2,270
Re: Comodo Internet Security 6.xx Thread

Quote:
Originally Posted by maymoons
For example, a fully virtualized app can read all of my files. Can I change this?

I've not tried this, but if you were to set access restrictions to a particular process within D+, it should then retain these rules once auto-sandboxed. I'm not sure about this, just my thoughts on it.
#459
February 5th, 2013, 09:17 PM
Sordid
Regular Poster
Join Date: Oct 2011
Posts: 79
Re: Comodo Internet Security 6.xx Thread

Exactly, you have to activate that preset rule in "Hips rules" from rule sets. You must also apply to an app because Comodo is SILLY, so we use virtkiosk.exe and cmdvirth.exe or the unknown app itself.

But the correction already seems in place. Even under full virt BB, the unknown process throws a HIPS alert on explorer launching an unknown app in the first place and then asks if I want to add internet once a request is made. So even if a keylogger spawned (doubtful without another exe alert), it can't upload--hell it can't spawn the lead gui unless you allow it from explorer. Manymoons seems to be missing all these alerts; more on that later.

It's all moot. Why play games? Just use "untrusted" for unknown apps and they are so crippled you won't even get a window frame. Lock down your protected folders--that is applied to all boxes.

Manymoons, turn "show escalation" off or hips doesn't show fully and why I see alerts you are not. Also, in general, make sure you have trust installers off in "file rating." For what it is worth, sandboxes do not defeat "in sandbox" non-persistent attacks like session keyloggers or XSS by design, not even sandboxie. Use a VM to test unknown software--and DENY unknown software via Comodo on the host (BB=untrusted).

edit: MAYmoons...sorry...

Last edited by Sordid : February 5th, 2013 at 09:25 PM.
#460
February 6th, 2013, 07:04 AM
maymoons
Frequent Poster
Join Date: Oct 2007
Posts: 853
Re: Comodo Internet Security 6.xx Thread

@Sordid

Quote:
turn "show escalation" off or hips doesn't show fully and why I see alerts you are not.

I don't understand exactly.
Which settings must I change? I want to see HIPS alerts when I run the apps fully virtualized.

Also, on my system (Win8 x64) there is no way to stop the Zemana tests. I disabled BB and turned HIPS on; I block all popups, but Zemana can still capture keystrokes. It shows keylogger alerts but doesn't stop it when I press the block button (block only, not block and terminate).

Meanwhile, I found this from @egemen; I think they already know the Zemana test's situation.

https://forums.comodo.com/news-annou...8537#msg658537

Quote:
Here is what is expected from CIS 6:

1 - If a keylogger is running inside Kiosk, it should not be able to log any keys while you use the computer outside the kiosk or vice versa.
2 - If a keylogger is running in sandbox in users' desktop, SOME background keyloggers will be blocked, SOME will not be. This depends on the technique used.
3 - Static HIPS should detect any keylogging attempt whether it is background or foreground (i.e. if an app is not sandboxed and not safe and HIPS is enabled)
#461
February 6th, 2013, 05:36 PM
JoeBlack40
Very Frequent Poster
Join Date: Apr 2009
Location: Italy
Posts: 1,281
Re: Comodo Internet Security 6.xx Thread

Installed the new CIS firewall and the problem with Sandboxie remains for me. The browsers in SBIE cannot connect to the internet.
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
#462
February 6th, 2013, 07:48 PM
Sordid
Regular Poster
Join Date: Oct 2011
Posts: 79
Re: Comodo Internet Security 6.xx Thread

Maymoons

Most of the previous is designed to lock up or even break virtualising in an effort to get nil unknown code loaded--not to act as some sort of forensic tool or even have the program be usable. IMO, unknown code on hosts should die and die fast until it can be vetted; the sandbox should be used on trusted but vulnerable programs.

I tried a Chromium unknown with Virt BB on. In BB the "detect installers..." page you have a picture of a few posts back--UNCHECK that. Then go to "file ratings" / "Settings" and UNCHECK "trust files installed by trusted installers." Go to configure and activate "proactive security." In "General settings" / "User Interface" select "show notifications."

Now when you click Chrome.exe, HIPS pops up: this is unknown and virtualised. It should then pop up any executions from even trusted apps and show internet resources (Explorer is trying to execute chrome/Chrome is trying to contact XX.XX.XX.XX). I did not try a malware or keylogging sim so am unsure what is said.

But your intention seems multifold from what I gather. You seem to want it acting as a default deny HIPS, Sandboxie, and a forensic malware analyser. The first should work by default and I imagine in general it performs well for you. As Sandboxie, you must lend it the same handicap and configure apps you like to protect. So add progs like browsers to the HIPS and you can simultaneously run under the virtualised sandbox. Both "rules" will be enforced--HIPS policy rules within the virtual sandbox. You can kill file access, keyboard access etc. If you want hyper granular "ask" always on apps--use PARANOID mode, but virtualising seems to cripple some of this so I'd suggest a BLOCK.

The ability to "always ask" over Safe mode settings has been requested. The ability to directly apply HIPS policy to sandboxes via generic rules has been requested. This would be spot-on what you desire.

But even granted sandbox and HIPS improvements, using Comodo or even SBIE as a malware tester: I would highly suggest against it. Too many things can get borked up that way and you are best using a snapshot with proper mal-test gear like Wireshark, PE Explorer, Regshot and debuggers like Olly. Now you can see what the code is doing and what it has done. Otherwise, send the unknown to the AV kids for malware analysis.

http://www.raymond.cc/blog/xray/

HTH
#463
February 7th, 2013, 05:34 AM
maymoons
Frequent Poster
Join Date: Oct 2007
Posts: 853
Re: Comodo Internet Security 6.xx Thread

I changed my settings and set BB to FV. I am getting a popup when the file executes.
There are only 3 presets: isolated, WSA and installer.

So I can't use my own preset with FV apps. And CIS doesn't show another alert when I push allow, so the SS leak test can record keystrokes. Actually CIS can stop it when BB is untrusted-autosandboxed.

All settings are the settings you recommended. And in this case, "detect installers...", "trust files installed by trusted installers" and "show notifications" aren't effective.

Actually Zemana and the SS leak test are in the unknown category for CIS; they aren't trusted files.

Anyway, I still believe there is no way to do this.
I believe the BB auto-sandbox uses the HIPS module and answers the alerts for us automatically (based on the selected virtualized level, except Fully Virt.).
HIPS can alert for FV apps but only when the apps execute. I am not getting any other alert. And it looks like we can't use limited or our own ruleset (I don't know why; it just doesn't show).

Full Virtualization (without any dropped rights) doesn't give security. Malware can't harm the computer but it can leak my data, and I can't find any way to use HIPS with FV.

@Sordid

If you get an alert and I don't, and we are using the same settings, there is a problem with CIS. The problem is I can't use the "limited preset", so malware can record keystrokes in the FV area, and HIPS doesn't show any alert about keylogger activity for FV apps.

At the end of this month, CIS will release a HIPS update. I hope it can help us.
#464
February 7th, 2013, 07:44 AM
Sordid
Regular Poster
Join Date: Oct 2011
Posts: 79
Re: Comodo Internet Security 6.xx Thread

Create a new ruleset. It will add to the drop selection.

But to be like Sandboxie the analog would be adding key_sim.exe to the HIPS rules and then in the sandbox. Sounds strange, I know, and why you shouldn't use full virt outside of forced trusted programs, not unknowns. Even egemen says it won't work by default.

The key here is that the BB untrusted worked, and it didn't per your post at the Comodo forums.

#465
February 7th, 2013, 01:44 PM
maymoons
Frequent Poster
Join Date: Oct 2007
Posts: 853
Re: Comodo Internet Security 6.xx Thread

Quote:
Create a new ruleset. It will add to the drop selection.

Actually the problem is here. It didn't add itself there.
#466
February 18th, 2013, 02:24 PM
AMIGA500
Very Frequent Poster
Join Date: May 2012
Location: United Kingdom.
Posts: 2,657
Re: Comodo Internet Security 6.xx Thread

Quote:
Originally Posted by NormanF
OA has RunSafer and ZA has offered Forcefield. Every company allows you to run your browser in a secure mode - like for example - online banking. Comodo is no different here.

Hmm, actually you are very wrong here. Comodo offers a virtual area to run certain software etc.
RunSafer and ForceField are nothing like this.
__________________
Avira Free av|Comodo Firewall 5.12|MBAM Free.|Sandboxie.|Firefox Browser.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...