Using Comodo Internet Security as an anti-executable

http://forums.comodo.com/defense-sa...t-security-as-an-antiexecutable-t60303.0.html

 

Cheers mate! I had actually been using something similar to this for a while, works great!

 

You can also use Comodo Time Machine as an anti-executable. It trashes your MBR and prevents everything from running.

 

That was cold..but true, lol.

 

At least they fixed it, took plenty long though

 

nice aproach

 

In the past Commodo created a default rule with all asks in steads of the deny's or allows you had changed in the default profiles (Limited, Trusted, etc) when you were not running Paranoid mode. This rules 'leak' existed until Comodo 3.x (the last one I tried). At that time they responded to me that would come with a complete different innovation (it was the sandbox), which would make this 'problem' small for average users running default settings (using the sandbox). I doubt whether they have solved the issue. So it is indeed best practise to Disable D+ when installing and run paranoid mode otherwise!.

Just two question what sandbox settings do you use?

 

How is your method different from mine? What issues have you encountered using it?

 

My method uses Paranoid mode. For other reasons though, I now specify that it's required to disable Defense+ when installing software.

My method doesn't use the CIS sandbox, so it's disabled.

Thank you .

 

your welcome

 

Thanks, you managed to evade design limitations of Comodo

Could you check whether the setting the sandbox on, overrides your setup. It makes no sense to keep the sandbox on, but when somebody less knowledgeable wants to copy your setting and forgets it, it could lead to unexpected results.

 

Great suggestion .

In brief testing with the sandbox on, the method seems to still work fine. I tested with setting 'Automatically run unrecognized programs inside the Sandbox' off and also on.

I think there might be value in using the sandbox with this method. For example, let's suppose a user opens a malicious PDF, which then causes a malicious .exe to be downloaded and attempted to execute. Upon execution attempt, Comodo Internet Security should either prompt or block the malicious .exe, depending on the 'Suppress Defense+ alerts' setting. Let's suppose that the 'Suppress Defense+ alerts' setting is unchecked. Let's suppose that the user unfortunately answers 'Allow' to the execution prompt. If the 'Automatically run unrecognized programs inside the Sandbox' setting is on, the malicious .exe should be sandboxed by CIS. Is this correct?

 

Well,

At least the file changes and registry changes are directed to a sandboxed location. SO Yes, but the deny on itself is strong enough IMO (no need for the sandbox overhead).

I allways changed the file check on all types of files to executables located in C root, Windows and Program Files. This to match the registry and file protection (not all Current User entries are denied either by D+ in the standard setting).

Regards Kees

 

Various changes have been made to the method since the initial post.

 

Does this work using the free version of Comodo Internet Security?

 

Yes .

 

Hello, MrBrian,

Congratulations on a well-thought out tutorial.

I noted your commens in Reply #7:

Some years ago, I discussed malware infections with a tech person in a local computer shop. He said that 99% of all problems he saw in the shop were "User Error" meaning your second paragraph above.

I've always remembered that!

So, with a good anti-execution procedure set up, the only missing link is to educate people on avoiding the "rubbish!"

----
rich

 

Thank you . The purposely-installed "rubbish" indeed is a big problem.

 

Windows really needs a central repo of trusted apps like linux
https://www.wilderssecurity.com/showthread.php?t=279835

 

I've figured out how to allow installations to take place without disabling Defense+ first. If I don't find any problems, I'll change the guide sometime over the weekend.

 

I don't think MrBrian was referring to applications when he mentioned "rubbish" -- my assumption, anyway. I think he was referring to things like this, which I've cited before, which I called "user error":

DNS changer Trojan for Mac (!) in the wild
http://isc.sans.org/diary.html?storyid=3595

----
rich

 

But isnt that an application? Somewhat?

On my debian linux box, NOTHING gets the admin privileges unless its from the debian repositories.
Not acroread
Not Adobe flash plugin
Not SpiderOak online backup service
Not Opera
etc etc

 

Is this also effective for 64 bit? AFAIK, there is some problem with 64 bit win and security apps (as pointed out by Tzuk of Sandboxie)

 

I intended "rubbish" to include socially engineered installations, phony anti-malware, software from dubious websites, cracked software, etc.