Comodo Firewall: Enable "Sandbox" or Not?

Whenever I read the various threads here on Comodo's firewall w/ D+ and Proactive Security one issue that always seems to stand out in my mind is the divergence of opinion on the use of the "sandbox".

Was wondering if some folks would be kind enough to present their views about the use the sandbox and what the pros/cons of so doing might be?

My thanks in advance for your time and effort.

 

I don't use CIS sandbox and I say not:

- it's not a full, complete sandbox
- it had/has some issues and bugs that Comodo has to fix when they are discovered.
- for the multilayer defense philosophy, also if the CIS sandbox was fully sure,it's anyway better to use a sandboxing program by another software house.
- to use CID Defense+ - or another HIPS - at the highest level is more sure that use his sandbox.

 

One thing to note is that the CIS sandbox has only about 3 more months of life left in its present form. The private beta of CIS 6 should start percolating around in August, and from all indications the Sandbox will be hardened (not that it is in any way poor currently).

 

I guess the divergence of opinion I had observed in the past doesn't generate particularly strong feelings either way...

...I personally have never observed any conflicts with the Comodo sandbox enabled at the same time as employing Sandboxie (for browsers and other internet facing apps) but I'd have liked to hear from those who prefer not to use the Comodo sandbox to learn more about what their reasons are.

To me it would seem that the Comodo sandbox could be a good second line of defense (for example) in the case where one inadvertently recovers an app or process out of a protected Sandboxie folder on to their real system and it turns out to be malware ...

...and also during those instances where Sandboxie would be disabled in order to update software that ordinarily runs under its protection.

Thoughts?

 

The auto sandbox is like "Run Safer" in Online Armor so approach it as such.

Manually instigated sandboxing has file and registry virtualization and is more like a traditional sandbox, although I don't know how it compares to Sandboxie.

 

if you comparing Comodo FW Sandbox with other discrete sandbox it will fail
not alone temprorally all of the IS sandboxes fail
Avast /Kaspersky

it doesn't mean they are not secure but they have their known back exit

BTW comodo is aware of this problem and that's why it's disabled by default

 

That is pretty much the way I was thinking of it (albeit with the ability to enforce stronger restrictions than OA imposes in that regard).

In my mind nothing quite compares to Sandboxie but it's always nice to have a backup plan or second line of defense.

 

This is what I thought also, there being a difference between the Auto-Sandbox and manual sandboxing.
The Comodo site states however;
-Features; Auto Sandbox Technology™. The sandbox is a virtual operating environment for untrusted programs – ensuring viruses and other malicious software are completely isolated from the rest of your computer.
-Frequent questions; The sandbox is a virtual operating environment created within your computer for unknown and untrusted programs.
...Applications in the sandbox are run under a carefully selected set of privileges and will write to a virtual file system and registry instead of the real system. link

A post from a Comodo forum mod reads;
'Comodo is currently working on CIS v6 which will bring virtualisation to the automatic sandbox process.´ link
Anyone know what is the truth? Comodo site info or the forum mod info?

 

The Comodo sandbox is like a form of Defense+. It limits what unrecognized programs can access. It's a very effective security tool, especially when you set it to limited. It is NOT like Sandboxie though in that it can still write to the drive, it is only restricted in where it can write. (DEPENDING ON SANDBOX SETTINGS; I'm referring to the default settings or at least anything above the most restrictive setting)

The two concepts are similar in principle. The way Comodo sandbox works is less intrusive in that the vast majority of good programs can still operate while in a limited mode while Sandboxie will restrict programs to where special rules are needed.

I'll give you an example. Let's say you run a word processing program and it gets sandboxed by Comodo. The sandboxing will prevent the program from, say, writing to system files, but it won't prevent it from writing to your My Documents folder. On the other hand, Sandboxie is a more complete solution that will only allow it to write to the sandbox with an option for file recovery later.

This is not to say Comodo sandbox is bad, only that it's different.

I personally run Comodo sandbox and Sandboxie with no conflicts. The logic is that not every program I run is sandboxed with Sandboxie because I don't want to deal with the possible headaches that causes. I sandbox my web browsers, chat clients, and anything that faces the internet except for games. In terms of most other programs, Comodo limits what they can access. Very few programs have access (just the security software.)

 

Comodo Sandbox is like semi-virtualization or policy restricted.

Version 6 is going to be with full virtualization then there will be no probs running apps in sandbox & it will be much more comfortable & secure.

Version 6 first Beta is due in August.

I am running the latest CIS Free/Premium Suite on one of the system here but have diasbled sandbox. With version 6 having full virtualization I am difinitely going to keep sandbox enabled & also install it on other systems here & recommend to freinds & others too, offcoz if it will be easy & work fine, especially for average users.

 

This point of view makes a lot of sense to me as I also use Sandboxie and have used and am familiar with the "run safer" / "limited" settings in Online Armor and PrivateFirewall.

Sandboxie prevents most direct threats from the web/internet by auto-deleting the sandbox after a browser session (except for anything I choose to recover to a sandboxed download folder where it can be further evaluated as necessary).

If Comodo's sandbox/execution control is set more restrictively than the "limited" setting I run the risk that the app I want to install/run won't be able to do so and my only option will be to "trust" that app. (Please correct me if I'm wrong.)

On the other hand, if the sandbox is set to "limited", there is quite a large universe of apps that will run with that restriction in my experience.

It seems more productive (at least in this case) to allow the Comodo sandbox to actually be utilized for the purpose of isolating and running a program versus just being used as a "screening tool" giving you the option of either "trusting" the app or having it not run at all.

Please feel free to present arguments for or against this point of view as I very much want to learn how to use Comodo's tools most effectively.

 

I believe that D+ rules override Sandbox rules. So if D+ pops up and you select "Installer", it will use that rule instead of the Sandbox rules.

Either way, the Comodo sandbox recognizes installers and trusted vendors and runs them outside of the sandbox.

The way I use it is like this:

- The most dangerous programs (web browsers) or programs that continually face the internet (chat clients) are run in Sandboxie.

- As a rule, all other programs are run as Untrusted in D+. My logic is that (1) most programs work with an Untrusted setting and (2) if they don't, I'll move them up to a higher setting using D+.

- Only truly trusted programs get full access, like Comodo and AVG.

for reference: (from the Comodo manual)

Partially Limited (Default) - The application is allowed to access all the Operating system files and resources like clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.

Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run with out Administrator account privileges.

Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

Note: Some of the applications like computer games may not work properly under this setting.

Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

Note: Some of the applications that require user interaction may not work properly under this setting.

Blocked – The application is not allowed to run at all.

 

@Fox Mulder:

Okay, so as a procedural matter, let's say that you are installing "unknown" program x in Comodo and have everything set to run "untrusted".

When you go to install, the Comodo program alerts that it's going to be run in the sandbox as it's unknown to Comodo etc.

Now, the let's say the program won't install/run due to the "untrusted" setting.

What is the next step you take at this point (assuming that you've checked out the app on VirusTotal etc and it came up with a clean bill of health)?

Where do you go within Comodo to apply the necessary changes to allow the app to install/load?

I appreciate the assistance as this will help with the process the next time I install an app in this situation.

 

You run the program again and when you see the sand box alert again you simply check the box 'do not sandbox again'. Or go to defense+ settings, click on trusted files, then click add, then browse files, then browse to your exe file and click add.

 

Okay, I understand that...but then isn't this limiting your choices to either trying to run/install the app at the "untrusted" level (which didn't work) or now "trusting" it to get it to work? That's a big jump in permission.

What if say you wanted to only bump up the level one notch to "restricted", or two settings to "limited", the minimum required to get it to run/install?
How would you go about putting that into effect?

 

I guess my question is...to accomplish this (when installing), if the app won't install as "untrusted"...do you just go to the "Execution Control Settings" and temporarily bump it up one level (to "restricted") and then repeat the attempt to install?

Assuming it works and the app is now loaded and running (at whatever setting you were forced to use..."restricted", "limited", etc.), do you now return to "Execution Control Settings" and reset "treat unrecognized files" to "untrusted'?

Thanks in advance.

 

Oh, what I do is I go into Defense+ and add a rule for the file. I set it to whatever it requires.

In practice, I never have this problem because the system is good at recognizing installers and files from trusted vendors.