COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    To those that watched the review, you may have noted that the test computer was shut down by malware. This was the Ransomware that I've been seeing constantly lately. Although the malware was stopped from doing any damage it still was allowed in the review to access System32-shutdown.exe.

    Although not a big deal, this could have been prevented by setting CIS in the Configuration menu to Proactive Security. Also the trojan found was an exe that was created by running the ransomware app. It is harmless by itself without the primary malware application to trigger it; but if run it would have been quarantined.
     
    Last edited: Jul 27, 2011
  2. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    I have been testing this beta and the cloud behavior scanner is working well. Have seen it constantly pop up for malicious sandboxed items. Had a ransomware run sandboxed as restricted where it loaded up its lock screen and for like 1 min I couldn't close or do anything, but then the cloud behavior popped up and killed the malicious process and machine was usable again.
     
  3. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    Yes also changing unknown applications to run as untrusted. The malware won't even run that way.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :thumb: Good test.
    Now I wonder if OA will block this attack?
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I really don't like Untrusted choice. Although you are very correct that it won't run, this setting can be a real pain at other times and in some settings it can be really counterproductive. Limited fits the bill without preventing normal work flow.
     
  6. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Same here:)
     
  7. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    Definitely. Hopefully when they implement full virtual mode that should solve the problem of partially limited or limited letting some things through. And still be able to properly run unknown good programs.
     
  8. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I've always run it at untrusted and the only problem I've had was to disable the sandbox while installing a trusted program. Limited allows too much access.

    "Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges."

    "Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights."

    I would much rather have a minor inconvenience than any access to the OS by some malware.
     
  9. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Hmm, thanks for letting me know about that. It's good that it is working well :)
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think there's any reason to run as untrusted. At that point why not simply put it to "block" the application entirely? The idea of sandboxing is that you can still run the program with no problems but it can't touch the system, malware or not. If you're on Untrusted you're likely going to just break anything either way and you'd see better results flat out blocking.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Agree with Hungry Man :thumb:
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The Cloud Scanner is starting to amaze me. It has been picking up things with a 3-5 detection rate on VT. On the low detection things, as has been pointed out by Syk, you can run them (sandboxed) but they will be shortly deleted.

    I'm REALLY trying to trash this computer with malware, but so far to no avail.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I did my best to completely destroy my computer with malware on 5.5 to no avail. Things were either outright caught by cloud heuristics or sandboxed as partially limited and unable to function properly.

    I've been too lazy to test 5.8 as thoroughly but I probably will later tonight.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :thumb: thanks for testing
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Testing now. I won't bother with any results topic or anything like that. I'll just give a quick summary.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks a lot buddy :thumb:
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    11 malicious files detected. 8 were detected and blocked. 2 weren't blocked but were sandboxed and unable to infect the machine. 1 managed to start a process from the downloads folder and Comodo didn't prevent it (Even though it did give a security alert.)

    HitmanPro removed the 1 entry that managed to start a process.

    Note that I'm using default Defense+ and Firewall settings and no antivirus. Windows 7 64bit VM fully updated with no other programs installed.

    edit: I'm going to now test the one file that got through when it's not sandboxed to see how it acts.
     
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    That's part of the reason to run untrusted. Running limited has shown to drop files from trojans and other malware. It does have access to your system, just a limited amount. I'm sorry but I really don't want to take that chance.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    But then why not simply block? It defeats the purpose of sandboxing to break every single program that runs in the sandbox.

    You should move to Limited if you're worried or simply just block everything.
     
  20. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    That's why if you put it to something other than PL then it does not leave anything left over. Such as restricted for example.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes... but then why not simply block everything? Most things won't run at all with restricted... and that means you won't get to see if they're malicious or not. The idea of sandboxing is to let you run your programs whether they're malicious or not.

    If you're running as restricted you're essentially blocking everything except not as effectively.

    Pick what you want to do. Sandbox or block.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    FYI guys, when not running Comodo and running that one particular piece of malware I'm finding many many more files on my system with MBAM. So Comodo definitely prevented the program from functioning completely.
     
  23. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Because the sandbox is not an actual sandbox. It's a restrictive anti-exe. Something will gain access to your system if it's allowed by partly limited. Once the file is restricted from running, the cloud scanner and cloud behavior scanner will run it through CIMAS. It will be checked against the whitelist. If it's found to be malicious it will say so. If not it will be restricted from the level you've chosen.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    So what you're doing is sandboxing in order to break programs long enough for them to be scanned by the cloud scanner?

    That seems silly. It's not full virtualization but it is sandboxing. Moving between Partially Limited and Restricted only adds more restrictions; it doesn't virtualize anything else. Anything above Limited ends up breaking things anyways so you may as well simply block a file and then allow the cloud scanning. Restricted has virtually none of the benefits of sandboxing and it's not going to protect you as much as blocking.
     
  25. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    I agree and I set unrecognized files at Blocked. If I know it's a good program I move it to trusted files and it runs fine after that. If I'm not sure I submit it to Comodo and if it's good they whitelist it for me. Rather not have unknown malware run at all.
     