COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    That's my logic and why I set it to Blocked. No point in having it run anyway.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wish we could pick and choose which features are applied to our default sandbox. I'd love to have some of the restrictions from Limited but then to remove the limit on process number.

    Hopefully with version 6 we'll see full virtualization and some better customization of the sandboxing levels.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Nothing wrong with that.
     
  4. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    No, it's not an actual sandbox. It's not virtualized. It's policy restriction. It's sandbox-like.
    Why is it silly? It's restricting an unknown program from the system. If you don't want something restricted you hit the "don't sandbox" when the alert pops up. It's restricted so the cloud scanner can determine what it is. It works similar to defensewall and geswall. Both policy restriction and defensewall being light virtualization. Geswall doesn't trust something until you tell it to.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think it's silly because all it does is break the program when you can simply just block it.

    Doesn't the cloud scanner work when you block applications just as it works when you run them in restricted?

    And sandboxing does not equate to virtualization.
    http://en.wikipedia.org/wiki/Sandbox_(computer_security)

    A jail is a sandboxing method that imposes restrictions.

    When something is not "fully virtualized" it does not mean that it isn't "fully sandboxed."
     
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Then what would be the point of having varying degrees of restriction on the sandbox? I guess Comodo devs are silly for doing it then.
    Sandboxing has always been associated with virtualization. That's why geswall is a policy restriction and sandboxie is a sandboxing application. So by your logic appguard is a sandboxing software as well.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think what you mean to say is that YOU have always associated it with virtualization.

    I think that they're in there so that you can run specific files/ programs as restricted so naturally they allow you to automatically do so.

    I'm unfamiliar with appguard, but I've already shown you that sandboxing is a term that can be broken down into many many methods.
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    So far a busy morning here. I was going to post about testing CIS beta against 50 malware links which it breezed through. I was going to obsess about finding 11 exe's no more than 8 hours old, all of which either had 0 detections (3), 3 detections (4), and 7 detections (4) according to virustotal. I was going to opine about how (with the settings: Proactive Security, D+ Execution Control on Limited) CIS beta Cloud detected and deleted 8/11 and successfully sandboxed 2 others without a peep going out to the internet by any of them when I came to the last one.

    I downloaded it, ran it. Nothing from CIS. Yikes! It looked like a real installer working- even got a warning from the Firewall that 2 components were trying to get out (I blocked them of course). After a reboot I ran the usual 2 suspects to check to see if malware was on the system; one of them showed the system was clean, but the other showed 17 files and registry entries for a trojan. 17 ENTRIES!!!!!! HOW COULD THIS BE o_O? HOW COULD CIS HAVE FAILED ME o_O?? HAVEN'T I BEEN FAITHFUL o_O??

    I just wouldn't accept it. After restoring a clean image (no VM here!), I ran it again. Same result. Unreal- I must have done something wrong. So another clean image loaded, the program run again but this time for laughs I let the program get out to the Internet which it was eager to do. Yes indeed, the nasty did download files. When it was finished I checked the Network Traffic as I was sure either my computer was now part of a GLOBAL BOTNET or at least a million random trojans were being downloaded into my poor little (but cute) machine. Surprisingly enough, no network traffic.

    At a loss I decided to actually run the program. Surely now the computer would at a minimum become totally trashed if not completely melt down and explode. Another surprise- all I had was a perky little photo viewer application. Now thoroughly disgusted that this nasty, nasty malware could present itself as an innocuous Photo app I was about to re-image and hit the bottle when a thought struck- let's try the Program's Uninstall Function. That should be TOTALLY HORRIBLE.

    Well, another surprise. All it did was uninstall the program. After a reboot I ran the above mentioned 2 usual suspects and to my amazement no infection was now found. No files, no shortcuts, no registry entries. Nothing.

    Welcome to the land of False Positives.

    (sorry for the rant, but I'm sooo tired. Mods please feel free to delete)
     
  9. guest

    guest Guest

  10. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    "The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization."

    Straight from the same link as your wikipedia. Using scratch space on a disk, sure sounds like virtualization to me.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    By making a reference to Wikipedia, you have too. The term sandbox implies more than just policy restriction; it also implies isolation. Note the use of the terms separation and virtualization in the following quote from the Wikipedia article:
    http://en.wikipedia.org/wiki/Sandbox_(computer_security)


    AppGuard is policy restriction software, similar to GeSWall and DefenseWall. Here's what the developers of GeSWall have to say about why GeSWall shouldn't be classified as a sandbox:
    http://www.gentlesecurity.com/docs/geswallfaq01.html#q4
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Apologies, you got there before me. :)

    Regards
     
  13. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,254
    Location:
    Texas
    I sense you like Comodo! And the Bruins won...you're having a good year!
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yikes. Thanks for educating me. That's why I'm here. I was under the impression that sandboxing was only a method of isolation and that virtualization was a further method in sandboxing and not vice versa.

    Anyways, I still find that running in restricted (automatically, on demand makes sense to me) doesn't make sense. It would, I suppose, if cloud scans weren't done on "blocked" files but I think that they are.
     
  15. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    That's ok, you don't have to like running things in restricted. I would rather have something restricted and unblock it if I do actually need it. It would suck if you let something run and it was missed by the scanners and D+ and let it drop something. Just my 2 cents.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's correct. The key feature of a sandbox is isolation, not virtualization. It is the act of separation that defines sandboxing, not how it is implemented.

    For example, an isolation unit within a medical facility separates patients suspected of having an infectious disease by placing them in a physically separate area from other patients. Patients who are in a ward together with other patients may have specific restrictions placed on them based on their medical conditions but we wouldn't say those patients are isolated from the other patients on the ward.

    On a host computer system, the creation of separate environments is usually accomplished through the use of virtualization. Virtualization is an implementation technique but it is not the defining attribute of a sandbox. What defines a sandbox is the dual environment: the world inside the sandbox and the world outside.

    The core feature of any HIPS such as Comodo Defense+ is the use of behavioural restriction as a security mechanism but it is only relatively recently (starting with v4) that a sandboxing feature, using file system and registry virtualization, has been added to Defense+.

    Regards
     
    Last edited: Jul 29, 2011
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thank you very much for the informative post. I appreciate that.

    Gotcha. Well, I guess I was correct in my original view of sandboxing.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're welcome. :)

    Regards
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Update for the Beta.

    EDIT: Or... it told me there was... not sure it updated.
     
  20. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I'm lovin' the beta so far. GUI is slick. The "Do not show pop ups" option seems kinda interesting. Don't think I'll be using it anytime soon but it might come in handy.
     
  21. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    I decided to test usability, and try installing a few programs to see if CIS has improved their whitelist/pop-up issues. I am not impressed by the results:

    Adobe Flash - D+ pop-up
    Miro Player - ***No pop-ups***
    Smart Defrag - D+ pop-up
    Process Explorer - Sandboxed
    SugarSync - D+ pop-up
    Steam - D+ pop-up

    So CIS was 1/6 in allowing clean programs to install. Pretty poor showing IMO.

    I am 99% sure all of these have been submitted to be whitelisted at one time or other.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Strange that steam and Flash got pop ups... I don't get too many.
     
  23. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    275
    Very nice info there on "sandboxing" and "virtualization" guys!

    Back then I remember Avast IS Build 1125 auto-sandboxing Adobe Flash and Process Explorer before...that was strange too. I also remember instances like that I saw in sevenforums and the avast forums but only a few..some did not have. I also remember CIS v5.4.58750.1355 doing that and place Adobe Flash in the sandbox. Upon upload to cloud it was clean.
     
  24. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Ditto on the flash getting pop ups. I haven't had any issues with it yet. I tried installing joli OS and that got a pop up. Nothing that exclusions can't take care of.
     
  25. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    When you get the pop up, isn't there a little checkbox you can check so that it remembers your choice not to sandbox or to move to trusted programs? That's not so bad. Not like you install those programs everyday and only requires 1 time answer. Just trying to help.
     