COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's strange. I've seen the Allow/Deny box before with sandboxing enabled. I'm not confident enough in my setup to turn autosandboxing off in an attempt to test what happens =p

    If it gives an allow/deny that's one thing. But even still, how do you gauge whether it's legit or not without running it? Sandboxing allows you to run it and see.

    If you go to your Execution Control settings you'll see each measure it takes against files as they're being loaded. I'm not sure that the Allow/Deny will happen every time.
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think you are right in all of the points you are making, and I'm not suggesting for a moment that the sandbox feature shouldn't be used. I'm just trying to understand how something can be caught if the sandbox is enabled but missed if sandboxing is disabled because this runs counter to my understanding of how Execution Control works (which may be incorrect of course).

    My understanding is that a series of checks are carried out on an executable before it is fully loaded and run. These checks will result in the executable being classified as: known safe, known bad, or unknown. Known safe and known bad will automatically be allowed and blocked, respectively. It's what happens with executables where the status is unknown that will depend on whether the sandbox is enabled or not.

    If it is true that an executable can bypass EC so that it can carry on executing regardless of its status, then I can't see how EC would be able to force execution to continue in a sandbox. EC has been bypassed and that's that. Unless I'm wrong about this (which is quite possible), sandboxing is step two in a dependent chain that starts with EC making a determination about the status of the application and exerting the proper control over its ability to run at step one.

    I agree that for anyone who doesn't want to enforce a strict policy of deny the unknown, the sandbox gives the opportunity to see what will happen if execution continues within a safe environment. But even if the sandbox is disabled, there should always be that initial one-time chance to prevent execution of an unknown application. If that doesn't work in a specific instance, I can't see how the sandbox would come into play either.
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hmmm... I'm too lazy to search, so where was the EC bypass mentioned? Here?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think you're correct in your understanding. I just have never run without the sandbox so I don't often see the "Allow, Deny, Sandbox" and usually just see the autosandbox.
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    Thanks, you're right :thumb: multi-layer defense today is indispensable. I didn't write it previously, but I use another, different piece of software to sandbox the system, and CIS as a classical HIPS.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    With all that's said in the current end of the topic, is CFW enough or is the AV actually something vital today?
     
  7. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    It depends on who you ask.
     
  8. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Well I ask anyone with experience so just spit it out. ;)
     
  9. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    LOL Ok...Here I'm spitting it out for ya. :D Well I personally don't think you need an av if CFW settings are tweaked just a bit. While I use MSE in my layered setup, I depend less on it than any other part of my setup.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree. I've been using it for quite a while and the antivirus is unnecessary, especially since you have unknown files scanned with cloud-based heuristics.
     
  11. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I was just about to mention the cloud heuristics lol...
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Just got my hands on gpCode and Black Day (thanks to Jasonbourne and Aigle) and I'll be testing 5.8 against these two malicious files, which had previously bypassed CIS.
     
  13. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Alright then let us know the results, I know you will hehehe...
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Mhm. I'll be posting in this topic with results from an XP 32bit VM.

    If the VM is getting in the way I'll run the tests on my old laptop.
     
  15. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Alright then but no testing in 64-bit?
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I only have access to two VMs.

    1. XP 32bit.
    2. Win7 64bit.

    I can run it on both.
     
  17. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Ahh gotcha.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Installing to the VM now but I'm expecting an interruption soon. I'll have results tonight and if for some reason I don't you can expect them early tomorrow.
     
  19. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Alright sounds good. I'm just setting up my VM now..been too lazy to do it :D
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    My win7 got corrupted. Have to reinstall that VM. Not a big deal but it'll put a stall on testing the 64bit capabilities.

    XP is all ready to go. Documenting with screenies as I go =p
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I can tell you right now you aren't gonna like the results.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  23. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Hahaha spill the beans :D
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    GpCode isn't a problem with CIS (D+ on Limited). Is there an issue with BlackDay (I don't have a sample of that)?
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :thumb: good to know
     