Comodo Auto-Containment - comparable to Sandboxie ?

Discussion in 'other anti-malware software' started by lunarlander, Jan 19, 2020.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's true I guess, but I remember that old versions of Comodo gave me dumb alerts about trusted system processes like explorer.exe and svchost.exe; that's what I meant by overkill. Perhaps newer versions are smarter.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    It has a File Rating section and it can be set to trust files by trusted installers, so that enabled will eliminate many of those type alerts. I think in Safe Mode this will also reduce those alerts.
     
  3. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I see that I can block execution of wmic.exe with OSArmor under Advanced. Would this cause me any problems if I do this?
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    No, it shouldn't be an issue. Actually Microsoft last year recommended that unless you know that you absolutely need it, wmic.exe should be blocked due to malware using it (along with mshta.exe which is one of my favorite LoLbins) for nefarious purposes.
     
  5. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I don't see mshta.exe listed in OSArmor in order to block it.
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    I don't have OSArmor installed so I can't personally check. But try to check in both the normal settings and the advanced settings; it should be there.

    https://www.novirusthanks.org/products/osarmor/
    "Filter System Processes
    Block wscript.exe, mshta.exe, etc if they match our rules of bad behaviors."
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I found mshta.exe and it was blocked by default in Main Protections.
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    This was a good read from Symantec in 2018 ....
    Attackers Abuse WMIC to Download Malicious Files
    Malware authors use WMIC and a host of other legitimate tools to deliver information-stealing malware, highlighting the continued use of living off the land tactics.
     
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    "Block execution of Wmic.exe" was not checked by default in Advanced, I don't think, so I checked it. "Block any process executed from Wmic.exe" was checked by default in Main Protections.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Happen to have a ready link to this iron cage version @Chuck57?

    In all the mayhem over the past year or so mine is likely well dated by now. Appreciate whatever you can.

    That File Rating feature if I recall was another useful feature I think determined the level of users confidence or lack thereof of some of them.

     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I get most of my downloads from here. They're current. Remember, Comodo tries to install cleaning essentials and their browser. Don't forget to uncheck them.

    https://www.majorgeeks.com/files/details/comodo_personal_firewall.html
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Done. Thanks

    That much has not changed: the part where we uncheck the cleaner add-on(s) and their browser. Sheeez
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    My favorite part of Comodo firewall, besides its protection, is that you can run software contained to check it. Don't use any other sandbox software. I haven't used it except for minor things I wanted to try out, and haven't tried rebooting to see if they stay. Haven't had to so far. It's just a nice way to look at stuff I have a passing interest in, without cluttering up the drive with other security stuff I'll seldom use.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    As far as this topic title goes, I suppose one could compare the containment feature alone per usage expectations or results, but in reality, as far as I'm concerned, they are two distinct, separate entities/programs, designed with containment as mostly the priority in one and as a choice in the other. I used Sandboxie for ages and still do every single time I try a new program, or one where confidence isn't clear on the components it might disperse. In other words, On-Demand Only. Then I examine how many parts/files/folders it takes to do what they claim it needs to perform whatever function is advertised.

    For the coup de grâce foulware testing fun, Comodo efficiently aligned with @cruelsister's config (gotta luv the Containment Settings) fits the bill for that. And really it is the only time I turn to Comodo Firewall. With seasoned experience stretching back to Windows 98, my current O/S version is air tight with various third-party gadgets/programs.
     
  15. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I'm sure you noticed the new firewall containment settings have changed a bit. No more Run Restricted in their list.

    Now it's Run Inside the Container, Run Unlimited, Run Unlimited and Trust and the last is Block. That's why I set it to Block.

    I'm guessing Run Inside the Container is probably their new name for Restricted. Maybe Restricted had too many syllables and they had to simplify.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I like how I can see and control any and all attempts to modify within vulnerable user-space directories such as, for example:

    Code:
    2020-08-11 17:15:01 --> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --> Modify File -->  C:\Users\my_username\AppData\Local\Microsoft\Edge\User Data\PepperFlash\32.0.0.414\manifest.json 
    This is as a result of setting "Ask" on Protected Files/folders paths within the HIPS settings. So as not to get alerted to a ridiculous number of these attempts, it is a simple matter of modifying, for example, this particular Path rule as:
    Code:
    C:\Users\my_username\AppData\Local\Microsoft\Edge\User Data\PepperFlash\*\*.json 
    Comodo allows the use of wildcards in Path rules. The version number will change occasionally over time, so the "*" will take care of this. This rule will also nicely address any file extension with *.json.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I forgot to reply, but I can remember that I ended up trying to whitelist/trust as much as possible to reduce alerts, which may introduce security risks, so I didn't like it. But perhaps this has been improved. In the last 10 years I have developed an "alert fatigue", that's why I have configured EXE Radar and SpyShelter in a way to reduce alerts as much as possible, while still having a good balance between security and usability.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    As also asked here: https://www.wilderssecurity.com/threads/wisevector-stop-x.431502/page-6#post-2941322
    and for the benefit of Comodo (Firewall) newbies, can someone post a definitive link to @cruelsister's settings / config here in this thread?

    I think I had set it up 'correctly' before via a YouTube video, but an accurate step-by-step description would be 'nice'.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    If you can achieve a balance between security and usability, then that's probably ideal. It looks like you've done that nicely with your setup. With CF, choosing either the built-in ruleset "Allowed Application" or "Windows System Application", will certainly reduce alerts, but at the expense of security, as they are both very permissive, other than you will be alerted to "Run an executable" alert for the application assigned to one of these rulesets.

    What I did was:

    1. Create my own ruleset which is slightly more restrictive than the two I mentioned above. For one example, on "Protected files/folders access rights" I have this set to "Ask".
    2. I added several vulnerable user space directories under: Protected Objects-> Protected Files, such as:

    a. C:\Windows\Temp\*
    b. C:\Users\user_name\AppData\Local\Temp\*
    c. C:\Users\user_name\AppData\Local\Microsoft\Edge\User Data\PepperFlash\*\*
    d. C:\Users\user_name\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\*

    as well as a few others. This prevents unauthorized modification of data in these directories, but CF will alert to them, giving the user the option of allowing it or not, on both a temporary basis, or more typically on a permanent basis. Once these rules are created over time, the alerts will reduce significantly.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I have seen too many alerts between 2004 and 2010 LOL. It basically comes down to whitelisting certain folders so that EXE Radar won't alert about stuff. For example, I don't want to see alerts when installing software via Sandboxie. And SpyShelter can also auto-allow certain things for trusted publishers.
     
  21. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations/Greetings,

    I was just wondering if M, and/or cruelsister would do a new video with the latest Comodo Firewall?
    To see if M, would change and/or do anything different ! Within Comodo Firewall....


    Always the best,
     
    Last edited: Aug 27, 2020
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Well, I've done away with "Paranoid mode" and went with "Safe mode" instead, as the HIPS Rules -> Application -> Name field doesn't handle wildcards. This is a problem for, for example: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2010.7-0\MsMpEng.exe

    I now just rely on Auto-Containment as others have, with a few additional rules I created to augment the defaults. Works like a charm.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Back to Paranoid mode, since the bug that didn't allow wildcard characters in the main Application name field has been fixed in the latest v12.2.2.7062 release.

    I have made some of the rulesets less restrictive than before, only retaining the restrictions for web browsers, MS Office apps and anything else Internet-facing. I've also retained the Protected folders settings for all directories I could find that could be written to at the usermode level. Autocontainment rules retained as well.

    EDIT

    The problem with the handling of wildcards in actual file path names has not been resolved as I thought, but now I understand what's going on:

    When a new alert for an application that the user has assigned wildcards to occurs, the alert shows the actual path name, for example:

    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2010.7-0\MsMpEng.exe

    even though it's already in the Application rules as:

    C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe

    this latter rule previously modified by the user with the wildcard.

    So what happens is that when the user answers the alert with, for example, an "Allow" selection, it creates a separate rule for the application with the actual path name, rather than applying it to the existing rule with the user-modified path name using wildcards.

    So now there are two separate rules for the same application: a new one with the actual path name, and the other pre-existing one modified by the user with the wildcards.

    This is a bit annoying to deal with, but I shouldn't (hope I don't) see too many new alerts for pre-existing rules using wildcards. I copy the new rule from the latest one created with actual path name, and paste it into the pre-existing one with wildcards. Once things quiet down, I can delete the newest rule with actual path name.
     
    Last edited: Dec 14, 2020
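    The protected-folder rule list in wat0114's post 19 and the duplicate-rule behaviour described in post 23 both come down to the same question: is a concrete alert path already covered by an existing wildcard Path rule? The following Python helper, added here as an example and not code from this thread or from Comodo, models that check. It assumes a simplified matching semantics (a `*` inside a path component matches any characters within that component, a trailing `\*` covers the whole subtree, `?` matches one character, matching is case-insensitive); Comodo's own engine may differ, so treat this as an aid for reviewing your rule list, not as a description of the product. The rule list is constructed from the paths posted in this thread, with the thread's `user_name`/`my_username` placeholders kept as-is.

```python
"""Check whether HIPS alert paths are already covered by wildcard Path rules,
and flag literal-path rules that duplicate a wildcard rule (the situation from
post 23, where answering an alert creates a second rule for the same app)."""
import re
from typing import Iterable, List, Optional, Tuple

# Assumed semantics (not Comodo's documented matcher):
#   '*' within a component -> any run of characters except '\'
#   '?' within a component -> exactly one character except '\'
#   a final component that is just '*' -> everything below that directory
def rule_to_regex(rule: str) -> "re.Pattern[str]":
    segments = rule.split("\\")
    parts = []
    for i, seg in enumerate(segments):
        if seg == "*" and i == len(segments) - 1:
            parts.append(r".*")  # trailing \* covers the whole subtree
            continue
        parts.append("".join(
            r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch)
            for ch in seg
        ))
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)


def has_wildcard(rule: str) -> bool:
    return "*" in rule or "?" in rule


def find_covering_rule(path: str, rules: Iterable[str]) -> Optional[str]:
    """Return the first rule whose pattern matches the alerted path, if any."""
    for rule in rules:
        if rule_to_regex(rule).match(path):
            return rule
    return None


def find_redundant_rules(rules: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (literal_rule, wildcard_rule) pairs where a literal-path rule is
    already covered by a wildcard rule and can be folded into it."""
    rules = list(rules)
    redundant = []
    for literal in rules:
        if has_wildcard(literal):
            continue
        for wild in rules:
            if wild != literal and has_wildcard(wild) and rule_to_regex(wild).match(literal):
                redundant.append((literal, wild))
    return redundant


# Rule list constructed from the paths posted in this thread.
RULES = [
    r"C:\Windows\Temp\*",
    r"C:\Users\user_name\AppData\Local\Temp\*",
    r"C:\Users\user_name\AppData\Local\Microsoft\Edge\User Data\PepperFlash\*\*",
    r"C:\Users\user_name\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\*",
    r"C:\Users\my_username\AppData\Local\Microsoft\Edge\User Data\PepperFlash\*\*.json",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe",
    # the literal-path rule Comodo created after an "Allow" answer (post 23)
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2010.7-0\MsMpEng.exe",
]

if __name__ == "__main__":
    alert = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2010.7-0\MsMpEng.exe"
    print("covered by:", find_covering_rule(alert, RULES))
    for literal, wild in find_redundant_rules(RULES):
        print(f"redundant: {literal}\n   covered by: {wild}")
```

Running it lists the Defender literal-path rule as redundant against the `Platform\*\MsMpEng.exe` rule, which is the pair the post suggests merging once alerts quiet down. Note that a single `*` in this model does not cross directory levels, so a binary nested one folder deeper than the rule expects would still raise a fresh alert.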