CIS settings: is it safer to use only HIPS without the sandbox?

Discussion in 'other anti-malware software' started by blacknight, Nov 30, 2014.

  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Question for CIS advanced users. I never used the sandbox: in the early versions the sandbox was buggy, or bypassable. I don't know if the issues are all solved now, but my question is another: isn't it safer to disable the sandbox and to configure the HIPS at the higher level - in Paranoid Mode - to monitor directly all that happens in the system and to decide personally what to do for every alert?
     
  2. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,125
    If you disable the sandbox and enable the HIPS you'll have the old hard core CIS.
    If you also choose paranoid mode it'll give you the best possible protection (at the expense of the occasional deluge of pop-ups).
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    973
    Location:
    Paris
    blacknight- The HIPS in Paranoid Mode is going to alert you to just about EVERYTHING. In addition to being very annoying, the decision as to what should be allowed or not is going to be left up to you; after so many alerts in all probability you will be lulled to sleep and just allow things just to be done with the popups. But to answer your questions, Paranoid HIPS mode is in no way safer than enabling the sandbox; indeed it may have significant risks.

    Secondly, please be advised that Comodo's AV module, which is the only thing that differentiated CIS from CF (Comodo Firewall), isn't that good (and I'm being kind here) against true zero day malware. Also note that CF still has a Cloud AV, so the real difference is a resident AV. So if you feel any need for a real time AV (personally I don't see a point for doing so) please just install CF and add something like Qihoo.

    Third, the Comodo automatic sandbox is superb against both malware as well as PUPs. With the Sandbox enabled there is really no need for the HIPS (which is dated technology) to be active at all- there is no point for a HIPS to inform you of what things are doing in the Sandbox as no system changes will be possible.

    So- download and install Comodo Firewall 8:

    1). Disable the HIPS.
    2). Enable sandbox.
    3). Go into sandbox settings and edit the top "Run Virtually" listing- change from "Internet" to "Any".
    4). In the Firewall Settings page, uncheck the "Do Not show popup alerts" listing. It is curious that in this version with this setting checked you don't get outbound alerts even if Custom Mode is being used.

    Final note- if Comodo sandboxes an application, DO NOT override unless your Mother wrote the program so you know it is safe (of course first make sure that your Mother actually likes you).
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Sure, but with the HIPS I have control of my system, I know what happens and I can decide what to do. If some malware bypasses the sandbox, what happens? Which defense line do I have?


    I know it. The problem is that not all the AVs that I trust work with CIS.
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    So I believe, but I wish for some opinions and experiences about it.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I use only defence plus and firewall in safe mode. Paranoid mode is impractical and causes some of my systems to freeze randomly.

    No Sandbox. No AV.

    Plus EMET. I was also using SBIE but dropped it due to performance reasons esp slow browser launch and some other issues.
     
  7. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I use the D+ in Paranoid Mode and rarely hear a peep out of it. Some people obviously have no concept of whitelisting. Once you take the time to do it HIPS becomes basically set it & forget it hardening. It might be a nuisance for a couple weeks after a fresh install, but then after you've used about everything on your setup and set the rules accordingly, you forget it's even there. Much ado about nothing here.

    I don't use the sandbox component, as I'm a (very) happy Sandboxie user. And no AV either (i.e. not the full CIS suite). I use the FW & D+ only, v 5.10 which IMO is the best ever made.
     
  8. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    438
    Location:
    The Outer Limits
    You could always use both, the HIPS (set to Clean PC Mode) and the sandbox (set to auto-sandbox unknown programs)? I know the AV part isn't the best in the world but it's not the worst in the world either, and considering how light CIS is, why not use the full suite?

    I also use Sandboxie for its ease of use and lightness alongside CIS v5.5 (I like the graphics, layout and configuration options).

    The sandbox in the more recent Comodo versions has been fully tested, so much so that the HIPS are turned off now by default.

    The rock solid D+ HIPS have been the proven backbone of Comodo for years and are more than capable of protecting your machine on their own.

    Plenty of options to consider.

    Regards Eck:)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think it depends upon one's preference. Most users and even myself simply don't have the time and patience to make rules until Defence Plus becomes pretty silent. It's too much work IMO. Also every now and then I install new programs or run a new utility and Defence Plus sure will never become silent. Pop-ups after automatic Windows updates are another issue.

    In fact in addition to safe mode I even use trusted vendors as I have found that it gives me a lot of freedom and a pop-up-free system with some sacrifice of security.

    In addition, unfortunately on my old XP SP2 system (I use CIS 5 on XP), the paranoid mode freezes my system after a few minutes and I could not figure out the cause.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think one should use either Defence Plus or Sandbox. I really see no difference in using both as both have the same level of security with different levels of usability (multiple pop-up alerts versus no pop-up).

    If I am going to add a sandbox I would like to add another software, as I think if something bypasses Defence Plus it will probably bypass its sandbox as well because protection is provided by the same core (CIS) in both cases.

    On my old XP SP laptop, I use GesWall with Defence Plus as it is much lighter than SBIE and almost as strong as SBIE. I wish we had GesWall on Windows 8 as well.:(
     
  11. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    125
    Location:
    Spain
    Blacknight, I would seriously consider following cruelsister's advice. I've found that, for a skilled user, auto-sandboxing plus firewall is more than enough for about anything you can throw at it. Anything else, like EMET and MBAE, is a plus.
     
    Last edited: Dec 2, 2014
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    For Cyrano2 and CruelSister:


    Agree! So I experienced.
     
  13. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    125
    Location:
    Spain
    As a matter of fact, some time ago I exclusively used D+ but nowadays I just prefer sandboxing :isay:. So if you really prefer the HIPS component then go ahead :). What I've found in Wilders is that there's no better way, just the best that works for you ;).
     
  14. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,125
    Last edited by a moderator: Dec 3, 2014
  15. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,125
  16. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    438
    Location:
    The Outer Limits
    Okay, I like pop-ups, the more the merrier, but they always die down after a while, the only pop-ups coming from the toaster.:'(

    How would you know if for whatever reason your sandbox stopped working? You'd want a pop-up then alright, I would bet? (i.e. D+ kicking in).

    You are quite correct in wanting your layered security from different apps in case one gets bypassed; as I can't get a free-standing HIPS for 64 bit, Comodo will do fine.

    Don't think I remember Geswall being much lighter than Sandboxie? Is that possible? Anyway, Geswall is a brilliant program, justifies having an XP machine in itself. I just wonder if there would be any advantage to running both (Geswall and Sandboxie) or would there be conflicts?

    Regards Eck:)
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not a good idea to run both. It will not give any better protection. GesWall sure is lighter than SBIE.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Is GesWall still actively developed and does it support Win 7 64bit? What are the system requirements? (can't find them on the site).
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It's dead. No 64 bit. Win XP and Win 7 32 bit.
     