Comodo Auto-Containment - comparable to Sandboxie ?

Discussion in 'other anti-malware software' started by lunarlander, Jan 19, 2020.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi,

    I have switched to Comodo Internet Security's Auto-Containment; because it works with my YubiKey. Whereas Sandboxie doesn't. Are the 2 products comparable, is Comodo worse than Sandboxie?
     
  2. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
    Hi Champ comparing apps on this forum i think is illegal
     
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Whatever happened to consumers' rights ? So it is like the old mainframe days when you have to sign a non-disclosure agreement when you buy a product agreeing not to review the product ( like when you buy an Oracle database ). That my friend, would also include not being able write a book on the product. (like "How to use Oracle guide" )..I wasn't born yesterday.
     
    Last edited: Jan 19, 2020
  4. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
    I could be wrong just ask an admin.
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,565
    I think that's for antiviruses though.
     
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,904
    Location:
    UK
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
  8. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,565
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    post it on mt. :ninja:
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,928
    Location:
    The Netherlands
    To me Sandboxie is easier to understand. But I would have liked an "auto-sandboxing" feature. And, it's not clear to me if Comodo uses the integrity mechanims and virtualization like Sandboxie does. I wouldn't be surprised if Sandboxie is more secure under the hood.
     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    I've played with Sandboxie and have used Comodo's firewall for years until the disaster a few months ago. Properly set up with, say Cruelsister's config, I would be more apt to say Comodo is more secure. Used out of the box with no configuration, like most people would use it, maybe not.

    You could say the same about Sandboxie, though. If you didn't know how it worked and just used it as downloaded, without Drop Rights, etc, it wasn't rock solid either.
     
  12. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    RIght now, I am inclined to say that Sandboxie is more secure because it can restrict what can run within a sandbox. Whereas Comodo's auto-containment cannot.

    The other day I had a fright when an attacker opened a .log file on my root directory with notepad. I thought the attacker might have escaped the virtual environment. Then I thought more on this and conclude that yes the attacker is indeed allowed to open the .log file from C:\, but is limited to saving the .log file inside Comodo's virtual dir VTRoot. Am I mistaken as to how 'run virtual' works?
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    Set up Comodo FW like this, and you don't have to worry. I won't say it's bullet proof. Anything can be beaten with enough effort, but it's as close as you'll find. Just watch and follow the directions. I've used this setup for several years, and never had anything get in or out.
    https://www.youtube.com/watch?v=jfe1VdyP0S4
     
    Last edited by a moderator: May 27, 2020
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,928
    Location:
    The Netherlands
    Don't forgot that sandboxed apps can still get access to files on the real system. But sandboxed apps can't modify the real system, changes are kept inside the sandbox, that's also how Sandboxie works. So you need to restrict apps from getting access to important files. Sandboxie has got such a feature, but you can also use a third party data protection tool.
     
  15. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Thanks, I realize that now.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    What is "the disaster" you mention?

    I've been using it, sort of as an experiment, for a couple weeks now on latest Windows 10, set up similar to cruelsister's recommendations, and I'd say it's next to bulletproof at stopping attempted program or process activity. HIPS is in "Paranoid mode", Auto-Containment enabled, and firewall enabled, default-deny, with numerous customized rules I created over time. I've yet to notice any kind of obvious unstable or undesirable behavior with the program to date.

    EDIT:

    for example, even just installing NoScript extension in Edge resulted in a warning from the HIPS feature:

    Code:
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  -->Attempts to modify file--> C:\Users\user_name\AppData\Local\Microsoft\Edge\
    UserData\Default\Extensions\Temp\scoped_dir5308_514077901\CRX_INSTALL 
     
    Last edited: Aug 6, 2020
  17. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    The 'disaster' was Comodo releasing an upgrade that totally locked up and borked my computer, and a lot of other people's as well. Fortunately, I had a current backup only a day old.

    The current version of Comodo Firewall .7036 I think, is great. I left Comodo as a result of the abomination and have only recently returned using the latest firewall only. It, as you mentioned, with Cruelsister's configuration, is as bulletproof as you can get. I don't believe anything is 100%, and I'm sure somewhere out there something can beat Comodo. In the over a decade I've used Comodo, I haven't run into it yet.

    Until Meghan created her rules, I ran the firewall in proactive mode and nothing ever got through. Her rules add a bit more security to the mix and make it even better.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    Okay I see, thanks! The first time I used it, it locked up my computer as well, at least preventing me from logging into either of my accounts (user and admin), but I blame myself for that because I had placed the HIPS into Paranoid mode before allowing it to learn enough O/S rules. My image backup saved my bacon.

    I'm thoroughly impressed with it so far. It's far more powerful than I expected it to be. It halts every unauthorized executable or script action I attempt to launch, giving me the opportunity to either Auto-contain or terminate it.
     
  19. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    Since switching to Cruelsister's config, I haven't used the HIPS. I let auto containment handle things, and have it set to 'block.' You'll see good and bad posts and reviews about Comodo, but I've used and sworn by since about 2007 or 2008, occasionally removing it to try something else. I always returned to Comodo. It just works.

    I am not an expert. I don't dig into to it to see how it works, or try to write or change rules, etc. I'm just a user.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    Yeah, I just like the HIPS enabled because if gives additional control and security. I have slightly more restrictive rules for my web browsers, email client, svchost, rundll32 and powershell, to name a few.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,928
    Location:
    The Netherlands
    Interesting stuff, that Comodo will even alert you about extensions being installed. Does this happen with every extension-install on any browser? I never liked Comodo, but I do know it's quite powerful. But to me it's overkill.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,483
    Location:
    U.S.A. (South)
    I only ever use Comodo Firewall (only) anymore when testing baddies configured per @cruelsister settings and nothing is ever escaped the darn thing from containment or complete elimination. It's quite formidable in that respect. Oh the HIPS for me was nice but overboard since the air tight trap of Containment does all expected when dealing with foulware. That said the HIPS can also serve as a tracing tracking feature to follow the projected path some of those buggies try to reach in advance and give a local researcher insight to it's purposed affect.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    The HIPS feature is only overkill if it's set up to be that way.

    As for extension restrictions I did the following for, as example, MS Edge browser:

    Code:
    HIPS->HIPS Settings->Protected Objects:
    
    C:\Users\user_name\AppData\Local\Microsoft\Edge\User Data\Default\Extensio*\*
    
    Then under HIPS Rules-> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe->Protected Files/Folders->Ask
    Then when launching Edge, it will be necessary to allow a number of Exclusions, eight in my case, in order to allow all currently allowed extensions to run. Anything else attempting to install either from the user or an unexpected nefarious action will be blocked. If you want to install more extensions, you simply allow and remember for the extension and exclusions will be added for the new extension.

    It doesn't have to be this granular at all, I just elected to make it this way. it's not just for added security, but also to gain a more in depth understanding of how the program and its features work.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,676
    Location:
    Paris
    For any Comodo newbies that may read this post, please know that the heart of Comodo's protection mechanism is Auto-containment- and this at ANY other setting than default. I suggest Restricted. Also, personally I don't feel that the HIPS is needed (except as Easter has stated above to track what a malicious file is doing for amusement) with Containment set properly.

    The reason for the above statement is that both the default Containment setting and the HIPS module (even at Paranoid Mode) can result in system changes being made- which for me is unacceptable. Although the most common and most trivial can be the desktop background being changed (easy enough to rectify), a more serious (and greater pain to fix) is the inability of default Containment and Paranoid HIPS to prevent a malware file to utilize Windows Management Instrumentation (wmic.exe). This can lead to things like a System Reserved partition being created (a relatively current example of this sort of thingy is the Avaddon ransomware).

    WMIC can (and has) be used for other nasty things, but setting up CF with the configuration that I have suggested will just laugh at stuff like this, which needless to say is Optimal.

    M
     
    Last edited: Aug 8, 2020
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    Thanks @cruelsister for responding! Maybe in the end I will simply fall back on only the Autocontainment feature, but I wanted to put the HIPS through its paces to see what it can do and how the different settings of it can be modified to monitor especially vulnerable directories in user space. It brings back memories of using system safety monitor, malware defender, and HIPS features in no-longer-developed firewalls like Jetico and Outpost.

    EDIT:

    something cool I discovered yesterday under: Advanced Protection -> Device Control was that I can block USB drives, and all kinds of other type devices for that matter, yet add my Corsair survivor USB drive as an exclusion. Very cool :thumb:
     
    Last edited: Aug 8, 2020
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.