Comodo Internet Security 6.xx Thread

Comodo 6.0.264710.2708
SandboxIE 3.76

Also running EMET; Virt reg tweak on Comodo. Win7x64.

What is odd is that when installing SB again, my icon in C: changed. I have a feeling SB is not installing properly because it only occurred now. Have you tried going the other way--installing SB then Comodo?

Good luck.

 

Yeah I've tried both ways. I even went as far as take all my security software off and try everything over. Still doesn't work. That's ok though. I'm pretty happy with my current setup. I think adding CF would be overkill at this point.

 

Thanks, how can i change default rules? example untrusted rules?
i think there is no way for that in CIS

 

You can do that in D+ -> HIPS -> Rulesets.

 

This settings releated with HIPS module, it isnt releated with BB auto-sandbox.
I think, We are talking about change to BB auto-sandbox settings. Like, untrusted, partially limited.
All of them prefabric settings and i cant found how can i change them. probably i cant.


For example fully virtualized app can read all of my files. can i change this? i think not, just @Sordid suggest it but there is no way to do that in CIS.

Sandboxie has this ability but CIS hasnt. so it is not medicine for my problem

There are some information about sandbox restriction levels but we cant configure them. and there is not clear information, just basic words.
http://help.comodo.com/topic-72-1-451-4767-Behaviour-Blocker-.html

 

Now I see, you are talking about changing Restriction Levels for sandbox. I never heard them to be changed. SBIE is more configurable in this respect.

 

Yes, Sandboxie more configurable but it hasnt got keylogger, process termination etc /hips/ features.
There arent perfect tools of course.
And CIS BB's sandbox different concept not similar SBIE, it is not virtualization if i am not wrong. you need to add reg key for file level virtualization.
CIS BB and hips very similar. i think BB's "Untrusted"= Hips "limited Application", it will not virtualize but drop rights

Virtual kiosk and full virtualization different off course. But it is not configurable and it is not secure. i am not talking about malware can bypass virtualization, just malware can do what it want within virtualized session.

 

I've not tried this but if you were to set access restrictions to a particular process within D+,it should then retain these rules once auto-sandboxed.I'm not sure about this,just my thoughts on it.

 

Exactly, you have to activate that preset rule in "Hips rules" from rule sets. You must also apply to an app because Comodo is SILLY, so we use virtkiosk.exe and cmdvirth.exe or the unknown app itself.

But the correction already seems in place. Even under full virt BB, the unknown process throws a HIPS alert on explorer launching an unknown app in the first place and then asks if I want to add internet once a request is made. So even if a keylogger spawned (doubtful without another exe alert), it can't upload--hell it can't spawn the lead gui unless you allow it from explorer. Guest seems to be missing all these alerts; more on that later.

It's all moot. Why play games? Just use "untrusted" for unknown apps and they are so crippled you won't even get a window frame. Lock down your protected folders--that is applied to all boxes.

Guest, turn "show escalation" off or hips doesn't show fully and why I see alerts you are not. Also, in general, make sure you have trust installers off in "file rating." For what it is worth, sandboxes do not defeat "in sandbox" non-persistent attacks like session keyloggers or XSS by design, not even sandboxie. Use a VM to test unknown software--and DENY unknown software via Comodo on the host (BB=untrusted).

edit: Guest...sorry...

 

@Sordid

i dont understand exactly.
Which settings i must change? i want to see hips alerts when i run the apps fully virtualized.



Also, on my system (win8x64) there is no way to stop zemana tests. i disabled bb and turn hips on, i block all popup but still zemana can capture keystrokes. it show keylogger alerts but doesnt stop it when i press block button. (block only not block and terminate)


Between i found this from @egemen, i think they already know zemana test's situation.

https://forums.comodo.com/news-anno...rtual-kiosk-t91321.0.html;msg658537#msg658537

 

Installed the new CIS firewall and the problem with Sandboxie remains for me.The browsers in SBIE cannot connect to internet.

 

Guest

Most of the previous is designed to lock up or even break virtualising in an effort to get nil unknown code loaded--not to act as some sort of forensic tool or even have the program be usable. IMO, unknown code on hosts should die and die fast until it can be vetted; the sandbox should be used on trusted but vulnerable programs.

I tried a Chromium unknown with Virt BB on. In BB the "detect installers..." page you have a picture of a few posts back--UNCHECK that. Then go to "file ratings" / "Settings" and UNCHECK "trust files installed by trusted installers." Go to configure and activate "proactive security." In "General settings" / "User Interface" select "show notifications."

Now when you click Chrome.exe. HIPS pops up: this is unknown and virtulised. It should then pop up any executions from even trusted apps and show internet resources (Explorer is trying to execute chrome/Chrome is trying to contact XX.XX.XX.XX). I did not try a malware or keylogging sim so am unsure what is said.

But your intention seems multifold from what I gather. You seem to want it acting as a default deny HIPS, Sandboxie, and a forensic malware analyser. The first should work by default and imagine in general it performs well for you. As sandboxie, you must lend it the same handicap and configure apps you like to protect. So add progs like browsers to the HIPS and you can simultaneously run under the virtualised sandbox. Both "rules" will be enforced--HIPS policy rules within the virtual sandbox. You can kill file access, keyboard access etc. If you want hyper granular "ask" always on apps--use PARANOID mode, but virualising seems to cripple some of this so I'd suggest a BLOCK.

The ability to "always ask" over Safe mode settings has been requested. The ability to directly apply HIPS policy to sandboxes via generic rules has been requested. This would be spot-on what you desire.

But even granted sandbox and hips improvements, using Comodo or even sbIE as a malware tester: I would highly suggest against it. Too many things can get borked up that way and you are best using a snapshot with proper mal-test gear like Wireshark, PExeplorer, Reg shot and debuggers like Olly. Now you can see what the code is doing and what it has done. Otherwise, send the unknown to the AV kids for malware analysis.

http://www.raymond.cc/blog/xray/

HTH

 

i changed my settings and set BB to FV. i am getting popup when file execute.
There are only 3 preset, isolated, wsa and installer.

so i cant use my ownpreset with FV apps. and CIS doesnt show another alert, when i push allow. so SS leak test can record keystrokes. Actually CIS can stop it when BB untrusted-autosandboxed

All settings your recommend settings. And in this case, "detect installers...", K "trust files installed by trusted installers." and "show notifications." doesnt effective.

Actually zemana, SS leak test are in unknown category for CIS. isnt trusted files.

Anyway, i still believe, there is no way to this.
i believe BB auto-sandbox using HIPS module and answer alert for us automatic. (based selected virtualized level/ except Fully Virt.)
HIPS can alert for FVapps but only when aps execute. i am not getting any other alert. And it looks we cant use limited, own ruleset (i dont know why just it doesnt show)

Fully Virtualization (without any drop rights) doesnt give security. Malware cant harm computer but it can leak my data. and i cant find any way to use HIPS with FV.

@Sordid

if you get alert and i dont, and we are using same settings, there is a problem about CIS. The problem is i cant use "limited preset" so malware can record keylog in FV area. and HIPS doesnt show any alert about keylogger activity for FV apps.

The end of this month, CIS will release HIPS update. i hope it can help us.

 

Create a new ruleset. It will add to the drop selection.

But to be like sandboxie the analog would be adding key_sim.exe to the HIPS rules and the in the sandbox. Sounds strange, I know, and why you shouldn't use full virt outside of forced trusted programs, not unknowns. Even Edgemen says it won't work by default.

The key here is that it the BB untrusted worked and it didn't per you post at Comodo forums.

 

Actually problem is here. it didnt add itself there.

 

hmm actually you are very wrong here.Comodo offers a virtual area to run certain softwares etc.
Runsafer and forcefield are nothing like this.