Comodo's Swiss army knife: Sandboxing & Virtualisation

Discussion in 'sandboxing & virtualization' started by Kees1958, Jan 13, 2013.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, I am not a fan of Comodo because they often struggle with software quality, and launch new applications only to abandon them a few months later.

    Honesty requires me to say that I am impressed by the new CFW 6.0, because it offers capabilities found in three other sandboxing and virtualisation programs:
    1. Auto-sandboxing of new executables based on a whitelist (Avast-like, with more granular control).
    2. Sandboxing threatgate applications based on predefined containment policies (BufferZone only has two policies)
    3. Full Application Virtualisation using sandbox shortcuts like Sandboxie (Sandboxie is faster and more granular)

    Brilliant combo I have to admit :blink: All three for free, without the need to enable the D+ HIPS component.

    Custom install, without Geek buddy, Comodo Dragon and Comodo DNS.

    Next, make sure Comodo does not bite itself in its tail or lock you out of your OS (temporarily unselect auto sandbox).
     

    Last edited: Jan 14, 2013
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Setting up the Avast like auto-sandboxing of unknown applications.

    First remove the default built-in whitelist (optional). Open Windows Explorer and navigate to the Comodo installation directory by drilling down to the folder 'COMODO Internet Security\database'. Next rename the file Vendor.n to VendorDotn.txt. I just like to define myself which publishers I whitelist, and define the ones you know are already on your PC. But this step (disabling the built-in vendor list and defining your own set of trusted publishers) is optional.

    Next go to http://help.comodo.com/topic-72-1-4...lization-for-Auto-Sandboxed-Applications.html for how to change the registry value, or copy the text below the *** line to Notepad and save it as enable_full_virtualization.reg

    *********************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\software\Comodo\Firewall Pro]
    "EnableDefaultVirtualization"=dword:00000001

    ;the Enable Full Virtualization registry trick
     

    Last edited: Jan 14, 2013
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Now let's put some extra limitations on threat gate programs. Create a built-in list to sandbox, like BufferZone has. By trial and error I discovered what policies I could apply without breaking the functionality. Foxit ran in Restricted mode, and Outlook and Classic Media Player ran fine as Limited. The surprising thing was that, although not fully virtualised, the data store is also virtualised (even with Limited and Restricted). That is why I had to exclude the data folders of the e-mail client and media player (and added Documents for the PDF reader, just to be certain). See pictures.

    Outlook, Media Player and Foxit run with the green border in Limited, Limited and Restricted User containers (sandboxes).

    I now have the following threat gate programs sandboxed (similar to BufferZone, only with more policies to choose from):
    1. Chrome running in its own Low IL/Untrusted sandbox
    2. Foxit running as Restricted (similar to SpyShelter's experimental option) with data folders excluded
    3. Outlook and Classic Media Player running as Limited (similar to AppGuard's guarded policy) with data folders excluded
     

    Last edited: Jan 14, 2013
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Finally I created a shortcut (with a different icon), see picture, where Chrome runs 'normally' (with its own internal sandbox) and an incognito version runs fully virtualised (with green border). Normal icon + normal browsing = Chrome's default (policy) sandbox; yellow icon + green border and Incognito = additional SBIE-like application virtualisation (I just added --incognito to the Comodo Kiosk-generated shortcut).

    To be honest, the Full Virtualisation feels slower than BufferZone: Sandboxie starts in 1.8 secs on my PC, the BufferZone browser in 2.6 seconds and Comodo Virtual Chrome in 3.4 secs. Chrome (default own sandbox) normally starts in less than a second (< 0.3 secs). The full virtualisation is only for on-demand usage (Chrome has an excellent policy sandbox of its own), so I can live with the delay.

    Regards Kees
     

    Last edited: Jan 14, 2013
  5. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    617
    Location:
    Wembley, London
    Very nice tutorial.
    Thanks for your time :)
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Surprisingly, the CFW firewall without AV still checks critical entry points and checks unknown programs in the cloud, see pic.
     

    Last edited: Jan 14, 2013
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It is possible to adapt the task bar (horizontal bar of icons); I added 'view logs' and 'reset sandbox'.
     

  8. wasgij6

    wasgij6 Registered Member

    Joined:
    Mar 29, 2011
    Posts:
    263
    Remember that changing the task bar icons also changes them on the widget, if you use it.
     

  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Last tweaks: separation of data (trusted/virtualised) is seamless like GeSWall; only application-level interaction is allowed between virtualised apps, like BufferZone. So trusted apps can communicate through APIs/messages etc. with trusted apps, and sandboxed apps with sandboxed apps.

    Outlook Add-ons
    To make Contact and Agenda sync of Google/Gmail (my Android devices) work with Outlook (my Windows desktop), I had to run these programs as "Partially Limited" and add them manually to the firewall to interact properly.

    So Outlook/e-mail programs can be contained in the sandbox, but data folders need to be excluded, similar to a Sandboxie forced program where data from specified folders is immediately recovered to the real world (disk) at the end of the session.


    [PDF] Printing
    From a sandboxed application it is impossible to print something. This is my workaround. Print to Microsoft XPS Document Writer and save this XPS print file to a directory which is excluded from sandboxing (e.g. in my case the My Documents folder). Foxit Reader also allows printing to an XPS file. Next double-click this XPS file and print from Microsoft XPS

    See pic
     
    Last edited: Jan 15, 2013
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Very nice tour of Comodo's new capabilities. I still haven't tried v6; I will wait for it to mature a bit first.

    I see the improvement in that it minimizes the demand for decisions on the part of the user (and pop-ups). I am not so sure about the interface, which is prettier than v5 but maybe a bit overcomplicated, and I am still uncertain whether I would want everything sandboxed or not.

    I mean, even with v5.10, I am still undecided whether I should prefer going with the sandbox enabled or disabled. Enabled gives more automation, sparing you popups. However, it also stops the HIPS part from showing you what exactly an exe is trying to do. So automation is good for drive-by infections, but if by mistake you try to execute something infected locally, it becomes more complicated. If you click "don't sandbox it again", it's the end of the game: it's automatically trusted. Certainly the automated procedure is much better if you are certain that what you intentionally run or install isn't malicious.


    Anyway, v6 will certainly be interesting.


    Thank you Kees for the in-depth, as always, analysis.
     
  11. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    617
    Location:
    Wembley, London
    I am also waiting on a few updates before I leap.
    This has been bookmarked for future reference, thanks :thumb:
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, I understand your doubts about Comodo's X.00 versions. I am on 32-bit, so this code is older and hopefully well tested.

    With Windows 7 it is really easy to add a DENY "Traverse folder/execute file" for EVERYONE through ACLs on user folders and data partitions. On Pro or higher, use SRP. With CFW 6 plus ACL/SRP it is near impossible to make a 'shoot yourself in the foot' error, plus you get three for free (types of sandboxing, that is) :D
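    As an added example (not from the thread or from Comodo), this is one way to apply the ACL deny described above with PowerShell and verify it; the folder path is a placeholder and an elevated session is assumed:

```powershell
# Added example, not from the thread: put a DENY "Traverse folder / execute file" ACE
# for Everyone on a data folder, inherited by all subfolders and files, then verify it.
# Assumptions: elevated PowerShell; $Target is a placeholder path; try it on a test folder first.
$Target = 'D:\Data'   # placeholder, replace with your user or data folder

# Well-known SID for Everyone (S-1-1-0), so the rule does not depend on the display language.
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

# "Traverse Folder" and "Execute File" are the same NTFS access bit (0x20), which is why the
# Security dialog shows them as one entry; a single ExecuteFile deny covers both.
$ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)

$acl = Get-Acl -Path $Target
$acl.AddAccessRule($ace)
Set-Acl -Path $Target -AclObject $acl

# Verify: list every Deny ACE on the folder that includes the execute bit.
(Get-Acl -Path $Target).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# Caveats: Everyone includes administrators and deny ACEs win over allow ACEs, so nothing
# runs from $Target until the ACE is removed. Most accounts hold the "Bypass traverse
# checking" privilege, so walking into subfolders still works; only launching executables
# stored under $Target is blocked, which is the effect the post is after.
```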
     
  13. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    The preset sandboxes seem to stutter executable boot time even without virt, so I apply HIPS rules to those progs to which one would apply EMET, much like you have done via boxes.

    So you get the joys of safe-mode HIPS notifications with the action of paranoid mode, because the rules have already been user-applied. You must apply 'block' because, running under safe mode, 'ask' is much like 'allow' for trusted programs.

    In other words, I can drop more rights/privs on a browser than most pre-set sandbox limits would allow, granted the more protective ones like "restricted" would break actual usage. By applying custom HIPS privileges, Goldilocks is sated and very safe from bear arms o_O

    You can also apply HIPS rights to your "isolated" programs that way too, although it would be under one generic HIPS user rule.
     
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Kees, you clearly love SRP and have perfected this to an art, but myself, I never took interest in such things. I know I have AppLocker in Win 7 Pro, but I'm pretty sure it would take me time to configure it in a way that no program is disturbed, and I find it very annoying having to go there every time and add a new rule. I know I can make it trigger a notification to show me what's blocked so I can go edit a rule or something, but I find it annoying as a concept. I can't even stand EMET at max security; I have the impression that browsing gets slower, and I also had a batch file I have to clear all Windows logs run much slower than normal. So I just have DEP for all programs and left EMET alone.

    So, in the end, I have opted for what is more immediate and what I know better: relying on 3rd-party programs. After all, all I care about is being able to suspect that I got infected. If I do, I will revert to an old image and case closed. In the rare cases where I may want to install something of dubious origin, I have (aside from VirusTotal) the options to:

    - Run it first under Shadow Defender and see whether it behaves legitimately or not.
    - In Comodo, temporarily disable Sandbox, so to have D+ kick in and show what it wants to do step by step.
    - Install ExeWatch (useful to show what things do once you let them.)


    It may not be elegant, but it should be enough and less trouble for me.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is the idea behind this setup, no HIPS notifications. :)

    You are right, third party software adds CPU and disk overhead (measured with AppTimer).

    The lag is barely noticeable in Outlook, and the startup of Chrome feels the same.
     

    Last edited: Jan 14, 2013
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You are right
    1) It is a personal computer
    2) It is a free world
    3) Many ways lead to Rome
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    It's also a matter of habit. I've been using classical HIPS since Process Guard was out. I've learnt to endure pop-ups and find them informative. On the contrary, I really never used policy restrictions and, even more, I think it will be a pain to configure AppLocker without blocking legitimate things and every time having to go to Local Security Policy and edit rules or make new ones. I wish they had put an icon sitting in the systray and... a popup to auto-make a new rule, editable on the fly. Instead, you install EMET and you have a "notifier" icon sitting in your tray doing nothing, and this runs at startup! Thanks a lot, MS, all I was missing was a useless startup entry and a grey lock in my systray... If I were a programmer at Microsoft, the first thing I would do in AppLocker would be a "show as icon in tray" option and "enable pop-ups for rule generation". The idea alone that I must make rules by a combination of guesstimate and trial and error, each time going there, makes me want to enable paranoid mode in Comodo. At least I am more used to such popups than I am to editing AppLocker rules... :D
     
    Last edited: Jan 14, 2013
  18. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Isn't it supposed to have an option something like "run outside sandbox" whenever it detects installers?
    Right now I am not using Comodo... so not sure about it.

    thanks,
    harsha
     
  19. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I'm not using Comodo right now either, but yes, there is this option. However, the real danger doesn't come from installers, assuming you get programs from reputable sources. It comes from simple executables, such as a "nodvd patch" for games, for example (who doesn't love nodvd patches).
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    The thing is this. Sandboxing based on virtualization or policy restriction can avoid infection virtually perfectly. Comodo 5.10 basically uses restriction on executables. The executable may run fine or may not get enough privileges to run properly. Infection averted. But the problem is, what if you want to "make it work"? The sandbox won't tell you what this wants to do and why it didn't work.
    The classical HIPS will. It's not certain that you will be able to understand it's malicious, but you will usually have more than one chance to see something. For example, if you are trying to patch a game and the supposed patch is really malware, in the sandbox it won't run and it won't infect. But you wonder "maybe it was too restricted". If you try to run it with the classical HIPS and suddenly see that its main target of interest isn't the game but instead it tries to hijack Windows processes or put a startup entry in the registry, then you're positive it's malware.
     
    Last edited: Jan 14, 2013
  21. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    @fuzz


    Yeah, that's why I wanted better Comodo Program Manager integration with v6 and Kiosk. Add repo support and 3rd-party AV scans within the install sandbox: perfection!


    @kees

    Yeah, in my method, if the HIPS is set to safe mode and detect installers, you will get very, very few popups, like yours.

    But you get faster program boot speed and more granular rules. This is more like GeSWall premium rulesets.

    The loss is that you have to take the time to see what is the lowest rule set you can allow without breakage. You gain executable rules (what programs it can execute) and even program protection, but lose the number of executables spawned. You technically can run both rule sets for true sandbox inception.
     
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I agree 100%. I haven't used v6, but there should be a way to integrate more things into the sandboxing idea. Sandboxing is great if you want to maintain a "frozen" environment, where you are sure that what you have is clean and want to keep it that way by keeping everything in the sandbox. The danger comes when you must bring something outside the sandbox and you don't get enough of an alert about it.

    In Comodo 5.10, I tried the Comodo Leak Test with the sandbox. It did, I think, 320/340. The thing is, all you were seeing was "clt.exe sandboxed" and then nothing. If this were an exe that I THOUGHT was legitimate, I would have no idea that it was malicious. So if I were to click "don't isolate again", it would have been "game over". Because you don't get to see that "CLT.exe is trying to make a dll injection into iexplore.exe", for example, like you'd see with the classical mode of D+.

    Not surprisingly, with D+ enabled as classical HIPS and the sandbox disabled, it gets 340/340. The explanation in the Comodo forum that "the test wasn't designed to work properly in the sandbox" is IMHO unsubstantiated, more of a "smoke and mirrors" reply with no explanation. My thought is that with the sandbox it scores lower because the sandbox, even if set to "restricted" (which I use), does let some things execute, while D+ asks every time clt.exe is about to sneeze. That's why the sandbox gets a lower score. The test manages to run with very few privileges.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ;) Yep true, but the fun was THREE for FREE (virtualization).

    I am familiar with HIPS like Process Guard, AppDefend, Antihook, SSM, CoreForce, Comodo, Online Armor, Outpost, S&S Syswatch, Neova Guard, EQSecure, NetChina, RTD (Real Time Defender), ProSecurity and MalwareDefender.

    Regards Kees
     
    Last edited: Jan 15, 2013
  24. skokospa

    skokospa Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    177
    Location:
    Srbija
    I did not know that there are so many HIPS... I've heard of some (OA, Process Guard, Outpost)... the others I hear of for the first time.
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Process Guard used to have a dedicated forum on Wilders. Then some day they went AWOL. Luckily, they didn't have online activation, so their users kept using the program. One of the devs re-appeared some years later, I think mentioning a health problem (car accident, not sure) and that the company would be running again. Then he disappeared again. The domain nowadays still exists and it seems they are preparing to resell antiviruses. Back in XP days, they were also giving away an ultralight, very cose freebie, RegistryProt, that warned you about new registry startup entries, giving you the chance to deny them.

    System Safety Monitor (SSM) was also a great HIPS, at some point it closed. Most gracefully, the dev offered free registration keys for the Pro version to those who wanted to mail him, so that they could use the last version even if they had never bought it. They also had a free version, but the Pro was way better.

    RegDefend/AppDefend also used to have a forum here; at some point it closed. Luckily they didn't have online activation. They were also offering a great free firewall, Ghostwall. I used to use that in XP. Lightest firewall ever: you could only filter ports and protocols, not applications. Unless I am mistaken, the devs also pulled a disappearing stunt from Wilders.


    Antihook, Neoava and ProSecurity all closed too. Neoava, I think, was beta and never exited that. Antihook was, I think, free. ProSecurity had a paid version for sure.

    Those days, in the forum there was even Paul Wilders posting. At some point he disappeared too.

    P.S.: I almost feel guilty about SSM. I was using SSM free for a long time and got the Pro for free when they shut down. I wish I had bought the Pro version; it deserved the money for support. I almost felt guilty when I got the Pro for free, but unfortunately I was still in high school, with no means of paying anything online... Still, I feel sad thinking about them. It was such a shame they had to shut down.
     
    Last edited: Jan 17, 2013