I have a question about CIS 5's new sandbox restrictions.

Discussion in 'other anti-malware software' started by cheater87, Sep 10, 2010.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I know Comodo 4 had limited restrictions as its limitation on sandboxed software. The new version has some more options. Does anyone know what they are and how they act?
     
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Partially limited, limited, restricted, untrusted and blocked. I'm not really sure what they do though. Oh wait. Here you go.

    Treat unrecognized files as – This has five options and the unrecognized files will be run as per the option
    selected.

    * Partially Limited - The application is allowed to access all the Operating system files and resources like
    clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading
    drivers or debugging other applications are also not allowed.

    * Limited - Only selected operating system resources can be accessed by the application. The application is
    not allowed to execute more than 10 processes at a time and is run without Administrator account
    privileges.

    * Restricted - The application is allowed to access very few operating system resources. The application is
    not allowed to execute more than 10 processes at a time and is run with very limited access rights.

    * Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

    * Blocked – The application is not allowed to run at all.
     
  3. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Thanks. I'll be setting it on blocked if I decide to switch from Sandboxie.
     
  4. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    I've used the latest CIS 5 and untrusted works very well. I tested a lot of links on MDL and it blocked everything. Funny enough the AV picked up 7/10 of the malware. The rest were restricted from doing anything. It was funny watching all the intrusion attempts. Nothing got through though. Pretty good.
     
  5. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Giving anything untrusted even a little bit of rights for processes or anything is something I'm not very comfortable with. But to each his own. How limited are the rights on restricted, from what you can tell from your experience?
     
  6. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    So from what I see in those options, none of them restrict an untrusted executable from modifying data files? By that I mean no rollback option? So malware I allow to run, and yes, I understand my role in not executing it in the first place, can go modify any of my documents or spreadsheets or text files it wants to without me being alerted or able to roll back the changes?

    If not, how do I get alerted to changes to data files, or how do I roll back?

    BTW, I did a very brief test of V4.xx and that was my impression. I mean brief. I did not spend much time trying to figure out how or if I could roll back the changes made. I just knew they were made and I saw no alerts. And no, it wasn't malware. I just expected to be alerted, since CIS didn't know anything about the exe.
     
  7. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    On untrusted the malware is allowed to run. From what I can see it only has some access to browser cache. It does try to modify registry entries but it's not allowed. It also is able to open cmd.exe but again it doesn't go any farther than that.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
  9. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Auto-sandboxing still doesn't virtualize file system and registry writes in the latest RC. As such, it's not really sandboxing, unless you run them in the sandbox manually.

    Those security context settings should be on the Sandbox settings tab as well since they also apply when you run things in the sandbox manually and have auto sandboxing turned off.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Is the sandbox crippled or incomplete?
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Can Comodo be installed with the av left out? I am thinking about installing the firewall w/d+ and the pseudo sandbox and cloud scanner whatever that is. I hear the cloud scanner is not yet incorporated into the firewall though. Anyone running Comodo 5 like this?
     
  12. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Customer requested to install Comodo firewall with D+ today, leaving the AV out. Working OK. I think you can choose the components through the installer.
     
  13. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Anti Virus is optional.
     