I have a question about CIS 5's new sandbox restrictions.

I know Comodo 4 had limited restrictions as its limitation on sandboxed software. The new version has some more options. Does anyone know what they are and how they act?

 

partial limited, limited, restricted, untrusted and blocked. I'm not really sure what they do though. Oh wait. Here you go.

Treat unrecognized files as – This has five options and the unrecognized files will be run as per the option
selected.

* Partially Limited - The application is allowed to access all the Operating system files and resources like
clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading
drivers or debugging other applications are also not allowed.

* Limited - Only selected operating system resources can be accessed by the application. The application is
not allowed to execute more than 10 processes at a time and is run with out Administrator account
privileges.

* Restricted - The application is allowed to access very few operating system resources. The application is
not allowed to execute more than 10 processes at a time and is run with very limited access rights.

* Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

* Blocked – The application is not allowed to run at all.

 

Thanks. I'll be setting it on blocked if I decide to switch from Sandboxie.

 

I've used the lastest CIS 5 and untrusted works very well. I tested alot of links on MDL and it blocked everything. Funny enough the AV picked up 7/10 of the malware. The rest were restricted from doing anything. It was funny watching all the intrusion attempts. Nothing got through though. Pretty good.

 

Giving anything untrusted even a little bit of rights for processes or anything is something I'm not very comfortable with. But to each his own. How limited are the rights on restricted, from what you can tell from your experience?

 

So from what I see in those options, none of them restrict an untrusted executable from modifying data files? By that I mean no rollback option? So malware I allow to run, and yes, I understand my role in not executing it in the first place, can go modify any of my documents or spreadsheets or text files it wants to without me being alerted or able to rollback the changes?

If not, how do I get alerted to changes to data files, or how do I role back?

BTW, I did a very brief test of V4.xx and that was my impression. I mean brief. I did not spend much time trying to figure out how or if I could role back the changes made. I just knew they were made and I saw no alerts. And no, it wasn't malware. I just expected to be alerted, since CIS didn't know anything about the exe.

 

On untrusted the malware is allow to run. From what I can see it only has some access to browser cache. It does try to modify registry entries but its not allowed. It also is able to open cmd.exe but again it doesn't go any farther than that.

 

nice

 

Auto-sandboxing still doesn't virtualize file system and registry writes in the latest RC. As such, it's not really sandboxing, unless you run them in the sandbox manually.

Those security context settings should be on the Sandbox settings tab as well since they also apply when you run things in the sandbox manually and have auto sandboxing turned off.

 

is the sandbox criple or incomplete?

 

Can Comodo be installed with the av left out? I am thinking about installing the firewall w/d+ and the pseudo sandbox and cloud scanner whatever that is. I hear the cloud scanner is not yet incorporated into the firewall though. Anyone running Comodo 5 like this?

 

Customer requested to install comodo firewall with D+ today leaving the av out.. working ok..I think you can choose the components through the installer..

 

Anti Virus is optional.