Serious Discussion Comodo Internet Security 2024 Beta is now available

[ErzCrz]

Why would one ever need or have to use 'Run Restricted' for apps running in a Containment???
The apps run in containment what's the point?
Can they escape from Containment somehow when use 'Run Virtually''?

I think @cruelsister mentioned it in one of her videos some years ago but can't recall which. Often the default suggested option is to run a program partially limited and then you have to deal with firewall prompts. Setting the default containment to Restricted makes things simpler but if you want to just deal with the containment prompts, that's fine. the CS approach is simple bulletproof configuration.

The default it Partially limited and less secure as I've mentioned but choice is yours.

• Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)

• Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
• Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

• Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

 

[simmerskool]

Why would one ever need or have to use 'Run Restricted' for apps running in a Containment???
The apps run in containment what's the point?
Can they escape from Containment somehow when use 'Run Virtually''?

sure, and ideally if "run restricted" is the selected setting then a good coder might nullify (gray out) Run Virtual Applications.

 

[simmerskool]

I think @cruelsister mentioned it in one of her videos some years ago but can't recall which. Often the default suggested option is to run a program partially limited and then you have to deal with firewall prompts. Setting the default containment to Restricted makes things simpler but if you want to just deal with the containment prompts, that's fine. the CS approach is simple bulletproof configuration.

The default it Partially limited and less secure as I've mentioned but choice is yours.

sounds like my memory too although mine is (was) a tad more faded.

 

[simmerskool]

Please, allow me to disagree here.

which is better... it depends. I appreciate that Comodo corporation publishes "official" announcements on its forum (or website); however, I find I get good info here regarding CF and other computer related topics too.

 

[ForgottenSeer 100397]

The “Restricted” level probably doesn’t block connections or suspend firewall prompts. The help files don’t mention it either. @cruelsister posted a video of CFW Beta 2024. The test has firewall prompts for powershell.exe, svhost.exe, and coinminer.exe with containment set to restricted.

 

[Pico]

When apps run contained they can perform read operations from the host (like read access to file system and resources) but they cannot perform permanent write operations to the host as these write operations are isolated from the host.
In other words, contained apps can never make permanent changes on the host and as long as contained apps cannot call home (FW set to block inbound and block outbound connections for all contained apps) than I still don't see the need why using 'Run Restricted' or any other limiting setting.

What am I missing in using these limiting settings?

 

[Zappathustra]

No and Yes.

The "No" part:

 

[ErzCrz]

Comodo leaves weird parts of it on my system when i uninstalledd. I had to reinstall windows :/

It tends to leave behind a installer startup entry which you can delete from the registry located here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also tends to leave behind the Event Log folder/entry located here: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

Both can safely be deleted and just restart afterwards.

There is an Uninstaller via Comodo Forums but it doesn't remove the above entries. Official Comodo Uninstaller v3.2.0.82 Released

 

[simmerskool]

It tends to leave behind a installer startup entry
It also tends to leave behind the Event Log folder
There is an Uninstaller via Comodo Forums but it doesn't remove the above entries. Official Comodo Uninstaller v3.2.0.82 Released

@Deepz you could also try jv16 uninstalr app, it is discussed here

Discussion Thread - Uninstalr: Or how I tested all the Windows uninstallers and ended up making a new one

I tested all the popular Windows uninstaller programs. That is: Bulk Crap Uninstaller, Geek Uninstaller, HiBit Uninstaller, IObit Uninstaller, Revo Uninstaller and Total Uninstall. I found out that many of them had some very rudimentary user interface problems, none of them were able to perform...

malwaretips.com

 

[ForgottenSeer 100397]

When apps run contained they can perform read operations from the host (like read access to file system and resources) but they cannot perform permanent write operations to the host as these write operations are isolated from the host.
In other words, contained apps can never make permanent changes on the host and as long as contained apps cannot call home (FW set to block inbound and block outbound connections for all contained apps) than I still don't see the need why using 'Run Restricted' or any other limiting setting.

What am I missing in using these limiting settings?

Before containment, restriction levels were the primary security measure. They now offer optional protection, which limits software or malware running in the containment. I don’t use restriction levels.

 

[ForgottenSeer 100397]

Why would one ever need or have to use 'Run Restricted' for apps running in a Containment???
The apps run in containment what's the point?
Can they escape from Containment somehow when use 'Run Virtually''?

In @Shadowra's test, Run Virtually successfully contained malware and protected the system.

 

[Pico]

Before containment, restriction levels were the primary security measure. They now offer optional protection, which limits software or malware running in the containment. I don’t use restriction levels.

That should be 'optional fake containment protection' then.
Why should one want to set restriction level on a contained app?
Two options, either just let the contained app execute without restriction level or just block it altogether, easy.

 

[ForgottenSeer 97327]

@Pico use case for running a contained application with restrictions

Run a portable version of a webrowser in a container with additional restriction to block access to ring-0, allowing this sandboxed portable only write access to the (real system) download folder. Being a portable application it should in normal circumstances never touch elevated processes and UAC protected folders nor registry. Enable HIPS, allowing everything except execution in the download folder.

Pretty strong hassle free security. Can't imagine any malware to break through these additional containment levels.

@cruelsister always removes access to real system, but maybe she could show a version which only allows access to the downloads folder of the real world system and let the HIPS protect this "gateway" to the real world.

 

[Pico]

Is containment leaking permanent write operations (excluding the allowed write access to the download folder) to the real system when restriction levels are not being used ???

Running a portable or non-portable app in containment doesn't matter both are handled in the same way, they execute in containment meaning they cannot perform permanent write operations to the real system.

 

[likeastar20]

After I uninstalled Comodo with Uninstalr, I can't seem to get it to install again.

 

[ForgottenSeer 97327]

Is containment leaking permanent write operations (excluding the allowed write access to the download folder) to the real system when restriction levels are not being used ???

Running a portable or non-portable app in containment doesn't matter both are handled in the same way, they execute in containment meaning they cannot perform permanent write operations to the real system.

you are not a fan, me neither but now your are saying why use a safety belt when my car has an airbag?

 

[ForgottenSeer 100397]

That should be 'optional fake containment protection' then.
Why should one want to set restriction level on a contained app?
Two options, either just let the contained app execute without restriction level or just block it altogether, easy.

The restriction levels aren't just for containment. You can use a restriction level as primary security without containment.

 

[Pico]

Who needs an airbag when wearing a safety belt

 

[Pico]

The restriction levels aren't just for containment. You can use a restriction level as primary security without containment.

That's good. But for containment it has no use.

 

[ForgottenSeer 100397]

That's good. But for containment it has no use.

Run Virtually had some minor problems, such as ransomware leaving a ransom note on the desktop or malware changing the desktop background. This made people question the strength and reliability of the default settings. Personally, I believe that restricting contained apps defeats the purpose of containment. I'm not aware of any legitimate bypass of the default settings with the stable version.