App Review Basic sandbox demo(for beginners)


Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
Could be you saw a reference in @cruelsister's videos where she states that rebooting will shut down the malware from running in the sandbox. You are also correct that the sandbox must be cleared manually. Reboot as you mention doesn't clear the sandbox with Comodo.

OK, if I am wrong about the below please correct me. This is how I understand Comodo's auto-sandboxing.

I believe the reason @cruelsister mentioned that malware cannot hurt the system even when running while a reboot is begun was that some malware in the sandbox can affect a system such that it makes the system mildly unstable. It depends on the sandbox settings for restriction level, where Restricted is basically a block for all purposes. However, I believe with Partially Limited or straight Virtualized with no limitations, malware could open some things and maybe even drop some files sometimes or make the processor race. At any rate, running malware in the sandbox could still lead someone to want to try a reboot, and there is no harm in doing so. Malware can't do harm to the system or files, and rebooting will mean the malware is no longer running.

You may have noticed that in some of @cruelsister's videos malware running in the sandbox changed the wallpaper and dropped a ransom note. That's an example of what can happen at some sandbox restriction levels (settings). I guess partly she does this to show what the malware attempts to do. Reboot and you will have to fix those problems manually (with or without reboot actually), but the malware will not still be running in the sandbox when the PC restarts. To run, it must be restarted manually (bad idea o/c). At that point you can just empty the sandbox manually and its traces will be gone. Just make sure to delete the malicious file too.

One thing that I am feeling very keen to add here is that if you use Comodo Firewall without HIPS and with auto-sandbox, then the first thing to do is to change the firewall to the Proactive config, as that will suppress/defeat many sandbox bypasses.
All other settings have already been defined by CS very beautifully.
As far as my config is concerned, I use it at the Firewall config with HIPS turned on at my settings and haven't seen any false blockage yet.

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
As far as my config is concerned, I use it at the Firewall config with HIPS turned on at my settings and haven't seen any false blockage yet.

That's good. I am using Proactive because I like to see alerts from normal programs. I believe it alerts even for "Trusted" applications. I like to see the firewall alert once and then allow or block (just a few, but some devs are sketchy with connection usage or just not a well-known dev).

I have HIPS on Safe Mode. Still working on how to best configure it. At one point, I eliminated all HIPS rules except some for scripts I have introduced onto the system and then the Comodo defaults. At that point, I was seeing clearly the power of Comodo HIPS, but this requires a great deal of understanding. Great that Comodo can automatically make use of the "Exclusions" for each HIPS rule from HIPS rules alerts, but also not something a novice will notice in the settings or know how to choose from an alert.

Example of this is Safe Mode HIPS rules for Explorer.exe. Any time an "Unrecognized" process is opened via the start menu or from an open folder, HIPS will create an Explorer.exe alert for the program. If I allow and remember, Comodo auto-creates an "Exclusion" for the Explorer.exe rule. The best part is it can be "Allow" or "Block" either way. This is really powerful for my usage. It takes HIPS to a second level of choice and configurability.

It would be great if Comodo added something similar somehow with the firewall to easily allow locally connected machines on a home network to communicate. I mean a way for me to identify which are local machines using an alert or whatever. This way all the local traffic could easily be monitored separately from traffic that travels across the internet.

Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
Using Comodo FW at the Firewall config is used by me for 3 reasons:
1. The ratio of blocking clean files is much lower as compared to the Proactive config.
2. It is best to use with any other AV, as it will offer more compatibility than the Proactive setting while offering the optimal level of protection.
3. HIPS provides the best level of protection at the Firewall config as far as compatibility, false positives and user experience are concerned.
This config is basically designed to provide a user (even an average user) a seamless experience without many false positives, greater compatibility, good protection and auto-blocking of malicious threats.
This is my experience with Comodo Firewall so far.
What are your thoughts about it?

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
This config is basically designed to provide a user (even an average user) a seamless experience without many false positives, greater compatibility, good protection and auto-blocking of malicious threats.
This is my experience with Comodo Firewall so far.
What are your thoughts about it?

@Prayag I really like your setup for what you say. Wish I had more experience with the Firewall configuration to understand better the scope of protections using the config. I have been on Proactive only for so long I can't even determine how the settings are different. I have only run Firewall config for minutes at a time to import a config or after installing Comodo.

Have you been able to test yet with malware or with "Unrecognized" files? I have been testing various ways of dealing with "Unrecognized" files. The primary focus of this for me is to determine the best way to think and act so as to avoid changing "Unrecognized" files into "Trusted" ones.

If I might suggest, maybe you could perform a battery of malware tests if you are a tester. I think the best test would be to turn off the sandbox and test the HIPS and firewall to see if you are getting what you like alerts/rules-wise. You may notice the finer points of how you choose to respond to an alert affects how the app/file is handled. I recommend checking to see how various choices affect the file/app trust status in the files list.

You would probably only need to run 20-30 "Unrecognized" samples to get a good feel for how to advise users about responding when there is an alert. Hopefully, you could get a look at a command-line alert or maybe some others. Ultimately, 50 samples might be ideal and would probably take a couple of hours I guess.

I have almost a book I could write about the protections and settings change sequences of Comodo, but there are unknowns in my determinations. Comodo help is good but not so great about how choices affect file/app status and also about how file/app status affects general initial/default protections (of each config). What I can say about Comodo has helped me be able to test on a normal system, which I needed for now to be able to do. Otherwise, in a VM you should be able to test without any worry of what happens to the system or Comodo, etc. Definitely if you ever test "Unrecognized" malware, do so in a VM.