Advice Request CIS 10 Config: Default or Proactive?

Using the Comodo Firewall (similar), it is effective to set on Proactive and then go into sandbox settings and set the "All Processes/unrecognized" rule to "Restricted". Then make sure Auto-sandboxing is enabled. The Trusted Vendors list is long but it's a good list. You won't get too many alerts.
 
it really depends on the level of security you are looking for.
If you want the highest level, do like @AtlBo says.
But the firewall config is good, too, especially if you enable autosandbox. It might give you less troubles that way. This is because the autosandbox will not interfere with system files and trusted programs.
 
> Using the Comodo Firewall (similar), it is effective to set on Proactive and then go into sandbox settings and set the "All Processes/unrecognized" rule to "Restricted". Then make sure Auto-sandboxing is enabled. The Trusted Vendors list is long but it's a good list. You won't get too many alerts.

Thanks for your reply, but I'm talking about Comodo Internet Security and not the standalone firewall :)
 
Doesn't matter, because CIS is the same as the standalone firewall, except that it also has the AV component.

The AV component is virtually worthless as protection, it is really only there to make ignorant consumers happy. You don't want a configuration that relies on such a weak AV for protection, so go with firewall config or proactive config.
 
Totally agree with shmu. The Comodo AV may catch stuff on occasion, but even a blind squirrel will find a nut sometimes. And remember that even CF has a Cloud AV and Valkyrie, so the only thing you will miss is the local AV scanner. The really important thing to do is enable the sandbox at either the Restricted or Untrusted (if you are an old hand) level. If you really want to have an AV, go with something like Qihoo or Avast for local scans.

About the configuration: by all means change to Proactive. This will increase the baseline protection significantly with stuff like shutting off the pathway to screwing with COM interfaces, a common attack pathway.
 
CFW has File Lookup Services (FLS), not Valkyrie.
COM interfaces protection is not limited to Auto-Sandbox (but average user finds such alerts confusing when Auto-Sandbox is not used). You also get better coverage with Proactive Security configuration. It's a good addition if you consider: more applications you install = wider attack surface.
 
> CFW has File Lookup Services (FLS), not Valkyrie.
> COM interfaces protection is not limited to Auto-Sandbox (but average user finds such alerts confusing when Auto-Sandbox is not used). You also get better coverage with Proactive Security configuration. It's a good addition if you consider: more applications you install = wider attack surface.

Great explanations.
So let's say I am on firewall config, and I enable autosandbox.
I set autosandbox to restricted for unknown files.
And not only that, but whenever I get a prompt from HIPS, I block at the first prompt, i.e., the initial execution of the file.
Will I still have better protection if I switch to proactive config, and if so, why?
 
Yes. You get a more secure posture if you are using Proactive Security configuration. It depends on which application is used. It's very very possible that you will get an alert for something that's not a process execution and a trusted application will be used (task scheduler, task kill and so on) in such a chain of events. There is a common misconception that you get new processes and similar stuff but you can avoid these by utilizing COM. It's not something to be ignored.
 
> Yes. You get a more secure posture if you are using Proactive Security configuration. It depends on which application is used. It's very very possible that you will get an alert for something that's not a process execution and a trusted application will be used (task scheduler, task kill and so on) in such a chain of events. There is a common misconception that you get new processes and similar stuff but you can avoid these by utilizing COM. It's not something to be ignored.

So the extra COM protection of Proactive config is useful in preventing exploits?
 
Is "COM protection" referring directly to the choice of the HIPS setting for COM alerts? I haven't studied the "Firewall" config to be able to follow how Proactive is better, although I can understand it is.

Maybe it's too much, but I am curious if it would be helpful to rank the danger level of CF/CIS HIPS alerts? I'd love to see a really great breakdown of this and the contexts and risks of choices with CF. Like I'd love to be able to know when I have an option beyond what I am seeing now, such as Auto-sandbox is about to kick in.

Been thinking some about this, and the sky is the limit with Comodo for really outstanding alerts system. I hope there is work in this area, because I do like CF in its current state too.
 
> Yes. You get a more secure posture if you are using Proactive Security configuration. It depends on which application is used. It's very very possible that you will get an alert for something that's not a process execution and a trusted application will be used (task scheduler, task kill and so on) in such a chain of events. There is a common misconception that you get new processes and similar stuff but you can avoid these by utilizing COM. It's not something to be ignored.

Just trying to understand how this works.
The general rule of thumb with COMODO HIPS is that a trusted process will not produce alerts.
So how does task scheduler (as an example) produce COM-related alerts, when it is a trusted process?
 
> Is "COM protection" referring directly to the choice of the HIPS setting for COM alerts? I haven't studied the "Firewall" config to be able to follow how Proactive is better, although I can understand it is.
>
> Maybe it's too much, but I am curious if it would be helpful to rank the danger level of CF/CIS HIPS alerts? I'd love to see a really great breakdown of this and the contexts and risks of choices with CF. Like I'd love to be able to know when I have an option beyond what I am seeing now, such as Auto-sandbox is about to kick in.
>
> Been thinking some about this, and the sky is the limit with Comodo for really outstanding alerts system. I hope there is work in this area, because I do like CF in its current state too.

COM protection is not exclusive to COM interfaces. You could get an alert for a protected registry key and not a COM alert, depending on the case. You could say that strength is directly influenced by the (number of) protected objects.
The reasoning behind this is that, by auto-sandboxing, you are silently guided to a good approach because the alert is silently auto-answered.
** where text with italics means a simplified explanation for better understanding

> Just trying to understand how this works.
> The general rule of thumb with COMODO HIPS is that a trusted process will not produce alerts.
> So how does task scheduler (as an example) produce COM-related alerts, when it is a trusted process?

In my previous post, I considered your scenario and explained why it's better to switch to Proactive Security configuration if an action (intended word: action, not executable, to avoid possible misconception) jumps out of the Sandbox. Thus, you will not get an alert because it's trusted, and COM protection is a good addition. Also, more protected objects = lower probability of using such an action to jump out of the Sandbox.
 
So then HIPS approvals actually weaken Auto-sandbox (Restricted) protection, and A/S is not a complete override? I was thinking of A/S as a virtualization fallback add-on where only the sandbox rules apply. Fortunately, I haven't been creating many HIPS rules, since I really wasn't sure how to view this interaction. o_O
 
Well I am using CFFW 8 and F-Secure Ultra-light. I am using C.S settings. Thanks C.S.

I disabled Hips and Viruscope since I am running F-Secure Ultra-light.

I am only using F-Secure AV Cloud Support, as I figured the 235MB download offline AV would slow things down.
 
> So then HIPS approvals actually weaken Auto-sandbox (Restricted) protection, and A/S is not a complete override? I was thinking of A/S as a virtualization fallback add-on where only the sandbox rules apply. Fortunately, I haven't been creating many HIPS rules, since I really wasn't sure how to view this interaction. o_O

If you'd get alerts for every action of sandboxed applications then yes, it would weaken. It's human error mostly because you cannot interpret every HIPS alert.
Luckily, it doesn't work like that although some users (wrongly) suggest/want it. Instead, you do not get HIPS alerts for sandboxed applications. Even if you create bad rules, these are ignored by Sandbox.
 
> Yes. You get a more secure posture if you are using Proactive Security configuration. It depends on which application is used. It's very very possible that you will get an alert for something that's not a process execution and a trusted application will be used (task scheduler, task kill and so on) in such a chain of events. There is a common misconception that you get new processes and similar stuff but you can avoid these by utilizing COM. It's not something to be ignored.

How do you know all this stuff??
 