CIS 10 stable released

Oh My! I'm home for the Holidays so really can't spend too much time on the computer, but my initial feelings about version 10: it surpassed what I expected (and I expect a great deal). The former sandboxing of legitimate applications is way down, and where previously CF would laugh at malware, now it is just bashing out their malicious little skulls and stepping on the corpse.
 
That sounds pretty interesting. When you get a chance, please elaborate a little on those under-the-hood changes that you saw and others didn't.
 
So it's good they removed that in V10, right?

Now they source track with some kinda databases.

Monitoring files that come from only certain zones is ludicrous. People use USBs, external drives, CD\DVDs, etc. Besides, malc0ders aren't stupid - they will make sure their file doesn't have a zone.identifier by archiving it and other means.
 

In the default config, i.e. the Internet Security config, stuff already on the system before the Comodo install is treated as safe/trusted, BUT I think you can still see the unknown/unrecognized stuff: if you check the "Unrecognized" files list, it still registers unknown files there, but does not autosandbox them as per the Internet Security config/Autosandbox rules.
You can delete/remove the file origin, i.e. internet/intranet/removable media, from the Autosandbox rule, and then it will monitor unknown files from any zone. Or you can use the Proactive config, which does that by default.
 
Comodo V10

First I would like to mention that some users reported an unsigned driver problem with the V10 install; I didn't have the problem.

And now my experience with V10 (CFW only) on Win 10 64 Pro with 6GB RAM. I tried it for a while to get the feel of the new version.
It was light on my system for everything: system boot, usage, etc. (the only things enabled at "startup" on my system are Adguard Desktop, Rollback Rx Pro & the security software in use, in this case CFW).
Usability seems better & improved (cruelsister too mentioned this in her posts in the V10 thread here; she is enjoying a vacation, hope when she returns she will give us more info).

Overall, for me (and I hardly/rarely say this about Comodo, for reasons: they don't give me an opportunity to say this, or it happens hardly/rarely/once in a blue moon with Comodo :) ;)
So, overall, for me, with my little try of V10, I find it one of the good releases from Comodo :D :p
 
Yeah, it's a good one.
 
Monitoring files that come from only certain zones is ludicrous. People use USBs, external drives, CD\DVDs, etc. Besides, malc0ders aren't stupid - they will make sure their file doesn't have a zone.identifier by archiving it and other means.
I understand your concern but you are underestimating this solution. Removable storage poses the least risk.
 

Tell that to users in areas of the world where USB infections are an epidemic.

Most of the ransomware I am seeing in email spam campaigns are zipped.

Using ADS\zone.identifier as an exclusion mechanism needlessly results in infections. That's all there is to it.

This inherent flaw is well known in the industry.
 
There is indeed a subtle problem with zipped content, but they are handling this with File Groups. Unless you are using some kind of trusted but bashed archiver that also deletes stream data, then I see no problem. It can be improved by feeding it with file characteristics. I wouldn't say it's bad. I find it interesting.
 

7zip, for example, will not pass on the ADS unless the user opens and extracts the archive within 7zip to allow for the temp file use. Most users will simply right-click on the archive and select extract - which doesn't pass on the ADS. A file that was Untrusted in the archive will be Trusted upon right-click extraction. It doesn't take a bashed archiver. And typical users aren't paying attention to file attributes. All that matters to them is that the file is prevented from infecting the system.

SmartScreen, for example, doesn't use File Groups and excludes most potentially malicious file types. Having file inspection kick in based strictly on the presence of a zone.identifier is nonsense. "It doesn't have a zone.identifier, or not the correct zone.identifier, so we will ignore that file. If it's not from the internet zone then it's not our concern." Microsoft isn't the only one doing this sort of nonsense.
 

7-Zip (which is Trusted) is handled through File Groups and the extracted file is not automatically trusted. It is treated as Unknown. They make use of SmartScreen in addition (since you mentioned it).


PS: Merry Xmas.
 

Igor Pavlov - developer of 7zip.

Igor Pavlov's own words regarding zone.identifier being wiped when extracted and 7zip: 7-Zip / Bugs / #1649 Zone Identifiers of unzipped files.

Also, just for reference: Downloads and the Mark-of-the-Web

There is no URL-Unknown zone.identifier in Windows.

The scenario I am referring to: user downloads zip from email, right-clicks and extracts it, executes it, SmartScreen doesn't check it due to wiped ADS\z.i, file executes, no Windows Defender detection, system boinked.

Remove Mark of the Web, and there is no Smartscreen application reputation check.

User Space is User Space; there is no need to rely upon the presence or absence of ADS to be a file monitoring trigger. User Space = untrusted, always. It works.

Interesting conversation. Thanks.
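To see the gap described in this post on your own machine, the following PowerShell audit (added here, not code from the thread or from Comodo/7-Zip) lists which files under a folder still carry a Zone.Identifier stream and which do not; the Downloads folder default and the zone-name table are assumptions, the stream layout is the standard [ZoneTransfer] INI format.

```powershell
# Audit Mark-of-the-Web presence: files extracted via right-click "Extract"
# typically land in the "HasMotW = False" group, which is what SmartScreen
# and any zone-gated monitor will then skip.
param(
    # Assumed default location; pass -Root to audit another folder
    [string]$Root = (Join-Path $env:USERPROFILE 'Downloads')
)

# URLZONE ids as written in the ZoneId= line of the [ZoneTransfer] section
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file     = $_
    $zoneId   = $null
    $source   = $null
    try {
        # Reading the named stream throws when the file has no Zone.Identifier ADS
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)')                 { $zoneId = [int]$Matches[1] }
            if ($line -match '^(HostUrl|ReferrerUrl)=(.+)$')  { $source = $Matches[2] }
        }
    } catch {
        # No stream: the file carries no Mark-of-the-Web
    }
    [pscustomobject]@{
        Path    = $file.FullName
        HasMotW = ($null -ne $zoneId)
        Zone    = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'none' }
        Source  = $source
    }
} | Sort-Object HasMotW | Format-Table -AutoSize
```

Compare the entries for an archive you downloaded and for the files you extracted from it next to it: the archive normally shows Zone = Internet while the extracted copies show none.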

This is not a scenario with Comodo. Although "Mark of the Web" is removed after extracting from the archive, CIS handles it in another way and the system is protected. It was said a few times in this topic.
 
File source tracking using Alternate Data Streams\Zone.Identifier is garbage.
Correct me if I am wrong, but I think this whole discussion about file source tracking is relevant only to the Internet Security and Firewall configs, not to the Proactive config, which has a global autosandbox policy.
If the first two configs no longer rely on file source tracking, how do they work now?
 