CIS Program Sandboxing Policy/Criteria, etc...

Deleted member 2913
Since version 8 CIS introduced new autosandbox default rules, i.e. "Internet", that replaced "Any". Now I don't know how the "Internet" rules decide to autosandbox programs, on what basis... what criteria... are considered by the "Internet" rules to decide whether to autosandbox a program or not... but I must say the "Internet" rules seem a vast improvement & have definitely made CIS a lot better & more usable, especially for average users.

Nowadays I am trying the latest CIS with default settings. For a usability check, I installed/updated/upgraded, etc... quite many programs, i.e. average users' programs/popular programs/required programs & some not so popular programs, etc... & not a single program was autosandboxed or generated alerts. That's a huge plus & improvement.

But I am a little confused. Programs installed were not autosandboxed but some program entries are there in the Unrecognized List - can anyone explain this? Programs are working fine & definitely not running sandboxed; that's good.
Is this expected behavior & something new as per the new autosandbox default rules "Internet" & other policies, criteria, etc...?
 

Rolo
How fortuitous that I happen to have the exact help page open in another tab:
https://help.comodo.com/topic-72-1-623-7755-Unknown-Files---The-Scanning-Processes.html

An application can become recognized as 'safe' by CIS (and therefore not auto-sandboxed or scanned in the cloud) in the following ways:
  • Because it is on the local Comodo White List of known safe applications
  • Because the user has rated the file as 'Trusted' in the File List
  • By the user granting the installer elevated privileges (CIS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CIS regards the installer and all files generated by the installer as safe)
  • Additionally, a file is not auto-sandboxed or sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS Ruleset (See Active HIPS Rules for more details)

I don't recommend defaults for two reasons:
- Their objectives with choosing defaults may not match your objectives
- Examining your options and setting them yourself gives you a better understanding of how the program works

Changing "Any" to "Internet" lets CIS treat what's already on the box differently than what comes from outside the box; this way, you won't get bombarded with alerts for programs you already know are safe. How it decides a file came from the Internet is a question I am looking for the answer to as well--especially since I disabled Windows' zone-checking nag-screen behaviour in group policy (Asking "Are you sure?" EVERY. SINGLE. TIME. is not security!)
 
Deleted member 2913
Installed Trojan Hunter.

No files in Trusted Lists. Files in Unrecognized Lists. I didn't get any alerts. Trojan Hunter runs fine, i.e. not virtualized/no green border. KillSwitch also shows virtualization disabled for Trojan Hunter.
 
hjlbx
Installed Trojan Hunter.

No files in Trusted Lists. Files in Unrecognized Lists. I didn't get any alerts. Trojan Hunter runs fine i.e not virtualized/no green border. KillSwitch also shows virtualization disabled for Trojan Hunter.

Comodo file rating system is a mess... and does nothing but sows confusion amongst users. There are a lot of reported Comodo file rating system related bugs on the forum. It's a long-standing issue that, as far as I can tell, Comodo has struggled to fix. It does not work correctly all the time - especially if the user starts messing with settings and creates custom rules. Detailed explanations are not forthcoming from Comodo... what's new, right?

On my system some System32 and SysWOW64 files are auto-sandboxed as Unrecognized. Others are listed as Unrecognized, but are not auto-sandboxed. Some are Trusted, but still sandboxed. Same with files from the Programs directories.

Furthermore, files that are user rated as Trusted still get auto-sandboxed... which definitely is not supposed to happen. The user rating is to take priority over Comodo's. Even if a user adds an entire directory to the Trusted file list, there will be individual files that will generate HIPS alerts and be auto-sandboxed.

Damned if I can figure it out. I've tried to cross-reference using Sigcheck and TVL... but that has not given me any idea of how the entire thing actually works... and I'm not going to figure it out because there are various issues - as evidenced by the large number of bug reports centered around the File Rating system.

Reading the 600+ page Comodo manual will not help either... nor will asking questions on the forum.

In the end, Comodo gives the user the ability to create Allow rules for all such situations... so nothing is ever broken permanently. That's one of Comodo's real strengths - the ability to create "work-a-round" rules when the need arises. Not the best way, but just what you need to keep the machine running and protected. Not ideal, but at the same time, not so very terrible; bottom line is the damn thing works despite such quirky, confusing, infuriating issues...

However, I, like you yesnoo, would like a whole lot more clarification.
 

Rolo
Even if a user adds an entire directory to the Trusted file list, there will be individual files that will generate HIPS alerts and be auto-sandboxed.
That's because HIPS has nothing to do with the file trust list. It's a firewall for system areas. Giving a trusted file unfettered access to the system (say, boot sector, system registry areas, keyboard driver, etc.) would render HIPS useless--especially since trusted files can get infected/modified. cf. https://help.comodo.com/topic-72-1-623-7731-HIPS-Settings.html

The very first sentence of the manual on HIPS (emphasis added):
HIPS constantly monitors system activity and only allows executables and processes to run if they comply with the prevailing security rules that have been enforced by the user.

It didn't say "trusted files list" and nowhere in HIPS rules will you find trusted/unknown/malicious.

Reading the 600+ page Comodo manual will not help either
Dismissing the manual published by the creators of the software is foolish for two reasons:
1. It tells you how the software works and how to configure it (I'm finding it very helpful)
2. You can't even think about approaching the devs with a bug report if you don't use their manual as a basis; they won't engage a fool in his folly; they don't have time for that and, speaking as a former author, it is really, really, really annoying to get bug reports on things that aren't bugs and are described in the manual)
 
Deleted member 2913
hjlbx,

The prob is... you install a program, there were no alerts, the program didn't run in a green border, KillSwitch shows virtualization disabled for the program, no files in sandbox... you take it as a whitelisted program.
You check "Files List", you see files related to the program in both the "Trusted" & "Unrecognized" List... you wonder, files in both places? Is this a trusted or unknown program? If it's a trusted program, did it install completely on the system? If it's an unknown program, why no alerts/autosandbox?
And files in both places... there were no sandbox alerts but you get Firewall alerts? (if "Don't show FW popups" is unchecked). But you should get FW alerts for unknown programs only... And if this program is unknown then why no sandbox alerts? And if this program is trusted then why FW alerts & files in the Unrecognized List too?
 
Rolo
A program typically consists of multiple files and not all files are signed or trusted. This is why there's the "treat all files installed by a trusted installer as trusted" option, so the program, as a whole, is trusted rather than ripped apart by sandboxing portions of it.

Additionally, firewall and sandbox are two completely different things--pretend they are two different products by two different vendors on two different interfaces. Treating them as one is what tripped me up in understanding what Comodo was doing.
 
Deleted member 2913
I use default settings. And "treat files by trusted installer as trusted" is enabled in default settings.

A program whitelisted by Comodo is allowed to install normally & connections are allowed automatically. And this was not the case, i.e. FW alerts were there.
 
Rolo
I use default settings. And "treat files by trusted installer as trusted" is enabled in default settings.

A whitelisted program by Comodo is allowed to install normal & connections are allowed automatically. And this was not the case i.e FW alerts were there.

Firewall and File Rating are separate things; you won't find "Trusted/Unknown/Malicious" anywhere in Firewall settings. Allowing a program to execute is one thing; allowing it to talk on the network is another thing, with fine granularity on what networks, what ports, and what protocols it is allowed to use. i.e. You allow your web browser to talk to web sites on those ports specifically allocated (80 & 443 and maybe 8080) for those communications only.

Here's how the firewall works: https://help.comodo.com/topic-72-1-623-7621-Advanced-Firewall-Settings.html

  • Both application rules and global rules are consulted when the firewall is determining whether or not to allow or block a connection attempt.
  • For Outgoing connection attempts, the application rules are consulted first and then the global rules.
  • For Incoming connection attempts, the global rules are consulted first and then application specific rules.

Again, think of each section (AV, Firewall, HIPS) as made by different manufacturers and don't commingle the settings.
 
hjlbx
Rolo, you are not understanding how Comodo's File Rating system works. A file's rating determines whether alerts will not be generated (Trusted), generated (Unrecognized) and blocked (Malicious). This applies to Comodo's HIPS, sandbox and firewall modules. In other words, how Comodo "handles\treats" an application is directly dependent upon that application's File Rating. Trusted files should not generate alerts nor require any rules whatsoever... that is how it is supposed to work, but in actuality it does not function that way on every single user's system.

Comodo specifically states that they designed CIS to theoretically work this way to cut down on the creation of rules and the consumption of system resources.

There are long-standing bugs, where Comodo will generate various alerts that contravene the File Rating that exists for the application. This is nothing new... and yesnoo, as well as a lot of others - including myself, experience the same thing. It is a known issue - to both Comodo and users.
 

Rolo
Rolo, you are not understanding how Comodo's File Rating system works. A file's rating determines whether alerts will not be generated (Trusted), generated (Unrecognized) and blocked (Malicious). This applies to Comodo's HIPS, sandbox and firewall modules. In other words, how Comodo "handles\treats" an application is directly dependent upon that application's File Rating. Trusted files should not generate alerts nor require any rules whatsoever... that is how it is supposed to work, but in actuality it does not function that way on every single user's system.

My firewall log entry on a trusted application:
Ditto.exe is a safe application. However you are about to receive a connection from another computer. If you are not sure what to do, you should block this request.

The Comodo manual states otherwise. The implication of what you are saying is that the Comodo manual is wrong, my firewall log is wrong, and the Comodo developers got it wrong and your opinion is correct (it is your opinion only since no authoritative sources were cited). To demonstrate what you say, you'll have to show it with the manual or from a dev where CIS is supposed to function the way you describe. You'll also have to demonstrate where software fundamentally works differently on a per-machine basis with measurable, observable specificity. Otherwise, I respectfully and vehemently disagree with your opinion and would discourage your filing bug reports that aren't bugs. (Did you retract that one on PAF files since there is no such thing as a PAF file?)

When you trust a file, you are only trusting it as far as execution only. If trusted files had free and total access, the firewall and HIPS would be useless since they would ignore every file executed on your system! (Update: HIPS is excluded, see below)
 
hjlbx
My firewall log entry on a trusted application:


The Comodo manual states otherwise. The implications of what you are saying is that the Comodo manual is wrong, my firewall log is wrong, and the Comodo developers got it wrong and your opinion is correct (it is your opinion only since no authoritative sources were cited). To demonstrate what you say, you'll have to show it with the manual or from a dev where CIS is supposed to function the way you describe. You'll also have to demonstrate where software fundamentally works differently on a per-machine basis with measurable, observable specificity. Otherwise, I respectfully and vehemently disagree with your opinion and would discourage your filing bug reports that aren't bugs. (Did you retract that one on PAF files since there is no such thing as a PAF file?)

When you trust a file, you are only trusting it as far as execution only. If trusted files had free and total access, the firewall and HIPS would be useless since they would ignore every file executed on your system!

I stand by my previous posts - as they are statements of fact.

From the online Comodo help files:


  • Choose the rating to be assigned to the file(s). The available options are:
  • Trusted – The file(s) will be assigned the 'Trusted' status and allowed to run without any alerts
  • Unrecognized – The file(s) will be assigned the 'Unrecognized' status. Depending on your HIPS settings, the file(s) will be allowed to run with an alert generation.
  • Malicious – The file will not be allowed to run.
  • Click OK in the 'Add Files' dialog
  • Click 'OK' in the 'Advanced Settings' for your changes to take effect.
* * * * *

Bugs - are - for the most part - system\OS specific. In other words, a soft may work on W7 great, but not on W8/8.1, W-8/8.1 but not 10.

* * * * *

I'm just gonna leave it at that...
 

Rolo
Trusted files are excluded from monitoring by HIPS - reducing hardware and software resource consumption.


Trusted – The file(s) will be assigned the 'Trusted' status and allowed to run without any alerts
That is exactly what I said: it is allowed to execute, not talk on the network. One cannot take a help file (or any written or spoken word) out of context; that is talking about auto-sandboxing and, as I've just found, HIPS, but not the firewall. cf. File Rating help page: https://help.comodo.com/topic-72-1-623-7725-Manage-File-Rating.html
Trusted files are excluded from monitoring by HIPS - reducing hardware and software resource consumption.
Note that nowhere on that page or the firewall page does it say trusted files are excluded from the firewall.

Current copy, complete context: https://help.comodo.com/topic-72-1-623-8441-File-List.html#user_defined_file_rating
Trusted Files

Files with 'Trusted' rating are automatically given Defense+ trusted status.
Firewall is not part of Defense+
  • Choose the rating to be assigned to the file(s). The available options are:
  • Trusted – The file(s) will be assigned the 'Trusted' status and allowed to run without any alerts
  • Unrecognized – The file(s) will be assigned the 'Unrecognized' status. Depending on your HIPS settings, the file(s) will be allowed to run with an alert generation.
  • Malicious – The file will not be allowed to run.
(emphasis added) Note the lack of firewall mention

These aren't bugs; the manual needs to be made more clear.
 
hjlbx
CIS does not generate firewall alerts for Trusted files... except when run in the sandbox either by the user or launched by an Unrecognized file.

The one exception for Trusted file firewall alerts is in-bound network connection alerts - but that is, like all things Comodo, dependent upon settings.

Most CIS users stealth all ports - which blocks all inbound connections and therefore no alerts are generated... for any file type - Trusted or Unrecognized - for inbound connections only.

Furthermore, Trusted files are given unrestricted system access except to protected objects.

The OP is reporting a known issue - to both Comodo and users. It has been reported on the Comodo forum for a long time now. There are numerous issues with Comodo's file rating system and cloud lookup that cause CIS to behave in quirky ways on different systems.
 
Deleted member 2913
Rolo,

I don't know about other configs, but in the CIS default config, i.e. the Internet Security config, "Trusted Files" are allowed to run automatically, i.e. not sandboxed & no firewall alerts (IS config - FW popups are disabled & connections allowed automatically; you have to enable FW popups). If FW popups are enabled, you will get FW alerts for unknown programs only & not trusted programs.
You can confirm this on Comodo forum or with a member Cruelsister here, she knows well how CIS works.
 
Rolo
I already confirmed how it works with the Comodo manual and my own experience with a program I use called Ditto clipboard manager (try it yourself). Nobody has confirmed/quantified otherwise.


You mention default config; I specifically stated config-agnostic as I am talking about how CIS works, not how a particular configuration works. If you configure your firewall to not alert you about safe programs (whether manually or choosing defaults), why are bug reports being filed that CIS isn't alerting on safe files? "Pilot error" or "Layer 8 issue" is why. (Understandable, since CIS is pretty intricate and the UI doesn't make it easy and the manual could use a little improvement.)

cf. https://help.comodo.com/topic-72-1-623-7621-Advanced-Firewall-Settings.html

By the defaults that you mention, incoming connections to any application not on the firewall application rules (even trusted ones, see screenshot) will be caught because of the "Block IP in From MAC Any To MAC Any Where Protocol Is Any" global rule. Outbound connections will be allowed because of the "Allow IP Out..." rule(s) for your network(s). Change the global "Block IP In" rule to "Block IP In or Out" and see what happens; everything (even "safe" or "trusted") not explicitly stated in the firewall application rules won't talk on the network. If you want default deny then you have to configure it explicitly--otherwise Comodo will be bombarded with "Comodo broke my Internet!" bug reports.

To anyone who might say, "It doesn't work that way on my computer.", I will say, "It doesn't work that way with your Comodo configuration; you may want to check that first."
 
hjlbx
The OP was not about firewall issues. The OP was about a File Rating quirk that causes CIS not to auto-sandbox some Unrecognized files. No one stated there was a firewall bug.

The bug is with Comodo's File Rating system and how it causes CIS to work improperly on some specific systems. And yes... it is a bug - verified well over a year ago by Comodo itself. The fix(es) is\are on-going with every new version.

@yesnoo , the best thing is to let CIS "do its thing" - and if it "breaks" a Trusted\Safe app - then create Allow rules to get it to work. On the other hand, if CIS is not alerting to (if HIPS enabled) and auto-sandboxing (if enabled) Unrecognized programs - well that's a serious security risk, isn't it? As you are using default CIS config, any Unrecognized files should be auto-sandboxed upon execution.

For the sake of testing, you can right-click on a file known to be Unrecognized by Comodo, select "Run in Comodo sandbox." In that case, there should definitely be alerts - from all CIS modules - despite a file's rating - Trusted or Unrecognized. If you run any file in the sandbox, and get no alerts, then there is a major issue...
 
Deleted member 2913
hjlbx,

My programs are running fine & no probs.
Guess CIS is working fine too.
I test with clt.exe & always get "elevated privilege" alert.

My confusion was with some files in "unrecognized list", some programs files in both "trusted" & "unrecog" list (not same, different files) but there was no autosandbox or elevated privilege alerts for those files.

For ex- Recently I installed Trojan Hunter. There were no autosandbox or elevated privilege alerts. No Trojan Hunter files in the "trusted" list. Trojan Hunter files in the "unrecog" list. Trojan Hunter runs normally, i.e. not sandboxed.

Are there different FW rules for "block all incoming connections" & "per application basis" where "trusted" programs are concerned?
 
hjlbx
hjlbx,

My programs are running fine & no probs.
Guess CIS is working fine too.
I test with clt.exe & always get "elevated privilege" alert.

My confusion was with some files in "unrecognized list", some programs files in both "trusted" & "unrecog" list (not same, different files) but there was no autosandbox or elevated privilege alerts for those files.

For ex- Recently I installed Trojan Hunter. There was no autosandbox or elevated privilege alerts. No Trojan Hunter files in "trusted" list. Trojan Hunter files in "unrecog" list. Trojan Hunter runs normal i.e not sandboxed.

Is there different rules for FW for "block all incoming connections" & "per application basis" when "trusted" programs are concerned?

@yesnoo

Hard to tell what might be occurring with only limited info. I know this much: Bytelayer AB (the digital signature on TH files) is not in the CIS Trusted Vendor List (TVL)... so, using the default configuration, alerts\auto-sandboxing should occur.

Did you submit the file to Comodo via the user interface... or do a Lookup using the File List?

If you do not select "Stealth All Ports," then CIS FW will alert to all inbound network connections. You as user can handle each one on a "per application basis."

"Elevated privileges" alert is nothing more than an additional sandbox alert for files that request full admin rights - typically installers. What exactly is clt.exe - as I haven't bothered to look it up ?
 