Advice Request: Clarifications needed on Comodo



Fuzzfas

Hi, I have used Comodo v5.10 for several years. Now I tried the latest version and I see that the use of the sandbox seems more widespread. I have some gaps to fill here, just to be certain that I am not opening a hole in my defense, since I don't use a resident AV.

1) I tried Comodo's own leak test and with the sandbox, I don't get a full score. I suppose because sandboxing doesn't prevent the use of your webcam for example, it only protects against infection. I also found a post with someone who got "hacked" by allowing a VBS to run in the sandbox:

I just got hacked! - Viruscope and the concept of whitelisting - Defense+ / Sandbox Help - CIS | Page 2

So, why is the sandbox enabled by default? I guess only for usability?

2) Let's say that something bypasses the sandbox, because the sandbox has a flaw and the attacker exploits it. For example, I read this:

Warning!!! Comodo containment is not working as expected in Windows 10 and fixing the bug is not worth...
If you set a rule for an app to "Run Virtually" or "Run Restricted", that app will be sandboxed as "Partially Limited", no matter what "Restriction Level" you have chosen.
And this can lead to bypassing the sandbox and affecting the real system

A very good document about making Default Deny practical. - News / Announcements / Feedback - CIS | Page 3

What happens then? When both D+ and the Sandbox are enabled, Comodo seems to prioritize the use of the Sandbox. But if the Sandbox is exploited, does D+ intervene or are you busted???

I was never a big fan of sandboxes, because they are cosy, but you don't get alerted. I prefer D+, but I wanted to understand if there is a point in running both the sandbox and D+. If D+ can protect in case of something that escapes the sandbox, maybe I'd consider it. But if not, I think I will just keep D+.

D+ actually saved my bacon some time ago, when a friend came with an infected USB and there was a VBS script that was executed after autorun.inf triggered. I was so glad I had D+; Avira didn't see a peep. It was a French malware, called "mercimariejaquie.vbs" or something like that. So I am not even thinking about disabling D+ and keeping ONLY the sandbox. What I want to see is if there is a reason to keep both the sandbox AND D+.

3) This "viruscope" thing looks like a behaviour blocker or something? I guess if someone disables the sandbox, he can also disable the viruscope, right?


Not a question but, I see that v8 still has the bad habit of v5 of having Comodo phone home at close intervals, despite unchecking all cloud or update options.

Thanks.

Solarlynx

Fuzzfas said:
What happens then? When both D+ and the Sandbox are enabled, Comodo seems to prioritize the use of the Sandbox. But if the Sandbox is exploited, does D+ intervene or are you busted???

If the Sandbox is bypassed then the HIPS of D+ kicks in. After using all my routine progs and rating scans I just make AutoSandbox block all unrecognized with HIPS in "Safe Mode" (rather over-paranoid but that's not only me on my PC).

Fuzzfas said:
3) This "viruscope" thing looks like a behaviour blocker or something? I guess if someone disables the sandbox, he can also disable the viruscope, right?

Viruscope is used for reversing possible malicious actions of running processes. I've never happened to use it though.

hjlbx

Best part of COMODO IS = HIPS - but COMODO needs to fix the "disappearing rules" bug. That's a big one that has been reported for years.

Fuzzfas

Thanks, but after reading 11 pages, I didn't get any wiser on what I was looking for... Some sandbox info in that thread is also obsolete, I think, relating to restriction levels. This doesn't appear to be present in v8 anymore. Thanks though.

EDIT: My mistake. They've hidden the restriction levels in the "auto sandbox" settings, where you need to edit the rules or create new ones. It needed a bit of imagination to figure it out eventually. The GUI in v5.10 was more straightforward.

Solarlynx said:
If the Sandbox is bypassed then the HIPS of D+ kicks in. After using all my routine progs and rating scans I just make AutoSandbox block all unrecognized with HIPS in "Safe Mode" (rather over-paranoid but that's not only me on my PC).

Solarlynx said:
Viruscope is used for reversing possible malicious actions of running processes. I've never happened to use it though.

Ah, this is what I was looking for! Thank you very much! This does make the sandbox more interesting. I was accustomed in 5.10 to running with the sandbox disabled. I think I will give it a try now, to see if I will have trouble with legitimate processes or not.

Thanks for the viruscope info too.

hjlbx said:
Best part of COMODO IS = HIPS - but COMODO needs to fix the "disappearing rules" bug. That's a big one that has been reported for years.

I've read about this bug over the years, but I am not sure I've had it. At least, I don't think I've ever had ALL my custom rules disappear. But it's possible that *some* rules do, because sometimes I get the impression that it asks me for things that I had replied to before.

Thank you for all the help. Now that I know that D+ is still active in case of a sandbox hole, I will try it. I am not sure I really like the idea of having the sandbox run before D+, but I guess I will run some good old leak tests to further see the behaviour and order of intercepting and see how I like it.

I also have Shadow Defender on demand and a license for Sandboxie, but what always bothers me with virtualization is exactly that a malware can do pretty much anything within the sandbox and you won't get alerted. Which can lead you to think that there is no malware running and then install it. Especially thinking that there is sandbox-aware malware around that "hibernates" if it detects virtualization. So, generally, I prefer D+ with the sandbox disabled (at least in v5.10 that's what I did).

I will have to test a bit. Thanks again.

Fuzzfas

Yeah, upon a quick test, I can see how people may like the sandbox, because it's cosy, but I have the impression that it added some system lag compared to running with the sandbox disabled, and since I don't run an AV, I can see myself having more problems with it than without.

I also can't wrap my head around the fact that it auto-sandboxes svchost.exe. It's a bit "too much" or "too modern" for me to take. I think that if I want to virtualize something, I will just turn Shadow Defender on and run it, while keeping D+ as the only thing enabled, so that I can see what pop-ups I will get...

But I did like the options you get from the sandbox popup (run restricted, run virtually, etc). Still, a "run virtualized" is good for avoiding infection, but not good for alerting you that you are running malware in the sandbox. Which for my use may fool me into thinking it's not malware and let it run outside the sandbox. If I had an AV running it could have been different I guess, but I HATE the advertisements/pop-ups or bugs that nowadays all free AVs have. I also don't like the gazillion resident shields. I ended up running MSE for some time, 0 false positives, but it did have some system lag. Comodo is not the lightest thing ever either, so adding more and more hogs the PC in the end.

Or maybe I can enable Comodo's sandbox on demand, when in doubt. I hadn't thought of this before. If I suspect something, I could run SD + Comodo sandbox, to let it do its thing and see where it stops and what it produces. Now that's actually a good idea!


Fuzzfas

@Solarlynx: You are the same Solarlynx from Wilders? I didn't realize it until now. I remember you from back when I was a Wilders member. Good to see familiar faces again.

Solarlynx

Fuzzfas said:
@Solarlynx: You are the same Solarlynx from Wilders? I didn't realize it until now. I remember you from back when I was a Wilders member. Good to see familiar faces again.

Yes, that's me but don't tell it to anybody. It's a secret.

Thanks for the face. :eek:

You didn't call it a snout. It's a very humane attitude to a lynx. :)

Fuzzfas

Umbra said:
Wilders & MT have several common members.

Yeah, I haven't really followed this forum before, but I imagine security paranoia never really dies, so in the end we always end up hanging around security forums. :D

Which, by the way, brings me to your configuration:
Comodo Internet Security v8 Setup/configuration thread (Setting Only)

Wow! Talk about Fort Knox! ;) You even edit the Trusted Vendor list! I tried your "search field" trick, but it won't work too well. I put AMD, Advanced, Advanced Microsystems (trying to get AMD), Nvidia; they just won't come up. Microsoft does... In the end I will keep the default trusted list. Nice trick though!

EDIT: I think the latest Comodo has a bug with the search field of Trusted Vendors. I just went again, put Nvidia and this time it found it. But as soon as it doesn't find one, if I put Nvidia again, it no longer finds it. Oh well, no big deal. I will erase manually some weird vendors I've never seen before.

To be honest, the infected USB flash drive that came with a friend is the only live malware I've seen for years. So, I just run fully proactive, with custom ruleset/very high firewall rules, block ARP spoofing, 2 firewall rules to block NetBIOS and 445 just in case, a custom block rule with "no log" to block cmdagent.exe from phoning home without spamming my "network intrusion" count with hundreds of Comodo outbound attempts, and that's about it...

Solarlynx said:
Yes, that's me but don't tell it to anybody. It's a secret.

Thanks for the face. :eek:

Well, your feline face did seem familiar! :D

Solarlynx

Fuzzfas said:
Well, your feline face did seem familiar! :D

Sure, felines and canines even can cancel Comodo TVL.

I've managed to disable it with much impunity. Using CF intensively for several weeks with HIPS and AutoSandbox on with regular Rating Scans. Then I just switched off "Trust applications signed by trusted vendors" and "Trust files installed by trusted installers" (maybe the latter one is excessive?). And voila. Though I wouldn't dare to do this trick if I didn't have an Eaz-Fix time machine (Rollback Rx's abandoned cousin).

Fuzzfas

Solarlynx said:
Sure, felines and canines even can cancel Comodo TVL.

I've managed to disable it with much impunity. Using CF intensively for several weeks with HIPS and AutoSandbox on with regular Rating Scans. Then I just switched off "Trust applications signed by trusted vendors" and "Trust files installed by trusted installers" (maybe the latter one is excessive?). And voila. Though I wouldn't dare to do this trick if I didn't have an Eaz-Fix time machine (Rollback Rx's abandoned cousin).

Interesting. I don't have "trusted installers" on, but I have the "trust applications signed by trusted vendors". But I think the fact that you have the sandbox on also helps, since by default the sandbox will just virtualize whatever it is and won't bother you about it. With the sandbox off, you would probably have more alerts.

I had an EAZ-Fix license (but I was using it with RollbackRX) at some point, but after it destroyed my MBR once and after I discovered that it pretty much disables TRIM for SSDs, I completely ditched it. I just use AOMEI Backupper for normal images and that's it.

I've read that now they give the Home edition for free. And I am not even thinking of getting it. Have they even solved the TRIM issue? Probably not.

cruelsister

Fuzzfas- If you can wait for the weekend I'll be posting a video on this exact topic using Comodo Firewall which will cover how a highly signed malicious file is dealt with by both the Sandbox and the HIPS.

Also regarding the trusted vendors search box- it is best, with how they coded it, to use the full name of the company for which you are searching, and also remember that the search is directional (as evidenced by the arrows to the right of the search box). So if you want to find Nvidia you have to type in at the very least "nvi", but the full name is best. There is really no bug with searching- it's just unusual.

Fuzzfas

cruelsister said:
Fuzzfas- If you can wait for the weekend I'll be posting a video on this exact topic using Comodo Firewall which will cover how a highly signed malicious file is dealt with by both the Sandbox and the HIPS.

Also regarding the trusted vendors search box- it is best, with how they coded it, to use the full name of the company for which you are searching, and also remember that the search is directional (as evidenced by the arrows to the right of the search box). So if you want to find Nvidia you have to type in at the very least "nvi", but the full name is best. There is really no bug with searching- it's just unusual.

Thanks Cruel Sister, it will be an interesting video for sure.

Ah, the directional thing was the part that I didn't get! Now I figured it out, thanks! I hadn't really noticed the arrows and I would never have suspected what their function is.


Umbra said:
Wilders & MT have several common members.

Until now, by wandering around, I only recognize Solarlynx. Unless all the others are under new nicknames...

I miss Bellgamin with his XP! :)