Comodo Auto-Sandbox -- as good as an anti-executable?

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
How well does Comodo Auto-Sandbox lock down a system?
I am running Comodo Firewall free version, without the anti-virus component.
Unrecognized applications are set to run virtually, and I have set location to: any.
Config is: Firewall Security.
Besides all that, I am manually running my browser in the Comodo sandbox.

Am I overdoing it?

Does turning on HIPS significantly improve protection?

Windows 10 x64
Webroot SecureAnywhere 2016
HitmanPro.Alert
 

illumination

1. Am I overdoing it?

2. Does turning on HIPS significantly improve protection?

Judging by your setup of the auto-sandbox, you have looked at cruelsister's recommended settings, and if so, you should know she disables the HIPS.

1. No, that should cover you, the strength of CIS or CFW is its sandbox, it is basically the backbone of the product.

2. Turning on HIPS provides another layer, yes, but in the end it will only significantly increase the amount of time you spend answering pop-ups. The auto-sandbox already has you covered with the settings you have it at.
 

yigido

Please turn on "Proactive Security" configuration under settings
Restart PC
Disable HIPS (agreed to @illumination words about HIPS)

You will have the auto-sandbox with a whitelist (local & cloud).. unknowns go to the sandbox. Infection? Forget about it :)
Ahh, by the way, you have the cloud antivirus in the free firewall too ;)
 

shmu26

I noticed that the shared folder, where the downloads go, is only partially virtualized.
If I try to open an exe file it is blocked, but if I open a Word file or a PDF file, it opens unsandboxed.
Isn't that a security problem? One of the most common attack vectors is through a Word file or PDF file that has malicious code.
 
Reactions: Dirk41 and 1qay1qay

1qay1qay

Level 1
Verified
Apr 17, 2016
36
By the time you wait on HIPS to protect you, your files are normally already encrypted, so as others say: sandbox and block for every unknown file ... block, not run virtualized. For proof and a deep explanation follow cruelsister's video channel on YouTube.
 

shmu26

By the time you wait on HIPS to protect you, your files are normally already encrypted, so as others say: sandbox and block for every unknown file ... block, not run virtualized. For proof and a deep explanation follow cruelsister's video channel on YouTube.
The English was a little hard to understand, but I think you were saying that it's a waste of time to go through the whole HIPS rigmarole on sandboxed files. Right. Better to just turn off HIPS.
 
Reactions: 1qay1qay

yigido

The English was a little hard to understand, but I think you were saying that it's a waste of time to go through the whole HIPS rigmarole on sandboxed files. Right. Better to just turn off HIPS.
While you are using the fully automatic sandbox with a whitelist.. you do not need the HIPS. It will just pop up more alerts. Without HIPS, the firewall will be more silent ;) Run a rating scan with CFW and send the unknown files to Comodo for whitelisting; this way you will help the community and your own setup ;)
 
Reactions: 1qay1qay

shmu26

While you are using the fully automatic sandbox with a whitelist.. you do not need the HIPS. It will just pop up more alerts. Without HIPS, the firewall will be more silent ;) Run a rating scan with CFW and send the unknown files to Comodo for whitelisting; this way you will help the community and your own setup ;)
But in file rating, one should consider turning off trusting digital signatures.
 
Reactions: 1qay1qay

yigido

But in file rating, one should consider turning off trusting digital signatures.
Did you mean you want to turn off 'trusting digital signatures'?
Then you will get too many sandboxed files and processes.. even Microsoft ones.. Your system will be unusable.. Just a warning from a friend.
 
Reactions: Dirk41 and 1qay1qay

shmu26

Did you mean you want to turn off 'trusting digital signatures'?
Then you will get too many sandboxed files and processes.. even Microsoft ones.. Your system will be unusable.. Just a warning from a friend.
You can leave on "trust files installed by trusted installers". That will give you a more limited trust list.
 
Reactions: 1qay1qay

yigido

You can leave on "trust files installed by trusted installers". That will give you a more limited trust list.
That list is collected and has very strict rules. While using KIS, if a file is digitally signed.. KIS trusts it. But many adware have digital signatures these days. Comodo's trusted vendors list is huge and it increases the usability of the auto-sandbox. For example, Privatefirewall has a very small list of vendors and it is harder to use than Comodo.
But you can still remove any vendor from Comodo's trusted vendors that you do not like.
 
Reactions: 1qay1qay

1qay1qay

Sorry for my bad English - but basically yes - my point is that the best protection today is "default deny" and block all unknown files ... but a problem arises if malware starts to use digicert ... as gov spyware already uses digi certs I suppose ... they found a guy in China last month that "leased" his state mobile company's cert to a malware group to sign an app .... I really don't know what to do anymore ... if we block "verified publisher" Windows will break down with today's realtime updates policy .... and there is the newest problem with fileless infections via the Angler exploit kit (ok, the fileless concept is not new and it was around before, but this time it is weaponized and an idiot-proof three-click exploit ready on sale for xxx € to anyone)... Did anyone test this memory hijacking concept - does this infection at some point use the disk to store its payload or not ... if not, then this cannot be stopped with sandboxing and an anti-exe policy.
 
Reactions: cruelsister

shmu26

You can turn off trusted vendors, and leave on trusted installers. That should save you from the common criminals. The big governments are not looking for you anyway.

To protect from the exploits, add an anti-exploit like HitmanPro.Alert.
 
Reactions: 1qay1qay

shmu26

This got repeated, I don't know why...
 

1qay1qay

"Turn off trusted vendors, and leave on trusted installers" ... I will try that :)

Regarding exploits, I use Heimdal Pro on all computers as a URL filter and local DNS + Yandex as offline DNS ... let's hope for the best.
 
Reactions: cruelsister

hjlbx

Sorry for my bad English - but basically yes - my point is that the best protection today is "default deny" and block all unknown files ... but a problem arises if malware starts to use digicert ... as gov spyware already uses digi certs I suppose ... they found a guy in China last month that "leased" his state mobile company's cert to a malware group to sign an app .... I really don't know what to do anymore ... if we block "verified publisher" Windows will break down with today's realtime updates policy .... and there is the newest problem with fileless infections via the Angler exploit kit (ok, the fileless concept is not new and it was around before, but this time it is weaponized and an idiot-proof three-click exploit ready on sale for xxx € to anyone)... Did anyone test this memory hijacking concept - does this infection at some point use the disk to store its payload or not ... if not, then this cannot be stopped with sandboxing and an anti-exe policy.

  1. Clean install your OS
  2. Clean install desired softs
  3. Install anti-executable or software restriction policy
  4. Don't use Trusted Vendors (if paranoid)
It is also recommended:
  • Run exploitable\abusable programs and processes with limited file system and registry access rights
You should be safe except in case you are targeted - which, in that case, you won't be able to protect your system no matter what security softs you use...

* * * * *

It's not that difficult. You can accomplish this with either AppGuard, ReHIPS or COMODO.
 

shmu26

  1. Clean install your OS
  2. Clean install desired softs
  3. Install anti-executable or software restriction policy
  4. Don't use Trusted Vendors (if paranoid)
It is also recommended:
  • Run exploitable\abusable programs and processes with limited file system and registry access rights
You should be safe except in case you are targeted - which, in that case, you won't be able to protect your system no matter what security softs you use...

* * * * *

It's not that difficult. You can accomplish this with either AppGuard, ReHIPS or COMODO.
There always has to be an attack vector.
So if you sandbox your browser, use only webmail, and open your downloaded files in the sandbox, I can't figure out how you are going to get infected -- unless you are targeted, like you said. With Gmail and other webmail services, you can open most attachments in a webpage in order to read, view or print them. So you usually don't even have to download anything.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
Shmu- Remember that for a Word document (or an Excel sheet) to be malicious it would have a script (macro) attached to it; popular now are PowerShell macros contained within Office docs. When things like these are run in Comodo, although the document itself could be fine and be opened, the macro, being unsigned, will be sandboxed. Most likely the whole thing would just show up as an error to open.
The best way to protect against this sort of thing (whether the macro is signed or unsigned) is independent of any anti-malware application. Just do not enable macros in either Microsoft Office or Apache OpenOffice and disable PowerShell (which is the most popular recently) in Windows.

Finally I don't want to comment on signed malware right now as it will be covered in the current RAT video series.

Really finally- 1qay- Thank you for joining MalwareTips!!!! It's like you read my mind. The issue of governments either strong-arming legitimate software companies to "share" their certificates, or by setting up companies themselves that produce legitimate software with a secret surprise coded within is something that is never ever discussed but is a grave concern for those with a need to know.
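The two pieces of advice in this thread that do not depend on Comodo at all are hjlbx's "install an anti-executable or software restriction policy" and cruelsister's "do not enable macros, disable PowerShell". Both are settings a machine either has or does not have, so they can be checked rather than assumed. The script below is an added example written for this thread, not code from Comodo, MalwareTips or any poster; it is read-only and only reports. The registry paths are the documented Office and Software Restriction Policy locations; the Office version "16.0" and the Test-* function names are this example's own assumptions.

```powershell
# Added example (not from the thread): read-only audit of Office macro policy,
# PowerShell restrictions, and whether a default-deny SRP/AppLocker policy is
# in effect. Nothing here changes a setting.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value is reported as "not configured"
}

function Test-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016/2019/365
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
        # 3 = disable except digitally signed, 4 = disable all without notification.
        # A Group Policy value wins over the user's Trust Center choice.
        $policy = Get-RegValue $policyKey 'VBAWarnings'
        $user   = Get-RegValue $userKey   'VBAWarnings'
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $effective
            MacrosDisabled      = ($effective -eq 4)
            # Mark-of-the-Web block: macros in files downloaded from the Internet never run.
            BlockInternetMacros = ((Get-RegValue $policyKey 'BlockContentExecutionFromInternet') -eq 1)
        }
    }
}

function Test-PowerShellRestriction {
    # Execution policy is a safety catch, not a security boundary; constrained
    # language mode (applied by AppLocker/WDAC) is what actually limits scripts.
    [pscustomobject]@{
        ExecutionPolicy = (Get-ExecutionPolicy)
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
        IsConstrained   = ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage')
    }
}

function Test-DefaultDenyPolicy {
    # SRP DefaultLevel: 0 = Disallowed (default deny), 0x40000 = Unrestricted.
    $srpLevel = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    $exeEnforcement = 'NotConfigured'
    try {
        # Effective AppLocker policy as XML; the Exe collection carries an
        # EnforcementMode attribute of Enabled, AuditOnly or NotConfigured.
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        if ($exe) { $exeEnforcement = $exe.EnforcementMode }
    } catch { }   # AppLocker cmdlets are absent on Home editions
    [pscustomobject]@{
        SrpDefaultLevel      = $srpLevel
        SrpDefaultDeny       = ($srpLevel -eq 0)
        AppLockerExeMode     = $exeEnforcement
        AppLockerExeEnforced = ($exeEnforcement -eq 'Enabled')
    }
}

Test-OfficeMacroPolicy     | Format-Table -AutoSize
Test-PowerShellRestriction | Format-List
Test-DefaultDenyPolicy     | Format-List
```

Run it in the user's own session (not an elevated one) so that the HKCU Office values and the language mode reflect what a document-borne macro would actually get. A machine following the thread's advice shows MacrosDisabled and BlockInternetMacros true for every Office application, IsConstrained true, and at least one of SrpDefaultDeny or AppLockerExeEnforced true; a Comodo-only setup with none of these still relies entirely on the sandbox treating the macro's child process as unknown.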
 

shmu26

Shmu- Remember that for a Word document (or an Excel sheet) to be malicious it would have a script (macro) attached to it; popular now are PowerShell macros contained within Office docs. When things like these are run in Comodo, although the document itself could be fine and be opened, the macro, being unsigned, will be sandboxed. Most likely the whole thing would just show up as an error to open.
The best way to protect against this sort of thing (whether the macro is signed or unsigned) is independent of any anti-malware application. Just do not enable macros in either Microsoft Office or Apache OpenOffice and disable PowerShell (which is the most popular recently) in Windows.

Finally I don't want to comment on signed malware right now as it will be covered in the current RAT video series.

Really finally- 1qay- Thank you for joining MalwareTips!!!! It's like you read my mind. The issue of governments either strong-arming legitimate software companies to "share" their certificates, or by setting up companies themselves that produce legitimate software with a secret surprise coded within is something that is never ever discussed but is a grave concern for those with a need to know.
Very interesting. I didn't know that the macro could be sorted out from the actual Office doc. I thought the authors obfuscated the code enough so it didn't appear as malicious.
 