Advice Request Comodo AutoSandbox -- alert for action?

[shmu26]

Can you set Comodo autosandbox to alert for action, instead of automatically sandboxing the process?
If so, is this a good way to deal with the problem of processes that get mistakenly sandboxed?

 

[SHvFl]

As far as i am aware no. You can just block, allow or sandbox.

 

[yigido]

Can you set Comodo autosandbox to alert for action, instead of automatically sandboxing the process?
If so, is this a good way to deal with the problem of processes that get mistakenly sandboxed?

This option exists on CCAV. The CCAV gives alerts before the unknown files trying to run.
You can choose any option you want. Sandbox - Block or Allow

 

[cruelsister]

Shmu- When something is about to be sandboxed having Comodo ask the user every time to Allow/Deny would be a VERY bad idea as they would be reducing protection to a coin flip. Essentially this would be equivalent to an antivirus asking the user to Run/Don't Run every time a trojan is detected.

Now, what can you do when an application is sandboxed and you are absolutely positive it is good (also, the most common reason for something valid to be sandboxed is that the developer didn't sign something):

1). At the initial sandbox alert, click on the Do Not Sandbox Again link on the popup. Or,
2). if you missed doing the above, run the application again and just go into Sandboxed processes from the main GUI, look for the main application and right click it and change it to Trusted. Or,
3). Go into Advanced settings/Security settings/File Rating/File List. From there tou can find the process you want to make Trusted and change it right there.

 

[shmu26]

Shmu- When something is about to be sandboxed having Comodo ask the user every time to Allow/Deny would be a VERY bad idea as they would be reducing protection to a coin flip. Essentially this would be equivalent to an antivirus asking the user to Run/Don't Run every time a trojan is detected.

Now, what can you do when an application is sandboxed and you are absolutely positive it is good (also, the most common reason for something valid to be sandboxed is that the developer didn't sign something):

1). At the initial sandbox alert, click on the Do Not Sandbox Again link on the popup. Or,
2). if you missed doing the above, run the application again and just go into Sandboxed processes from the main GUI, look for the main application and right click it and change it to Trusted. Or,
3). Go into Advanced settings/Security settings/File Rating/File List. From there tou can find the process you want to make Trusted and change it right there.

I agree with your approach all the way. I love not having to make decisions.
I am just frustrated by my intel graphics processes that keep getting autosandboxed, even though they are signed by microsoft and intel, and even though they are rated as trusted.
I made ignore rules for all related processes, and I even tried making an ignore rule for windows system applications/unrecognized, but no luck yet.

 

[cruelsister]

Try this then-

Go into the File List Window as I noted in my last post- when that screen comes up you'll notice that stuff can be sorted by File Path, Company, First Observed, and File Rating.

Click on the File rating and you'll note things now will be categorized by Trusted, Unrecognized, and malicious. Look for the process you want to make Trusted (which will probably be under Unrecognized), click on the link and make the change right there.

This may seem like a pain to go through, but it is (in my opinion, which is identical to the Word of God) very nice and very safe.

 

[shmu26]

Try this then-

Go into the File List Window as I noted in my last post- when that screen comes up you'll notice that stuff can be sorted by File Path, Company, First Observed, and File Rating.

Click on the File rating and you'll note things now will be categorized by Trusted, Unrecognized, and malicious. Look for the process you want to make Trusted (which will probably be under Unrecognized), click on the link and make the change right there.

This may seem like a pain to go through, but it is (in my opinion, which is identical to the Word of God) very nice and very safe.

I tried that, and the problem processes are rated as trusted, but they still fall into autosandbox.
Truth is, it's not a critical issue, it only affects the GUI for graphic settings (and I never change them), but it makes me worried what might happen next.

 

[hjlbx]

Can you set Comodo autosandbox to alert for action, instead of automatically sandboxing the process?
If so, is this a good way to deal with the problem of processes that get mistakenly sandboxed?

You will only get an alert upon the very first time that the process is to be auto-sandboxed - but you have to have alerts set to maximum. If you select allow or do not run sandboxed - it will still be auto-sandboxed. The difference is that one will create a permanent rule whereas the other will not.

You have to delete the auto-sandbox rule that is created once a process is auto-sandboxed.

IF it keeps happening - which it should not - and I doubt that it is - then you can create a rule to exclude any process from auto-sandboxing.

I would bet that it is not CIS, but instead that you do not know how CIS and the created rules work.

I - as well as a lot of others - found themselves in the very same boat as you when we first started using CIS.

 

[shmu26]

There is something funky about these particular intel processes. If I install Kaspersky Internet Security, they get suppressed and don't start at all -- unless I run KIS in interactive mode, and make an allow rule for them.

this issue happens every time I install Comodo from scratch -- these two intel processes get autosandboxed, and creating an ignore rule doesn't help.

 

[hjlbx]

If I install Kaspersky Internet Security, they get suppressed and don't start at all -- unless I run KIS in interactive mode, and make an allow rule for them.

KIS does not suppress processes unless moved to Application Control > Untrusted\Blocked.

If the Intel processes are those installed by the OEM partition or your driver installer, then they're safe. In other words, if the files have been on your system from day-one of having your brand new, out-of-the-box system then their safe.

It's simple enough to certify the files clean.

 

[shmu26]

KIS does not suppress processes unless moved to Application Control > Untrusted\Blocked.

If the Intel processes are those installed by the OEM partition or your driver installer, then they're safe. In other words, if the files have been on your system from day-one of having your brand new, out-of-the-box system then their safe.

It's simple enough to certify the files clean.

both files are 100% clean according to VT, they have been on my system as long as I can remember, and they are signed by intel and microsoft.
but Kaspersky and COMODO don't like them, can't figure out why.

 

[hjlbx]

both files are 100% clean according to VT, they have been on my system as long as I can remember, and they are signed by intel and microsoft.
but Kaspersky and COMODO don't like them, can't figure out why.

Both within Kaspersky and COMODO you can check how each company rates the files.

There is KSN lookup within KIS and file rating lookup in CIS.

In CIS, after a file has been auto-sandboxed, you have to go to File Rating and change the file rating from Unrecognized to Trusted as others have stated in this thread.

At the same time, you also have to delete the auto-sandbox rule created.

You have to do both or else the file will continue to be auto-sandboxed.

If the files do not specifically have a Digital Signatures tab in the Properties pane of each file (right-click file > Properties) - then they are not digitally signed\they have no Authenticode.

For the files to be auto-Trusted in CIS you have to have "Trust digitally signed files" enabled under File Rating; if you have it unticked, then some digitally signed files will be auto-sandboxed because they are not in the COMODO safe file list.

 

[shmu26]

At the same time, you also have to delete the auto-sandbox rule created.

maybe this is where I am going wrong: I don't see these auto-sandbox rules that you are talking about, for the problem files. I see only the ignore rules that I created to override the autosandbox function.

COMODO file rating gives these files trusted status, so the issue is not there.

 

[hjlbx]

maybe this is where I am going wrong: I don't see these auto-sandbox rules that you are talking about, for the problem files. I see only the ignore rules that I created to override the autosandbox function.

COMODO file rating gives these files trusted status, so the issue is not there.

The order of the rules in the list is the order in which they are applied; top of list - first\bottom of list - last.

So, if your ignore rules are at the bottom of the list then they will be the last to be enforced.

If that's not it, then I'd do a clean install of Windows and start from scratch.

If you are playing with a lot of softs - which I think you are - installing\uninstalling - then you are only asking for problems with CIS and KIS; both require clean installs to work properly. Remnants of other security softs will cause malfunctions or mis-behavior with both CIS and KIS.

I've never seen an Intel driver cause problems with security softs; Nvidia and AMD I've seen auto-sandboxed. Never seen a single problem with KIS.

 

[shmu26]

The order of the rules in the list is the order in which they are applied; top of list - first\bottom of list - last.

So, if your ignore rules are at the bottom of the list then they will be the last to be enforced.

If that's not it, then I'd do a clean install of Windows and start from scratch.

If you are playing with a lot of softs - which I think you are - installing\uninstalling - then you are only asking for problems with CIS and KIS; both require clean installs to work properly. Remnants of other security softs will cause malfunctions or mis-behavior with both CIS and KIS.

I've never seen an Intel driver cause problems with security softs; Nvidia and AMD I've seen auto-sandboxed. Never seen a single problem with KIS.

thanks for help. my ignore rules are higher in the list than the global autosandbox rule.
Could be remnants of other security softs... I am definitely a tinkerer, as you have noticed.
I think I will disable COMODO autosandbox for the mean time, and just go with the HIPS and firewall. I will let Voodoo autopilot handle the rest.

 

[shmu26]

The order of the rules in the list is the order in which they are applied; top of list - first\bottom of list - last.

So, if your ignore rules are at the bottom of the list then they will be the last to be enforced.

If that's not it, then I'd do a clean install of Windows and start from scratch.

If you are playing with a lot of softs - which I think you are - installing\uninstalling - then you are only asking for problems with CIS and KIS; both require clean installs to work properly. Remnants of other security softs will cause malfunctions or mis-behavior with both CIS and KIS.

I've never seen an Intel driver cause problems with security softs; Nvidia and AMD I've seen auto-sandboxed. Never seen a single problem with KIS.

okay, it turns out that Windows was failing in its attempts to update my Intel graphics driver. I downloaded the driver installer directly from Intel, and after booting into safe mode, I was finally successful in installing it.
I tried again with COMODO, and no prob! I am finally a happy camper. My apologies to the COMODO faithfuls.