Serious Discussion Comodo Containment "Restricted" Restriction Level

rashmi

Level 11
Thread author
Jan 15, 2024
536
For Containment, some Comodo users opt for @cruelsister's configuration, which primarily includes Proactive Configuration + Restricted (Restriction Level). According to @cruelsister, the "restricted" level prevents network connections from contained programs. Comodo users who use CruelConfig have also discussed the restricted level here and on Comodo forums.

The Comodo help files do not explicitly mention network connection prevention for the "restricted" level.
"Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting."

I experimented with two programs, using the CruelConfig or Restricted level. Comodo whitelists do not include GOM Player, a signed program, and Ant Download Manager, an unsigned program. During installation, GOM Player establishes an internet connection, whereas Ant Download Manager connects to the internet after installation. In both cases, the CruelConfig or Restricted level didn't block network connections, but it triggered firewall alerts.

Please correct me if I'm wrong with any information.
 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,152
For Containment, some Comodo users opt for @cruelsister's configuration, which primarily includes Proactive Configuration + Restricted (Restriction Level). According to @cruelsister, the "restricted" level prevents network connections from contained programs. Comodo users who use CruelConfig have also discussed the restricted level here and on Comodo forums.

The Comodo help files do not explicitly mention network connection prevention for the "restricted" level.
"Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting."

I experimented with two programs, using the CruelConfig or Restricted level. Comodo whitelists do not include GOM Player, a signed program, and Ant Download Manager, an unsigned program. During installation, GOM Player establishes an internet connection, whereas Ant Download Manager connects to the internet after installation. In both cases, the CruelConfig or Restricted level didn't block network connections, but it triggered firewall alerts.

Please correct me if I'm wrong with any information.
I don't have first hand experience as I am not a malware tester, but I've noticed in @cruelsister's videos, when she compares Restricted to the default configuration, she would get firewall alerts only when running the malware with the containment level set to default, which is Partially Limited.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
883
Comodo whitelists do not include GOM Player, a signed program, and Ant Download Manager, an unsigned program.
If I remember correctly, even if Comodo doesn't have a whitelist signature locally, it checks the cloud for signatures of whitelisted programs too. There is a setting to switch it off. I don't use it now, so I don't remember where it is. So make sure that setting is switched off.
Edit: I think the setting is "Cloud Lookup" in File Rating.
 

rashmi

Level 11
Thread author
Jan 15, 2024
536
I don't have first hand experience as I am not a malware tester, but I've noticed in @cruelsister's videos, when she compares Restricted to the default configuration, she would get firewall alerts only when running the malware with the containment level set to default, which is Partially Limited.
Use either GOM Player or Ant Download Manager to test the config. Your system remains unaffected by running installations in containment.
 

rashmi

Level 11
Thread author
Jan 15, 2024
536
If I remember correctly, even if Comodo doesn't have a whitelist signature locally, it checks the cloud for signatures of whitelisted programs too. There is a setting to switch it off. I don't use it now, so I don't remember where it is. So make sure that setting is switched off.
In what way is it connected to the test? CruelConfig doesn't recommend turning it off.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
883
In what way is it connected to the test? CruelConfig doesn't recommend turning it off.
Yes, she doesn't. But see the setting while you install CIS.

Any untrusted file will be checked against the whitelisted programs in the cloud (if not disabled in "File Rating") and, if found whitelisted, may not generate a block as expected.
 

rashmi

Level 11
Thread author
Jan 15, 2024
536
Yes, she doesn't. But see the setting while you install CIS.
Any untrusted file will be checked against the whitelisted programs in the cloud (if not disabled in "File Rating") and, if found whitelisted, may not generate a block as expected.
I ran another test without the cloud setting disabled, but I still received firewall alerts.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,221
For Containment, some Comodo users opt for @cruelsister's configuration, which primarily includes Proactive Configuration + Restricted (Restriction Level). According to @cruelsister, the "restricted" level prevents network connections from contained programs. Comodo users who use CruelConfig have also discussed the restricted level here and on Comodo forums.

The Comodo help files do not explicitly mention network connection prevention for the "restricted" level.
"Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting."

I experimented with two programs, using the CruelConfig or Restricted level. Comodo whitelists do not include GOM Player, a signed program, and Ant Download Manager, an unsigned program. During installation, GOM Player establishes an internet connection, whereas Ant Download Manager connects to the internet after installation. In both cases, the CruelConfig or Restricted level didn't block network connections, but it triggered firewall alerts.

Please correct me if I'm wrong with any information.
Thank you for your post! If I gave the impression that Containment, at whatever level, would prevent Firewall popups I certainly did not mean to do so!

With the FW in Safe Mode all files deemed legitimate will be allowed to connect out without any FW alert, any file that is in Containment (even Untrusted) that attempts to connect to the Network will always yield a FW alert for the User to answer. Although I love this process as it shows me that something amiss may be going on (and it’s easy to Block and terminate at the FW alert), popups of any sort may be an issue for the novice.

For those that desire automatic blocking of Network connections by possible malware, Silent Mode should be enabled. Any Network requests by such will be prevented, and won’t even show up in the Network Intrusion list on the main GUI.

Although having nothing to do with automatic connection blocking, the different levels of Containment will do various things. At the Limited and Partially Limited levels certain low level System changes will be allowed (like Wallpaper swaps seen with certain ransomware). The Untrusted Level goes a bit too far in my opinion, as legitimate things like consent.exe (used as part of UAC) will be contained (the reason for this is that consent.exe can be used maliciously in DLL Loading redirection Hijacking, not that I would know anything of that, being Kind and gentle).

Anyway, to silently block FW alerts while still stopping malware from connecting out, Silent Mode should be used. And although all levels will protect from System infection, Partially Limited and Limited are too permissive, Untrusted is too inclusive, but Restricted is just right.

Hope that helped!
 

rashmi

Level 11
Thread author
Jan 15, 2024
536
@rashmi It's been a rough week, I must have mis-remembered. Thanks @cruelsister for the fantastically detailed explanation :)
My friend, it's been a rough week, but if I remember well, you've posted the same information in different threads here. I usually avoid quoting or posting in threads involving celebrated users because I understand how things can go. I started this thread not to target @cruelsister, but to confirm the information. I've seen multiple users, including Comodo moderators, posting this information for her configuration here and on Comodo forums, but it wasn't accurate when I tested it. I'm curious how that information became associated with her configuration if she didn't mention it. Anyway, @cruelsister has confirmed or clarified it, so I will end the discussion here.
 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,152
My friend, it's been a rough week, but if I remember well, you've posted the same information in different threads here. I usually avoid quoting or posting in threads involving celebrated users because I understand how things can go. I started this thread not to target @cruelsister, but to confirm the information. I've seen multiple users, including Comodo moderators, posting this information for her configuration here and on Comodo forums, but it wasn't accurate when I tested it. I'm curious how that information became associated with her configuration if she didn't mention it. Anyway, @cruelsister has confirmed or clarified it, so I will end the discussion here.
I have mentioned that there wasn't an alert when set to Restricted when comparing the restriction level from default to Restricted. You're the first to have corrected me regarding this, so it looks like I must have mistakenly been spreading misinformation to users. I didn't target CruelSister, far from it; I simply @'d her for clarification and to correct me if I was wrong.

I've used CF since 2.0, but I'm no malware tester. I'm not currently using it because I'm resolving stability issues on my PC following removal and reinstalls of CF/CIS and having to manually remove leftover drivers and registry entries. I probably won't use it until the next version comes out or there is an update to fix the issues current users are having, but if I get my system stable and create some disk images, I might have another go once I iron out the network stability and other small errors I'm having.

Thank you for the correction; time I re-read the very outdated help information before advising people who use it. In the meantime I will probably use WFC, some other firewall, or harden Windows Firewall with Andy Ful's tools. Stepping back from the fight for what Comodo is until I've had time to regroup and re-evaluate.
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
825
I use a custom ruleset on low alert level for the Firewall, so it wouldn't matter whether I have Proactive or Restricted, as it would ask me to manually allow or deny any app running in the containment module. I have no idea, outside this, what the firewall does by itself when managing contained apps' requests to access the network. Would be nice to have it clear, but I guess we can't afford that.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
Running the Beta because of rekindled interest, I have so far put Unrecognized files at Restriction Level = Restricted. KeePass 2 password keeper ran as Unrecognized and I was unable to copy the password for this site to the clipboard and paste it into this site's login field. Once I set KeePass to Trusted, I could then paste the password into the login password field. Interesting how much more effect the higher restriction levels have on an application. I am eager to see more of these effects.
 

New_Style_xd

Level 1
Sep 10, 2022
15
What CIS needs is more updates every month or every 3 months.
As other antivirus programs on the market do.
The problem is that CIS takes a long time to update something.
The software is full of bugs.
At the moment I am trusting in CIS's self-containment, but I really wish it would have its bugs fixed quickly or even release versions in less time.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
What CIS needs is more updates every month or every 3 months.
As other antivirus programs on the market do.
The problem is that CIS takes a long time to update something.
The software is full of bugs.
At the moment I am trusting in CIS's self-containment, but I really wish it would have its bugs fixed quickly or even release versions in less time.

Rest assured I'm not a Comodo Fanatic Fanboyz, nor an adoring admirer of CS, but I've been running v12.3.3.8140 set up similar to the CS with a few exceptions, in particular much enforcement of the firewall rules, because I obsess over this sort of thing, alongside Andy Ful's Configure Defender and WHHL MS Defender tools, and in my completely unbiased view, I've yet to see any buggy behavior. It is so far as I can tell, working as intended - based on my understanding of how the program is supposed to work. I have put lots of time and effort into learning how the program works.

That's not to say I don't have any complaints about it; on the contrary, the firewall component is clunky and complicated - for me anyway - to set up rules and takes considerable time and effort to figure out how it works. That said, it is filtering traffic for both applications and system components the way I would expect it to with the rules I have in place.

I did experience a major bug a few years ago that others have seen, when I had the HIPS module enabled with numerous rules I created, and one day out of the blue they disappeared on me. Other than that, using only Auto-Containment with Firewall rules has been working well. I also deleted the Vendor File Rating list and disabled the Cloud Lookup, because I only want signed and trusted vendors running on my device and I don't want it searching vendors for me.
 
