Comodo Containment Technology


hjlbx

Thread author
Applies to Comodo Internet Security - for the most part - as well...

"Comodo Containment Technology" PDF: https://www.comodo.com/resources/white-papers/comodo-containment-technology.pdf

Comodo’s Solution: Containment Technology

Comodo containment technology defeats zero-day attacks better than any other security technology on the market today. Comodo's solution uses a combination of process virtualization, whitelisting, file lookups, behavior analysis and traditional AV scans to intelligently, accurately and quickly identify unknown files and processes. Our technology authenticates every executable and process that requests runtime privileges and prevents them from taking actions that compromise user or system data.

Once identified, any unknown processes are launched inside a secure, virtual environment that does not allow access to system resources or user data. Processes in containment read and write to a virtual registry, file system, OS core and hardware. Malware in containment cannot access user data or damage the protected system and is deleted as soon as the user closes the container. If the processes are determined to be good, they are automatically released out of the secure container, contingent upon the administrator's policy.

Comodo containment technology meets the key business deliverable of providing total protection against zero-day threats while having no impact on end-user experience or workflows. Whether the unknown files are malicious or safe, they run in the sandbox just as well as they would on the system. However, they cannot damage or infect the systems because they cannot access the underlying system. This allows safe applications the freedom to run as needed while denying malicious applications the system access they require to deliver their payloads.


Piteko21

thanks for the info.
really good to know.
Basically, run unknown files inside the Comodo sandbox and not in the real system. The system remains protected ;)
 

hjlbx

Thread author

It is not "bullet proof." Every so often a piece of malware will be able to bypass or disable the sandbox. It happens. However, it is rare.

Virtualization is not perfect. While it protects the physical system, the entire virtual session can become infected - and - data theft can still occur.

NOTE:

User can configure CIS to block Unrecognized file access to the network - but, at some point - the user might have to allow access to determine if the file is just Suspicious - or - a legitimate, safe application. Wait until the file makes IP connect(s), capture the IP address(es), then block the file's network access, and finally look up the IP address at IPVoid - for example. Alternatively, one can use Wireshark or NirSoft's IPNetInfo. Lots of work... not practical for day-to-day use; more suited to malware testing and learning about CIS, IT security, etc.
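The capture-then-block step described above, as an added example that is not part of this post and is not code from Comodo or any CIS tool: a Python script that takes the text of `netstat -ano` (constructed sample lines here, with documentation-range addresses such as 203.0.113.5 standing in for the unknown file's peers), pulls out the unique remote endpoints for one PID, drops RFC 1918, loopback and link-local peers that are not worth a reputation lookup, and builds the `netsh advfirewall` outbound block rule for the program. The program path, the PID 4321 and the peer addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output; 203.0.113.0/24, 198.51.100.0/24 and
# 2001:db8::/32 are documentation ranges standing in for the unknown file's peers.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4321
  TCP    192.168.1.10:49713     203.0.113.5:443        CLOSE_WAIT      4321
  TCP    192.168.1.10:49714     198.51.100.77:8080     SYN_SENT        4321
  TCP    192.168.1.10:49715     192.168.1.1:445        ESTABLISHED     4321
  TCP    127.0.0.1:49716        127.0.0.1:9999         ESTABLISHED     4321
  TCP    [fe80::1%12]:49717     [2001:db8::1]:80       ESTABLISHED     4321
  UDP    0.0.0.0:5353           *:*                                    4321
  TCP    192.168.1.10:49800     203.0.113.9:443        ESTABLISHED     5555
"""

# proto, local, foreign, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Peers on these networks are the LAN, the host itself or link-local chatter,
# not candidates for a reputation lookup.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]


def split_endpoint(endpoint):
    """'203.0.113.5:443' or '[2001:db8::1]:80' -> (ip_address, port); (None, None) if not an address."""
    m = re.match(r"^\[(.+)\]:(\d+)$", endpoint)
    if m:
        host, port = m.group(1), m.group(2)
    else:
        host, _, port = endpoint.rpartition(":")
    host = host.split("%", 1)[0]                 # drop an IPv6 zone index such as %12
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:                           # '*:*' on UDP sockets, or garbage
        return None, None


def is_local(ip):
    if ip.is_unspecified or ip.is_multicast:
        return True
    return any(ip in net for net in LOCAL_NETS)  # version mismatch simply yields False


def remote_endpoints(netstat_text, pid):
    """Unique (ip, port, proto) peers of one PID that are worth looking up, in first-seen order."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(5)) != pid:
            continue
        proto, foreign = m.group(1), m.group(3)
        ip, port = split_endpoint(foreign)
        if ip is None or is_local(ip):
            continue
        entry = (str(ip), port, proto)
        if entry not in found:
            found.append(entry)
    return found


def block_rule(program, endpoints, name="Block unknown file outbound"):
    """Build the netsh command that blocks the program's outbound traffic to the captured peers."""
    ips = ",".join(sorted({ip for ip, _port, _proto in endpoints}))
    return ('netsh advfirewall firewall add rule name="%s" dir=out action=block '
            'program="%s" enable=yes remoteip=%s' % (name, program, ips))


if __name__ == "__main__":
    peers = remote_endpoints(SAMPLE_NETSTAT, 4321)   # PID of the unknown file is assumed
    for ip, port, proto in peers:
        print(f"{proto} {ip}:{port}  -> look up {ip} at IPVoid / IPNetInfo")
    print(block_rule(r"C:\Users\test\Downloads\unknown.exe", peers))
```

On a live box the input would come from `netstat -ano` (run elevated so PIDs are populated) and the PID from Task Manager or `tasklist`; the script only filters and deduplicates, the reputation verdict still comes from the lookup service.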
 

yigido

Thread author
Melih's words from the Comodo forum..
"Comodo Containment Technology" vs "Cryptolocker"

You see this is the power of containment.
Cryptolocker works like this:
1) Reads a file
2) Encrypts it
3) Overwrites the original file with the encrypted file
4) Asks for ransom

With Comodo's Containment technology...
Because any new unknown file goes into Containment, the cryptolocker will
1) Read a file
2) Encrypt it
3) FAIL..... (because in Containment you can't change the data on the hard disk, you can only change the data on a temporary hard disk we give you inside the container ;) )
4) Happy Comodo user
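The failure at step 3, as an added example that is not part of Melih's post and does not describe how CIS is implemented internally: a toy copy-on-write container in Python. Writes from the contained process land in a throwaway shadow directory, reads fall through to the real directory, and a simulated ransomware (XOR stands in for real encryption) is run first inside the container and then "released" against the real directory. It also shows the point hjlbx makes earlier in the thread: the contained process can still read the real data, so virtualization by itself does not stop theft. The file names and contents are constructed.

```python
import os
import shutil
import tempfile


class RealFS:
    """Direct access: what an application released from containment gets."""

    def __init__(self, root):
        self.root = root

    def read(self, rel):
        with open(os.path.join(self.root, rel), "rb") as f:
            return f.read()

    def write(self, rel, data):
        path = os.path.join(self.root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


class Container:
    """Toy copy-on-write view: reads fall through to the real tree, writes go to a shadow tree."""

    def __init__(self, real_root):
        self.real = RealFS(real_root)
        self.shadow_root = tempfile.mkdtemp(prefix="container-")
        self.shadow = RealFS(self.shadow_root)

    def read(self, rel):
        # A path the contained process already rewrote is served from its shadow copy;
        # everything else is the real file, so containment does not hide data from reads.
        if os.path.exists(os.path.join(self.shadow_root, rel)):
            return self.shadow.read(rel)
        return self.real.read(rel)

    def write(self, rel, data):
        self.shadow.write(rel, data)          # step 3 lands here, never on the real disk

    def discard(self):
        shutil.rmtree(self.shadow_root)       # closing the container throws the changes away


def toy_ransomware(fs, paths, key=b"k3y"):
    """Melih's steps 1-4 against whatever file API it is handed. XOR stands in for encryption."""
    for rel in paths:
        plain = fs.read(rel)                                                 # 1) read
        cipher = bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))  # 2) encrypt
        fs.write(rel, cipher)                                                # 3) overwrite
    fs.write("README_RANSOM.txt", b"pay up")                                 # 4) ask for ransom


def run_demo():
    """Run the same code contained and then released; return what each run achieved."""
    real_root = tempfile.mkdtemp(prefix="userdata-")
    docs = {"docs/report.txt": b"quarterly numbers", "docs/photo.bin": bytes(range(16))}  # constructed
    for rel, data in docs.items():
        RealFS(real_root).write(rel, data)

    box = Container(real_root)
    stolen = box.read("docs/report.txt")           # reads inside the container see real data
    toy_ransomware(box, docs)
    view_in_box = box.read("docs/report.txt")
    real_after_box = {rel: RealFS(real_root).read(rel) for rel in docs}
    note_on_disk = os.path.exists(os.path.join(real_root, "README_RANSOM.txt"))
    box.discard()
    shadow_gone = not os.path.exists(box.shadow_root)

    toy_ransomware(RealFS(real_root), docs)        # same code once rated trusted and released
    real_after_release = {rel: RealFS(real_root).read(rel) for rel in docs}
    shutil.rmtree(real_root)

    return {
        "contained_could_read_real_data": stolen == docs["docs/report.txt"],
        "contained_view_was_encrypted": view_in_box != docs["docs/report.txt"],
        "real_files_intact_after_containment": real_after_box == docs and not note_on_disk,
        "shadow_discarded_on_close": shadow_gone,
        "released_run_damaged_real_files": real_after_release != docs,
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The last check is the weakness Ink raises later in the thread: once the file is rated good and released, the same code has full access and the real files are overwritten.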
 

hjlbx

Thread author

@yigido

I went searching for "Comodo Containment Technology" right after Melih posted a reply to your thread.

That's how I found the above PDF and link.

Hee..hee...

Best Regards,

HJLBX
 

Ink

One weakness in this system:
"If the processes are determined to be good, they are automatically released out of the secure container."

If above occurs, it's possible to either bypass* "Comodo's solution uses a combination of process virtualization, whitelisting, file lookups, behavior analysis and traditional AV scans." and infect the PC - nothing is 100%. :D

Interesting how malicious code can be always one step ahead.
 

hjlbx

Thread author

@Huracan

You mean if Comodo rates a piece of malware as Trusted?
 

Ink

It could happen, or there's a fault in one of the processing stages of determining what is a "good" or "bad" file.

I am not bashing Comodo, but to say nothing can be 100% regardless of multiple layers of security, or even an experienced user like yourself.
 

hjlbx

Thread author

@Huracan

Comodo has rated malware as Trusted... it has happened, although it is rare.

Go ahead and bash Comodo - that sort of thing does not bother me one bit. Even though I use it, I bash it all the time... :D

Best Regards,

HJLBX
 

Ink

Where did I say I was bashing the product? I was not. Some believe Comodo is the BEST and cannot be bypassed; my comment was simply backing up your comment about it not being 100% bulletproof.
 

hjlbx

Thread author

@Huracan

Sorry... I was actually making fun... I did not mean it any other way.

I don't think you are bashing Comodo. I understand you are just pointing out Comodo is not 100 %. That is the absolute truth - which no one with any IT common sense can deny.

I was poking fun... I meant, if you choose to bash Comodo, then I do not care. Even though I use Comodo - as dedicated user - I make fun of it, get mad as hell at it... and try to give Comodo Staff as much grief as I can manage along the way.

One can be serious about their system security - but - not take their security softs too seriously. Otherwise, one might blow a gasket with all the various bugs, quirks, issues, incompatibilities, broken apps, etc, etc.

Best Regards,

HJLBX
 

yigido

Thread author
We always said there is no 100%, but Comodo is really close to this. This is just my humble opinion.
 

vivid

They listen to users anyway. I just don't like it when they stay quiet.
 

hjlbx

Thread author

It is my impression that Comodo does not use its developers in a dedicated capacity. In other words, the developers get moved around a lot - from project to project. For a while they will work on CIS, then move on to other priorities.

Seems to me, most Comodo development resources are allocated to Comodo Enterprise. Changes and improvements made there are then applied to CIS. This makes sense financially for Comodo, since I can't imagine the company earns a huge amount from CIS - whereas they do have a relatively strong commercial division.

That's just my opinion... so take it for what it is... an opinion, and not a statement of fact.

Best Regards,

HJLBX
 

Cch123

In the report, they compared their solution to "vendor A" and "vendor B". But they made it so obvious that they might as well just say Invincea and Bromium.
 

WinXPert

Virtualization is not perfect. While it protects the physical system, the entire virtual session can become infected - and - data theft can still occur.

And there used to be some rare occurrences where an infection bleeds out of the sandbox.
 

hjlbx

Thread author
@WinXPert

The CIS sandbox is bypassed by malware from time to time. Some disable it. Others "jump out" of the sandbox. As you state, it is a rare occurrence.

Virtualization is valuable, but the fact that data can be stolen is still a huge hole.

A firewall - at the least - is necessary when using light virtualization.

Virtualization is good for protecting physical system from persistent infection.

Anti-executable prevents anything other than "white-listed" apps from executing on system.

Firewall protects against outbound connects.

That is my idea of basic security config.
 

Rolo

Here's a thought: don't run unknown executables! o_O

You know Windows has everything you need to have your box locked down: default deny and anti-execute through Group Policy and two-way firewall, default block/explicit allow.
 