(COMODO) Creating a custom rule for my 'malware' folder...

[porkpiehat]

Hi, would it be possible to create a custom rule, that assigns a 'untrusted/unrecognised' rule to every file that I download/run from my 'malware' folder? cheers.

 

[Spawn]

What components of Comodo have you installed, and disabled or enabled?

Configure Sandbox: https://help.comodo.com/topic-72-1-451-4768-.html

File Rating: https://help.comodo.com/topic-72-1-451-4777-Manage-File-Rating.html

Defense+: https://help.comodo.com/topic-72-1-451-4759-Defense+-Settings.html

Are these of any help?

 

[porkpiehat]

CFW, Proactive, and HIPS enabled ... thanks, I shall check these links out..

 

[Sloth]

You can do that using the auto-sandbox settings. Check this, https://help.comodo.com/topic-72-1-623-7763-Configuring-Rules-for-Auto-Sandbox.html

 

[porkpiehat]

many thanks, I'll give it a go...

 

[porkpiehat]

ok, I've set up the rule, with 'block' and 'quarantine' as the actions.... downloaded the 'adware fake optimizer' into the 'malware' folder, and run the fake optimizer program... which alerts UAC and proceeds with its 'select a language' installer... at what point should Comodo have jumped on it and blocked/quarantined the program?

 

[porkpiehat]

I seem to have lost the ability to post an image???

 

[jamescv7]

@porkpiehat : The first protocol is quarantine them for safe keeping purpose as much as possible, especially for probably FP rates that you can restore anytime.

Blocked can be acceptable that which only prevent the execution but not removing the totality of file existence.

 

[porkpiehat]

update, I re installed CIS, and everything is working as it should... click on file, and BAM...GO TO JAIL!! happy days

 

[hjlbx]

ok, I've set up the rule, with 'block' and 'quarantine' as the actions.... downloaded the 'adware fake optimizer' into the 'malware' folder, and run the fake optimizer program... which alerts UAC and proceeds with its 'select a language' installer... at what point should Comodo have jumped on it and blocked/quarantined the program?

@porkpiehat

You set up rule for auto-sandbox to Block the execution of any Unrecognized file - then auto-quarantine that file... is this correct ?

 

[porkpiehat]

well, that's the option I've given it...

 

[hjlbx]

well, that's the option I've given it...

So, you created the rule and it is still not blocking the installer... correct ?

 

[porkpiehat]

actually, I've just discovered that EAM was screwing up the auto sandbox rules... now that I've deleted EAM everything is being caught... although I'm chuffed that Comodo is working, I'm totally gutted that I cannot run EAM with it.... ho hum!!