Advice Request Comodo custom Nagisa config

[Nagisa]

Hey. I was using CF with cruel settings but wanted to make another config, that's not as secure as cruel comodo but i think it has less hassle and is more suitable for inexperienced users. CF works only as a companion app at those settings so I would recommend that one use an AV along with it.

Spoiler: Firewall

Spoiler: HIPS

Spoiler: auto-containment

Spoiler: file rating

Spoiler: VirusScope

-Summary-

HIPS disabled. Auto-Containment only blocks known malicious files and runs specific programs (unrecognized; less than 2 days old) under partial restriction. I thought that virtualization is a big hit on usability. You can't save nor edit any documents easily. File rating and auto-containment automatically quarantines known threats. File rating doesn't automatically trust files originated from trusted(user interaction) installers (I guess user may whitelist a malware by mistake). VirusScope only detects files in containment (unrecognized; less than 2 days old), so it can't create false positives on known trusted files.

• Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)

 

[imuade]

First of all: did you switch to "Proactive Security" configuration?

COMODO - Proactive Security - This configuration turns CIS into the ultimate protection machine. All possible protections are activated and all critical COM interfaces and files are protected

Auto-containment rules follow top-down priority, so better to move the "run restricted" rule after the "block" rules

Rules at the top of the list have higher priority. You can re-prioritize rules using the 'Move Up' and 'Move Down' buttons

Better to use the "Restricted" level, "Partially limited" can let some malware escape

Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting

Better to remove the "File age" parameter, otherwise you can miss a true zero-day

I personally prefer to block unknow files, but that's your choice

I think VirusScope set to monitor only apps in the container doesn't make sense if you don't use auto-containment rules to run stuffs virtualized (it will only work if you manually run an app into the container)

 

[Nagisa]

First of all: did you switch to "Proactive Security" configuration?

Yeah, but does it make any difference? I thougt it's just a preset and i was applying my own custom settings anyway.

Auto-containment rules follow top-down priority, so better to move the "run restricted" rule after the "block" rules

Yeah, thanks for letting me know

Better to use the "Restricted" level, "Partially limited" can let some malware escape

The purpose of this config is creating the least amount of hassle. If user runs a new legit file, putting that program under heavy restriction would hit the usability. I think partial restriction would make it harder to compromise the system if user runs a zero-day malware.

Better to remove the "File age" parameter, otherwise you can miss a true zero-day

I thought most zero-days would be new files. And most well known AVs should be detecting old malwares anyway. Again, the purpose of this config is to create the least amount of hassle.

I think VirusScope set to monitor only apps in the container doesn't make sense if you don't use auto-containment rules to run stuffs virtualized (it will only work if you manually run an app into the container)

As far as i know, VirusScope also detects files that are under restriction.

 

[imuade]

Yeah, but does it make any difference? I thougt it's just a preset and i was applying my own custom settings anyway.

Yes, your custom settings will be applied to the configuration you set first.

About VirusScope, I'm not sure, from your screenshot isn't clear if VirusScope is monitoring anything.
On Comodo manual they wrote:

Monitor only the applications in the container - VirusScope only tracks the activities of processes that are running in the container. It will not track processes directly running on the host

Everything else is understandable, it's the usual balance between security and usability

 

[Nagisa]

@imuade According to the quote, VirusScope is monitoring restricted applications as well. They do counted as "Contained applications".

 

[Nagisa]

@imuade oh, haha

 

[imuade]

@imuade oh, haha

View attachment 242904

We both are blind

 

[[Inactive User 48391948]]

Long time former user of COMODO here. If my memory is correct, older versions of COMODO dating back to around version 5 used a hybrid approach with sandboxing, meaning that some actions of sandboxed applications are virtualized while other actions are restricted depending on the restriction level (eg. Partially Limited, Limited, Restricted, Untrusted). The old COMODO sandbox did not provide full virtualization, meaning that malware is permitted to make some changes outside the sandbox, and at partially limited, some artifacts of malware can persist on the real system even after resetting the sandbox. Back then, the recommended restriction level for balancing compatibility and security was Limited rather than Partially Limited. The former effectively runs applications without administrative privileges, which makes a massive difference.

In later versions, COMODO introduced and polished fully virtualized sandboxing enabled by default, so total virtualization of unknown applications is achieved with the exception of rare leakages/bugs. This is especially true for versions 10 and beyond which has more fileless protection. Within the virtualized system, there are safeguards, with HIPS blocking access to protected objects for instance. However, a user can manually set a restriction level within the fully-virtualized sandbox for added security.

It is unclear whether the Run Restricted option nowadays utilizes the old hybrid approach or whether it uses no virtualization but sets restrictions totally outside the sandbox. If I had to guess, I would go with the latter and assume that they have phased out the hybrid approach entirely, and that full virtualization is the intended final result of the sandbox feature. The hybrid approach was likely an interim solution to the ultimate goal of full virtualization. COMODO's documentation isn't clear about this.

In any case, if you want to use run restricted, I would recommended using at least the Limited Restriction level over Partially Limited. Also, the proactive configuration has more protected objects in the HIPS, and afaik, HIPS operates even when it is "disabled."

 

[Vitali Ortzi]

Without restricted it's not a sandbox period!
Maslware escaped in cruel sister videos and others who didn't configere comodo with CS settings!

 

[Nagisa]

Without restricted it's not a sandbox period!
Maslware escaped in cruel sister videos and others who didn't configere comodo with CS settings!

I watched cruel sister's videos. I don't remember she tested with "run restricted" only.

@Scythian Thanks for the detailed post