Advice Request Comodo custom Nagisa config

Please provide comments and solutions that are helpful to the author of this topic.

Nagisa

Level 7
Thread author
Verified
Jul 19, 2018
341
Hey. I was using CF with cruel settings but wanted to make another config, that's not as secure as cruel comodo but i think it has less hassle and is more suitable for inexperienced users. CF works only as a companion app at those settings so I would recommend that one use an AV along with it.

2_.PNG



3.PNG


10.PNG



6.PNG



7.PNG


4_.PNG


8.PNG


-Summary-

HIPS disabled. Auto-Containment only blocks known malicious files and runs specific programs (unrecognized; less than 2 days old) under partial restriction. I thought that virtualization is a big hit on usability. You can't save nor edit any documents easily. File rating and auto-containment automatically quarantines known threats. File rating doesn't automatically trust files originated from trusted(user interaction) installers (I guess user may whitelist a malware by mistake). VirusScope only detects files in containment (unrecognized; less than 2 days old), so it can't create false positives on known trusted files.


  • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
 
Last edited:

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
First of all: did you switch to "Proactive Security" configuration?
COMODO - Proactive Security - This configuration turns CIS into the ultimate protection machine. All possible protections are activated and all critical COM interfaces and files are protected


Auto-containment rules follow top-down priority, so better to move the "run restricted" rule after the "block" rules
Rules at the top of the list have higher priority. You can re-prioritize rules using the 'Move Up' and 'Move Down' buttons
Better to use the "Restricted" level, "Partially limited" can let some malware escape
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting
Better to remove the "File age" parameter, otherwise you can miss a true zero-day

I personally prefer to block unknow files, but that's your choice :)

I think VirusScope set to monitor only apps in the container doesn't make sense if you don't use auto-containment rules to run stuffs virtualized (it will only work if you manually run an app into the container)
 

Nagisa

Level 7
Thread author
Verified
Jul 19, 2018
341
First of all: did you switch to "Proactive Security" configuration?

Yeah, but does it make any difference? I thougt it's just a preset and i was applying my own custom settings anyway.

Auto-containment rules follow top-down priority, so better to move the "run restricted" rule after the "block" rules

Yeah, thanks for letting me know (y)

Better to use the "Restricted" level, "Partially limited" can let some malware escape

The purpose of this config is creating the least amount of hassle. If user runs a new legit file, putting that program under heavy restriction would hit the usability. I think partial restriction would make it harder to compromise the system if user runs a zero-day malware.

Better to remove the "File age" parameter, otherwise you can miss a true zero-day

I thought most zero-days would be new files. And most well known AVs should be detecting old malwares anyway. Again, the purpose of this config is to create the least amount of hassle.

I think VirusScope set to monitor only apps in the container doesn't make sense if you don't use auto-containment rules to run stuffs virtualized (it will only work if you manually run an app into the container)

As far as i know, VirusScope also detects files that are under restriction.

9.PNG
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
Yeah, but does it make any difference? I thougt it's just a preset and i was applying my own custom settings anyway.
Yes, your custom settings will be applied to the configuration you set first.

About VirusScope, I'm not sure, from your screenshot isn't clear if VirusScope is monitoring anything.
On Comodo manual they wrote:
Monitor only the applications in the container - VirusScope only tracks the activities of processes that are running in the container. It will not track processes directly running on the host

Everything else is understandable, it's the usual balance between security and usability :)
 
May 23, 2020
1
Long time former user of COMODO here. If my memory is correct, older versions of COMODO dating back to around version 5 used a hybrid approach with sandboxing, meaning that some actions of sandboxed applications are virtualized while other actions are restricted depending on the restriction level (eg. Partially Limited, Limited, Restricted, Untrusted). The old COMODO sandbox did not provide full virtualization, meaning that malware is permitted to make some changes outside the sandbox, and at partially limited, some artifacts of malware can persist on the real system even after resetting the sandbox. Back then, the recommended restriction level for balancing compatibility and security was Limited rather than Partially Limited. The former effectively runs applications without administrative privileges, which makes a massive difference.

In later versions, COMODO introduced and polished fully virtualized sandboxing enabled by default, so total virtualization of unknown applications is achieved with the exception of rare leakages/bugs. This is especially true for versions 10 and beyond which has more fileless protection. Within the virtualized system, there are safeguards, with HIPS blocking access to protected objects for instance. However, a user can manually set a restriction level within the fully-virtualized sandbox for added security.

It is unclear whether the Run Restricted option nowadays utilizes the old hybrid approach or whether it uses no virtualization but sets restrictions totally outside the sandbox. If I had to guess, I would go with the latter and assume that they have phased out the hybrid approach entirely, and that full virtualization is the intended final result of the sandbox feature. The hybrid approach was likely an interim solution to the ultimate goal of full virtualization. COMODO's documentation isn't clear about this.

In any case, if you want to use run restricted, I would recommended using at least the Limited Restriction level over Partially Limited. Also, the proactive configuration has more protected objects in the HIPS, and afaik, HIPS operates even when it is "disabled."
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
Without restricted it's not a sandbox period!
Maslware escaped in cruel sister videos and others who didn't configere comodo with CS settings!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top