Advice Request Comodo Desktop - extra Protection

[Tony Cole]

Good Evening Ladies & Gentlemen:

Today I was online, thinking of several things - based on what we know today, and I can answer that in part from my time here on MalwareTips. But, I wanted to ask/pick your brains, if I use the Comodo virtual desktop to browse online, and a piece of malware i.e., keylogger or malware capable of taking screen shots etc., etc., would I be a) more secure in this virtual environment, or b) no, launching the normal virtual browser would do the same? I do also make one change (thanks to cruelsister) I untick the box in Comodo’s sandbox settings “do not virtualize access to specified files/folders.

Tony.

 

[hjlbx]

Good Evening Ladies & Gentlemen:

Today I was online, thinking of several things - based on what we know today, and I can answer that in part from my time here on MalwareTips. But, I wanted to ask/pick your brains, if I use the Comodo virtual desktop to browse online, and a piece of malware i.e., keylogger or malware capable of taking screen shots etc., etc., would I be a) more secure in this virtual environment, or b) no, launching the normal virtual browser would do the same? I do also make one change (thanks to cruelsister) I untick the box in Comodo’s sandbox settings “do not virtualize access to specified files/folders.

Tony.

1. The virtual kiosk sandbox is the same as the "standard" sandbox; they are one in the same. Comodo only uses one sandbox. The virtual kiosk is like Bitdefender Safe Pay, Kaspersky Safe Money... in that it adds the virtual keyboard. There are some other purported protections in VK, but getting technical infos is next to impossible.

2. For usability, it is more convenient to add Downloads folder to Protected Data Folders in HIPS - Protected Objects. This will block access to that folder by any sandboxed process.

Max protection = virtualize, convenience = add to Protected Data Folder

 

[379EXHD]

I don't run my browser or any other program in the sandbox. Running cruelsister's settings all malware encountered is running there so I want to run outside. Basically I see it as possibly throwing the chicken in the wolf pen. I reserve the sandbox for bad stuff and unknown. Has worked well here.

 

[Moose]

Interesting video of Comdo and sandboxie, 2010.
Episode 703 - Free Application Sandbox Challenge and Top -Ultra- Warez

 

[Tony Cole]

Adding documents, pictures, download folder(s) to the protected data folder, do I need hips enabled, my config is proactive security, with the tweaks cruelsister suggested?

 

[hjlbx]

Adding documents, pictures, download folder(s) to the protected data folder, do I need hips enabled, my config is proactive security, with the tweaks cruelsister suggested?

Proactive Security config default HIPS settings is on (Safe Mode).

If you get HIPS alert you do not understand, just "Block and Terminate" and don't tick "Remember my answer." This blocks\terminates process and doesn't create permanent rule. Give you some time to get some help. If HIPS alert disappears, then it is blocked by default. You can always Allow after you find out if safe or not.

Besides, if you create rule that you are uncertain of you can always delete it and CIS will start from scratch for that application\file...

Just don't delete any of the rules created by Comodo and included in the config - like Windows Updater Applications, Explorer, Metro Apps, Windows Applications, All Applications.

IMPORTANT ! "Treat As" creates a rule for the file performing the action indicated in the HIPS alert, NOT the target file !!!!

I have seen time and again where user creates Trusted Installer rule for Explorer (= really bad news) because they do not understand the above point.. It isn't clear from HIPS alert - although the infos of what is being done is much better than average.

You'll have to practice. On clean system, HIPS almost never alerts if using applications with good reputation.

HIPS alerts take some practice... unfortunately.

 

[Tony Cole]

@hjlbx Thank you

 

[cruelsister]

Hi Tony- Sorry that I didn't see your post earilier.

With Comodo, as long as you have set both the sandbox and firewall to the settings suggested, all else: HIPS, Virtual Desktop, and configuration settings are really trivial. This is because the sandbox will stop any malware long before with the configuration (the Proactive protects COM settings better) and the HIPS ever kick in to catch anything.

So an analogy to using HIPS or Virtual Desktop when you have the sandbox and firewall settings in place would be like if when it is raining using an umbrella even though you are indoors.

But about the only thing that you may see are stuff like exploits (such as Remote code execution thingies), but even these aren't of concern as any browser spawn will be sandboxed and thus isolated (actually will be releasing a video about this on Saturday).

 

[Tony Cole]

Thanks cruelsister, I enjoy your video's. I suppose Comodo is trying to look cool, may be to the novice user - who a virtual desktop very secure. I must admit I enjoy using it, but I'm a big kid with new technology Hope you are well.

 

[hjlbx]

Thanks cruelsister, I enjoy your video's. I suppose Comodo is trying to look cool, may be to the novice user - who a virtual desktop very secure. I must admit I enjoy using it, but I'm a big kid with new technology Hope you are well.

Virtual Kiosk is nothing more than Comodo's version of Bitdefender Safe Pay and Kaspesky's Safe Money. Comodo recommends it be used when doing online banking\financial transactions to prevent against screen and clipboard capture + virtual keyboard.

 

[Tony Cole]

Is this review correct that Comodo's features can be easily disabled and key area's bypassed: Sandbox and Virtual Kiosk - Comodo Firewall (2013) Review & Rating | PCMag.com

 

[hjlbx]

Is this review correct that Comodo's features can be easily disabled and key area's bypassed: Sandbox and Virtual Kiosk - Comodo Firewall (2013) Review & Rating | PCMag.com

That's a review of an old version using mostly the default Internet Security configuration - which isn't that great; CIS has been improved. Rubenking is correct regarding the lack of exploit and web protections. Comodo's attitude is that it isn't necessary to block such attacks since Defense+ will auto-sandbox the files (and presumably the physical system is protected from a persistent infection). That's all fine and good, but sandboxing itself doesn't protect against data loss. Protecting the system against a persistent infection is only one part of the puzzle.

To rectify potential data loss Comodo added Protected Folders and Protected Data Folders in the CIS HIPS module. Protected Folders will not allow any Read\Write access except to Trusted files. Protected Data Folders deny write access by sandboxed files. Protected Objects protection only works if HIPS is enabled !

For better anti-exploit protections the user can add an anti-exploit and\or don't use widely distributed softs that are regularly targeted by malware authors - e.g. Adobe Acrobat, Reader & Flash, Oracle Java and Java Runtime Environment, Microsoft Office Suite, etc, etc.

For better web protections, switch to Norton Safe Search DNS.

There is a dependency between Defense+ and the firewall. For maximum protection, HIPS should be enabled. In addition, the firewall should be set to Block all Unrecognized files from accessing the network.

Comodo's sandbox is quite robust at this point, but that doesn't mean something can't come along that will smash it.., however you have it configured. I've seen it for myself on a few occasions. However, this sort of thing applies to every single other security soft.

It is best to set the sandbox to run files at the Untrusted level instead of the default Run Virtual (fully virtualized). Just note that some applications will not run as Untrusted inside the sandbox.

 

[Tony Cole]

How do you get files to run untrusted in the sandbox, I've enabled this for unknown files (followed cruelsisters configuration advice)?

I did have one big question, if you are using the virtual desktop and you are hit by ransomware and are unable to exit to reset, what should you do?

 

[hjlbx]

How do you get files to run untrusted in the sandbox, I've enabled this for unknown files (followed cruelsisters configuration advice)?

I did have one big question, if you are using the virtual desktop and you are hit by ransomware and are unable to exit to reset, what should you do?

@Tony Cole

• If you changed the auto-sandbox rule for Unrecognized file from "Run Virutally" to "Untrusted" then that is all you need to do; all files run in the sandbox will be executed as Untrusted (restricted access\permissions to system resources).

• Ransomware lock-out - like some tough ransom screenlocker. Reboot should reset (delete) sandbox.

 

[floalma]

What's the main differences between Virtual Desktop and sandboxed when running a program ? For example, if I create a Virtual desktop and I run a program on it or if I directly run sandboxed a program (with the right-click menu). What's will be the differences ??

 

[hjlbx]

What's the main differences between Virtual Desktop and sandboxed when running a program ? For example, if I create a Virtual desktop and I run a program on it or if I directly run sandboxed a program (with the right-click menu). What's will be the differences ??

Difference = Virtual Keyboard

And there are purportedly keylogger protections. Maybe others as well, but no technical infos from Comodo.... they assured everyone on Comodo forum about year ago that everything is protected as described...

Described where... ?

Not very reassuring...

 

[floalma]

@hjlbx

I will try it to explain again.

Here are the two different scenarios :

1. I create a Virtual Desktop (old Kiosk) and then I run Firefox. Not run Firefox as sandboxed but only from the Virtual Desktop

2. I right click on the firefox exe file and run as sandboxed.

Let me know the differences, thanks.