Comodo HIPs Create Files Safe Zone

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Anyone care to look into creating a HIPs zone for protecting files? Idea is to deny access to a created set of areas for all but chosen applications. I could use some help putting this one together, and maybe some would find it useful to employ. Doesn't seem like it would be terribly difficult, just maybe tricky to get started.

I was looking at 360 Document Protector, and it is kind of a mess, honestly. It just backs up anything automatically that is written to a drive no matter where it's written, including logs and files from AppData too. I think this would work better if I could determine how to get started. :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
HIPS/Protected Objects/Protected Data Folders
This will prevent unrecognized processes from being able to even read the data. You add any folders you want to this protection.

HIPS/Protected Objects/Protected Files
This will deny write permissions to unrecognized processes, but they can still read your data. You add any folders you want to this protection.

This is the closest thing that I know of, in Comodo. It is still not exactly what you are looking for.
I think SpyShelter has your feature, though.
 

AtlBo

Yeah, thanks @shmu26. OK, so you gave me an idea and I ran a test. I have a program called FullEventLogView that I keep unrecognized in Comodo if I ever want to test any responses of Comodo or settings or whatever. It's a good portable app to have, so I use it too sometimes :). It's in downloads. No rules for it, so I created a rule to bypass the sandbox, "ignore FELV.exe if unrecognized", for it just to test the HIPs "Protected Data Folders". I had already set all the areas in Protected Data Folders except Desktop. Well, I got the expected barrage of HIPs alerts when I opened the app, and o/c some I didn't expect, no big deal. So I then clicked on 5 events and tried to save them to Documents, and sure enough I got the "trying to write to protected" alert for the Documents folder. Then I tried to save to Desktop and got no alert. OK, so this must work just fine then. I added Desktop to PDF and then got the prompt.

Using the Protected Data Folders area, Comodo is a fortress, although I really would like to emphasize how much I would like to be able to completely block any unrecognized from writing to those areas without even a choice. Actually, this kind of has me into a pretty good debate about the need for other HIPs rules (other than this write rule...maybe memory) with @cruelsister's sandbox settings protecting. What do you think about the potential for that, if anything? Maybe there are a few of the HIPs rules I'd like to have, not sure, but the registry stuff and some of the others are just another chance to say I change my mind, and I don't think I need that 4 or 5 times per unrecognized. Maybe the keyboard one and screen protect and so on.
 

shmu26

The full set of HIPS rules comes in handy if, for instance, a dropper was allowed to run, for whatever reason, and it set the payload to run at reboot.
Upon reboot, the payload will be stopped in the middle of its job, when Comodo starts working (this takes a while). But if you have only autosandbox, it's too late, because the payload is already running.
 

Terry Ganzi

Level 26
Verified
Top Poster
Well-known
Feb 7, 2014
1,540
I think this will be a great read for you: HIPS Explained
 

AtlBo

It's true. You are right about that, now that I look at most of them. EDIT: NM on these questions that were here, apologies :oops:. I found the CF help, and I see better how it works. HIPs hadn't sunk in with me yet. These are pretty specific protections and not broad general ones. I am surprised how many HIPs alerts of these types are generated by programs after looking at them closer. Seems I should take them more seriously than I had been.

Just one single comment if anyone happens to read this. With the Protected Data Folders being a HIPs alert, it brings way more to the front for me the importance of ignoring the "Unblock Applications" option on the widget. If you want to allow a program to run outside containment and then unblock via this option, all elements (containment, HIPs, and Firewall) will all be allowed with no monitoring for the application being unblocked. WORST of all by far, the file/application will be elevated to trusted. The "Unblock Applications" dialog is very confusing and, I think, dangerous in its current form, honestly. Using it means no block if the app is ransomware or other malware and no alert if the app decides to write to files in protected areas. Files in the areas will be overwritten even if you have taken the time to designate safe areas via the HIPs settings. NOTE: I think setting HIPs to Paranoid will do the job for HIPs to ignore choices made with the Unblock Application element of the widget, but it is very stringent to say the least, and it takes time and understanding to properly train a system using this setting. HIPs will work no matter what in Paranoid though, as I understand things.

Here is the area to look for the protected data folders to protect stored documents and files. HIPs on Safe Mode will give alerts for Unrecognized applications attempting to change files in the areas designated. Just add areas where you have files:

Look Here.png
 