Serious Discussion Comodo Internet Security 2024 Beta is now available

ErzCrz

Why would one ever need or have to use 'Run Restricted' for apps running in a Containment???
The apps run in containment, what's the point?
Can they escape from Containment somehow when using 'Run Virtually'?
I think @cruelsister mentioned it in one of her videos some years ago but can't recall which. Often the default suggested option is to run a program partially limited and then you have to deal with firewall prompts. Setting the default containment to Restricted makes things simpler but if you want to just deal with the containment prompts, that's fine. The CS approach is a simple bulletproof configuration.

The default is Partially Limited and less secure, as I've mentioned, but the choice is yours.
  • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
  • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
  • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
  • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
 

simmerskool

Why would one ever need or have to use 'Run Restricted' for apps running in a Containment???
The apps run in containment, what's the point?
Can they escape from Containment somehow when using 'Run Virtually'?
sure, and ideally if "run restricted" is the selected setting then a good coder might nullify (gray out) Run Virtual Applications. :unsure:
 

simmerskool

I think @cruelsister mentioned it in one of her videos some years ago but can't recall which. Often the default suggested option is to run a program partially limited and then you have to deal with firewall prompts. Setting the default containment to Restricted makes things simpler but if you want to just deal with the containment prompts, that's fine. The CS approach is a simple bulletproof configuration.

The default is Partially Limited and less secure, as I've mentioned, but the choice is yours.
sounds like my memory too although mine is (was) a tad more faded.
 

Pico

When apps run contained they can perform read operations from the host (like read access to file system and resources) but they cannot perform permanent write operations to the host as these write operations are isolated from the host.
In other words, contained apps can never make permanent changes on the host and as long as contained apps cannot call home (FW set to block inbound and block outbound connections for all contained apps) then I still don't see the need for using 'Run Restricted' or any other limiting setting.

What am I missing in using these limiting settings?
 


ErzCrz

Comodo leaves weird parts of it on my system when I uninstalled. I had to reinstall Windows :/
It tends to leave behind an installer startup entry which you can delete from the registry located here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also tends to leave behind the Event Log folder/entry located here: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

Both can safely be deleted and just restart afterwards.

There is an Uninstaller via Comodo Forums but it doesn't remove the above entries. Official Comodo Uninstaller v3.2.0.82 Released
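
A read-only way to review the two registry locations named in the post above before deleting anything, as an added example that is not part of the original thread. The `Comodo` match pattern and the helper name `Get-CommandTarget` are assumptions; the post does not give the names of the leftover entries.

```powershell
# Added example: audit only, nothing is modified or deleted.
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$eventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$pattern     = 'Comodo'   # assumption: leftovers mention the vendor name

# Hypothetical helper: extract the executable path from a startup command line.
function Get-CommandTarget {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }            # "C:\path\app.exe" /args
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd))(\s|$)') { return $Matches[1] }  # unquoted, may contain spaces
    return ($expanded -split '\s+')[0]
}

# 1. Startup entries: flag those whose target file is gone (typical uninstall residue).
$key = Get-Item -Path $runKey
$runReport = foreach ($name in $key.GetValueNames()) {
    $value  = [string]$key.GetValue($name)
    $target = Get-CommandTarget $value
    $exists = [bool]($target -and (
        (Test-Path -LiteralPath $target -PathType Leaf) -or
        (Get-Command $target -ErrorAction SilentlyContinue)   # bare names such as rundll32.exe
    ))
    [pscustomobject]@{
        Name          = $name
        Target        = $target
        TargetExists  = $exists
        MatchesVendor = ($name -match $pattern) -or ($value -match $pattern)
    }
}
$runReport | Sort-Object TargetExists | Format-Table -AutoSize -Wrap

# 2. Event log registrations: list logs and sources whose key name matches the pattern.
$logs    = Get-ChildItem -Path $eventLogKey -ErrorAction SilentlyContinue
$sources = $logs | ForEach-Object { Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue }
@($logs) + @($sources) |
    Where-Object { $_.PSChildName -match $pattern } |
    ForEach-Object { $_.Name }
```

Rows with `TargetExists` false or `MatchesVendor` true are the candidates to review by hand; export the key first (`reg export`) if you intend to delete anything.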
 

simmerskool

It tends to leave behind an installer startup entry
It also tends to leave behind the Event Log folder
There is an Uninstaller via Comodo Forums but it doesn't remove the above entries. Official Comodo Uninstaller v3.2.0.82 Released
@Deepz you could also try jv16 uninstalr app, it is discussed here

 

ForgottenSeer 100397

When apps run contained they can perform read operations from the host (like read access to file system and resources) but they cannot perform permanent write operations to the host as these write operations are isolated from the host.
In other words, contained apps can never make permanent changes on the host and as long as contained apps cannot call home (FW set to block inbound and block outbound connections for all contained apps) then I still don't see the need for using 'Run Restricted' or any other limiting setting.

What am I missing in using these limiting settings?
Before containment, restriction levels were the primary security measure. They now offer optional protection, which limits software or malware running in the containment. I don’t use restriction levels.
 

Pico

Before containment, restriction levels were the primary security measure. They now offer optional protection, which limits software or malware running in the containment. I don’t use restriction levels.
That should be 'optional fake containment protection' then.
Why should one want to set restriction level on a contained app?
Two options, either just let the contained app execute without restriction level or just block it altogether, easy.
 

ForgottenSeer 97327

@Pico use case for running a contained application with restrictions

Run a portable version of a web browser in a container with an additional restriction to block access to ring-0, allowing this sandboxed portable only write access to the (real system) download folder. Being a portable application it should in normal circumstances never touch elevated processes and UAC protected folders nor registry. Enable HIPS, allowing everything except execution in the download folder.

Pretty strong hassle free security. Can't imagine any malware to break through these additional containment levels.

@cruelsister always removes access to real system, but maybe she could show a version which only allows access to the downloads folder of the real world system and let the HIPS protect this "gateway" to the real world.
 

Pico

Is containment leaking permanent write operations (excluding the allowed write access to the download folder) to the real system when restriction levels are not being used ???

Running a portable or non-portable app in containment doesn't matter; both are handled in the same way: they execute in containment, meaning they cannot perform permanent write operations to the real system.
 

ForgottenSeer 97327

Is containment leaking permanent write operations (excluding the allowed write access to the download folder) to the real system when restriction levels are not being used ???

Running a portable or non-portable app in containment doesn't matter; both are handled in the same way: they execute in containment, meaning they cannot perform permanent write operations to the real system.
:) you are not a fan, me neither, but now you are saying why use a safety belt when my car has an airbag?
 

ForgottenSeer 100397

That should be 'optional fake containment protection' then.
Why should one want to set restriction level on a contained app?
Two options, either just let the contained app execute without restriction level or just block it altogether, easy.
The restriction levels aren't just for containment. You can use a restriction level as primary security without containment.
 

ForgottenSeer 100397

That's good. But for containment it has no use.
Run Virtually had some minor problems, such as ransomware leaving a ransom note on the desktop or malware changing the desktop background. This made people question the strength and reliability of the default settings. Personally, I believe that restricting contained apps defeats the purpose of containment. I'm not aware of any legitimate bypass of the default settings with the stable version.
 
