Advice Request Comodo Internet Security Setup/configuration thread

Status
Not open for further replies.

hjlbx

Thread author
How do I get an installer to work if Comodo doesn't recognize it and constantly sandboxes it? I've tried adding rules to HIPS and exclusions etc. I don't get it. It keeps opening the installer I want to open in a sandbox no matter what I do. I am currently trying to install my HTC drivers on my host machine; they install just fine on my VM I do dev work on... What gives? I tried checking the differences in settings with my CIS and there is no difference. I don't get it... I tried adding the rule for the .exe that my VM has; it doesn't work b/c it autolaunches the installer itself in a sandbox and then errors b/c it's sandboxed. Any help would be much appreciated. Can someone please explain the exact way I go about adding an exclusion so it doesn't sandbox an installer it doesn't recognize?

You can change rating of installer from Unrecognized to Trusted in Advanced Settings > File Rating Settings > File List

or

You can create auto-sandbox Ignore rule for the installer - but CIS might still auto-sandbox all the files that it installs if the vendor is not on the COMODO Trusted Vendor List or is unsigned. Create Ignore rule via Auto-Sandbox > Rules > Add (+) tab at bottom of screen > Ignore from drop-down menu in upper left hand corner of window.

Also, if you run the installer, in the sandbox alert, you will see "Do not isolate again." Select it. Run the installer again. It should not be sandboxed.

Easiest is to change rating from Unrecognized to Trusted... then everything it installs should be treated as Trusted.

Final option is to submit installer for white-listing on the COMODO forum. It takes 3 to 5 days to get white-listed and avoid the rigmarole you are currently dealing with.
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
You can change rating of installer from Unrecognized to Trusted in Advanced Settings > File Rating Settings > File List

or

You can create auto-sandbox Ignore rule for the installer - but CIS might still auto-sandbox all the files that it installs if the vendor is not on the COMODO Trusted Vendor List or is unsigned. Create Ignore rule via Auto-Sandbox > Rules > Add (+) tab at bottom of screen > Ignore from drop-down menu in upper left hand corner of window.

Also, if you run the installer, in the sandbox alert, you will see "Do not isolate again." Select it. Run the installer again. It should not be sandboxed.

Easiest is to change rating from Unrecognized to Trusted... then everything it installs should be treated as Trusted.

Final option is to submit installer for white-listing on the COMODO forum. It takes 3 to 5 days to get white-listed and avoid the rigmarole you are currently dealing with.
I tried both; it still sandboxes them. It's even sandboxing Autoruns from Sysinternals... I tried adding it to trusted vendors; it says MS already is. I set an ignore rule and it still sandboxes it?
 

hjlbx

Thread author
I tried both; it still sandboxes them. It's even sandboxing Autoruns from Sysinternals... I tried adding it to trusted vendors; it says MS already is. I set an ignore rule and it still sandboxes it?

You changed rating of Installer ?

Did you perform clean install of OS before installing COMODO ?

If not, COMODO can mis-behave.

What is your config ?
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
Yes comodo was installed on a clean slate. Config is CIS Sandboxie and HMPA...
-proactive mode
Defense+
Enable realtimeScan
Enable Scanning Optimization
Run Cache Builder when computer is idle
Scan Computer memory after startup
Decompress Archives
Use heuristics High
HIPS
Training Mode
Enable Adapter Mode
Enable enhanced protection mode
do heuristics command line
detect shellcode injections
Sandbox
-Settings

do not virtualize access to specified folders share folders since I didn't change that but I usually just deselect it. I tried setting that with an exclusion also, which didn't work
Enable automatic Startup for services in sandbox
show highlight frame
detect programs which require elevated privileges
show privilege elevation alerts
Auto-Sandbox
enable autosandbox
enable file source tracking
Block all malicious
block suspicious
run virtually all apps unrecognized - I tried adding it to the list with an ignore rule set, still sandboxes
VirusScope
Enable viruscope
File Rating-Settings
Enable Cloud lookup
Analyze Unknown files
Detect PuPs
Tried turning on and off "trust applications signed by trusted vendors" and "trust files installed by trusted installers" with the ignore ruleset in place, just to see, since I'm so novice with CIS
Trusted Vendors - I removed a crap-ton of them but none that meant anything to me. I'm currently trying to install the HTC Sync Manager so I can extract the drivers out of it as it's installing, but it won't install the drivers b/c it's sandboxed. I try to add it to this list and it tells me "The file does not seem to be valid signed executable."

I'm hoping this is what you wanted. I have exclusions for HMPA and Sandboxie which work just fine.
Can't see how the other areas would affect it in any way; any help is greatly appreciated.
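
An added example, not part of the original thread: one way to see what Windows itself reports about an installer's Authenticode signature when CIS says the file is not a validly signed executable, and to compare the host's copy of the installer with the VM's copy by hash. The function name and the path in the usage line are hypothetical placeholders.

```powershell
# Added example (not from the thread): summarize the Authenticode signature
# and SHA-256 of one or more files using built-in Windows PowerShell cmdlets.
function Get-InstallerSignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not found: $p"
            continue
        }

        # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted,
        # UnknownError, NotSupportedFileFormat, Incompatible.
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $cert = $sig.SignerCertificate

        [pscustomobject]@{
            File        = $p
            Status      = $sig.Status
            StatusText  = $sig.StatusMessage
            # Signer subject is the vendor name a trusted-vendor list would match on.
            Signer      = if ($cert) { $cert.Subject } else { $null }
            Issuer      = if ($cert) { $cert.Issuer } else { $null }
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
            # A countersignature timestamp keeps a signature verifiable
            # after the signing certificate itself has expired.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Compare this value between host and VM copies of the installer:
            # a different hash means a different (or damaged) download.
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Usage (placeholder path, replace with the real installer location):
# Get-InstallerSignatureReport -Path 'C:\Path\To\installer.exe' | Format-List
```

A Status of NotSigned or HashMismatch means there is no valid embedded signature for any vendor list to match, regardless of which vendors are trusted.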
 

hjlbx

Thread author
Yes comodo was installed on a clean slate. Config is CIS Sandboxie and HMPA...
-proactive mode
Defense+
Enable realtimeScan
Enable Scanning Optimization
Run Cache Builder when computer is idle
Scan Computer memory after startup
Decompress Archives
Use heuristics High
HIPS
Training Mode
Enable Adapter Mode
Enable enhanced protection mode
do heuristics command line
detect shellcode injections
Sandbox
-Settings

do not virtualize access to specified folders share folders since I didn't change that but I usually just deselect it. I tried setting that with an exclusion also, which didn't work
Enable automatic Startup for services in sandbox
show highlight frame
detect programs which require elevated privileges
show privilege elevation alerts
Auto-Sandbox
enable autosandbox
enable file source tracking
Block all malicious
block suspicious
run virtually all apps unrecognized - I tried adding it to the list with an ignore rule set, still sandboxes
VirusScope
Enable viruscope
File Rating-Settings
Enable Cloud lookup
Analyze Unknown files
Detect PuPs
Tried turning on and off "trust applications signed by trusted vendors" and "trust files installed by trusted installers" with the ignore ruleset in place, just to see, since I'm so novice with CIS
Trusted Vendors - I removed a crap-ton of them but none that meant anything to me. I'm currently trying to install the HTC Sync Manager so I can extract the drivers out of it as it's installing, but it won't install the drivers b/c it's sandboxed. I try to add it to this list and it tells me "The file does not seem to be valid signed executable."

I'm hoping this is what you wanted. I have exclusions for HMPA and Sandboxie which work just fine.

Keep Cloud lookup, "Trust applications signed by Trusted vendors" and "Trust applications installed by Trusted installers" enabled.

Bad news... CIS and Sandboxie can be incompatible; try adding Sandboxie to Shell Code Injection exclusions.

If that doesn't work, then uninstall Sandboxie.

If that all doesn't work, then I am not sure what is happening - because - changing the file rating of the installer from Unrecognized to Trusted should work.
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
Ok, I did a restore with Acronis I took on the 30th and now everything seems to be fine. Let me try to install these HTC drivers with an ignore rule; let's see if that works... Autorun works fine now though, which it refused to before. Still doesn't work. I'll try removing Sandboxie right quick; the only issue is it's working perfectly with Cyberfox and other software... Not sure why it's auto-sandboxing this particular installer from HTC's website? I've had Sandboxie in the shellcode injection exclusions the whole time so can't explain it. Guess uninstalling it is the only way to go... And use the Comodo sandbox I guess?
 

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
Ok, I did a restore with Acronis I took on the 30th and now everything seems to be fine. Let me try to install these HTC drivers with an ignore rule; let's see if that works... Autorun works fine now though, which it refused to before. Still doesn't work. I'll try removing Sandboxie right quick; the only issue is it's working perfectly with Cyberfox and other software... Not sure why it's auto-sandboxing this particular installer from HTC's website? I've had Sandboxie in the shellcode injection exclusions the whole time so can't explain it. Guess uninstalling it is the only way to go... And use the Comodo sandbox I guess?
COMODO Sandbox is perfectly fine for browser sandboxing. In fact, it is more than suitable for sandboxing common applications.
If you used to test software using Sandboxie, you can instead use a virtual machine.
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
Keep Cloud lookup, "Trust applications signed by Trusted vendors" and "Trust applications installed by Trusted installers" enabled.

Bad news... CIS and Sandboxie can be incompatible; try adding Sandboxie to Shell Code Injection exclusions.

If that doesn't work, then uninstall Sandboxie.

If that all doesn't work, then I am not sure what is happening - because - changing the file rating of the installer from Unrecognized to Trusted should work.
Same results: removed Sandboxie etc. and I still get the same issue, this one actually:
error 1719 The windows installer service could not be accessed - Defense+ / Sandbox Help - CIS

No matter what I do it refuses to launch this installer outside the sandbox? I don't get it... I removed Sandboxie and tried the installer, rebooted to be sure, tried again. I made sure I had the rules for it set, and it still does it. I tried in virtual desktop, same results... Driving me crazy; it works on the VM, why not on my host machine... The service is set right; no problem using the Windows Installer service when Comodo recognizes it.
 

Deleted member 178

Thread author
for sandboxie with CIS, you have to manually add each Sbie executable in the File List
 

hjlbx

Thread author
Same results: removed Sandboxie etc. and I still get the same issue, this one actually:
error 1719 The windows installer service could not be accessed - Defense+ / Sandbox Help - CIS

No matter what I do it refuses to launch this installer outside the sandbox? I don't get it... I removed Sandboxie and tried the installer, rebooted to be sure, tried again. I made sure I had the rules for it set, and it still does it. I tried in virtual desktop, same results... Driving me crazy; it works on the VM, why not on my host machine... The service is set right; no problem using the Windows Installer service when Comodo recognizes it.

OK... sorry I missed it. Your problem is neither COMODO nor Sandboxie related; the problem is probably a corrupted Windows Installer file.

To trouble-shoot Windows Installer Service Cannot be Accessed:

https://support.microsoft.com/en-us/kb/2438651

Most of what is covered in the above linked Knowledge Base still applies to Windows 8 and 10.

It's a start...
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
And no worries about the reply above I fixed that issue.
I seriously am a magnet to these weird bugs!
Ok, this morning I realized I was having an issue... I was testing F-Secure as I have been for the last 12 days or so. I noticed today that Comodo wasn't updating anymore over the VPN... For the first umm 9 days it worked with no problems at all. So I took an image real quick and went back to before I installed the VPN and made sure Comodo updated. Then I reinstalled the VPN on that earlier image, tried to update again, and same thing: it says it downloads the updates, but when it goes to install updates it just starts to count down as if it didn't download the updates. Same issue occurs on my latest image. Not sure why this is happening all of a sudden, and it has to be the VPN b/c it only happened after I installed it. Wondering if anyone had any input or way of fixing this; perhaps it's a bug, I'm not sure. It apparently hadn't updated in 3 days and said I needed to do it on the secure bar or whatever of its gadget. Strange issue, and it was all of a sudden; I haven't installed anything new, machine state remains the same... So what's going on? I read on the Comodo forums of something similar happening to someone else on a VPN: they said to remove the Comodo Application rules in firewall settings?
So figured I'd ask the comodo guru first *cough* @hjlbx *cough* :D
 

hjlbx

Thread author
And no worries about the reply above I fixed that issue.
I seriously am a magnet to these weird bugs!
Ok, this morning I realized I was having an issue... I was testing F-Secure as I have been for the last 12 days or so. I noticed today that Comodo wasn't updating anymore over the VPN... For the first umm 9 days it worked with no problems at all. So I took an image real quick and went back to before I installed the VPN and made sure Comodo updated. Then I reinstalled the VPN on that earlier image, tried to update again, and same thing: it says it downloads the updates, but when it goes to install updates it just starts to count down as if it didn't download the updates. Same issue occurs on my latest image. Not sure why this is happening all of a sudden, and it has to be the VPN b/c it only happened after I installed it. Wondering if anyone had any input or way of fixing this; perhaps it's a bug, I'm not sure. It apparently hadn't updated in 3 days and said I needed to do it on the secure bar or whatever of its gadget. Strange issue, and it was all of a sudden; I haven't installed anything new, machine state remains the same... So what's going on? I read on the Comodo forums of something similar happening to someone else on a VPN: they said to remove the Comodo Application rules in firewall settings?
So figured I'd ask the comodo guru first *cough* @hjlbx *cough* :D

I have no need of VPN - so never comboed one with COMODO.

This sort of thing is a trial-and-error issue.

Did you add VPN software exclusion in COMODO - including Allow rule in firewall ?
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
No, but it is set to a trusted application. Do I need a ruleset for the F-Secure client? When I change the CIS application rules in firewall to allowed application for CIS it works just fine. Strange issue, but if I disable the VPN and just use my IP it updates the sigs just fine... But kind of a pain if you wanna use a VPN; you'd have to get a single tunnel VPN for this to work I imagine... Definitely an issue either with the VPN client or with Comodo; can't tell which until I test it on another VPN. So I ended up changing the ruleset for CIS back to strictly outgoing like it is stock... Maybe I'll mess with some rules for the Freedome client and see if that fixes it.
 

marzametal

Level 7
Verified
Jun 10, 2014
316
@Umbra - In your Protected Registry Keys spoiler... what registry keys were you protecting for Sandboxie, AppGuard, Shadow Defender and AdGuard?

EDIT: Would it be as simple as searching through Registry and making notes on paths? eg: similar method used to check for residue left behind after an uninstall...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Trusted Vendor
there we are, the (In)famous TVL, the weakest chain of CIS, since any vendor/individual who pays the right price can be added as trusted... :rolleyes:
I deleted all of them except Microsoft, my drivers and all my "sure-to-be-safe" software's vendors.
that list is as long as the world.
Is there any sane way to selectively delete most of the entries?
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
I think the list is about 5000 entries. If concerned, check out AppGuard's Trusted vendor list (about a dozen) and just stick with that. In the past signed malware was almost always used for targeted attacks, but the release of Spymel earlier this year has made me rethink things a bit. This will be covered (eventually) in the current RAT video series.
 