Advice Request Comodo Internet Security Setup/configuration thread

[hjlbx]

I have a little question I'd like to share heh

If I have disabled "Create rules for safe applications" on HIPS settings.
I have of course, re-built the "Trusted Software Vendors list"

From Comodo web:


HIPS trusts the applications if:

• The application/file is rated as 'Trusted' in the File List

• The application is from a vendor included in the Trusted Software Vendors list

• The application is included in the extensive and constantly updated Comodo safelist

What is the Comodo safelist, the HIPS could trust an application that is not in the trusted file list, neither in the trusted software vendors list, but actually in the comodo safelist? I know this may have been answered a lot of times already, or comodo needs the 3 rules above to be present in order to trust the application, also how is the performance impact for day to day usage? Has anyone noticed any performance issues that may equals to keep this setting disabled? Thank you all in advnace! NIce thread btw.

There are digitally unsigned files included in the Safe List.

For example, ATI\AMD drivers might be signed or not signed; but both ATI\AMD are in TVL.

Trusted Vendor + digitally signed from recognized certificate authority = automatically Trusted = potentially real bad news; rare, but not unheard of...

First item above = user sets rating to Trusted (e.g. change from Unrecognized to Trusted)

User set rating supersedes Comodo rating.

 

[Tony Cole]

@Umbra why did you stop using Symantec Endpoint Security, is Comodo more powerful?

 

[Deleted member 178]

@Umbra why did you stop using Symantec Endpoint Security, is Comodo more powerful?

no because i dont have the Win10 version compatible. (i didn't bought it in the first place)

 

[SHvFl]

So i just figured out virtualized applications have access to protected files without any alert. Any way to avoid it except disabling sandbox?

 

[TheSuperGeek]

So i've got 1 thing that I haven't undrstand : what to do with TVL ??
Do i need to put HIPS on "training" + disable Auto-sandbox + delete TVL ?
What should I do ?

 

[DracusNarcrym]

So i just figured out virtualized applications have access to protected files without any alert. Any way to avoid it except disabling sandbox?

Files run virtually with NO restriction level (for example "Partially Limited") do have access to protected files, but VIRTUALLY, and since they are virtualized in the Sandbox in the first place, any changes they make using protected files will be nullified when the Sandbox is reset.

So i've got 1 thing that I haven't undrstand : what to do with TVL ??
Do i need to put HIPS on "training" + disable Auto-sandbox + delete TVL ?
What should I do ?

You should delete the TVL ONLY if you want to reconfigure CIS for every single file there is on your system or at least have more control on the Rules that CIS is going to make for files. If you don't want all this, then the only thing I recommend doing is maybe removing some entries which you find suspicious or they are signatures of software rarely found on the Internet.

IN DEFAULT SETTINGS:
CIS is configured to build a File List by itself, without the user having to make any internal changes like deleting or editing the TVL or setting the HIPS security level to "Training Mode" or anything else. It uses 3 components to gradually construct a File List of Trusted, Unrecognized and Malicious file ratings:
1. If a file is signed and its signature is in the Trusted Vendor List, then the file is automatically set as Trusted.
2. If a file's signature isn't in the Trusted Vendor List or if the file isn't signed at all or if its parent file (the file that launched it) isn't a Trusted file, CIS looks it up online in the COMODO Safe List (a list of files on the cloud, which were analyzed by COMODO technicians and found safe) and if it is found there, then it is set to Trusted.
3. If the file cannot be verified as safe by any of the above, it should be auto-Sandboxed, unless the user has changed the settings of CIS so it alerts him, and then the user creates a rule of their own.

SOURCE: COMODO Help | COMODO Internet Security -> Advanced Settings -> Security Settings -> Manage File Rating -> File List

 

[SHvFl]

Files run virtually with NO restriction level (for example "Partially Limited") do have access to protected files, but VIRTUALLY, and since they are virtualized in the Sandbox in the first place, any changes they make using protected files will be nullified when the Sandbox is reset.

I understand that but it means anything can access my camera even though i have a hips rule(protected file) to ask me before it gets accessed.Similar with everything that even temporary access can create problems. Will either have to disable sandbox or find an application that gives me the camera control. Thanks for your input.

 

[hjlbx]

So i just figured out virtualized applications have access to protected files without any alert. Any way to avoid it except disabling sandbox?

They can read, but not write.

If you add file\folder to Protected Files in HIPS, then sandboxed application can only read\no writes.

If you want to make a file\folder invisible to sandboxed application, add file\folder to Protected Data Folders in HIPS.

 

[Deleted member 178]

Yes, all my sensitive folders are read/write protected by Appguard and Comodo.

 

[SHvFl]

They can read, but not write.

If you add file\folder to Protected Files in HIPS, then sandboxed application can only read\no writes.

If you want to make a file\folder invisible to sandboxed application, add file\folder to Protected Data Folders in HIPS.

To get a notification on webcam access you need to make a protected file (\Device\Usb#Vid*). The fact that sandboxed applications are allowed to read them gives them access to camera.
I have no clue if there is a folder i can protect but i for sure don't know how to find this folder.

 

[cruelsister]

Don't mean to butt in here, but a sandboxed app can read as much as it wants; if it is prevented from transmitting out (either by not allowing Sandboxed apps to connect outbound or by using the Custom Firewall setting and Blocking when the popup occurs) there is no information being sent from your system.

Any collection of info locally is inconsequential if the Blackhats can't receive it.

I'll go away now...

 

[SHvFl]

You are correct @cruelsister i didn't think of the transmitting part. I was so focused on the receiving part and i missed your angle. Thanks for your input.

 

[Deleted member 178]

Don't mean to butt in here, but a sandboxed app can read as much as it wants

Protected Data Folders

The data files in the folders listed under the Protected Data Folders area cannot be seen, accessed or modified by any known or unknown application that is running inside the sandbox.

Tip: Files and folders that are added to 'Protected Files' interface are allowed read access by other programs but cannot be modified, whereas the files/folders in 'Protected Data folders' are totally hidden to sandboxed programs. If you want a file to be read by other programs but protected from modifications, then add it to 'Protected Files' list. If you want to totally conceal a data file from all the sandboxed programs but allow read/write access by other known/trusted programs, then add it to Protected Data Folders.

seems contradictory

 

[hjlbx]

@Umbra

@cruelsister is correct; Comodo does not prevent reads to any folders by default; to prevent writes (modification) user must add files\folders to Protected Files or to prevent reads & writes by Sandboxed processes, add files\folders to Protected Data Folders.

Comodo recommends to add System32, SysWOW64 and Hosts file to Protected Folders.

User can duplicate AppGuard folder protections by adding all "User Space" folders to Protected Files.

Only files rated as Trusted can write to Protected Files.

Protected Data Folders cannot be read or modified by Sandboxed processes.

 

[Deleted member 178]

ah ok ,if she meant by default, that is normal.

 

[Deleted member 178]

Comodo recommends to add System32, SysWOW64 and Hosts file to Protected Folders.

you meant "protected files" ?

 

[SHvFl]

Yes protected files. Check here, it gives an example for both.
Protected Files, PC Files, Folders Protection From Malicious Software | COMODO

 

[hjlbx]

Updated Comodo Settings thread with minor changes; will eventually add every Comodo setting.

 

[CMLew]

Can I check if I need to add hmpalert.exe processes into the antivirus excluded application exclusion for HMPA?
I know for EAM I would just follow @Umbra configuration to make it happen.

 

[hjlbx]

Can I check if I need to add hmpalert.exe processes into the antivirus excluded application exclusion for HMPA?
I know for EAM I would just follow @Umbra configuration to make it happen.

I think you will not need to add to Antivirus Exclusions list.

The process of figuring out what needs to be added is trial-and-error, but since @Umbra has HMP.A installed and working with CIS, he can give you definite answer...