Comodo Internet Security's Auto-Sandbox (Containment) & HIPS interaction explanation

Deleted member 178

Thread author
INTRODUCTION

As you know, CIS, since v6, has an Auto-Sandbox (called Behavior Blocker in v8, and now in v10 called "Containment") and a HIPS.

In the settings, HIPS can be "disabled"; from searching the Comodo Forum, "disabling" is not "turning off" the HIPS, just "hiding" it.

THEORY

1- HIPS disabled

The Auto-Sandbox will do the prevention job, running the process in a restricted mode (set by the user), unless "full virtualization" is enabled, in which case the process is fully functional but will not harm the system.

The HIPS will activate only on unrecognized files that do not fall under the BB rules.

2- HIPS enabled

The BB is still active and still acts according to its rules (as above).

The HIPS is now "woken up", and every action of the process generates an alert from the HIPS regardless of the BB actions.
The HIPS will have priority, which is why Comodo developers suggest that average users choose either the HIPS or the Auto-Sandbox; using both is for advanced users who want total control of CIS.

TEST

For the test I will use a "safe" keygen.
CIS' Auto-Sandbox is set to full virtualization, so the keygen will run as if in my real system.


1- Auto-Sandbox enabled / HIPS disabled

(screenshot: Fa42q.jpg)

As you can see, no reaction from the HIPS; the Auto-Sandbox had priority.

2- Auto-Sandbox enabled / HIPS enabled

a- A HIPS popup appears; if the user allows, the Auto-Sandbox then takes over (as shown above).

(screenshot: OcT1J.jpg)

If the user blocks:

(screenshot: fFwxR.jpg)



3- Auto-Sandbox disabled / HIPS enabled

Only the HIPS will generate alerts, one alert for each modification on the system.



This is all I know for the moment; I will update when I discover new elements.

Moose

Are you using the Free Version? :)

> I have been using the free Comodo Firewall.
> Putting my browser within the SandBox.
> Also, with Emsisoft Anti-Malware, current version.
> Runs quick with no slowdown!
 

Amiga500

The only issue I have with using the Comodo sandboxed browser is that it shows intrusions on the GUI when it is used. It's a very solid sandbox, but is there any way of stopping the intrusion counter?
 
illumination

Thread author
> The only issue I have with using the Comodo sandboxed browser is that it shows intrusions on the GUI when it is used. It's a very solid sandbox, but is there any way of stopping the intrusion counter?

If it is accessing memory, it will show. There used to be a way to exclude these in v5; not sure with v6 if that option is still available, but I would assume so.
 

(BlackBox) Hacker

WOW nice stuff mate!!!

 

Ulikedat

My fav HIPS/Behaviour Blockers of all time: CyberHawk (now owned by Shitmantec?), Sana Identity Protect (also owned by Shitmantec, I think) and ProSecurity (now owned by Comodo). These were actually great against zero-day malware! Especially ProSecurity was pretty much bulletproof! Why do you think Comodo does so well at Matousec ;) That's not in-house tech. There were a few more outstanding ones but I can't recall them. Sorry for looking back in time, I'm old school like dat <3
 