Comodo Internet Security's Auto-Sandbox (Containment) & HIPS interaction explanation

Discussion in 'Comodo' started by Umbra, Nov 27, 2012.

  1. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,170
    29,702
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    #1 Umbra, Nov 27, 2012
    Last edited: May 9, 2017
    INTRODUCTION

    As you know, CIS has had, since v6, an Auto-Sandbox (called Behavior Blocker in v8, and now called "Containment" in v10) and a HIPS.


    In the settings, HIPS can be "disabled"; from searching the Comodo Forum, "disabling" is not "turning off" the HIPS, just "hiding" it.

    THEORY

    1- HIPS disabled

    The Autosandbox will do the prevention job, running the process in a restricted mode (set by the user), unless "full virtualization" is enabled; in this case the process is totally functional but will not harm the system.

    The HIPS will activate only on unrecognized files that do not enter in the BB rules.

    2- HIPS enabled

    The BB is still active, and still acting depending on its rules (as above).

    The HIPS is now "woken up" and every action of the process generates an alert from the HIPS, regardless of the BB actions.
    The HIPS will have priority; this is why Comodo developers suggest that average users choose either the HIPS or the Autosandbox. Using both is for advanced users who want total control of CIS.

    TEST

    For the test I will use a "safe" keygen.
    CIS' Autosandbox is set to full virtualization, so the keygen will run as if in my real system.


    1- Autosandbox enabled / HIPS disabled

    [​IMG]

    As you can see, no reaction from the HIPS; the Autosandbox had priority.

    2- Autosandbox enabled / HIPS enabled

    a- HIPS popup appears; if the user allows (then the Autosandbox takes over, as shown above)

    [​IMG]

    if the user blocks:

    [​IMG]


    3- Autosandbox disabled / HIPS enabled

    Only the HIPS will generate alerts, one alert for each modification to the system.



    This is all I know for the moment; I will update when I discover new elements.
     
    Daniel Keller, Tiny, Parsh and 11 others like this.
  2. Mundungas

    Mundungas New Member

    Jan 17, 2013
    35
    1
    Very nice! I'll spread the word about this one :)
     
    testing01 likes this.
  3. MalwareVirus

    MalwareVirus New Member

    Oct 6, 2012
    741
    22
    Mars
    Very nice and clear info
    Thanks :)
     
    testing01 likes this.
  4. Umbra

    Thanks ;)
     
    Wave and testing01 like this.
  5. Amiga500

    Amiga500 Level 12

    Jan 27, 2013
    637
    561
    lincolnshire.
    Thank you Umbra. Much appreciated.
     
    testing01 likes this.
  6. Umbra

    this thread should be pinned :)
     
    Wave and testing01 like this.
  7. Littlebits

    Littlebits Retired Staff

    May 3, 2011
    3,868
    3,095
    Oklahoma
    It's done.

    Enjoy!! :D
     
    testing01 likes this.
  8. Moose

    Moose Level 22

    Jun 14, 2011
    2,275
    1,185
    Are you using the Free Version? :)

    > I am using the free Comodo Firewall.
    > Putting my browser within the sandbox.
    > Also, with the current version of Emsisoft Anti-Malware.
    > Runs quick with no slowdown!
     
  9. Umbra

    why pay when it is free ^^
     
    Wave likes this.
  10. Amiga500

    The only issue I have with using the Comodo sandboxed browser is that it shows intrusions on the GUI when it is used. It's a very solid sandbox, but is there any way of stopping the intrusion counter?
     
  11. illumination

    illumination Guest

    If it is accessing memory, it will show. There used to be a way to exclude these in v5, not sure with v6 if that option is still available, but would assume so..
     
  12. dragonmew

    dragonmew New Member

    Feb 21, 2013
    359
    138
    So what's the best setting for the behaviour blocker, as mine is set at default?
     
  13. Umbra

    Untrusted or restricted; full virtualization if you know what you are doing.
     
    Wave and cruelsister like this.
  14. (BlackBox) Hacker

    (BlackBox) Hacker New Member

    Apr 21, 2014
    179
    83
    WOW nice stuff mate!!!

     
  15. Ulikedat

    Ulikedat New Member

    Apr 20, 2014
    324
    1,359
    My fav HIPS/Behaviour Blockers of all time: CyberHawk (now owned by Shitmantec?), Sana Identity Protect (also owned by Shitmantec, I think) and ProSecurity (now owned by Comodo). These were actually great against zero-day malware! Especially ProSecurity was pretty much bulletproof! Why do you think Comodo does so well at Matousec ;) That's not in-house tech. There were a few more outstanding ones but I can't recall them. Sorry for looking back in time, I'm old school like dat <3
     
  16. Davidov

    Davidov Level 10

    Sep 9, 2012
    466
    1,523
    CR
    Windows 7
    Isolation
    #16 Davidov, Dec 12, 2014
    Last edited: Dec 14, 2014
    It works well CIS8 when setting off HIPS and full virtualization sandbox as the first commentary ??? Thanks all. http://i.imgur.com/OcT1J.jpg
     