Comodo Internet Security's Auto-Sandbox (Containment) & HIPS interaction explanation


Umbra

Level 85
Content Creator
Verified
Joined
May 16, 2011
Messages
18,419
OS
Windows 10
Antivirus
Default-Deny
#1
INTRODUCTION

As you know, CIS, since v6, has an Auto-Sandbox (called Behavior Blocker in v8, and now in v10 called "Containment") and a HIPS.

In the settings, HIPS can be "disabled"; from searching the Comodo Forum, "disabling" is not "turning off" the HIPS, just "hiding" it.

THEORY

1- HIPS disabled

The Autosandbox will do the prevention job, running the process in a restricted mode (set by the user), unless "full virtualization" is enabled, in which case the process is fully functional but will not harm the system.

The HIPS will activate only on unrecognized files that do not fall under the BB rules.

2- HIPS enabled

The BB is still active, and still acts according to its rules (as above).

The HIPS is now "woken up", and every action of the process generates an alert from the HIPS regardless of the BB actions.
The HIPS will have priority, which is why Comodo developers suggest that average users choose either the HIPS or the Autosandbox; using both is for advanced users who want total control of CIS.

TEST

For the test I will use a "safe" keygen.
CIS' Autosandbox is set to full virtualization, so the keygen will run as if in my real system.


1- Autosandbox enabled / HIPS disabled



As you can see, no reaction from the HIPS; the Autosandbox had priority.

2- Autosandbox Enabled/HIPS enabled

a- HIPS popup appears; if the user allows, the Autosandbox then takes the relay (as shown above)



If the user blocks:




3- Autosandbox disabled/HIPS enabled

Only the HIPS will generate alerts, one alert for each modification to the system.



This is all I know for the moment; I will update when I discover new elements.
 

Moose

Level 22
Joined
Jun 14, 2011
Messages
2,274
#8
Are you using the Free Version? :)

> I have been using the Free Comodo Firewall.
> Putting my browser within the SandBox.
> Also, with Emsisoft Anti-Malware Current version.
> Run quick with no slow down!
 

Umbra

Level 85
Content Creator
Verified
Joined
May 16, 2011
Messages
18,419
OS
Windows 10
Antivirus
Default-Deny
#9
why pay when it is free ^^
 

Amiga500

Level 12
Verified
Joined
Jan 27, 2013
Messages
639
#10
The only issue I have with using the Comodo sandboxed browser is that it shows intrusions on the GUI when it is used. It's a very solid sandbox, but is there any way of stopping the intrusion counter?
 

illumination

Guest
#11
> The only issue I have with using the Comodo sandboxed browser is that it shows intrusions on the GUI when it is used. It's a very solid sandbox, but is there any way of stopping the intrusion counter?

If it is accessing memory, it will show. There used to be a way to exclude these in v5; not sure with v6 if that option is still available, but I would assume so.
 
Joined
Apr 21, 2014
Messages
179
#14
WOW nice stuff mate!!!

 

Ulikedat

New Member
Joined
Apr 20, 2014
Messages
324
#15
My fav HIPS/Behaviour Blockers of all time: CyberHawk (now owned by Shitmantec?), Sana Identity Protect (also owned by Shitmantec, I think) and ProSecurity (now owned by Comodo). These were actually great against zero-day malware! Especially ProSecurity was pretty much bulletproof! Why do you think Comodo does so well at Matousec ;) That's not in-house tech. There were a few more outstanding ones but I can't recall them. Sorry for looking back in time, I'm old school like dat <3
 