Solved Comodo IS Sandbox too touchy

Status
Not open for further replies.

swftech

New Member
Thread author
Jun 20, 2011
56
I just wanted to say that I like Comodo IS but lately it constantly sandboxes things I have told it not to. Mainly Steganos Locknote, which I use for passwords and other data. Every time I open Locknote and make a change, it sandboxes it as soon as I save and close Locknote. I have repeatedly told Comodo to allow Locknote and have added it to the trusted files list. Has anyone else had this problem? I am thinking of trying out Avast again "it's been a while". Thoughts would be great!!
 

Deleted member 178

Never had this kind of issue, CIS asked just once at 1st utilisation, not after. How did you set D+ and the sandbox?
 

swftech

New Member
Thread author
Jun 20, 2011
56
umbrapolaris said:
Never had this kind of issue, CIS asked just once at 1st utilisation, not after. How did you set D+ and the sandbox?

Thanks for your reply umbrapolaris, I thought it would be easiest to show the screenshots of each....

http://i.imgur.com/1CBpZ.png
http://i.imgur.com/B419r.png
http://i.imgur.com/uLdU0.png
http://i.imgur.com/g2G6U.png

And like I said, I also added Locknote to trusted files. Anything else that I allow is remembered by CIS, but for some reason every time I add changes to Steganos Locknote, once I click save and close it, CIS sandboxes it and the changes I saved are lost. I now have to disable the sandbox feature every time I use Locknote, which is quite often.

Edit to add... It just occurred to me that I have the shortcut to Locknote on my Rocketdock. Maybe because I am opening Locknote via a Rocketdock shortcut, CIS sees that as a possible malicious attempt? I will try it by opening Locknote directly and see what happens.

Still doesn't work even after opening Locknote directly, it gets isolated immediately after closing. Oh well, it's worth putting up with since I really like and trust CIS over everything else. I've just heard that the new Avast is pretty good too. Thanks again for taking the time to reply.
 

Deleted member 178

Your settings are correct. One piece of advice: uncheck "automatically trust files from trusted installers"; some vendors in the whitelist are not so white ^^

Can you show me captures of your Trusted Files list (when you click on Trusted Files and after doing a purge) and those of Computer Security Policy?

On the Execution Control Settings tab, after clicking on Exclusions, did you add Locknote?

I had a launcher before too and this issue never happened.
 

savit

Level 1
Apr 9, 2011
120
umbrapolaris said:
uncheck "automatically trust files from trusted installers" some vendors in the whitelist are not so white ^^

Good point.

and

I advise setting 'Treat Unrecognized file as' -> 'Untrusted' for better security.

'Untrusted' - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

Unknown (Unrecognized) files are then isolated in the 'Untrusted' sandbox and you can see the sandbox popup message. If the file is safe, click 'Dont isolate it again'. :)


Deleted member 178

Yes of course, but for his issue I don't want to raise his settings too high until it is fixed.
 

swftech

New Member
Thread author
Jun 20, 2011
56
Here ya go umbrapolaris..
http://i.imgur.com/jqq8h.png

And I think you might have figured it out. When clicking on "exclusions" in Execution control settings nothing is listed. So adding them to trusted is not enough, I have now added Steganos Locknote as an exclusion and the problem seems to be fixed. Thanks so much for all your help.



Thanks for your help also savit, I took your advice as well and changed the setting to untrusted. Thanks to both of you for your help and suggestions, the problem seems to be solved and CIS is even more secure!!
 

Deleted member 178

RE: (SOLVED) Comodo IS Sandbox too touchy

No problem, it was a pleasure to help a co-user ^^
 

HeffeD

Level 1
Feb 28, 2011
1,690
umbrapolaris said:
Your settings are correct. One piece of advice: uncheck "automatically trust files from trusted installers"; some vendors in the whitelist are not so white ^^

Sorry for the late reply, I've been out of town...

This setting is very misunderstood... It really has little to do with the whitelist... For longtime CIS users, this is the new incarnation of the extinct Installation Mode.

Like Installation Mode, what this setting actually does is to stop CIS from giving you multiple alerts or possible sandboxing of child processes spawned by an installer. It is not giving permissions for installers to run if they are whitelisted! It is only telling CIS to be quiet during installation...

Standard D+ protection still applies with this setting enabled. If a user instantiates an installer, all is well. (You will still be alerted if your settings require all processes to ask your permission) If an application tries to start an installer, you will get an alert.

Trusted installers can mean either installers on the whitelist or an installer the user has given rights to run. If you allow the installer to run, you've just considered it trusted.

With this setting disabled, whether the installer is whitelisted or not, if the installer attempts to spawn a child process, this process will be intercepted by CIS. Depending on your settings, it will either give you an alert asking if you wish the process to be allowed, or if the process is unrecognized, it will be automatically sandboxed, which could cause the installation to fail.

If this setting is enabled, the minimum alert you may get is D+ asking if the installer is allowed to run. (Depending on your settings, you may not see this initial alert) Once the installation process begins, every process the installer utilizes will be allowed with no user interaction.

I'm really not sure why anyone would choose to disable this setting because you're only asking for problems. Even if your security settings are such that D+ will ask you if you want the installer to run, unless you're the type of idiot that just clicks allow on every alert, you purposefully chose to install this application! Why not allow the installer to do its thing unimpeded? If you are the least bit unsure about the installer, you shouldn't be installing it! Instead, running the installer in a Virtual Machine or Sandboxing application would have been a better choice.

My recommendation is to leave "Automatically trust files from trusted installers" and "Automatically detect installers/updaters and run them outside the sandbox" enabled.

Also, the exclusions under the Execution Control Settings are only excluding those processes from buffer overflow protection. It has no impact on whether or not a process is sandboxed.

If an application is continually being sandboxed, it is because the application is changing in some way. CIS recognizes files by their file hash, so if there are any changes, CIS will no longer recognize the file. There are numerous reasons a file could be constantly changing, so I don't know specifically what is going on with Steganos. The current workaround for files that do this is to give them the Installer or Updater security policy.
 

swftech

New Member
Thread author
Jun 20, 2011
56
Thanks for the very "detailed" reply HeffeD, it's much appreciated. And you're absolutely right about a change in the file. Every time I open Locknote and add new info to the doc, when I save and close, it creates a new "temp" file and that is what CIS is isolating because it is an unrecognized temp file. I have changed the permissions for Locknote and all is OK now. Thanks again, and have an awesome week!!

BTW, I would like to give all of you good rep, but I guess I'm too new to the forum because I don't have the option yet. I was told I should see a green flag under users' posts next to "find", but all that is there is Email and PM. Is there a way I can do that for you guys or do I need to wait? If a mod sees this and has the ability to give rep to the users who have taken the time to help me out with this issue, it would be great.
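
As an added illustration that is not part of any post in this thread: a small model of hash-based file recognition that shows why a program which rewrites itself or drops a fresh temp file on save stops matching its trusted entry. This is not Comodo's code; SHA-256, the file names and the "save" behaviour are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot(folder):
    """Map each file name in `folder` to the SHA-256 of its contents."""
    result = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = hashlib.sha256(fh.read()).hexdigest()
    return result


def unrecognized(trusted, current):
    """Return {name: reason} for files whose hash is not in the trusted set.

    Recognition is by content hash only, so a trusted file that changed
    ("modified") is treated exactly like a file never seen before ("new").
    """
    known_hashes = set(trusted.values())
    report = {}
    for name, digest in current.items():
        if digest in known_hashes:
            continue  # same bytes as a trusted file: still recognized
        report[name] = "modified" if name in trusted else "new"
    return report


def demo():
    """Constructed scenario: trust a program, then let a 'save' change files."""
    with tempfile.TemporaryDirectory() as folder:
        exe = os.path.join(folder, "notes_app.exe")  # hypothetical name
        with open(exe, "wb") as fh:
            fh.write(b"MZ constructed program bytes")
        trusted = snapshot(folder)  # state when the user marked it trusted

        # Constructed "save": the program rewrites itself and leaves a temp file.
        with open(exe, "ab") as fh:
            fh.write(b" saved note text")
        with open(os.path.join(folder, "~save.tmp"), "wb") as fh:
            fh.write(b"scratch copy")
        return unrecognized(trusted, snapshot(folder))


if __name__ == "__main__":
    print(demo())
```

Running the same two snapshots around a real save in the application's folder shows which file the trust list no longer matches.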
 

HeffeD

Level 1
Feb 28, 2011
1,690
RE: (SOLVED) Comodo IS Sandbox too touchy

You're welcome. :)

As for the rep, don't worry about it. I'm just here to help. Reputation isn't important to me.
 

Deleted member 178

HeffeD said:
I'm really not sure why anyone would choose to disable this setting because you're only asking for problems. Even if your security settings are such that D+ will ask you if you want the installer to run, unless you're the type of idiot that just clicks allow on every alert, you purposefully chose to install this application! Why not allow the installer to do its thing unimpeded? If you are the least bit unsure about the installer, you shouldn't be installing it! Instead, running the installer in a Virtual Machine or Sandboxing application would have been a better choice.

OK, thanks for those clarifications HeffeD, I always thought it was closely related to the Vendor List.

For the bold line, you know that the primary cause of infection for many users is that they install cracked installers for software and games. Btw, it is still interesting to know which Windows components the various processes affect (at least for me ^^)
 