NCLR's P2P-rig

Status
Not open for further replies.

LaserWraith

Level 1
Feb 24, 2011
497
RE: NCLR need recommendation on improvements.

elliotcroft said:
The sandbox set to restricted is a good first step without increasing alerts.

Wait, you mean Execution Control settings? I don't see anything like that in Defense+ Settings > Sandbox Settings.
 

LoftedAphid86

New Member
Feb 24, 2011
1,107
RE: NCLR need recommendation on improvements.

LaserWraith said:
elliotcroft said:
The sandbox set to restricted is a good first step without increasing alerts.

Wait, you mean Execution Control settings? I don't see anything like that in Defense+ Settings > Sandbox Settings.
It's the tab to the left of sandbox settings.
 

bogdan

Level 1
Jan 7, 2011
1,362
RE: NCLR need recommendation on improvements.

He probably means Defense+ -> Defense+ Settings -> Execution Control Settings -> Treat unrecognized files as: Restricted.
 

LaserWraith

Level 1
Feb 24, 2011
497
RE: NCLR need recommendation on improvements.

elliotcroft said:
It's the tab to the left of sandbox settings.

Execution Control settings. It seems similar enough to the sandbox that it should be in that tab. :p
 

LoftedAphid86

New Member
Feb 24, 2011
1,107
RE: NCLR need recommendation on improvements.

bogdan said:
He probably means Defense+ -> Defense+ Settings -> Execution Control Settings. Treat unrecognized files as: Restricted.
That's what I'm getting at.
 

LaserWraith

Level 1
Feb 24, 2011
497
RE: NCLR need recommendation on improvements.

bogdan said:
He probably means Defense+ -> Defense+ Settings -> Execution Control Settings -> Treat unrecognized files as: Restricted.

I was pretty sure that was it, but since it wasn't in the Sandbox tab, I wanted to make sure.
 

bogdan

Level 1
Jan 7, 2011
1,362
RE: NCLR need recommendation on improvements.

CIS is a complex app offering a lot of settings. This is a good thing for some users while others get confused. Another confusing issue: When you install CIS without the antivirus, it defaults to a different configuration than the one you get when you install it as a full suite.

I agree that you should give it a chance though. The number of pop-ups was reduced since you last used it.
 

Chiron

Level 1
Feb 24, 2011
250
RE: NCLR need recommendation on improvements.

The most important change is that the sandbox should be set to restricted or untrusted.

Otherwise there is some ransomware that can actually encrypt your files. (Although they will always be stopped from affecting system files, or other protected files)
 

bogdan

Level 1
Jan 7, 2011
1,362
RE: NCLR need recommendation on improvements.

Is the Sandbox (the "real one" Defense+ -> Run a program in the Sandbox) safe enough? If so, the auto-sandbox (the one limiting rights for a process) can be disabled and Unrecognized files treated as Blocked.
 

Chiron

Level 1
Feb 24, 2011
250
RE: NCLR need recommendation on improvements.

bogdan said:
Is the Sandbox (the "real one" Defense+ -> Run a program in the Sandbox) safe enough?
To manually sandbox programs it would probably be better to use Sandboxie. I haven't seen many tests of Comodo's manual sandbox.

bogdan said:
If so, the auto-sandbox (the one limiting rights for a process) can be disabled and Unrecognized files treated as Blocked.
If you leave the sandbox enabled and choose to treat unrecognized files as blocked then they will essentially be quarantined until you manually add them to your safe list. I believe the sandbox has to be enabled for this.

However, the problem with this is that if you treat them as blocked you won't get the popup telling you they've been blocked. This would give you the option to add them to your trusted files list so they won't be blocked again. For restricted or untrusted you will get that helpful popup.

That's why I don't recommend blocked for most users. Under blocked some programs may not work without any popup to tell you that Comodo is blocking them.

I hope that helps.
 

bogdan

Level 1
Jan 7, 2011
1,362
RE: NCLR need recommendation on improvements.

Got it. And you are right, disabling the auto sandbox and setting unrecognized files to Blocked gives you a permissions error (just like with Lua + Srp).

edit: I'm sorry for "stealing" this thread. I will stop now.
 

LaserWraith

Level 1
Feb 24, 2011
497
RE: NCLR need recommendation on improvements.

Thanks for that info, Chiron. I'm not too knowledgeable on the sandbox, since I don't use it. (That is partly because the pop-ups don't give you an option to restart it unsandboxed.)
 

bogdan

Level 1
Jan 7, 2011
1,362
RE: NCLR need recommendation on improvements.

That is partly because the pop-ups don't give you an option to restart it unsandboxed
That is actually a good thing. The User gets a few extra seconds to think about running a potentially malicious file. At least with a whitelist big enough to avoid false-positives.

I will stop...now.
 

nclr11111

Level 6
Thread author
Verified
Well-known
Feb 25, 2011
277
RE: NCLR need recommendation on improvements.

Ok. Just Dl the FW. Let's install it and see what's improved since last time. If not much you can expect me in support-forum :p
 

LoftedAphid86

New Member
Feb 24, 2011
1,107
RE: NCLR need recommendation on improvements.

nclr11111 said:
Ok. Just Dl the FW. Let's install it and see what's improved since last time. If not much you can expect me in support-forum :p
Hope it works better for you than last time. :)
 

nclr11111

Level 6
Thread author
Verified
Well-known
Feb 25, 2011
277
RE: NCLR need recommendation on improvements.

Yeah, well it did actually! But there were a couple of things I'm unsecure about.
First FW alerted me of DTLite.exe (Daemontools) performing an SQL-injection and something about exceeding memory!? Seems a bit odd that such a widely spread application should perform a SQL-injection!?!? (DL from their HP btw)

Second it warned me about nvvsvc trying to execute rundll32. Now that's my nvidia-driver. Also strange that's not in cloud's whitelist??

Third: I've been warned a couple of times about computers trying to connect from outside. So far I have denied, but how do I know what types of connections they are? Is it possible there is some update function??

Then a general question. At installation I was asked if I would use Comodo's secure DNS. It sounds good but I'm using a VPN a great deal and don't know the implications on connection to my VPN with this function activated. Suggestion??
 

LaserWraith

Level 1
Feb 24, 2011
497
RE: NCLR need recommendation on improvements.

nclr11111 said:
Yeah, well it did actually! But there were a couple of things I'm unsecure about.
First FW alerted me of DTLite.exe (Daemontools) performing an SQL-injection and something about exceeding memory!? Seems a bit odd that such a widely spread application should perform a SQL-injection!?!? (DL from their HP btw)

Second it warned me about nvvsvc trying to execute rundll32. Now that's my nvidia-driver. Also strange that's not in cloud's whitelist??

Third: I've been warned a couple of times about computers trying to connect from outside. So far I have denied, but how do I know what types of connections they are? Is it possible there is some update function??

Then a general question. At installation I was asked if I would use Comodo's secure DNS. It sounds good but I'm using a VPN a great deal and don't know the implications on connection to my VPN with this function activated. Suggestion??

DaemonTools is pretty well known. It may need to do some strange things, what with mounting drives and all that.

I guess you should allow nvvsvc. In the alert, did it say that nvvsvc was trusted?

Are you using any torrent software? I do, but I still block most incoming connections and don't have much trouble (unless it specifically states that uTorrent is trying to receive a connection or something). Most often, the program will initiate an outbound connection if it is checking for updates.

I doubt a DNS change will mess up VPN connections. I think they are different enough so that it won't matter.
 

LoftedAphid86

New Member
Feb 24, 2011
1,107
RE: NCLR need recommendation on improvements.

After setting the sandbox to restricted, you should go to the firewall tab on the interface and click stealth ports wizard, then click the option that specifies to block all inbound connections. (Not if you run a server)
A lot of programs have bugs that make them execute shell codes. It's really annoying if that happens because CPU usage rockets.
 

nclr11111

Level 6
Thread author
Verified
Well-known
Feb 25, 2011
277
RE: NCLR need recommendation on improvements.

nvvsvc was NOT said to be trusted. But I accepted it anyway.
I UL a screenshot of incoming blocked connections: http://data.fuskbugg.se/skalman02/_denied.JPG
Now, this is in Swedish so I'll translate:
- Avslagit=Denied
- Tillåtit=Accepted
- Frågat=Asked
- KällIP=SourceIP
- MålIP=TargetIP
All connections are to svchost and system but I don't get from where??

@ellicroft: In my home we have 3 computers connected to one printer which is connected by wire to mine. Will it still be possible to do printouts from the other computers if I block all incoming or are they separated since they connect via the router??
 

LoftedAphid86

New Member
Feb 24, 2011
1,107
RE: NCLR need recommendation on improvements.

nclr11111 said:
nvvsvc was NOT said to be trusted. But I accepted it anyway.
I UL a screenshot of incoming blocked connections: http://data.fuskbugg.se/skalman02/_denied.JPG
Now, this is in Swedish so I'll translate:
- Avslagit=Denied
- Tillåtit=Accepted
- Frågat=Asked
- KällIP=SourceIP
- MålIP=TargetIP
All connections are to svchost and system but I don't get from where??
They could be coming from anywhere, including routers and P2P networks. (If you are hosting files) If you are connected via network to an infected computer, then it could be malware trying to get into your computer.
Since you don't know where it's coming from, I would suggest that you leave it blocked.
Nvvsvc? What is that?
 