- Dec 29, 2014
You guys using CCAV or CIS can post here too, since the programs are all similar with regards to the sandbox. Please just take a look and comment on anything that looks interesting or that you have a question about. No need to try to tackle all of this. It's only for a discussion. If anything jumps at you with easy scanning, great, but that's all.
OK, experimenting with the settings, I think I hit a nirvana sweet spot with Comodo 10. Here are the basics:
1. Proactive
2. Firewall-Custom->see at least once every app's attempt to connect and I think local separately from outside connections
3. HIPs-On->Safe Mode->all defaults
4. Sandbox-Default
5. Auto-Sandbox-Enabled (see this rule)->Target->All Applications->Reputation->Unrecognized->Action->Run Restricted (Not virtualized)
Best I can understand, if the All Apps sandbox rule is set to full restriction (I think so), the app just won't run if it's unrecognized and tries anything malware would need to try to make changes to the system or files. If there is any chance it could do damage, I will be virtualizing for this setting, so I appreciate any input here.
Compared to CruelSister's settings, some things I didn't do the same, that I would deploy 100% in an office environment:
1. Enable "Show desktop widget" (CruelSister setting is off but I like the widget)
2. Enable "Play sound when an alert is shown" (same as above)
3. Firewall settings->Disable "Do NOT show popups" (CS has it checked and set to auto-block). I do not disable pop-ups for internet connections (I want to see what is trying to contact out; not 100% sure CruelSister does this differently, just don't know, but she does it differently in her 1.28.17 CFW video)
4. I use HIPs->Enabled
5. HIPs->Protected Objects->Set HIPs to protect file locations and secondary drives via "Protected Data Folders"
6. Sandbox settings->Enable "Do not virtualize access to [the specified folders]" (CS disables this rule, I think to protect downloads from ransomware, but this one I am not sure about for myself yet)
7. Sandbox settings->Enable "Detect programs which require elevated privileges" but disable "Do NOT show privilege elevation alerts" (CS enables both, using the Block option for the second rule)
8. Sandbox settings->Aforementioned All Applications->Run Restricted rule change. CruelSister runs all Unrecognized Virtually and then goes further by choosing the Block option from the rule's Options. This is not available for "Run Restricted", only "Run Virtually".
Questions:
1. By recognizing MAC to MAC connections, it seems Comodo 10 firewall alerts by default separately for MAC to MAC and for other connections. This means an easy allow always for MAC to MAC and then anything over the internet will receive a separate alert. IP is on the alert so MAC to MAC is easy to spot. Can anyone verify this? I like to see which apps want to contact the outside world and when. I am basing this on the understanding that MAC to MAC will always be local on a Home network.
2. In Sandbox settings, what does "Do not virtualize access to [the specified folders]" do? I think this means downloads are placed in the actual downloads folder if the browser is sandboxed. That's good, but CS says there is a way to protect the folder from ransomware. I couldn't see how she was doing this, and maybe this is the way. I think I understand. She did uncheck the "Do not virtualize..." setting, where I still have it checked for now, even though I don't virtualize anyway and instead for now use restricted.
3. In Auto-Sandbox, is setting a rule to run "Restricted" the same as forcing unrecognized to run fully restricted, or is it run partially restricted? Can malware potentially do damage outside of virtualization?
4. Sandbox settings->Enable "Detect programs which require elevated privileges" but disable "Do NOT show privilege elevation alerts" (CS enables both, using the Block option for the second rule). OK, this is a tricky question so maybe no one knows, but it's deep, and I think it is important. If I allow unrecognized to run fully unrestricted from an alert that comes from this second rule being disabled, would Comodo still Auto-sandbox this unrecognized app by the Auto-Sandbox rule? I have seen the answer a time or two for this, but I can't remember. I think it's no, it won't.
5. Any good aspects to Virtual Desktop? I hear it's not very good compared to CIS Secure Desktop.
I may well end up virtualizing like CruelSister for the sandbox settings. This will be the case if ransomware can possibly bypass the simple change to All Apps->Unrecognized rule from Virtually to Restricted.
I would 100% do it CS' way in an enterprise environment, but not exactly this way at home, because I want to know what's happening. The restriction pop-ups are an example. They are dangerous, but they are also a good indicator of problem software, and the alert is red, which gets my attention. I believe after 5 years of PF pop-ups, I am prepared for anything Comodo can dish out. I wasn't using a trust list in PF, so it's easy to imagine what I did for 5 years. 75+ pop-ups to install Blue Stacks, I can say I experienced that LOL.
Again, please don't believe I expect a response to all of this or even to read all of it. If anything is interesting or you like some setting (maybe a different one you use), maybe you feel it would be appropriate to say so. I don't expect all the answers here honestly. Maybe some concepts could help some out there or some of us with a question.
What I like about this:
-Allowing the Restriction request alerts places a new understanding of the purpose of the "Unblock Applications" option on the widget. This alert really pins a user down to make a choice. I like this better than having to wait for the sandbox or worry about what might be in there if I empty it.
-Auto-Sandbox rule->Run All Apps->Unrecognized->Restricted (instead of virtual). Same as above unless I am wrong about the restriction. If it allows full access to the local account, no good, and I will use virtualize and send all the data to the sandbox.
-Firewall->Disable "Do not show Pop ups". This is a control thing. If you want to know what's doing what on the net, try this.
-The sequence of pop ups. It's very good with this.
-The frequency of pop ups. Not bad, honestly, unless you really hate HIPs alerts during installations, etc. I like them again because I like to know what's happening and what I am installing, especially considering only unrecognized bring the alerts.