Shmu26's new security config

shmu26 · Oct 6, 2016

askmark said:
Thanks for pointing this out as I didn't realise there was a difference in the protection each of these sandboxes provides.
I will now be more cautious when using CCAV sandbox.

@yigido summed it up to me by saying that CCAV is for regular users, whereas CIS is for advanced users.
(CF is the same as CIS, but without the AV component.)

hjlbx · Oct 6, 2016

CCAV does not use:

Services (there is no executable or driver registered as service)
Filter Drivers (https://msdn.microsoft.com/en-us/library/windows/hardware/ff545890(v=vs.85).aspx)
Kernel Mode hooks (runs at a level beneath User Mode hooks)
Does not virtualize (replicate & run [emulate] inside the sandbox; they run on the real system) COM objects or services

Sandboxie doesn't user Kernel Mode hooks either; it employs User Mode hooks

Separate sandboxes are used to isolate processes from each other -- memory access, inter-process communication, etc

However, without full general technical infos, you never know precisely what that quoted passage above precisely means. I am quite familiar with COMODO and know from experience that what they state - and what they actually mean - can be different.

Not bashing, just pointing out a few things that are important to consider.

shmu26 · Oct 6, 2016

hjlbx said:
CCAV does not use:

Services (there is no executable or driver registered as service)

Filter Drivers (https://msdn.microsoft.com/en-us/library/windows/hardware/ff545890(v=vs.85).aspx)

Kernel Mode hooks (runs at a level beneath User Mode hooks)

Does not virtualize (replicate & run [emulate] inside the sandbox; they run on the real system) COM objects or services

Sandboxie doesn't user Kernel Mode hooks either; it employs User Mode hooks

Separate sandboxes are used to isolate processes from each other -- memory access, inter-process communication, etc

However, without full general technical infos, you never know precisely what that quoted passage above precisely means. I am quite familiar with COMODO and know from experience that what they state - and what they actually mean - can be different.

Not bashing, just pointing out a few things that are important to consider.

even if they meant what they stated, I can't claim that I understand everything.
bottom line: is sandbox of CIS significantly better than that of CCAV, in your opinion?

hjlbx · Oct 6, 2016

shmu26 said:
@yigido summed it up to me by saying that CCAV is for regular users, whereas CIS is for advanced users.
(CF is the same as CIS, but without the AV component.)

That is only because of all the additional features (HIPS, Viruscope, KillSwitch, CCE, Virtual Desktop, settings\configuration customization, etc) that is included in CIS.

Heavily hardened CIS customization ain't no joke...

CCAV is "plug-and-play"...

hjlbx · Oct 6, 2016

shmu26 said:
even if they meant what they stated, I can't claim that I understand everything.
bottom line: is sandbox of CIS significantly better than that of CCAV, in your opinion?

My understanding is that CIS employs User Mode hooking - unless COMODO switched to all kernel or a mix of kernel\user mode hooking since 2012.

http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/

Still, technically CIS sandbox\Virtual Desktop is more robust than CCAV sandbox.

CIS sandbox has years of vulnerability fixes built into it at this point, whereas CCAV isn't truly a stable release yet... LOL.

_CyberGhosT_ · Oct 6, 2016

shmu26 said:
I have tried them all, again and again: NVT ERP, Voodoo, ReHIPS.
They always end up blocking something I want to run, like a chrome update or a windows process or a print job.
Makes me nervous to have to keep an eye all the time on what is being blocked, and give it the right rules.
So I went back to traditional solutions.
Kaspersky+ZAM+HMPA.
I also have blocked the various processes of powershell and wscript and cscript , by means of Kaspersky Application Control.
My system runs smooth, feels pretty light. I am willing to pay that extra couple seconds at bootup.
I think it's a good balance for me between security and sanity.

As long as your happy, in the end it's you who
has to sit in front of it. Thanks for sharing.

shmu26 · Oct 6, 2016

hjlbx said:
My understanding is that CIS employs User Mode hooking - unless COMODO switched to all kernel or a mix of kernel\user mode hooking since 2012.

we need to weigh the likelihood that malware will bypass CIS sandbox against the likelihood that the user will make an impatient decision when a standard default/deny solution gets in his face.

hjlbx · Oct 6, 2016

shmu26 said:
we need to weigh the likelihood that malware will bypass CIS sandbox against the likelihood that the user will make an impatient decision when a standard default/deny solution gets in his face.

Impatient user will sink his\her own battleship every time...

_CyberGhosT_ · Oct 6, 2016

hjlbx said:
Impatient user will sink his\her own battleship every time...

Right, I am saving this for quote material later in life hjlbx

shmu26 · Oct 6, 2016

shmu26 said:
I switched to COMODO Firewall, with auto-sandbox enabled globally (proactive configuration), and browsers running sandboxed.

COMODO has its quirks, but the auto-sandbox function is great. It saves you all those agonizing decisions about whether you trust the file or not. You just run your file, and it gets sandboxed. If you like it, you can take it out of sandbox later.

hmmm, I am not so sure about COMODO anymore. I just installed a little program called Affixa, it makes gmail into your default email client on desktop.
I clicked on installer, I got one prompt from firewall that a .msi file wants to connect to the internet, and I said okay.
Then it installed like a little lamb without a single prompt or autosandbox or anything.
The vendor is not on my trusted list.
Can't figure out what went wrong here. COMODO is very good at blocking and sandboxing files that I want to run. But when it comes to installing a download...

SHvFl · Oct 6, 2016

Go in autosandbox settings. It has one that checks where the file is coming from. The default used to not sandbox stuff not coming from online(online tracking not accurate obviously in all situations). See if that is said to sandbox all. Not 100% on names becaused i haven't used it for months but go in autosandbox settings and you will figure it out.

shmu26 · Oct 6, 2016

SHvFl said:
Go in autosandbox settings. It has one that checks where the file is coming from. The default used to not sandbox stuff not coming from online(online tracking not accurate obviously in all situations). See if that is said to sandbox all. Not 100% on names becaused i haven't used it for months but go in autosandbox settings and you will figure it out.

there is a setting called "enable file source tracking". I have it enabled. Should I untick it?

SHvFl · Oct 6, 2016

shmu26 said:
there is a setting called "enable file source tracking". I have it enabled. Should I untick it?

Yes you should. That will disable the feature i mentioned above completely.

Enable file source tracking – If enabled, CIS will decide whether to sandbox a file based on file source, reputation and location. If disabled, sandbox decisions are based only on file reputation and location.

Also check the setting in the box below this setting by editing each action to see if all are ok based on what you want to achieve.

shmu26 · Oct 6, 2016

SHvFl said:
Yes you should. That will disable the feature i mentioned above completely.

Also check the setting in the box below this setting by editing each action to see if all are ok based on what you want to achieve.

I don't know. I unticked source tracking, and I can see the rule that all unknowns are supposed to be sandboxed.
I deleted the rules for affixa, and tried reinstalling it, but comodo did the same exact thing. one popup for firewall, then total silence.

SHvFl · Oct 6, 2016

shmu26 said:
I don't know. I unticked source tracking, and I can see the rule that all unknowns are supposed to be sandboxed.
I deleted the rules for affixa, and tried reinstalling it, but comodo did the same exact thing. one popup for firewall, then total silence.

Pm me the Afixa link you got and tell me what version of Comodo you use. I will start a VM and try it for you to confirm it's not something in your settings.

shmu26 · Oct 6, 2016

with all due respect to comodo, I think I am going back to ReHIPS+HMPA. It works.

SHvFl · Oct 6, 2016

shmu26 said:
with all due respect to comodo, I think I am going back to ReHIPS+HMPA. It works.

You know my opinion on that so no reason to mention it.

Will test the comodo thing though just so we know and i will tell you.

shmu26 · Oct 6, 2016

SHvFl said:
You know my opinion on that so no reason to mention it.
Will test the comodo thing though just so we know and i will tell you.

at least for now, HMPA is not interfering with ReHIPS.

hjlbx · Oct 6, 2016

shmu26 said:
I don't know. I unticked source tracking, and I can see the rule that all unknowns are supposed to be sandboxed.
I deleted the rules for affixa, and tried reinstalling it, but comodo did the same exact thing. one popup for firewall, then total silence.

You don't know why this is happening ?

It is because the Affixa installer is co-signed by COMODO...

shmu26 · Oct 6, 2016

hjlbx said:
You don't know why this is happening ?

It is because the Affixa installer is co-signed by COMODO...

but how do you know? when I right-click and check properties, it says signed by Notably Good, with no mention of COMODO

Search

Shmu26's new security config

shmu26

Level 85

hjlbx

shmu26

Level 85

hjlbx

hjlbx

_CyberGhosT_

Level 53

shmu26

Level 85

hjlbx

_CyberGhosT_

Level 53

shmu26

Level 85

SHvFl

Level 35

shmu26

Level 85

SHvFl

Level 35

shmu26

Level 85

SHvFl

Level 35

shmu26

Level 85

SHvFl

Level 35

shmu26

Level 85

hjlbx

shmu26

Level 85

Similar threads