The Sandboxing and Scanning Process

Status
Not open for further replies.
bogdan

bogdan

Level 1
Thread author
Jan 7, 2011
1,362
44
32
40
Bucharest, RO
malwaretips.com
As long as you can interpret the pop-ups correctly you are protected. The auto-sandbox is there to reduce the number of HIPS pop-ups and to provide a certain degree of automated protection. One thing I do not like about the auto-sandbox: clicking don't sandbox again puts the file in Trusted, if I am not wrong. A user runs a malicious file. Signatures and the blacklist fail to protect him. The auto-sandbox limits the right of the process and the program appears not to run properly because of this. He clicks the Do not sandbox again link. Now he only has CIMA to protect him (if not disabled in settings).
 
RE: HeffeD's Setup

bogdan said:
As long as you can interpret the pop-ups correctly you are protected. The auto-sandbox is there to reduce the number of HIPS pop-ups and to provide a certain degree of automated protection. One thing I do not like about the auto-sandbox: clicking don't sandbox again puts the file in Trusted, if I am not wrong. A user runs a malicious file. Signatures and the blacklist fail to protect him. The auto-sandbox limits the right of the process and the program appears not to run properly because of this. He clicks the Do not sandbox again link. Now he only has CIMA to protect him (if not disabled in settings).
Click to expand...

I just tested it and apparently you're right. Any files in the trusted files list won't be caught with signatures. I doubt CIMA would be allowed to catch it either.
 
RE: HeffeD's Setup

From the help file (The Sandboxing and Scanning Process) it appears that this is what happens:
Code: 
file.exe --> antivirus and heuristics -->/--> auto-sandbox --> user clicks do not sandbox again --> Trusted files --> user opens the file again.
                                         \--> unrecognized files --> cloud (whitelist/blacklist + CIMA (might take some time to get results back)
What happens next? I know this is a theoretical question since real malware might trigger HIPS pop-ups, even if sandboxed, asking for admin privileges, for example. The user might reconsider and Block it.
Also the halp file states:
Automatically sandboxed applications cannot be viewed or modified in the interface. Applications that were automatically sandboxed can only be removed if they become recognized as 'safe' by CIS
Click to expand...
But I see files automatically jumping to trusted after clicking do not sandbox again. I doubt that a hash exists since I created the file and I doubt that CIMA has time to analyze it since the process idles for 5 min. Anyway even with the cloud feature turned off or without Internet access the file gets into trusted list.

Again, this is not a typical behavior of real malware. But since I've now enabled the sandbox (mainly used Defense+ before) I started noticing its behavior and I am also looking for a setup.

The easy recommended (at least in my opinion) solution: Close the auto-sandboxed program and upload it to VirusTotal.com
 
What people can do to prevent malware that have a valid safe digital is to report to comodo and also to go to CIS --> d+ --> d+ settings --> Sandbox Settings and uncheck 3rd and 4th option.

Could you give it to comodohelper@gmail.com Thanks :)
 
The above settings help only if the file is recognized as an installer. And the also second one helps keeping the Trusted Files much cleaner.
The first one:
Automatically detect the installers / updaters and run them outside the Sandbox - On execution of an Installer or an Updater, the application is run outside the Sandbox. Select this option only if you are going to run installers / updaters from trusted vendors (Default=Enabled).
Click to expand...
What should I understand from its description? An installer won't be sanboxed but HIPS will show pop-ups if the installer is not from a trusted vendor. Or an installer won't be sandboxed and HIPS will not monitor it? The warning makes me think that the second option is what happens. If so, it should be disabled. Probably these questions have been answered on Comodo forums but... :s
 
bogdan said:
What should I understand from its description? An installer won't be sanboxed but HIPS will show pop-ups if the installer is not from a trusted vendor. Or an installer won't be sandboxed and HIPS will not monitor it? The warning makes me think that the second option is what happens. If so, it should be disabled. Probably these questions have been answered on Comodo forums but... :s
Click to expand...

It's monitored, which is what the following option is all about. People often misunderstand this as something to do with the trusted vendor list, but that isn't the case. It's basically the new Installation Mode.

If an installer is trusted (either by the TVL or by the user) any child processes spawned by the installer will not give you an alert.

I personally leave both of these options selected.
 
Oh, thanks for clarifying that...the help file seems a bit confusing to me though. It should end with: "This option reduces the number of D+ pop-ups if you use installers from trusted vendors."
 
Status
Not open for further replies.

You may also like...