Use Comodo Firewall against Ransomware/HIPS Settings

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
First, I will likely be moving from the outdated Private Firewall to Comodo Firewall. I am aware of cruelsister's video for this, and thanks to her for that. However, I have so many questions regarding strategies for using Comodo Firewall. I would like to start with ransomware protection and then build around this protection.

cruelsister's technique for autosandboxing will work for this, I see. However, I would like to go further with the settings. What about HIPS? What, if anything, do they add? Can I use HIPS to have better knowledge of system activity and better control? I will be turning off the a-v, this I know.

I have a graphic I prepared to try to understand even my questions about CF. Obviously, they probably make no sense. I'm not asking anyone to answer my questions in the graphic, but, if someone would care to look, maybe you would have a comment on CF and something you may have noticed. I know my problems with disappearing files are not "common" to "many" users. I have read some comments on this issue. I am prepared to deal with this, since I have .bat files on the desktop and located in AppData folders and also on attached drives. I don't believe this is the source of the problem, because I wouldn't mind a quarantine if I could find log verification and something in the quarantine. This has been my biggest issue. No way I will be able to clean up the system in a quick fashion. Ideally, I guess I would turn off HIPS until I have Sandbox settings in place to protect against ransomware/malware and then I could set up HIPS with some trusted locations.

Still don't know why desktop icons disappeared with CF for me sometimes. I thought I had everything covered. Good HIPS settings should cover me from this, I would think.

Please don't think of this as a crazy attempt by myself to solve my problems with CF. Just thought that maybe the graphic and my questions here would help someone think of something about CF that they liked or tried and seemed effective, etc.
 

Attachments: Firewall Controls.png (112 KB)

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
HIPS is basically redundant, as long as you keep your unrecognized files in the autosandbox. It is kind of overkill to use both, unless you want the HIPS to serve as a second reminder about the potentially dangerous file you are about to run.

FYI: CruelSister's autosandbox-based strategy is good not just against ransomware. It protects against all kinds of executables. It will protect you from all file-based malware.

More about HIPS: if the file is trusted, you won't get HIPS prompts for it.
If it is not trusted, you will first get the autosandbox, and if you opt to run it out of the sandbox, then you will start to get HIPS prompts for it. This is all assuming that you did not mark it as trusted when you saw the sandbox prompt, because if you trusted it, then you won't get HIPS prompts, or firewall prompts either.

My setup is with HIPS and without autosandbox. This is because I run my browser in the sandbox, and I don't want to let my browser play in the same sandbox with all the potential malware that I might download. Of course, I could empty the sandbox frequently, but I am too lazy. Also, I don't want to lose the data that is backed up in the sandbox by Gmail Offline and Google Docs Offline.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,143
Hi AtlBo! First off, your graphic is OUTSTANDING (I've printed it out and will shove it under the nose of my assistant tomorrow as an example of how things should be done)! Anyway, I can attempt to answer some of the issues:

1). The Whitelist- I did a video on modifying it on July 12th (Comodo and Trusted Vendors List). Here is the link (not live as I don't want to fill the space overmuch): youtube.com/watch?v=TetSy5vn7_M

2). About the HIPS- there are only very rare cases when the HIPS will be of value in conjunction with an elevated sandbox setting, and never for ransomware.

3). Disappearing files- That one is curious and I think I would look elsewhere for the issue. CF is a passive application and will not on its own scan your system. I routinely have assorted nastiness on my production system in various folders and have not lost anything yet. Have you checked either the Qihoo or, if you have it active, the Windows Defender logs? Under Win10 (if you are using it) Defender stays active unless you go out of your way to deactivate it and has the nasty habit of scanning the system to delete malware (the nerve!!!).

4). If you want to be informed of outbound connections by everything (including stuff running in the sandbox), just don't use the firewall setting to block outbound connections by sandboxed items (leaving it at default) and change the Firewall from Safe Mode to Custom.

Hope this helped!
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
shmu26...really great information, thank you very much.

More about HIPS: if the file is trusted, you won't get HIPS prompts for it.
If it is not trusted, you will first get the autosandbox, and if you opt to run it out of the sandbox, then you will start to get HIPS prompts for it. This is all assuming that you did not mark it as trusted when you saw the sandbox prompt, because if you trusted it, then you won't get HIPS prompts, or firewall prompts either.

This information addresses one of my deepest lacks of understanding concerning CF. The default protection sequence in CF for some reason has confused the h3ll out of me the last few times I installed the program. I want to be very aggressive in separating internet controls from HIPS and sandbox controls, and Private Firewall has done the best I could find to present them in this way. I can see that I can't go on with PF. CF looked like an option for me and better protection (by far these days, with ransomware, etc.), but strange issues (that admittedly are 100% my problem) kept me from staying for very long with CF.

The sequence you mention seems good. The one exception (this is my problem too) is the case where I get up and walk away for a few moments and return not realizing that something has been auto-sandboxed. Not sure what happens in that case. Yes, the file runs from the sandbox or is accessed there, but resetting the sandbox I assume means the alert will reappear. In that case, I guess it's not a problem. Much better than bye bye file and where are you now, in quarantine, etc.? This is a case I want to avoid...the case where I miss an alert and the file is quarantined.

Am I correct that autosandbox will overcome this with the default settings of autosandbox and HIPS?

My setup is with HIPS and without autosandbox. This is because I run my browser in the sandbox, and I don't want to let my browser play in the same sandbox with all the potential malware that I might download. Of course, I could empty the sandbox frequently, but I am too lazy. Also, I don't want to lose the data that is backed up in the sandbox by Gmail Offline and Google Docs Offline.

OK, this makes really good sense, thanks. By the way, this brings up the issue of controlling connections in the sandbox. If malware can connect from the sandbox what can it achieve? I assume if a process wishes to connect, even from sandbox, I will be prompted under default sandbox settings. If I miss a prompt, I want to make sure the connection is blocked. Ideally, I would know of the connection attempt.

Is there a persistent alert setting in CF? By this I mean, no choice is made automatically. Actually, I do think I recall one, but I think I might be best off using this setting, even with numerous pop ups that will surely appear at first. I like to be fully aware of what is happening on the system.

Thanks especially for the information on HIPS and how it kicks in if I run out of the sandbox. That's great information. One main question, just for clarity. If I let CF choose whether to auto-sandbox (alert timer), the process which produced the prompt will continue to run in the sandbox by default? This is acceptable to me. I prefer no timer, but I may change my mind later if the default behavior is always auto-sandbox (for unknowns). Helpful to know in case I decide to change to the timed alerts later. Also, some I may prefer to monitor with HIPS.

I know I will have a question about how to create a trust list using alerts or in some other way. Reading that the Comodo trust list is too large, I know will cause me to ask. I guess I will save this for another thread.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hi, if you miss an alert and a file gets sandboxed, then the next time you execute it, it will be like the first time. Because you did not make a rule for it yet.

That is the general rule with COMODO. Until you make a rule otherwise, it will keep doing the same thing over and over again. So it's no big deal to miss an alert.

About firewall alerts for sandboxed processes -- I must admit I don't know. I never really got into firewalls so much, it sounds like you know more than me about them. But CS gave you some info on that issue.

It's late in my time zone, so good night!
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Got it on cruelsister. Thank you for the compliment on the graphic. No exaggeration, I was really just attempting to unscramble my mind from looking deeper into the settings of CF the last time I installed the program (single HIPS rules and so on).

1). The Whitelist- I did a video on modifying it on July 12th (Comodo and Trusted Vendors List ). Here is the link (not live as I don't want to fill the space overmuch): youtube.com/watch?v=TetSy5vn7_M

Thank you, and I will look at this. Extremely helpful, I know.

2). About the HIPS- there are only very rare cases when the HIPS will be of value in conjunction with an elevated sandbox setting, and never for ransomware.

Great, thank you. I'll be rolling out your auto-sandbox setup probably tonight, and I will try to build on that, although I do want to get to the bottom of what I can potentially HIPS-protect and trust list issues. The main reason for this I guess is similar to what shmu26 has mentioned. For me, I just prefer not to lose settings changes and so on that could be associated with emptying the sandbox. Default trust seems OK to me, yet I may look into coming up with a trust list at some point.

3). Disappearing files-

It's curious, and I have no verification of this, even with myself. If anything is missing, I can't determine what and cannot even say. I just noticed a hole in the desktop where an icon had been. I did notice some settings files being mysteriously emptied of their contents with CF on the system. Not sure, because this has been an issue with some programs too, having the problem natively. Mostly, I am almost certain that I am probably simply spooked by the security sequence employed by CF. I hope no one puts too much into what I am saying, as I feel I am really mostly genuinely intimidated by CF's settings and the default sequence of protection. The only thing I can say is that I feel I have been unlucky somehow with the program in the past. Makes no sense, I know, but all the things that have spooked me, that could or could not be real, seem only to have happened with CF running. I have much more confidence this time, though, thanks to you and the others here.

4). If you want to be informed of outbound connections by everything (including stuff running in the sandbox), just don't use the firewall setting to block outbound connections by sandboxed items (leaving it at default) and change the Firewall from Safe Mode to Custom.

This is great. I just would mention how confused I get about the settings of CF. I would interpret unselecting that setting to mean that there would be no alert and no block whatsoever, not that there would be an alert. It's gruesome to me when I think about how the language of Comodo just completely leaves me unable to choose sometimes.

Really appreciate your help and assistance on this, cruelsister. I'll be moving to your setup tonight and begin a list of questions on CF for later sometime.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
although I do want to get to the bottom of what I can potentially HIPS-protect and trust list issues.
HIPS will sometimes alert you when process A wants to run process B. This can help you identify a fileless exploit brewing up, if you know which Windows processes are vulnerable.

Trust list issues: this is touchy. First of all, the cloud lookup sometimes pushes your manually trusted files back into unrecognized, or vice versa.
Second of all, the trusted vendors list is absolutely vast. You never saw such a long list in your life. There is room for error, and error has happened (although very rarely, to the best of my knowledge).

Relying on the trust list is a matter of gaining convenience, at the expense of taking a slight risk. Most malware is unsigned anyway, so perforce, the risk is pretty small, because COMODO will never trust an unsigned file, unless you specifically tell it to.
I am sure that the more expert COMODO users will have something to say about this touchy subject.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I can begin to see this will be an interesting transition. I guess it could be weeks before I'm 100% committed to Comodo. I installed the firewall download, which installs CIS, and it seems the settings dialog is not exactly the same as in cruelsister's video. After working with the program for a few hours, I decided to remove it using Comodo Programs Manager and reset my thinking about developing a strategy.

Key to me is achieving a high degree of control over what is in the sandbox. For whatever reason, literally almost nothing was running in the sandbox. LOL, while I was removing CIS, I opened Insomnia from MS Powertools, which blocks standby, and it opened in the sandbox. It was the first thing that did so, and CIS was about 90% removed. If that hadn't happened I wouldn't have believed I had learned anything and would then have blamed my settings choices. I had created a sandbox rule to run executables as Restricted, which I believed cruelsister recommends, so I thought this rule would override the trust list and more things would run sandboxed. Seems it did not do so. By the way, is there a way to turn off trust in Comodo other than emptying the list (I see your comment about cloud lookup)? I would be very interested in creating my own trust list, but I was just curious about this.

I keep coming back to direct control of internet connections and then to overcoming concerns about mitigation/injection type attacks. With no HIPS in place, this worries me. No executable for Comodo to recognize as unknown or malicious. I put into Notepad several questions about mitigations and whether mitigation exploits would tend to get by the sandbox by virtue of being disguised as trusted. Yes, the sandbox may block unknown or malicious, but what about the worst of the worst? Not sure about this, but it is a concern I have, since the browser runs outside the box by default with this setup. You do have me started about the prospects of running key Windows elements in the sandbox. Not sure how practical this would be, when considering emptying the box and the possible consequences for the system. Also, what about adding .dlls to the sandbox in order to restore .dlls if there is an injection attack? Stands to reason the system might bork, I suppose, if the sandbox were ever emptied, idk.

You mentioned that knowing which Windows processes are vulnerable can be a big help. I have seen this with Private Firewall. This has caused me to ask myself why the thread that initialized an "in-memory" sequence could not be somehow reported as having performed an unusual action, i.e. "unknown thread has begun interaction in an unusual way with a known vulnerable Windows process and has been blocked." I think I see a little bit about why this is. A malicious thread must associate itself onto the system via something if it doesn't come from an executable on the system. This will always be a trusted process by design so it just doesn't get noticed.

What does experience say are the most vulnerable Windows OS processes? I am guessing in Windows 7 they would be for starters IE (I have locked the door on IE11 in probably 5 ways in Private Firewall) and WMP (not even a UDP connection...OFF) and then dllhost, svchost, vssvc (volume shadow copy), taskeng, taskhost, winlogon, explorer.exe. Guesses.

Well, straight up, the Comodo firewall test 100% bypasses Private Firewall in 4 of the categories, including .dll injection. I will be putting the ax to the wheel to try to come up with something. BTW, I don't rule out using virtual desktop. Could it be useful for installing and testing programs? There are so many tools in this program. Feel like I'm trying to make a jet boat from a barge. Plenty of material to work with...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The most vulnerable processes in Windows are powershell and powershell_ISE, and wscript and cscript, and cmd.
They live in two places: System32, and SysWow64. You will find them in both.
There is a much longer list of vulnerable processes, but these are the biggest offenders, because they are sort of like the Queen in a chess game. They can do almost anything.
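An added example, not from this thread or from Comodo, that turns shmu26's two points above (the HIPS "process A wants to run process B" alert, and the list of high-risk interpreters that live in System32 and SysWow64) into a check over process-creation log lines. The key="value" log format, the list of watched parent programs and the sample events are all constructed assumptions.

```python
"""
Added example, not from the thread or from Comodo: flag process-creation
events in which a trusted document or browser parent launches one of the
interpreters shmu26 singles out, and report which of the two system folders
the child came from. Log format, watched parents and sample lines are
constructed assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The interpreters shmu26 names, matched by exe name, case-insensitively.
RISKY_CHILDREN = {"powershell.exe", "powershell_ise.exe", "wscript.exe",
                  "cscript.exe", "cmd.exe"}

# The two locations he names. A prefix match also covers subfolders such as
# System32\WindowsPowerShell\v1.0\, where powershell.exe actually sits.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)

# Assumed list of trusted parents that have no normal reason to spawn a shell
# or script host (the "process A" of a HIPS alert).
WATCHED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
                   "chrome.exe", "firefox.exe", "iexplore.exe"}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse a constructed key="value" process-creation line; None if incomplete."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if "Image" not in fields or "ParentImage" not in fields:
        return None
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def system_dir_of(path: str) -> str:
    """'system32', 'syswow64', or 'other' for where the child image lives."""
    m = SYSTEM_DIRS.match(path)
    return m.group(1).lower() if m else "other"


def is_risky_spawn(event: Dict[str, str]) -> bool:
    """True when a watched parent launches one of the risky interpreters."""
    return (basename(event["Image"]) in RISKY_CHILDREN
            and basename(event["ParentImage"]) in WATCHED_PARENTS)


def find_risky_spawns(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, location) for every flagged event, in log order.
    A copy of cmd.exe outside System32/SysWow64 is still flagged, reported as
    'other', since a stray copy of an interpreter is the odder case."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_risky_spawn(ev):
            hits.append((basename(ev["ParentImage"]), basename(ev["Image"]),
                         system_dir_of(ev["Image"])))
    return hits


# Constructed sample events (Sysmon-style fields; not real log data).
SAMPLE_LOG = [
    r'EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventID="1" Image="C:\Windows\SysWOW64\wscript.exe" ParentImage="C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE"',
    r'EventID="1" Image="C:\Program Files\Google\Chrome\Application\chrome.exe" ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'EventID="1" Image="C:\Windows\System32\cscript.exe"',  # truncated line, skipped
    r'EventID="1" Image="C:\Users\Public\cmd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
]

if __name__ == "__main__":
    for parent, child, where in find_risky_spawns(SAMPLE_LOG):
        print(f"ALERT: {parent} launched {child} from {where}")
```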
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,025
Hi

I read somewhere that Sandboxie is superior to CFW's sandbox.

So if I set CFW with HIPS only, disable its sandbox and use Sandboxie instead wouldn't that be better?

Thanks
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Sandboxie is definitely more convenient to use than CFW sandbox.
It supports drag-and-drop of files to and from a sandboxed browser window, and it allows you to print from a webpage, and it is much more customizable and tweakable in a lot of ways; for instance, you can make separate sandboxes for different apps. (However, the browser starts slower in SBIE, and that might be very annoying, depending on your usage habits.)

Nonetheless, CFW sandbox is pretty secure! Unless you can pinpoint a specific security concern that is keeping you up at night, you don't need to install SBIE just for that.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,025
Thanks for that
 

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470

Hi cruelsister, how can it be applied now in version 10 beta when, upon writing as Microsoft, all other vendors disappear? Among the many vendors, I do not want to look after just one, thanks. Already it does not work as it should, horror, now what they made. Now I do not know how to get rid of the untrustworthy suppliers and leave only a select few. When they uncheck a pair (10 or 20), they uncheck all eventually. Maybe it's a mistake, perhaps only the beta.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The easiest way to edit your list of trusted vendors:
1. Temporarily disable autosandbox and HIPS.
2. Put a check at the very top of the vendors list, to select everything.
3. Delete the whole list.
4. Add your own trusted vendors manually, either from running processes or from file location.
5. Disable cloud lookup (because the cloud also includes a trusted vendors list, which you cannot edit).
6. Re-enable autosandbox (and HIPS, if you wish).
 