Advice Request What makes CF so special and should I use it + an issue with it and some other questions

[vertigo]

I'm confused about how exactly CF works to protect the system and am looking for some clarification. I've watched CS's video regarding her setup and read numerous threads about it, but I'm still not quite understanding what makes it so great. I've seen mention of it being default-deny, but I'm not seeing that. AFAICT, the only protections it provides are cloud scanning and containment, the latter being what CS seems to praise it for and what seems to be what makes it so special, unless I'm missing something. And if I'm understanding that correctly, the benefit it provides is that apps that aren't known to be malicious, and therefore wouldn't be blocked by a traditional AV, but are also unknown and therefore may be malicous, will be contained. If that's the case, I can definitely see the appeal, and it seems that would make it worth using it even if just for that feature, with the other stuff, including the firewall, disabled in order to use better alternatives. But I want to be sure I'm understanding it correctly, as I don't want to be using it if it's not actually providing any added protection.

I plan to run VoodooShield and/or SecureAPlus + OSArmor + SysHardener and possibly a third-party AV (I'm leaning toward Emsisoft paid or Bitdefender free/paid or possibly FortiClient free) since I absolutely don't want to use WD, though SAP might be enough, especially combined with CF. VS/SAP would provide a significant level of protection as anti-exes, not to mention VS's VoodooAI and cloud scanner and SAP's cloud scanner and local AV, and OSArmor and SysHardener would of course add more layers, and the third-party AV would basically be an extra level of protection in case the user simply clicks allow on those for something that's malicious, as an added layer for human error. And while there's a lot of conflicting opinions about WD, I personally don't think it's very good based on test results and I've had mixed results myself with it (testing with a malware file, sometimes it will flag it and cause UAC to not allow the file to be run even after adding it as an exception, sometimes it will flag it and the file will run fine after allowing it, and sometimes it won't block it at all, so it's wildly inconsistent and ranges from WAY overly authoritative to a complete miss, both of which are unacceptable to me). Even so, I think it would probably be good enough as just a backup layer, but between the crappy interface and usability, the fact it starts scans when I'm doing stuff, dragging the system down, and I can't stop them, the inconsistency and UAC-related issues, and the poor performance measurements/ratings it's received in testing, which I'm starting to think are the cause of some of the issues I experience, I intend to replace it. Since this setup would protect against known threats, exploits, and stuff running that wasn't explicitly run by the user, that only leaves two concerns: zero-days, which CF would in theory protect against and even without it isn't a big concern for me, and compromised certificates, which is the main threat I'm trying to find a way to protect against. Granted, such a situation is very rare, but it's also potentially devastating. I'm talking about instances like what happened with CCleaner a while back, and in fact that file is what I'm primarily using for testing, though it's known malware now so it's caught by signatures. But even if it wasn't, I can't figure out any way to protect against it, since AV software would automatically trust it due to the certificate. I was hoping a BB would still recognize that it was acting maliciously and block it, but I can't test that since almost all AV software comes with signatures. EAM is the only one that you can get without them, and when I tried that it didn't block it, which made sense since there wasn't a signature for it but was also disconcerting because the certificate was explicitly revoked by its issuer, which should have been a red flag. Anyways, unless I'm missing something, it seems this is a situation that can't really be protected against.

One BIG problem I have with CF is that even if I'm right about its benefit for unknowns, it sucks for software it considers malicious. For example, if it quarantines something, but you think it's safe and therefore want to run it anyway, you would still want to do so with extra precautions, such as containment. Unfortunately, once you restore the file from the quarantine and click yes when it asks if you want to add an allow containment rule, it sets the containment module to ignore it. This means you have to know, and remember, to go to the containment rules and edit it to partially limited or restricted (and of course there's the whole issue of restricted not working in W10 unless UAC is completely disabled, though CS says that can be done safely and also says it's not necessary because PL is good enough). This just seems crazy to me, that they would default to having it make an allow/ignore rule. It would make much more sense to have it default to a PL or restricted rule or, better yet, allow the default to be configured in settings or, better still, allow you to choose in the pop-up when removing an item from the quarantine, with it defaulting to whatever you choose in settings to have it default to. But having it default to allow for an item that was quarantined, which it should assume was for good reason, just seems irresponsible. And the same exact thing happens if you click the "Don't Isolate It Again" button on the notification when it's quarantined. This is bypassing the (AFAICT) best protection feature of CF. I suppose the "fix" for this would be to change the auto-containment rule for malicious items from block to run virtualized or run restricted*, but then it would always let them run. I'd prefer to have it quarantined, so it takes more thought, effort, and knowledge to actually run it. For example, if my mom were to try and run something that CF perceived as malicious, I'd prefer to not have it go ahead and run it, even restricted or virtualized, and instead quarantine it so that myself or my dad would have to take a look and make a much more informed decision as to whether it should be run or not.

*I'm not really clear on the difference between virtualization and restricted in CF. According to Umbra's myths & facts thread, they're basically the same thing, but when I installed a malware program restricted it's folder was located in program files, whereas when I installed it with virtualization it was under a CF virtualization folder. And in the first case, I was able to remove the restriction and essentially make it a normal app, whereas the virtualized install I can't seem to do this.

I'm also curious how you would be able to tell that an unknown app is malicious when it's running restricted, in order to know it's safe to remove the restrictions, because the whole point of them is to prevent it from being able to do anything malicious, and so you wouldn't be able to observe that behavior, which would make them appear innocuous.

 

[imuade]

CF main strength is the sandbox, a virtual environment to run unknown files so that they can't harm the real system.
If you run a malware in the sandbox, it can't damage your OS and you just need to reset the sandbox to get rid of it.
CF main problem is that it can cause compatibility issues, especially on Windows 10. Plus, Comodo is quite slow in addressing bugs.
So, it's your choice, you can have the same great protection level with other free SWs, but you have to use more than one of them

 

[Arequire]

I'm confused about how exactly CF works to protect the system and am looking for some clarification. I've watched CS's video regarding her setup and read numerous threads about it, but I'm still not quite understanding what makes it so great. I've seen mention of it being default-deny, but I'm not seeing that. AFAICT, the only protections it provides are cloud scanning and containment, the latter being what CS seems to praise it for and what seems to be what makes it so special, unless I'm missing something. And if I'm understanding that correctly, the benefit it provides is that apps that aren't known to be malicious, and therefore wouldn't be blocked by a traditional AV, but are also unknown and therefore may be malicous, will be contained. If that's the case, I can definitely see the appeal, and it seems that would make it worth using it even if just for that feature, with the other stuff, including the firewall, disabled in order to use better alternatives. But I want to be sure I'm understanding it correctly, as I don't want to be using it if it's not actually providing any added protection.

Comodo products include a list of software vendors that are considered trusted. Software created by these vendors will usually be digitally signed with a code signing certificate, which is used to verify its authenticity. Any piece of software sporting a certificate by one of these trusted vendors will be assumed safe and will be allowed to run without any kind of restriction. As you can imagine, sometimes blackhats get their hands on these certificates and slap them on their malware, which adds legitimacy and helps it evade detection. These certificates are issued by certificate authorities and can be revoked at any time if they're found to be being used by malware.

Comodo also has their own cloud database of files and each file is given a trust rating: Trusted, Unknown or Malicious. Anything with a trusted rating is allowed to run, anything with an unknown rating will run inside the sandbox, and anything with a malicious rating will be quarantined.

Then there's Viruscope, which analyses the behaviour of each application and any application that exhibits malicious behaviour will be quarantined. This applies to all files and doesn't distinguish between files that are considered trusted or not.

I plan to run VoodooShield and/or SecureAPlus + OSArmor + SysHardener and possibly a third-party AV (I'm leaning toward Emsisoft paid or Bitdefender free/paid or possibly FortiClient free) since I absolutely don't want to use WD, though SAP might be enough, especially combined with CF

CF and SAP aren't compatible. @Evjl's Rain attempted to run this combo in 2017 and ended up with Windows freezing during the boot process.

and compromised certificates, which is the main threat I'm trying to find a way to protect against.

Comodo has three protection layers against this:

1. If the certificate is revoked by the certificate authority that issued it then CF will treat the application as unknown and it will be run inside the sandbox
2. If the application has a malicious rating on Comodo's cloud database then the file will be quarantined regardless of the certificate
3. Viruscope performs behavioural analysis on all applications and will quarantine any that exhibit malicious behaviour

If you're running CF alongside a companion AV then it also has the opportunity to detect the malware as well, either through signatures or its post-execution protections.

For example, if my mom were to try and run something that CF perceived as malicious, I'd prefer to not have it go ahead and run it, even restricted or virtualized, and instead quarantine it so that myself or my dad would have to take a look and make a much more informed decision as to whether it should be run or not.

If an application were perceived as malicious it'd be quarantined.
If the application is unknown and is requesting administrator rights then there's an option to have CF block the application's execution instead of sandboxing it.

*I'm not really clear on the difference between virtualization and restricted in CF. According to Umbra's myths & facts thread, they're basically the same thing, but when I installed a malware program restricted it's folder was located in program files, whereas when I installed it with virtualization it was under a CF virtualization folder. And in the first case, I was able to remove the restriction and essentially make it a normal app, whereas the virtualized install I can't seem to do this.

• Fully Virtualized - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.
• Untrusted -The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Please note, some applications that require user interaction may not work properly under this setting.
• Restricted -The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Please note, applications like computer games may not work properly under this setting.
• Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is not allowed to execute actions that require Administrator account privileges. Access to many system resources, like the clipboard, are also prohibited.
• Partially Limited (Default) - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.

I'm also curious how you would be able to tell that an unknown app is malicious when it's running restricted, in order to know it's safe to remove the restrictions, because the whole point of them is to prevent it from being able to do anything malicious, and so you wouldn't be able to observe that behavior, which would make them appear innocuous.

Comodo's cloud database and trusted vendor list is massive; unless you're running a lot of unsigned applications with small userbases then chances are it's not going to be a problem.
Treat everything that gets placed inside the sandbox as malicious, unless you're 110% sure that it isn't.

Hope my explanations helped.

 

[kylprq]

simply comodo doesnt allow to run unknown/ malicious files if properly configured ı mean blocked not sandboxed other solitions like blacklisting or behavioral detection for known malicious activities only applicable for malwares that have signatures or ı already say known malware behaviours comodo doesnt need these ı think it just blocks/sandbox vey well

 

[Deleted member 178]

Fan of Comodo from v3 to v8, knew it from head to toes, ditching it for good until they care to fix the disappearing rules bug...

 

[codswollip]

I plan to run VoodooShield and/or SecureAPlus + OSArmor + SysHardener and possibly a third-party AV

I'm not sure those are sufficient... I'd add HMPA, KTS, MBAM, and CrystalMeth.

 

[oldschool]

I'm not sure those are sufficient... I'd add HMPA, KTS, MBAM, and CrystalMeth.

!

 

[vertigo]

@imuade - Thanks. As I mentioned, I suspected the sandboxing was it, but while it appears great in theory for unknowns (I say in theory due to the UAC/PL bug as well as who knows what other ones since, as you said, they have a reputation for being slow to fix them), it's awful dealing with files it deems as malware that the user wants to run anyway, suspecting them to be clean but not being sure, and therefore wanting to run them sandboxed as a precaution. The reason is, as detailed in the OP, when removing an item from the quarantine, the rule it creates for it is an ignore/allow rule, NOT a limited/restricted one. I consider this to be a very dangerous default, which is even worse considering there's no option (that I could find anyway) to change it. What other software is there that could accomplish the same thing? Sandboxie runs things virtualized, which is different and, while certainly great for some things, isn't as good as limited containment for others. Shadow Defender would sort of do it, but on a system-wide level, and I didn't care for it at all when I tested it. Is there something that will do containment like CF vs full virtualization?

@Arequire - Thanks. I understand certificates, my point was that I was hoping heuristics/BBs would detect malicious activity despite a software being certified and warn about it, but it appears they all just completely ignore it due to the certificate, which certainly makes sense, and prevents lots of FPs no doubt, but can be an issue when the certificate is compromised. And I don't have to imagine a case where black hats do this; as I mentioned in my OP, my test file is the CCleaner file that exactly this happened with, which is why I'm using it, because it allows me to at least somewhat test that type of situation. And as much as I like EAM from my testing, the fact it didn't block it based on the revoked certificate simply because it wasn't in the signatures (as I said, I installed it without them intentionally to test this) is one of the big issues I have with that software. And I'm aware that it will quarantine applications perceived to be malicious, but that's my point. This makes it very poor at dealing with suspected malicious files that may or may not actually be malicious. The reason is, as detailed in the OP, when removing an item from the quarantine, the rule it creates for it is an ignore/allow rule, NOT a limited/restricted one. I consider this to be a very dangerous default, which is even worse considering there's no option (that I could find anyway) to change it. Thanks for the explanation of the various containment levels. I find it interesting that CS considers PL, the lowest level, to be enough. Based on their descriptions, I certainly wouldn't think it would be, but I guess I'd just have to trust her on that one, and it would at least be better than nothing. Still, it would be nice if the UAC bug would be fixed. As for treating everything that gets sandboxed as malicious (and inversely, assuming everything that doesn't is NOT malicious), the problem is that I worry apps may not be able to run 100% properly in that state, so if they're sandboxed and I trust them but am not absolutely sure, which you can never really be without auditing the code, then I'm wondering how I could determine if they are safe or malicious if they might be acting safe since they're sandboxed. And with regard to running CF and SAP together, I'm not sure which one I'd rather go without (I actually mostly like SAP, though they haven't responded to an email I sent about a month ago), but I tested them together in a VM just now and there were no immediate problems, so maybe the issue's been fixed.

@Umbra - This rings a bell, and I'm sure I read it somewhere around these forums. Do you mean they just disappear randomly, or during updates, or something else? Is it firewall, containment, or all rules? I'm assuming Settings > General Settings > Configuration > Import/Export allows you to back them up and restore them, so that's something at least, but I'm guessing you don't even know it happened without either checking periodically or finding out a program was able to do something it shouldn't? I agree, though, any program, but especially a security software, needs to be reliable. Reports of CF's bugs and concerns of Comodo at a minimum continuing to ignore them and worse completely dropping the product make me wary of using it, as good as it might otherwise be. Frankly, I'd rather not use it, since I'd use something else for firewall management anyway and I don't want to deal with random compatibiility issues which it's apparently known for, but if it's the only/best protection against unknowns, I don't want to dismiss it out of hand.

 

[Deleted member 178]

@vertigo yes disappearing anytime without notice, you realize it because suddenly you get rain of prompts about rules you previously allowed.

This is an 11 years bug-by-design, generated when you implement a large amount of rules. Comodo can't handle all of them.

Of course, saving your config and importing it when the bug occurs works, but it is a workaround and a serious flaw to me.