I understand the reservation for the default deny system, because it involves the control over all the apps, files, etc running on the endpoints. The approach is whitelisting those files that are trusted, intelligent automatic decision, and adding the admins decision for those that are in the sandbox.
Regarding:
‘For example, I use another security product on my home PC at present that uses behavioural analysis to determine whether activity is legitimate or malicious.’
The files are categorized as good, bad and the unrecognized(sandbox).
The process is the following:
‘After an unknown application has been placed in the sandbox, CES also automatically queues it for submission to Comodo Cloud Scanners for automatic behavior analysis. Firstly, the files undergo another antivirus scan on our servers. If the scan discovers the file to be malicious, then it is designated as malware, the result is sent back to the local installation of CES and the local black-list is updated. If the scan does not detect that the file is malicious then its behavior will be monitored by running it in a virtual environment within Comodo’s Instant Malware Analysis (CIMA) servers and all its activities are recorded. If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list. If no malicious behavior is recorded then the file is placed into ‘Unrecognized Files’ (for execution within the sandbox) and will be submitted to our technicians for further checks.’
Regarding those alerts you can select like default answer for when the events happen on the endpoint, example if option in Sandbox ‘Detect programs which require elevated privileges’ it’s enabled and you disable the notification , so the user won’t have to do the decision for that unknwon program to
make changes to important areas from the computer, it will block it.
‘The issue I have is that on my home system I am able to make an informed decision. On my network, our staff are not IT literate, and if legitimate applications that are sandboxed are deemed malicious (in whatever degree), that is wasted time. If alerts are displayed they will be unsure how to react and will ask my advice, which for the most part will be a waste of my time. I understand I can use Comodo’s excellent support but it does not help when the program needs to be used immediately and work has to be completed within a deadline. There is the option to disable the software but that leaves the machine wide open to infection’.
What I would suggest would be the following, password protect the CES local GUI and disable the Computer administrator, so you deny access even to those users that have local admin rights, through the policy that is applied on the endpoint.
Make sure the endpoint is clean: do the update and the full scan.
Do the test on a template machine , most programs that are used in the company, check for your own what % of ‘legitimate’ programs, files are sandboxed.
Script created , those programs, files that aren’t signed need manual whitelisting, because they might be categorized as unrecognized.
Please see here the process for unknown files:
http://help.comodo.com/topic-84-1-604-7502-Unknown-Files---The--Scanning-Processes.html
If a legitimate program gets sandboxed and user is requesting the whitelisting, add it only through 2 clicks from the console in the trusted files list will be whitelisted for all endpoints using that policy.
If after doing your general whitelisting, for those other programs that run in the sandbox,if you aren’t sure, leave it to run in the sandbox.
Whitelist what you know.
Unrecognized option from ESM console will help you in your unknown file assessment.
http://help.comodo.com/topic-84-1-496-7903-Viewing-and-Managing-Unrecognized-Files.html
If you are thinking a rol out of Office 2013 ProPlus accross the network, would suggest a simulated rol out on one test machine, to see the result of install and after the install, like day to day use, prepare the policy before for the endpoints, like if the script needs whitelisting, then white listed it. Once it looks good, apply the updated policy, do another test same machine , or another and check how it goes.
If everything looks good, start the roll out in stages maybe.
Thank you for your posting and a suggestion to make the right decision is to trial first Comodo ESM.
https://www.comodo.com/business-enterprise/cesm3/index_v2.php
Yes, web filtering is something that will be integrated in ESM.
Hope this helps 