Author Topic: Specific FW rules for s'boxed processes ? (Technical FAQ) [v6]  (Read 11888 times)

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
Specific FW rules for s'boxed processes ? (Technical FAQ) [v6]
« on: February 24, 2013, 04:17:10 AM »
You can create a firewall rule requiring all executables installed or stored in the sandbox to ask for access, using the path C:\VTRoot* or C:\VTroot\* to define such apps. You can also create a rule for a specific executable if you wish to.

To create such a rule for unknown files:
  • Ensure the FW is in safe mode.
  • Go to Advanced Settings ~ D+ ~ HIPS ~ File Protection ~ Arrow ~ Groups, and add a file group comprising the folder C:\VTroot\*, or your executable's path and name.
  • Go to Advanced Settings ~ FW ~ Application Rules ~ Sandbox, and add a custom firewall rule specifying that the firewall should ask for all in- and out-bound connections, or whatever else you like.
  • Move this rule to the top of the list.

To create such a rule for all files:

  • Ensure the FW is in custom mode.
  • Go to Advanced Settings ~ D+ ~ HIPS ~ File Protection ~ Arrow ~ Groups, and add a file group comprising the folder C:\VTroot\*, or your executable's path and name.
  • Go to Advanced Settings ~ FW ~ Application Rules ~ Sandbox, and add a custom firewall rule specifying that the firewall should ask for all in- and out-bound connections, or whatever else you like.
  • Move this rule to the top of the list.
  • If you don't want outbound alerts for files which are not stored in the sandbox, go to Advanced Settings ~ FW ~ Application Rules ~ Sandbox and add a rule for the 'All Applications' group, using the ruleset 'Allowed Application'. Place this rule below the first rule.
  • If you are using the (default) Internet Security Configuration, ensure that Advanced Settings ~ FW 'do not show pop-up alerts' is unticked.

Notes
  • If you have the same program installed outside the sandbox you will only get alerts when the one stored inside the sandbox is run. To ensure you run the installed version, take a look at this FAQ here.
  • Apps stored in the sandbox are not necessarily sandboxed (virtualised) when run - they will be only if you specifically ask them to be, or if run from the Kiosk. However, given that C:\VTRoot is hidden from non-sandboxed processes, it is most likely they will always be run sandboxed.
  • There appears to be no way of setting firewall rules for sandboxed processes that don't depend on whether they are stored in the sandbox.


Special thanks are due to TreeFrogs for all his work in assisting the development of this FAQ.
« Last Edit: February 28, 2013, 12:53:50 PM by mouse1 »
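An added simulation (not code from the thread or from Comodo) of the top-down, first-match rule ordering the FAQ relies on: the C:\VTRoot* group rule set to ask, with a blanket 'Allowed Application' rule beneath it. The evaluation order, the case-insensitive wildcard matching and the sample executable paths are assumptions made here; it shows why reversing the two rules silently shadows the sandbox rule.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class FwRule:
    name: str     # file group or application the rule is attached to
    pattern: str  # path pattern as entered in the file group (wildcards allowed)
    action: str   # "ask" or "allow" for outbound connections


def matches(pattern: str, exe_path: str) -> bool:
    """Case-insensitive wildcard match (assumed, since Windows paths are
    case-insensitive; the thread spells the group both C:\\VTRoot* and C:\\VTroot\\*)."""
    return fnmatch.fnmatchcase(exe_path.lower(), pattern.lower())


def decide_outbound(rules, exe_path: str) -> str:
    """Return the action of the first rule whose pattern matches, top-down.
    Assumption of this simulation: rules are evaluated in list order and the
    first match wins, which is why the FAQ says to move the VTRoot rule to the top."""
    for rule in rules:
        if matches(rule.pattern, exe_path):
            return rule.action
    return "no-match"  # nothing matched; the firewall mode then decides what happens


# Rule set as the FAQ describes it: sandbox-storage group first, blanket allow second.
FAQ_ORDER = [
    FwRule("FV apps", r"C:\VTRoot*", "ask"),
    FwRule("All Applications", "*", "allow"),
]
# The same two rules with the 'All Applications' rule placed above by mistake.
SHADOWED_ORDER = list(reversed(FAQ_ORDER))

# Constructed sample paths: one instance stored in the sandbox, one installed normally.
SANDBOXED_EXE = r"C:\VTRoot\Program Files\Comodo\IceDragon\IceDragon.exe"
INSTALLED_EXE = r"C:\Program Files\Comodo\IceDragon\IceDragon.exe"


def compare_orders(exe_path: str) -> tuple:
    """Decision under the FAQ's order and under the shadowed order, for comparison."""
    return decide_outbound(FAQ_ORDER, exe_path), decide_outbound(SHADOWED_ORDER, exe_path)


if __name__ == "__main__":
    for exe in (SANDBOXED_EXE, INSTALLED_EXE):
        print(exe, "->", compare_orders(exe))
```

With the FAQ's order the sandboxed instance is asked about and the installed one is allowed; with the order reversed, both are allowed and the sandbox rule never fires.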

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
You can create a firewall rule requiring all executables stored in the sandbox to ask for access, using the path C:\VTRoot* to define such apps. (This should give alerts for all unknown stored apps in safe mode, all stored apps in custom mode).

This is something I have been looking at, an option in the GUI to enable this would be good.
How have you created this rule? I have been unable to  ???
Thanks TF
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
This is something I have been looking at, an option in the GUI to enable this would be good.
How have you created this rule? I have been unable to  ???
Thanks TF
Sorry should have said - use groups

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Sorry should have said - use groups


Thanks and no worries
Although I still am struggling  :-[
I will try again later with fresh eyes and mind
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
At what stage do you have a problem?

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
I have created a rule to always ask for any connection in or out but I'm struggling to "see" how to apply it to C:\VTRoot*
I'm going in circles but still missing a whole step somewhere   :-\

Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
Just re-checked and it's working here.

You need to be careful you are actually running a program instance stored in the sandbox.

If you install a program inside and outside on the same path, CIS runs the one outside, if they are the same version.

To test I created the VTRoot rule, then an all apps rule beneath is set to always allow outbound.

When executing a trusted VTroot executable, with FW in custom mode you get an alert. When executing an executable not stored in the sandbox you don't.

Mike

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
OK I'll move this to feedback later, but for now lets do it here.

1. Go to Advanced settings (AS) ~ D+ ~ HIPS ~ File protection. Click the arrow, and click on groups
2. Click the arrow ~ choose add. Navigate to an executable in the sandbox, add it. Now right click, choose edit. Edit the path down to C:\Vtroot*. Now name your group say FV apps.
3. OK out of that, right back to the CIS main interface or advanced settings will do.
4. Now go into firewall rules, choose add ~ Groups. Now create your rule. Choose custom and set it to ask in/out. OK out of that.

Now you are set. To test, it's easiest to use an installed trusted file for now - there's something complex going on with unknown files I've not yet bottomed. So you need custom mode, which means everything gets alerted. So to make this a valid test, and to make this approach meaningful, you need an allow all apps outbound rule below the FV apps rule. Now it should alert for stored-in-sandbox apps outbound but not non-stored ones.

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
This does not seem to work. At least I believe I set it up correctly.

However, when I tested it against the leaktest discussed in this topic it was able to leak information without causing a firewall alert. Also, Comodo Dragon was able to connect, when opened by the automatically FV sandboxed leaktest without triggering an alert.

Am I misunderstanding how this works or have I set it up wrong? Can someone else please test?

Thanks.
« Last Edit: February 24, 2013, 11:47:30 AM by Chiron »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
This does not seem to work. At least I believe I set it up correctly.

However, when I tested it against the leaktest discussed in this topic it was able to leak information without causing a firewall alert. Also, Comodo Dragon was able to connect, when opened by the automatically FV sandboxed leaktest without triggering an alert.

Am I misunderstanding how this works or have I set it up wrong? Can someone else please test?

Thanks.
You may be misunderstanding. The browser instance would need to be stored in the sandbox. Leakout runs the default browser which connects. To make it easy, install an unusual browser on an unusual path, and make it the default, if the sandbox allows. If it has a choice, CIS virtualiser will run the instance that is not stored in the sandbox for preference.

For it to work with trusted files FW has to be in custom mode - see experiment steps above for the rest.

You have to be very very careful to set this up right, but it worked at Beta, and again this PM on my machine. (I'm re-testing as promised).

Oh, also the browser may need to start closed.
« Last Edit: February 24, 2013, 12:58:09 PM by mouse1 »

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
You may be misunderstanding. The browser instance would need to be stored in the sandbox. Leakout runs the default browser which connects. To make it easy, install an unusual browser on an unusual path, and make it the default, if the sandbox allows. If it has a choice, CIS virtualiser will run the instance that is not stored in the sandbox for preference.

For it to work with trusted files FW has to be in custom mode - see experiment steps above for the rest.

You have to be very very careful to set this up right, but it worked at Beta, and again this PM on my machine. (I'm re-testing as promised).

Oh, also the browser may need to start closed.
Okay, I was misunderstanding you. I suppose this will not work the way I would like it to.

Oh well, thank you anyway.

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
Also note from the above:

Quote
To run the instance of the executable which is stored in the sandbox, you may need to create a direct shortcut to it. I explain how to do this [insert xref]

https://forums.comodo.com/defense-sandbox-faq-cis/running-an-executable-store-in-the-sandbox-from-a-kiosk-shortcut-draft-t92113.0.html

Offline clockwork

  • Comodo's Hero
  • *****
  • Posts: 2217
  • Oxygen requires Chuck Norris to live
......
but isn't it the most necessary place to activate firewall questions when something is running in a sandbox?

We remember:
"Unknown things run in sandbox so can not do harm to your computer (more or less)."
Why should especially these potential dangerous things get permission to phone without question?

Sometimes I really wonder.
"If there is a problem, it's something interesting. Try to circumvent or fix it.
In the old ages there has been no support. That's why we got the brain we have today.
Otherwise we would only be able to call a number and listen.
But there wasn't a phone...."

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Ok I created the rule correctly...i think  :)
I get alerts for most sandboxed processes - all the ones I have created shortcuts for
I have to leave for work now but will look at unknown app's this evening

If anyone has time to post a step by step guide then this can be recreated faithfully
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11852
Ok I created the rule correctly...i think  :)
I get alerts for most sandboxed processes - all the ones I have created shortcuts for
I have to leave for work now but will look at unknown app's this evening

If anyone has time to post a step by step guide then this can be recreated faithfully

Thanks Treefrogs, good to know.

You should get alerts for all apps stored in the sandbox; the complexity is that CIS will often run a version stored outside the sandbox for preference when it's installed on the same path, unless you use my fix. Say you have a link to C:\Program Files\Comodo\IceDragon\IceDragon.exe. The order of execution priority seems to be:
- most recent version number
- non-sandboxed
- sandboxed

But this is just an impression.

After further experiment I think my problems with unknown files were a bug - got a Kiosk crash soon after. So hopefully this should work with FW in safe mode, without the special firewall rules, for unknown files. It did in Beta :)

See if you can confirm.

If you can I will document the steps in the first post.

Best wishes

Mouse
