Author Topic: Specific FW rules for s'boxed processes ? (Technical FAQ) [v6]  (Read 12463 times)

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Okay, I made a group pertaining to C:\Vtroot* and then went to the Firewall Application Rules and made a rule for that group to be a Blocked Application. I then clicked on the option to open Comodo Dragon as FV from the widget. However, it is able to connect to the internet. Shouldn't it be blocked?

Does the HIPS have to be turned on for this to work, have I set it up incorrectly, or am I still confused about exactly what this rule is supposed to do? Is there any way to make CD running as FV not be able to connect to the internet?

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Okay, I made a group pertaining to C:\Vtroot* and then went to the Firewall Application Rules and made a rule for that group to be a Blocked Application. I then clicked on the option to open Comodo Dragon as FV from the widget. However, it is able to connect to the internet. Shouldn't it be blocked?

Does the HIPS have to be turned on for this to work, have I set it up incorrectly, or am I still confused about exactly what this rule is supposed to do? Is there any way to make CD running as FV not be able to connect to the internet?
By default Dragon is not installed into (stored in) the sandbox. This only works for executables stored in the sandbox. If you install it, you may have to use the shortcut re-direction wangle (referenced above) to ensure the right instance is run.

As it's a trusted file, you'll need to be in custom mode, and use the rule sequence I suggest above and treefrogs seems to have successfully tested.

Hope this helps.

Mike
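To make the "stored in the sandbox" point concrete, here is an added example (not from the thread or from Comodo's own code) that models how a file-group application rule such as `C:\VTRoot*` is matched against a process's image path. It assumes, as the thread reports, that a trusted file is auto-allowed in Safe Mode before rules are consulted, so the block rule only bites in Custom Mode; the executable paths and the `dragon.exe`/`iron.exe` file names are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

# CIS 6 keeps files written by virtualised processes under this root (from the thread).
SANDBOX_ROOT = r"C:\VTRoot"


def normalise(path: str) -> str:
    """Windows paths are case-insensitive; compare lower-case with backslashes only."""
    return path.replace("/", "\\").lower()


@dataclass(frozen=True)
class AppRule:
    pattern: str  # a file-group pattern such as C:\VTRoot* (wildcards as in fnmatch)
    action: str   # "block", "ask" or "allow"


def is_stored_in_sandbox(image_path: str) -> bool:
    """True when the executable itself lives under the sandbox root.

    A program installed normally and merely *run* virtualised keeps its real
    image path, so it is not 'stored' and a VTRoot rule will not match it.
    """
    return normalise(image_path).startswith(normalise(SANDBOX_ROOT) + "\\")


def first_matching_rule(rules, image_path):
    """Application rules are evaluated top-down; the first match wins."""
    candidate = normalise(image_path)
    for rule in rules:
        if fnmatch.fnmatchcase(candidate, normalise(rule.pattern)):
            return rule
    return None


def decide(rules, image_path, trusted, mode="custom"):
    """Return the firewall decision for a process image.

    Assumption modelling the thread's report: in Safe Mode a trusted (safe)
    file is allowed before the rule list is consulted, which is why a rule
    on a trusted browser only takes effect in Custom Mode.
    """
    if mode == "safe" and trusted:
        return "allow"
    rule = first_matching_rule(rules, image_path)
    if rule is not None:
        return rule.action
    # No rule: both modes fall back to asking the user.
    return "ask"


if __name__ == "__main__":
    rules = [AppRule(r"C:\VTRoot*", "block")]  # the blocked file group from the thread
    # Constructed paths: a normally installed Dragon run as FV, and a stored Iron.
    dragon = r"C:\Program Files\Comodo\Dragon\dragon.exe"
    iron = r"C:\VTRoot\HarddiskVolume1\SRWareIronTest\SRWareIron\iron.exe"
    print("dragon stored:", is_stored_in_sandbox(dragon), "->", decide(rules, dragon, True, "safe"))
    print("iron stored:", is_stored_in_sandbox(iron), "->", decide(rules, iron, True, "custom"))
```

Running it reproduces the thread's observations: the non-stored Dragon is allowed out (no match, trusted, Safe Mode), the stored Iron is blocked only in Custom Mode, and an unknown file stored in the sandbox is blocked even in Safe Mode.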

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Ok, I can confirm this works for known apps; I'm still to test with unknown apps.
If the rule is block, no connection is allowed; if ask, an alert is issued  :-TU
I can also confirm that the file will obey this rule if it's only "stored" in the sandbox. In the context of unknown apps this could be a good thing... if the BB is set to FV the unknown app will/can only be running in the sandbox, hence a FW alert, if my understanding of this is correct?
« Last Edit: February 25, 2013, 12:12:41 PM by treefrogs »
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Ok, I can confirm this works for known apps; I'm still to test with unknown apps.
If the rule is block, no connection is allowed; if ask, an alert is issued  :-TU
I can also confirm that the file will only obey this rule if it's only "stored" in the sandbox. In the context of unknown apps this could be a good thing... if the BB is set to FV the unknown app will/can only be running in the sandbox, hence a FW alert, if my understanding of this is correct?
Yes, barring bugs and shared space, that is correct. But Chiron is trying to deal with hybrid FV/NVirt issues too, also autovirtualisation, which means the executable may not be stored in the sandbox.

Personally I think a solution to the browser Leakout problem  may be able to be evolved, Chiron. Make the default browser for FV the stored instance maybe? You can have a different default browser in Kiosk, not sure if it applies to all browsers invoked by FV processes though. Hopefully it does.

This may bring us closer to a general solution, hopefully.

« Last Edit: February 25, 2013, 12:24:38 PM by mouse1 »

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
There's a drawback here: a rule is created around an app that's only installed in the sandbox, and when the sandbox is reset the app is deleted and the rule fails.

I'm in the process of testing the leakout test here - https://forums.comodo.com/leak-testingattacksvulnerability-research/kiosk-vulnerable-to-simple-simple-leaktest-t91731.0.html
I have run this once and it seems the data leaked, no alert. I need to retest this though...
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
There's a drawback here: a rule is created around an app that's only installed in the sandbox, and when the sandbox is reset the app is deleted and the rule fails.

I'm in the process of testing the leakout test here - https://forums.comodo.com/leak-testingattacksvulnerability-research/kiosk-vulnerable-to-simple-simple-leaktest-t91731.0.html
I have run this once and it seems the data leaked, no alert. I need to retest this though...
It's a difficult one. It uses the default browser, so not virtualised/stored, unless you change this. You need to start with the browser closed.

I agree re the drawback. But you could just keep copying portable browser installations across at each reset. However you can automate the reset - I have a batch file. Not sure about the default browser registration, that might be complex.

That's why I said evolved...

But it may be simpler to wait for Comodo to sort it out. Use the above facility as a bit of extra security meanwhile.

Mouse
« Last Edit: February 25, 2013, 12:53:16 PM by mouse1 »

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Remember with leakout it's the browser that does the leaking, the browser that needs the rule, so the browser that needs to be stored.

So it's not really a direct test of 'unknowns'

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
So it's not really a direct test of 'unknowns'

OK got it... I think  :)
I installed SRWIron as the stored app, then made it default and then ran the test. So there is no alert as SRWIron is trusted?

Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
OK got it... I think  :)
I installed SRWIron as the stored app, then made it default and then ran the test. So there is no alert as SRWIron is trusted?
Yes, you need to be in custom mode with your two rules for this.

You also need to ensure that SWIron is not installed outside the sandbox.

If it is installed outside the sandbox you either need the shortcut trick and the sandbox exemption in place to make sure you run the right instance (or you need to start it from Explorer by double-clicking on the right executable, but, care needed, check file creation dates/times).

And that SWIron is closed, I think, as well (debatable).

Given all this you should get an alert/block.


Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
But after the first time you allow a firewall alert to allow your default browser to access the internet in the FV environment, wouldn't that therefore create a rule such that if I ran the leak-test it would be allowed to access the internet, as I had already allowed Dragon?

Therefore, unless you want the FV environment to always be blocked I don't see how this solves the problem.

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
But after the first time you allow a firewall alert to allow your default browser to access the internet in the FV environment, wouldn't that therefore create a rule such that if I ran the leak-test it would be allowed to access the internet, as I had already allowed Dragon?

Therefore, unless you want the FV environment to always be blocked I don't see how this solves the problem.
It blocks just those stored in the sandbox. So you can use a non-default, non-stored FV browser [edit: for other things].

You can separately set what browser is used for a range of things, incidentally.

Inconvenient though.

Mouse
« Last Edit: February 25, 2013, 04:38:00 PM by mouse1 »

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Ok, I don't use SW Iron; this is why I'm using it as the stored app.
I first installed it and set it to default as a FV app,
created the rule to block,
closed SW Iron and ran leakout.....
no data leak, the rule blocked it.
I then edited the rule to ask and repeated the test....
SW Iron opened but I got a connection alert.

I repeated the whole thing but whilst in the kiosk. I know it's the same as running FV but figured I'd still check  :)
I get the exact same results.
CIS either blocks or asks (dependent on the rule) before leakout can connect to the net.

As Mouse1 states, the browser needs to be closed for this to function correctly.

I'm happy I could replicate this and, although this is an involved process, it shows that CIS can defend against this leak whilst in a FV environment.

Thanks for your patience whilst I stumbled through this  :)

Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Ok, I don't use SW Iron; this is why I'm using it as the stored app.
I first installed it and set it to default as a FV app,
created the rule to block,
closed SW Iron and ran leakout.....
no data leak, the rule blocked it.
I then edited the rule to ask and repeated the test....
SW Iron opened but I got a connection alert.

I repeated the whole thing but whilst in the kiosk. I know it's the same as running FV but figured I'd still check  :)
I get the exact same results.
CIS either blocks or asks (dependent on the rule) before leakout can connect to the net.

As Mouse1 states, the browser needs to be closed for this to function correctly.

I'm happy I could replicate this and, although this is an involved process, it shows that CIS can defend against this leak whilst in a FV environment.

Thanks for your patience whilst I stumbled through this  :)
No problem, your testing is really helpful. You know you need to be careful, which many people don't.

Just to make sure all is OK would you mind testing direct web access by an unknown file? You should only need FW safe mode (without extra FW rules), but with all precautions above, to get an alert.

BTW, did you run SWIron from a desktop shortcut? If so, where did the desktop shortcut point? (You will probably need to navigate into VTRoot to check this.)

Best wishes

Mouse

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Ok, I have retested this with an unknown file with the FW in safe mode.
With the FW rule set to block, web access was denied;
with the FW rule set to ask, an alert was issued asking for web access.
I have only managed to test this with one unknown file though at present.

I created a custom folder for SWIron and then ran the installer virtualised.
I did create a shortcut; it installed in VTRoot/Harddiskvolume1/SRWareIronTest/SRWareIron.

I also got the same results by running the installer sandboxed, then creating the rule,
then entering the kiosk. Because SWIron was installed virtually it creates a shortcut in the kiosk.

Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
I have noticed that the sandbox has failed to reset after this last test.
I hit the reset sandbox button and get the error message "An error occurred while resetting the sandbox".
CIS task manager shows one task running: resetting sandbox.
Screen attached.

I'm going to retest with more/different unknown files as I appear to be getting inconsistent results.

Edit: attached screen

[attachment deleted by admin]
« Last Edit: February 27, 2013, 03:09:31 AM by treefrogs »
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox
