Topic: Auto Containment: 'Any' vs Selecting all options in 'Files Created by Process'

ReeceN
Hi,

I was wondering if there is any advantage to changing the 'Auto Containment' rule that lists all available options in 'Files Created by Process(es)'.

Instead of having all options selected under 'Files Created by Process(es)', would there be any advantage to changing this to 'Any'?



Kind regards,

Reece

kyl
All applications *.* may be useful for running virtually unknown file extensions that don't belong to any of these groups, but I don't know, I'm just guessing.

ReeceN
Yeah I agree kyl.

I'm then just wondering why 'Any' is not the default option.

Just seems like a potential loophole to me.

futuretech (Global Moderator)
The default auto-containment rules are set up to only contain unknowns that are introduced to the system after CIS is installed. Currently, unknowns that are present before CIS is installed will run without issue, but when you switch to the proactive config all unknowns are contained. It is assumed that the system is clean, or that you trust what you already had installed prior to installing CIS.

ReeceN
Thanks futuretech for your knowledgeable input :).

I hear what you're saying.

What are your thoughts regarding new malware being introduced via methods not defined in the default 'file groups' listed in the default 'auto containment' rules?

For example, let's take a hypothetical file called malware.exe that I saved onto a drive from another system. Say a Linux dual boot, for example (Linux/Windows), or possibly even by saving a file directly into a VM's storage space (Windows installed in the VM) from outside the VM.

Let's also say I didn't run the file on the Windows system for 3 days.

What I am trying to do here is evade the default containment rules.

So, we end up with a file that was put onto the disk by an application not listed, from a source that is not internet, intranet or removable media, and that is older than 3 days.

If I then booted up the Windows system, I would expect the file to now evade containment as it does not meet the rules (at least until it is uploaded and then blocked when it's found to be malware). Nevertheless, this should give me a window of opportunity for the malware to execute. At least in theory, anyway.

So really what I am wondering here is, if such a loophole can be made, why not just change the settings to sandbox all unknown files (I accept that these will just be new files blocked)?

Is there some sort of compatibility reason Comodo is trying to get round by specifying only specific file types to be contained after the 3 days?

Would really love to know the logic behind it. :)

Thanks as always!

Reece

futuretech (Global Moderator)
That is such a small and unlikely use case, but the default is a balance between usability and security. If you want the most protection you should switch to the proactive configuration, as that is what it is used for.
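To make the discussion above concrete, here is a small Python model of how the three conditions in a containment rule (creating process group, file origin, file age) combine, and what changing only 'Files Created by Process(es)' to 'Any' does for the scenario Reece describes. This is an added, constructed illustration, not code from the thread, from Comodo, or from CIS itself. It assumes the conditions within one rule are AND-ed (a file is contained only when every condition matches), that "proactive" behaves as a single rule that contains every unknown file, and the group names and sample file events are made-up labels rather than real CIS identifiers.

```python
"""Toy model of auto-containment rule evaluation (constructed illustration).

Assumptions (not verified against CIS): an unknown file is contained when
ALL of a rule's conditions match; a condition set to None means 'Any'.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class FileEvent:
    path: str
    rating: str        # "trusted", "unknown" or "malicious"
    created_by: str    # process group that wrote the file, or "unlisted"
    origin: str        # "internet", "intranet", "removable" or "local"
    age_days: int      # days since the file appeared on disk


@dataclass(frozen=True)
class ContainRule:
    name: str
    created_by: Optional[Set[str]]   # None == 'Any' process group
    origins: Optional[Set[str]]      # None == 'Any' origin
    max_age_days: Optional[int]      # None == no age condition

    def matches(self, ev: FileEvent) -> bool:
        """Return True when every configured condition holds for the event."""
        if ev.rating != "unknown":
            return False                       # rules here only target unknowns
        if self.created_by is not None and ev.created_by not in self.created_by:
            return False
        if self.origins is not None and ev.origin not in self.origins:
            return False
        if self.max_age_days is not None and ev.age_days >= self.max_age_days:
            return False
        return True


# Constructed group names standing in for the enumerated groups in the
# default rule; they are labels for this model, not CIS file-group names.
LISTED_GROUPS = {"web_browsers", "email_clients", "file_archivers"}
LISTED_ORIGINS = {"internet", "intranet", "removable"}


def default_policy() -> List[ContainRule]:
    """Model of the default rule: listed groups, listed origins, under 3 days."""
    return [ContainRule("default", LISTED_GROUPS, LISTED_ORIGINS, 3)]


def created_by_any_policy() -> List[ContainRule]:
    """Same as default but 'Files Created by Process(es)' switched to 'Any'."""
    return [ContainRule("created-by-any", None, LISTED_ORIGINS, 3)]


def contain_all_unknown_policy() -> List[ContainRule]:
    """Model of the proactive behaviour: contain every unknown file."""
    return [ContainRule("all-unknown", None, None, None)]


def decide(policy: List[ContainRule], ev: FileEvent) -> str:
    """First matching rule wins; no match means the file is allowed to run."""
    for rule in policy:
        if rule.matches(ev):
            return "contain:" + rule.name
    return "run"


# Constructed sample events. SCENARIO is the thread's hypothetical: written by
# an unlisted process, local origin, already 3 days old.
DOWNLOAD = FileEvent("C:/Users/u/Downloads/setup.exe", "unknown", "web_browsers", "internet", 0)
SCENARIO = FileEvent("D:/transfer/malware.exe", "unknown", "unlisted", "local", 3)
PREINSTALLED = FileEvent("C:/Program Files/app/app.exe", "trusted", "unlisted", "local", 400)


def audit(policy: List[ContainRule]) -> dict:
    """Decision for each sample event under one policy, keyed by path."""
    return {ev.path: decide(policy, ev) for ev in (DOWNLOAD, SCENARIO, PREINSTALLED)}


if __name__ == "__main__":
    for make in (default_policy, created_by_any_policy, contain_all_unknown_policy):
        print(make.__name__, audit(make()))
```

Under these assumptions the run shows that the scenario file is not contained by the default rule, and is still not contained after only the process-group condition is widened to 'Any', because the origin and age conditions still exclude it; only the contain-all-unknowns policy (what futuretech points to as proactive) catches it, at the cost of also containing every other unknown file.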
