Author Topic: Auto-Containment 3 days rule  (Read 106 times)

Offline Lonely Office Chair 3.0

  • Newbie
  • Posts: 14
Auto-Containment 3 days rule
« on: June 24, 2019, 07:42:49 AM »
Hi there,

I have a question regarding the rule to contain unknown applications that are more than 3 days old.

This rule was added with CIS 10 if I'm correct. Before that, Comodo used to ignore everything that was already on the system regardless of age.
I remember this being an issue with some tests on YouTube (and probably other tests like av-test.org) back in the day, where people would drag and drop malware files directly into their virtual machines, which were then not sandboxed and counted as a miss.

I, however, found the old ruleset much more user-friendly and seamless when it came to lesser-known games from Steam, for example.

So if I were to disable the file age rule and just use the remaining ones (downloaded from internet, external drive etc.), would that realistically reduce the security?

In other words: Was this rule added for any other reason than to improve testing scores? Is it possible that malware could be dropped (Word macro or something) in a way that it would be ignored by all the rules except the file age one? I mean, Comodo does have exploit protection through command line analysis, right?

Looking forward to hearing from a developer or maybe a hobbyist who tested this extensively ;-)

Cheers,
Lonely Office Chair 3.0

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • Posts: 4285
Re: Auto-Containment 3 days rule
« Reply #1 on: June 25, 2019, 10:57:35 AM »
*less than 3 days old. The rule is mostly used to auto-contain scripts created from the embedded code detection feature, the ones that get saved into the ProgramData\Comodo\Cis\tempscrpt folder. And it should also deal with downloaded executables and scripts that are downloaded through office macros, as you mentioned.

 
