Author Topic: For the moment I have abandoned CIS & CAV  (Read 1158 times)

Offline NDABBRU

  • Comodo's Hero
  • Posts: 384
For the moment I have abandoned CIS & CAV
« on: December 24, 2019, 09:11:49 AM »

Hello,

For the moment I have abandoned CIS and CAV (6882).

I did a test with a malware sample known to VirusTotal, to about 50 antivirus vendors (the largest and also the smallest ones), that was not detected by COMODO's definitions. This malware is placed in the sandbox and attempts connections to IP addresses, which are obviously blocked by the firewall. But the application remains running and Viruscope does not intervene; it lets it run in the sandbox, continuing to attempt connections to IP addresses (blocked by the firewall). Only if you reset the sandbox or restart your PC will the application stop. With the firewall it is easy, although I expected that, being a malicious app, Viruscope should have stopped it. The problem arises in CAV, or in CIS with the firewall disabled: the app is run in the sandbox (therefore it does not create problems for the operating system) but makes connections to IP addresses. So I don't like this, that it connects to IP addresses without CAV or CIS (without firewall) intervening to stop it.

I did a test with Kaspersky Security Cloud Free. I deactivated the file protection, otherwise it would have immediately deleted it (which CAV and CIS do not), and as soon as I ran the malware the application control system blocked it immediately after running it and then it was eliminated. I would say a perfect execution by KSC.

So I decided to reinstall CIS (which still has many instability problems) and to switch to KSC Free, with which I feel more protected.

Then possibly in the future, if the various problems with CIS are solved and the detection is improved, I will be able to return to CIS, which I like at the level of its structure, but it must be much improved.

If I can recover the malware in question again, I will put it in the test section of the forum with the details.
Nunzio

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • Posts: 1129
  • 'Your best teacher, is your last mistake'
    • CIS Help
Re: For the moment I have abandoned CIS & CAV
« Reply #1 on: December 24, 2019, 09:29:08 AM »
You may as well disable everything and claim CIS doesn't work.

You would have had several warnings as any of this occurred, and you obviously do not understand the principle and working of Containment in CIS: Containment
Ploget
All Win10x64 Pro 1909 (18363.752) systems  /  CIS 2020 v.12.2.2.7036 RC
Comodo Forum Policy / CIS Help

Offline NDABBRU

  • Comodo's Hero
  • Posts: 384
Re: For the moment I have abandoned CIS & CAV
« Reply #2 on: December 24, 2019, 09:41:16 AM »
Maybe the containment system is not very clear to me, but CIS with the firewall active works by blocking outgoing connections, and therefore OK; but the malicious app continues to be running, continuing to try outgoing connections, and the firewall blocks them. Why doesn't Viruscope intervene by killing the malicious app?

CAV (CIS without firewall), even with containment active and functional, allows outgoing connections without Viruscope intervening. What data are transmitted out from my PC? Where's the security?

Maybe I'm not an expert and something escapes me, but sincerely I prefer the intervention of KSC Free, which immediately blocks everything.
Nunzio

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • Posts: 1129
  • 'Your best teacher, is your last mistake'
    • CIS Help
Re: For the moment I have abandoned CIS & CAV
« Reply #3 on: December 24, 2019, 09:54:17 AM »
Hi Nunzio . . . The 'virus' or unknown is not stopped by the firewall and is not contacting anyone - it is in containment.

If you feel better using an AV that stops a chosen virus (assuming their engineers are updating the program to recognize the 200,000+ released every day!) then go right ahead, but until you can find and post anything / any virus that can actually breach CIS protection, it is advisable not to create posts to that effect and incorrectly state how it works.
« Last Edit: December 24, 2019, 09:56:41 AM by Ploget »
Ploget

Offline NDABBRU

  • Comodo's Hero
  • Posts: 384
Re: For the moment I have abandoned CIS & CAV
« Reply #4 on: December 24, 2019, 10:00:34 AM »
So, a clarification: if it is in containment and makes outgoing connections that are not blocked by the firewall, in the case of CAV, can I still feel comfortable? Mine is a simple, non-security question; I noticed this behavior in CIS / CAV. It is a clarification post with you, who are surely more experienced than me in terms of security. If this behavior is safe then I go back to CIS / CAV.
Nunzio

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • Posts: 1129
  • 'Your best teacher, is your last mistake'
    • CIS Help
Re: For the moment I have abandoned CIS & CAV
« Reply #5 on: December 24, 2019, 10:02:32 AM »
The link I sent you previously gives all the info you should need and explains everything . . . apart from that, it is quite interesting.  ;)
Ploget

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • Posts: 4589
Re: For the moment I have abandoned CIS & CAV
« Reply #6 on: December 24, 2019, 10:02:46 AM »
I split this discussion from the release topic as it is off topic.

Offline Jon79

  • Comodo's Hero
  • Posts: 1103
Re: For the moment I have abandoned CIS & CAV
« Reply #7 on: December 24, 2019, 11:06:21 AM »
This was a very useful CCAV feature, and I made a wish to implement it in CAV too:
https://forums.comodo.com/wishlist-cis/add-network-traffic-control-over-apps-running-inside-the-container-t122202.0.html;msg877545#msg877545

Offline mmalheiros

  • Comodo Loves me
  • Posts: 196
Re: For the moment I have abandoned CIS & CAV
« Reply #8 on: December 25, 2019, 03:41:55 AM »
Check the "Run Virtually for all Unknowns" Auto-Containment rule. Right-click on it, Edit, modify it to "Run Restricted", then Options. Set restriction level > Untrusted.

The malware should not be able to connect at the Untrusted level, due to being unable to access the Windows Sockets interface.

You may as well switch your Auto-Containment rule for Unknowns to Block, so you turn CIS/CAV into anti-executable software. Anything that is not on the whitelist is blocked from executing in the first place. Kaspersky only offers a feature similar to this (blocking the execution of things not in the whitelist) in its paid editions.
« Last Edit: December 25, 2019, 03:50:44 AM by mmalheiros »
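A host-side check for the question this thread keeps circling: is the contained process actually reaching out, and how do you deny its egress when the suite's own firewall is off (CAV, or CIS with the firewall disabled)? This is an added example, not code from the forum thread or from Comodo. It uses only the built-in Windows NetTCPIP and NetSecurity cmdlets; the executable path, process name and rule name are placeholders (assumptions). The Windows host firewall rule in step 2 is a separate, swapped-in mechanism and is not what the post above recommends (the Untrusted restriction level, or Block); it does not change any Comodo setting.

```powershell
# Added example: not from the Comodo forum thread and not Comodo tooling.
# For one unknown executable this shows (1) whether its running instances
# have outbound TCP connections in flight or established, and (2) how to
# deny its egress with the Windows host firewall when no third-party
# firewall is active. Run from an elevated PowerShell on Windows 8 /
# Server 2012 or later. $ExePath and the rule name are placeholders
# (assumptions), not real samples.

param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath   # e.g. 'C:\Users\me\Downloads\sample.exe' (placeholder)
)

$procName = [System.IO.Path]::GetFileNameWithoutExtension($ExePath)
$ruleName = "Block outbound - $procName (containment test)"

# 1. What is the sample doing on the wire right now? A contained process is
#    still an ordinary host process as far as the TCP/IP stack is concerned,
#    so its sockets are visible here. SynSent = connect() attempt in flight
#    (what a firewall block looks like from the inside); Established = the
#    attempt succeeded and data can flow.
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "No running process named '$procName'; start the sample first."
}
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in @('SynSent', 'Established') } |
        Select-Object OwningProcess, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize

    # UDP has no handshake, so only bound endpoints can be listed, not success.
    Get-NetUDPEndpoint -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, LocalAddress, LocalPort |
        Format-Table -AutoSize
}

# 2. Deny egress for this executable at the host firewall. This is
#    independent of the AV suite and is a different mechanism from the
#    thread's answer (the Untrusted restriction level, which removes
#    Winsock access inside the container). Created once; re-runs are no-ops.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Program $ExePath -Profile Any -Enabled True | Out-Null
    Write-Host "Created outbound block rule '$ruleName' for $ExePath"
}

# 3. Confirm the rule is bound to the intended program path.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

Two caveats. The firewall rule is keyed on the image path, so check that `(Get-Process -Name $procName).Path` matches `$ExePath` before trusting it; and a Block rule wins over any Allow rule in Windows Firewall, so this also denies the sample's connections when the program is later whitelisted elsewhere. After the rule is in place, re-running step 1 should show attempts stuck in SynSent and nothing Established.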

Offline NDABBRU

  • Comodo's Hero
  • Posts: 384
Re: For the moment I have abandoned CIS & CAV
« Reply #10 on: December 25, 2019, 03:59:23 AM »
Great!
Yes, I remember this function in CCAV well; in my opinion it was also excellent and should be replicated in CAV.  ;)
Nunzio

Offline NDABBRU

  • Comodo's Hero
  • Posts: 384
Re: For the moment I have abandoned CIS & CAV
« Reply #11 on: December 26, 2019, 04:42:22 AM »

In conclusion, without making any particular changes in the containment settings, if the malware is running in containment, are the outgoing connections it makes to the IP addresses dangerous, as a privacy problem or an exchange of information between my PC and these IP addresses?

Or, being in containment, are these outbound connections to these IP addresses harmless?

This is what is indicated in the guide:

"The files in the container are isolated from other processes, write to a virtual file system and registry, and cannot access user data."

Obviously assuming the firewall is disabled in CIS, or using CAV, which does not have the firewall.

If this doubt is clarified, I return to CIS / CAV ;) :D

Thank you. :D
Nunzio

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • Posts: 1129
  • 'Your best teacher, is your last mistake'
    • CIS Help
Re: For the moment I have abandoned CIS & CAV
« Reply #12 on: December 26, 2019, 04:58:54 AM »
You have been reassured; explanations and the relevant links have been given to you several times now. All these questions have been answered . . . needless repetition isn't going to change them.
Ploget

Offline NDABBRU

  • Comodo's Hero
  • Posts: 384
Re: For the moment I have abandoned CIS & CAV
« Reply #13 on: December 26, 2019, 05:02:33 AM »
Ok so those outgoing connections are harmless.

Return to CIS / CAV. ;)

Thank you. :D
Nunzio

Offline kyl

  • Comodo Loves me
  • Posts: 163
Re: For the moment I have abandoned CIS & CAV
« Reply #14 on: December 26, 2019, 05:03:09 AM »
8) :P