A great feature suggestion for Defence Plus

Ok, I have a feature request/suggestion that is very important in my opinion.

Think of a scenario. I am using CIS with AV, Defence Plus, Firewall and Sandbox turned ON with default settings. For some reason I turned off Defence Plus temporarily, I went to some web sites and got hit by a zero-day malware that was not detected by Comodo AV (it got installed on the system, put itself in Windows autorun and started running in memory as Defence Plus was off).

Now I turned ON Defence Plus after a while. I am completely unaware that a malware is running in my system.

In spite of a great security suite, I will not get any alert about this malware just because there was a window period during which Defence Plus was off.

I would like to have a feature in Defence Plus where it will monitor running processes against its White List. If it finds a process that is not in the white list and has no Allowed rules in the Defence Plus policy, it will give an alert or, better still, will immediately sandbox this process to isolate it from the rest of the system, or just terminate it.

The process monitoring by Defence Plus may be:

  • Continuous/Real Time: though it may cause a lot of CPU spikes; maybe they can use the technology of BOClean for it, if it's still there. OR

  • Intermittent: like say every 5 or 10 seconds, though it will give less protection. OR

  • Event Related: like say Defence Plus will rapidly monitor all running processes just once each time it's turned ON from the turned-off state (to see if there are any processes not in the white list or without rules). This will use the least system resources.

Such a feature was there in System Safety Monitor. It used to give an alert if you turned it off, ran an application that had no rules in SSM's policy (rules) and then turned it ON again. See the pic.

I would like to know what Comodo developers think about this feature. Thanks a lot. Please, forum members, give your feedback too.

[attachment deleted by admin]
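As an added example (not code from the original post or from Comodo), here is the "Event Related" variant sketched above in Python: run once on the Off-to-On transition over a constructed snapshot of running processes, check each image against a hash white list, then against first-match path rules, and flag anything with no verdict. The white list contents, policy rules, paths and image bytes are all made-up assumptions.

```python
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    path: str
    sha256: str


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed White List keyed by image hash (hypothetical, not Comodo's list).
WHITE_LIST = {sha256_of(b"explorer-image-v1"), sha256_of(b"cfp-image-v1")}

# Constructed policy rules as (path glob, verdict); first match wins.
# A process that matches nothing is "unknown": the gap described in the post.
POLICY = [
    (r"C:\Program Files\Trusted*\*.exe", "allow"),
    (r"C:\Users\*\AppData\Local\Temp\*.exe", "block"),
]

# Constructed snapshot of what is running when the HIPS is switched back on.
SNAPSHOT = [
    Process(1200, r"C:\Windows\explorer.exe", sha256_of(b"explorer-image-v1")),
    Process(2210, r"C:\Program Files\TrustedApp\app.exe", sha256_of(b"app-v1")),
    Process(3340, r"C:\Users\aigle\AppData\Local\Temp\xyz.exe", sha256_of(b"xyz-v1")),
    Process(4410, r"C:\Users\aigle\Downloads\update.exe", sha256_of(b"upd-v1")),
]


def verdict_for(proc: Process) -> str:
    """Hash white list first, then path rules; Windows paths compare case-insensitively."""
    if proc.sha256 in WHITE_LIST:
        return "trusted"
    for pattern, action in POLICY:
        if fnmatch.fnmatchcase(proc.path.lower(), pattern.lower()):
            return action
    return "unknown"


def audit_on_enable(snapshot) -> dict:
    """One-shot audit on the Off->On transition: {pid: (verdict, action)}."""
    actions = {"unknown": "sandbox", "block": "terminate"}
    return {p.pid: (verdict_for(p), actions.get(verdict_for(p), "none")) for p in snapshot}
```

Running `audit_on_enable(SNAPSHOT)` reports the Downloads process as unknown and marks it for sandboxing, which is exactly the process a normal HIPS would never prompt for because it started while the HIPS was off.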

Actually that malware process would immediately be sandboxed after you turn the sandbox back on.

I’ve tested this sort of thing in VMPlayer. I infected the system and then installed CIS. It immediately sandboxed the running files. Of course whatever damage was done was done, but at least the files would be sandboxed again.

No, it does not do this at all. Rather, a non-whitelisted process remains un-sandboxed in this case. You can test this with non-malicious software which is not yet whitelisted by Comodo.

Switch off Defence Plus, run the file xyz.exe, let it run in memory. Now switch on Defence Plus and check in the CIS process explorer: xyz.exe will be running unsandboxed.

aigle- Were you also not using Sandboxie at the time you got infected?

~Maxx~

I don't use Sandboxie. And I was never infected. I just posted a scenario.

Hmm… seems no one is interested in such a feature.

I thought if Defense+ is in Safe Mode the process will be sandboxed. Clean PC is another story though…

Can you confirm that this same behavior happens in Safe Mode? Why would rules have been made for it, and why would they have been made? I see no other reason it would not have been sandboxed unless this is a bug.

I tried many times. It will not be sandboxed.

Safe mode

Sandbox: disabled
Verdict: unknown

Did the unknown exe get automatically added to the trusted files list? I have had problems with this happening. See https://forums.comodo.com/format-verified-issue-reports-cis/unrecognized-file-marked-as-trusted-issue-262-t61787.0.html

No, it does not.