A request on behalf of those of us who block the unknown instead of containing

The container is all well and good, but some of us like to block all unknown files instead of letting them run contained.

As everyone here is probably well aware, the container can identify malware REALLY fast, because if it’s malware, it’s going to try to access loads of stuff that triggers the recognizer; if it’s not malware, it just does its thing inside the sandbox and nothing of note happens.

The unknown sample is submitted to the cloud either way, but when the unknown file is only blocked the result from the cloud takes more than a week to come back…if it ever comes back at all before our own preferred second opinion scans detect it.

Give your users options: process unknown submissions that aren’t run in containment by the user with a higher priority than submissions that were sandboxed… Anyone who runs unknown files in the container can quickly figure out what’s good and what’s bad.

People who choose to block things unknown to Comodo need a timely answer. I don’t know the inner workings of your company or what kinds of machines Valkyrie is running on. But Bitdefender is able to identify unknown malware from file submissions and add them to their database in a matter of seconds.

With a whitelisting application, it’s not as high of a priority, but it shouldn’t require more than a day for a file submission to get identified.

There is such an option for the user to choose whether the current file should be run in the container or not when the file is contained for the first time.

I don’t think that ANYONE has the knowledge to figure out whether a file is good or bad, let alone QUICKLY FIGURE OUT. This is why COMODO develops the advanced default-deny technology to protect the general users.

However, I really agree that the response of online analysis should be improved.


The behaviour analysis in the container figures it out within that amount of time…most of the time. Especially if it’s ransomware.

Doesn’t that option just run it uncontained with no restrictions the next time it runs?

I’m talking about those of us who choose in the container settings to “block” instead of “run virtually”.