about the private data

I double clicked on the malware.

It copies all document files on the local drive and then pastes them into the folder

C:\temp\

It is trying to connect to the Internet.

I think that the firewall should not allow requests by default, so that the private data
cannot be transmitted to the Internet.

FVS report:
https://valkyrie.comodo.com/Result.html?sha1=b297ff8c824bfc7e2257039a2fe20ea6ad5ff350

CIMA report:
http://camas.comodo.com/cgi-bin/submit?file=707d977bdc059fe3671aebc585ba2e9dafe8136d4bbb6459daf91af242c6d699

What is your D+ and sandbox level set to? Are you saying D+ allowed the malware to run, but the firewall stopped it from accessing the internet? It looks like the firewall stopped it by default because it is not in the safe list.

The default setting for the firewall is to not show alerts and allow all outgoing requests. The first post is giving a reason to change the default settings because outgoing requests can be used to send stolen information back to hackers.

I agree that the firewall shouldn’t allow all outgoing requests by default.

Comodo should have a read out protection like other HIPSes.

No, the default setting is to allow applications in the safe list to access the internet and ask for any unknown application.

There was no breach because Comodo asked if the program could connect. Unless you select allow, it won’t. If the sandbox was set properly, the malware would not have been allowed to do anything either.


In the auto mode, this one is checked by default.

In the safe mode,

(1) The firewall allows “unsandboxed applications” to access the internet.

(2) The firewall allows “sandboxed applications” trusted in the network security policy to access the internet,
for example Windows Updater Applications and Windows System Applications.

(3) The firewall asks for any other “sandboxed application”.

Conclusion:
If the user enables “partially limited”, the applications in the application rules of the network security policy must be removed, so that CIS can pop up alert windows for all sandboxed processes.

For example:
trojan Carberp

2011-11-06 22:06:26 C:\Documents and Settings\Roger\桌面\virus\calc\info.exe Sandboxed As Partially Limited

2011-11-06 22:06:33 C:\WINDOWS\system32\svchost.exe Sandboxed As Partially Limited

2011-11-06 22:06:34 C:\WINDOWS\system32\svchost.exe Sandboxed As Partially Limited

2011-11-06 22:06:34 C:\WINDOWS\explorer.exe Sandboxed As Partially Limited

2011-11-06 22:06:38 C:\Documents and Settings\Roger\桌面\virus\calc\info.exe Scanned Online and Found Malicious

2011-11-06 22:06:42 C:\Documents and Settings\Roger\桌面\virus\calc\info.exe Direct Memory Access

2011-11-06 22:06:42 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

2011-11-06 22:06:55 C:\WINDOWS\system32\svchost.exe Sandboxed As Partially Limited

2011-11-06 22:07:00 C:\WINDOWS\explorer.exe Access Memory C:\WINDOWS\explorer.exe

2011-11-06 22:07:00 C:\WINDOWS\explorer.exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

2011-11-06 22:07:00 C:\WINDOWS\explorer.exe Modify File C:\Documents and Settings\Roger\「開始」功能表\程式集\啟動\igfxtray.exe

2011-11-06 22:07:00 C:\WINDOWS\explorer.exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609
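As an added example (not from the thread, and not Comodo's code), the Defense+ event format quoted above can be parsed to flag the chain the Carberp trace shows: a process reported as sandboxed that later writes to an autorun location. The log lines, user name and SID below are constructed to mirror the trace; the Run-key and Startup-folder markers are an assumption about which locations are worth alerting on.

```python
import re

# Format of the CIS Defense+ events quoted in the thread:
# "<date> <time> <process path> <event> [<target>]". The path may contain
# spaces, so it is matched lazily and the fixed event names anchor the split.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>.+?) "
    r"(?P<event>Sandboxed As|Scanned Online and Found Malicious|"
    r"Direct Memory Access|Modify Key|Access Memory|Modify File)"
    r"(?: (?P<target>.+))?$"
)

# Lower-cased substrings of persistence locations (assumed set for this example).
AUTORUN_MARKERS = (r"\shell folders\startup", r"\currentversion\run", "\\startup\\")

def parse_event(line):
    """Split one log line into ts/proc/event/target; None if unrecognised."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def touches_autorun(target):
    t = (target or "").lower()
    return any(mark in t for mark in AUTORUN_MARKERS)

def find_persistence(lines):
    """Return (ts, proc, event, target) for each autorun write by a process the
    log earlier reported as sandboxed (svchost/explorer here = injected into)."""
    sandboxed, hits = set(), []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        proc = ev["proc"].lower()
        if ev["event"] == "Sandboxed As":
            sandboxed.add(proc)
        elif (ev["event"] in ("Modify Key", "Modify File")
              and touches_autorun(ev["target"]) and proc in sandboxed):
            hits.append((ev["ts"], ev["proc"], ev["event"], ev["target"]))
    return hits

# Constructed sample modelled on the thread's trace (paths, user and SID invented).
SAMPLE_LOG = r"""
2011-11-06 22:06:26 C:\Documents and Settings\Alice\Desktop\info.exe Sandboxed As Partially Limited
2011-11-06 22:06:33 C:\WINDOWS\system32\svchost.exe Sandboxed As Partially Limited
2011-11-06 22:06:34 C:\WINDOWS\explorer.exe Sandboxed As Partially Limited
2011-11-06 22:06:42 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-EXAMPLE-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
2011-11-06 22:07:00 C:\WINDOWS\explorer.exe Modify File C:\Documents and Settings\Alice\Start Menu\Programs\Startup\igfxtray.exe
2011-11-06 22:07:00 C:\WINDOWS\explorer.exe Modify Key HKUS\S-1-5-21-EXAMPLE-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609
"""
```

Running `find_persistence(SAMPLE_LOG.splitlines())` reports the svchost.exe Startup key write and the explorer.exe Startup-folder file write, but not the Internet Settings zone key.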

It shows how important the Comodo firewall is and what a bad idea it was to disable filtering by default.
I wonder how much private data malware has stolen so far because of the firewall being disabled by default? ???

We have to educate people to use Proactive Security setting until Comodo fixes the problem. :wink:

I think that this is Comodo's problem: to give the best security without exposing users' identities to be stolen.
What is the point of having a firewall when all requests are allowed?

;D

It's a one-way firewall by default.
People don't have a good chance to learn to do the right thing when they already don't know what they've got.

Usability, … if people had failed with two-way firewalls in the past, they would use the Windows firewall today. As they choose things like Comodo, they choose something else. So why make Comodo suddenly behave like the Windows firewall?

Is there any user out there who would say: “Thank you for making this software so user-friendly that I don't even have to have control over what is being sent to the internet! Imagine, I would otherwise have to press allow or block when some malware wanted to send to the internet, but with Comodo this is (already allowed) finally obsolete!”

Doesn't make sense.

Why does CIS popup some “defense+ alert windows” for sandboxed processes by default?

For example: install global hooks, access COM interface.

Are you asking me? As you quoted my post.
Then, what is your question pointing to?

If you ask me, I would say that replacing questions from the firewall with questions from Defense is not
a) saving from making decisions
b) protecting from sending files (first of all, if the user expects a firewall layer later which would ask for the outgoing traffic)

The Firewall alert for svchost.exe shows that when an application is sandboxed the firewall will not allow outgoing traffic by default; it will alert the user. That contradicts your thesis that Application Rules take precedence over the fact that the file is sandboxed.

Most of this hinges on that ridiculous firewall setting - Do not show popup alerts - enabled by default during installation. It also makes a difference which setting you use for unrecognised files.

From what I can see, with ‘Do not show popup alerts’ enabled and ‘Treat unrecognised files as’ set to Partially Limited, an unrecognised application is allowed to access the Internet, albeit with a sandbox alert. If ‘Treat unrecognised files as’ is set to Untrusted or ‘Do not show popup alerts’ is unchecked, the file is either blocked or a firewall alert is generated. I guess it comes down to how useful the sandbox alert is in the first situation.


sandbox security level

XP

1. partially limited

2. limited

3. restricted

4. untrusted

Win7

1. partially limited

2. limited

3. restricted

4. untrusted

etc

These are from KillSwitch, I think, and if so they only give the job restrictions, as I explain here: https://forums.comodo.com/defense-sandbox-help-cis/what-is-the-difference-between-limited-and-restricted-for-sandbox-t78217.0.html;msg559531#msg559531

In addition there are the D+ - not av in killswitch, security (eg SeDebug etc) - av in killswitch, and FW restrictions - not av in killswitch.

Interesting the Win7 differences though. Is this part of enhanced protection?

Mouse