What is your D+ and sandbox level set to? Are you saying D+ allowed the malware to run, but the firewall stopped it from accessing the internet? It looks like the firewall stopped it by default because it is not in the safe list.
The default setting for the firewall is to not show alerts and allow all outgoing requests. The first post is giving a reason to change the default settings because outgoing requests can be used to send stolen information back to hackers.
I agree that the firewall shouldn’t allow all outgoing requests by default.
No, the default setting is to allow applications in the safe list to access the internet and ask for any unknown application.
There was no breach because Comodo asked if the program could connect. Unless you select allow, it won’t. If the sandbox was set properly, the malware would not have been allowed to do anything either.
(1) Firewall allows “unsandboxed applications” to access the internet.
(2) Firewall allows “sandboxed applications” trusted in the network security policy to access the internet.
For example, Windows Updater Applications and Windows System Applications.
(3) Firewall asks for any “sandboxed application”.
Conclusion:
If the user enables “partially limited”, the applications in the application rules of the network security policy must be removed, so that CIS can pop up alert windows for all sandboxed processes.
For example:
Trojan Carberp
2011-11-06 22:06:26 C:\Documents and Settings\Roger\桌面\virus\calc\info.exe Sandboxed As Partially Limited
2011-11-06 22:06:33 C:\WINDOWS\system32\svchost.exe Sandboxed As Partially Limited
2011-11-06 22:06:34 C:\WINDOWS\system32\svchost.exe Sandboxed As Partially Limited
2011-11-06 22:06:34 C:\WINDOWS\explorer.exe Sandboxed As Partially Limited
2011-11-06 22:06:38 C:\Documents and Settings\Roger\桌面\virus\calc\info.exe Scanned Online and Found Malicious
2011-11-06 22:06:42 C:\Documents and Settings\Roger\桌面\virus\calc\info.exe Direct Memory Access
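To make the three rules and the conclusion above concrete, here is an added Python example (not code from the post or from Comodo) that parses the six Defense+ log lines quoted in the post and models the outbound decision for each sandboxed process. The log format is inferred from those six lines, and the small trusted set standing in for the “Windows System Applications” group is an assumption; the real group is larger. Running it with the default trusted rules and again with the rules removed shows why the post says the Application Rules must be removed for every sandboxed process to prompt.

```python
import re

# Constructed sample input: the six Defense+ log lines quoted in the post.
SAMPLE_LOG = """\
2011-11-06 22:06:26 C:\\Documents and Settings\\Roger\\桌面\\virus\\calc\\info.exe Sandboxed As Partially Limited
2011-11-06 22:06:33 C:\\WINDOWS\\system32\\svchost.exe Sandboxed As Partially Limited
2011-11-06 22:06:34 C:\\WINDOWS\\system32\\svchost.exe Sandboxed As Partially Limited
2011-11-06 22:06:34 C:\\WINDOWS\\explorer.exe Sandboxed As Partially Limited
2011-11-06 22:06:38 C:\\Documents and Settings\\Roger\\桌面\\virus\\calc\\info.exe Scanned Online and Found Malicious
2011-11-06 22:06:42 C:\\Documents and Settings\\Roger\\桌面\\virus\\calc\\info.exe Direct Memory Access
"""

# Log format inferred from the quoted lines: timestamp, path, action. The path is
# matched non-greedily because it may contain spaces; the action must be one of
# the three kinds seen in the sample.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<path>.+?) "
    r"(?P<action>Sandboxed As .+|Scanned Online and Found Malicious|Direct Memory Access)$"
)

# Assumed stand-in for the "Windows System Applications" group that the post says
# is trusted in the Network Security Policy (hypothetical, not the real group).
DEFAULT_TRUSTED_RULES = frozenset({"svchost.exe", "explorer.exe"})


def parse_log(text):
    """Turn the log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        events.append({
            "ts": m.group("ts"),
            "path": path,
            "exe": path.rsplit("\\", 1)[-1].lower(),
            "action": m.group("action"),
        })
    return events


def firewall_decision(exe, sandboxed, trusted_rules=DEFAULT_TRUSTED_RULES):
    """Model of the three outbound rules stated in the post."""
    if not sandboxed:
        return "allow"   # rule (1): unsandboxed applications may connect
    if exe in trusted_rules:
        return "allow"   # rule (2): sandboxed but trusted by an Application Rule
    return "ask"         # rule (3): any other sandboxed application prompts


def outbound_decisions(events, trusted_rules=DEFAULT_TRUSTED_RULES):
    """For every executable the log shows being sandboxed, the decision the
    firewall would make on its first outbound connection."""
    sandboxed = {e["exe"] for e in events if e["action"].startswith("Sandboxed As")}
    return {exe: firewall_decision(exe, True, trusted_rules) for exe in sorted(sandboxed)}


def silent_sandboxed_exes(events, trusted_rules=DEFAULT_TRUSTED_RULES):
    """Sandboxed processes that would connect without any alert: the gap the
    post's conclusion is about."""
    decisions = outbound_decisions(events, trusted_rules)
    return sorted(exe for exe, d in decisions.items() if d == "allow")


def timeline(events, exe):
    """Ordered actions recorded for one executable name."""
    return [e["action"] for e in events if e["exe"] == exe]


def flagged_malicious(events):
    """Executables the cloud scan reported as malicious."""
    return sorted({e["exe"] for e in events if e["action"] == "Scanned Online and Found Malicious"})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("default rules :", outbound_decisions(ev))
    print("rules removed :", outbound_decisions(ev, frozenset()))
    print("silent by default:", silent_sandboxed_exes(ev))
    print("found malicious  :", flagged_malicious(ev))
```

With the default trusted set, the sandboxed svchost.exe and explorer.exe launched during the infection come back as “allow” while only info.exe comes back as “ask”; with an empty trusted set every sandboxed process comes back as “ask”, which is the state the post's conclusion asks for.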
It shows how important the Comodo firewall is and what a bad idea it was to disable filtering by default.
I wonder how much private data malware has stolen so far because of the firewall being disabled by default?
I think it is Comodo's problem to give the best security, without exposing users’ identities to being stolen.
What is the point of having a firewall when all requests are allowed?
It's a one-way firewall by default.
People don't have a good chance to learn to do the right thing when they already don't know what they've got.
Usability… if people had failed with two-way firewalls in the past, they would use the Windows firewall today. As they chose things like Comodo, they chose something else. So why suddenly make Comodo behave like the Windows firewall?
Is there any user out there who would say: “Thank you for making this software so user-friendly that I don't even have to have control over what is being sent to the internet! Imagine, otherwise I would have to press allow or block when some malware wanted to send to the internet, but with Comodo this is (already allowed) finally obsolete!”
Are you asking me? As you quoted my post.
Then, what is your question pointing to?
If you ask me, I would say that replacing questions from the firewall with questions from Defense+ is not
a) saving the user from making decisions
b) protecting from files being sent (first of all, if the user expects a firewall layer later that would ask about the outgoing traffic)
The Firewall alert for svchost.exe shows that when an application is sandboxed the firewall will not allow outgoing traffic by default; it will alert the user. That contradicts your thesis that Application Rules take precedence over the fact that the file is sandboxed.
Most of this hinges on that ridiculous firewall setting - Do not show popup alerts - enabled by default during installation. It also makes a difference which setting you use for unrecognised files.
From what I can see, with ‘Do not show popup alerts’ enabled and ‘Treat unrecognised files as’ set to Partially Limited, an unrecognised application is allowed to access the Internet, albeit with a sandbox alert. If ‘Treat unrecognised files as’ is set to Untrusted or ‘Do not show popup alerts’ is unchecked, the file is either blocked or a firewall alert is generated. I guess it comes down to how useful the sandbox alert is in the first situation.