Which Behaviour Blocker setting is the most secure? People seem to have different ideas, etc.
Partially limited
Limited
Restricted
Untrusted
Blocked
Fully Virtualised
I am currently using fully virtualised? :P0l
http://www.testmypcsecurity.com/securitytests/regtest.html
The test2 can terminate the explorer.exe in “fully virtualized”.
Wouldn’t “Blocked” per definition be the most secure against malware? (Yes this is a question)
I think blocked would be more secure than fully virtualized. I would sooner stop it at the door rather than letting it run even virtualized, and remember the Comodo virtualization is relatively young and we don't know how truly virtual it is. :o
I used to run “Blocked” but in that setting it doesn’t generate an alert when something is blocked, it just blocks it silently. I along with a very few other people have requested to have alerts when something is blocked but doesn’t seem like Comodo likes that idea. =/
It’s as virtual as the manual sandbox has always been…
I think alerts can be turned on in the GUI. Personally I would choose out of 3 options, which are untrusted, blocked and fully virtualized. I find the above test strange because how could a test malware close down explorer.exe in a virtualized environment?
No, the previous manual sandboxes were not virtual by any means. They enforced limitations and restrictions but it was not truly virtual.
Virtualbox and vmware are true virtualization products but the comodo sandbox was not.
In version 6 this has been to a degree implemented but not in version 5.
No, the manual sandbox has always been virtualized. It is only the automatic sandbox in the previous versions that was restriction based.
Hmm, well, with all due good respect to you I would tend to differ here. Version 6 is the only Comodo suite that has FULL virtualization abilities.
Previous versions were purely restriction (drop my rights) sort of sandboxes.
There is a huge difference between a restriction policy and true virtualization. >:-D
Nope, sorry… There were two sandboxes in previous versions. (Starting with version 4, when the sandbox was introduced) The manual sandbox which was a fully virtualized environment, and the automatic sandbox, which was restriction based.
You can read the Sandbox FAQ if you don’t believe me.
Trusted malware can easily bypass the Blocked setting.
How has malware become trusted?
Wouldn’t trusted malware bypass any BB at the moment? Since BB only act upon unrecognized/unknown files?
Like I have mentioned before in another thread, the power of any security suite is in the white and blacklisting.
The BB and HIPS are nothing without a solid and accurate whitelist.
Although one of the previous comments in regard to malware being trusted hardly incurs a lot of faith in the comodo whitelists.
It actually gets quite worrying to think that malware could be sitting in the whitelist and the end users are unknowingly allowing malware to be installed based on the comodo whitelist.
Whether we like it or not the end users security is based upon the credibility of the whitelists and trusted vendors.
How do we know the vendors in that list can be trusted, and upon whose authority is this based?
Until the white and black lists are in some trustful order then the security components are redundant.
Please explain to me why HIPS is dependent on a good whitelist? I use it to control trusted applications all the time. Basically when BB fails, HIPS (provided you’ve set it up in such a way) will still be there and you can allow or block the actions of the malware.
Never trust a security application to do everything, you need to apply common sense too.
Hmm, please explain to me why trusted applications need to be controlled? Prior to using a HIPS, how did you control them then?
In an internet full of billions of files have you the intuition to distinguish good from bad?
Of course not and that is where the power of whitelisting comes in.
The BB acts upon a whitelist… it has to, otherwise how does it distinguish what is good or bad?
I haven’t tested this myself, but if this is true I’d really appreciate it if you could make a bug report about this. I’m certain it’s not intended behavior.
Trusted applications, on my computer, need to be controlled because I don’t want certain programs to be able to do certain things. I also like to be in control of what is actually running. Another reason is, as explained before, when a malware has been trusted.
I personally don’t trust all the software that I use, but I still need to use them, and I also like to be in control of what happens (monitor what happens).
When there is a program that I trust myself, then I will add it to the trusted files list. But I don’t trust Comodo to know what’s best for me through a whitelist that my computer follows blindly, I’d like to have their opinion but in the end also be notified and act upon it. See it as recommendation rather than a rule.
Prior to using HIPS (prior to using CIS over all since I have used HIPS since I installed CIS) I got a malware that wasn’t blocked by my security system and I couldn’t get it away hence I had to re-install windows and I lost all my files since I couldn’t access them at all (They were encrypted).
With HIPS disabled in CIS and if the malware would have been trusted, then the results would have been the same.
I can distinguish the good from the bad first by reading what process is trying to do what and then see “Yeah I installed that” or “Hey wait a second, I haven’t seen that application before”, and then also look at what they are trying to do (you never get to see this with HIPS disabled). And thirdly, look up the applications. - Common sense.
I never said the BB didn’t act upon a whitelist, it should act upon a whitelist, but you should also have something as a back-up when BB doesn’t kick in.
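The point made in the last few posts (the BB only acts on unrecognised files, so a wrongly whitelisted file runs unrestricted at every level, Blocked included, and HIPS is the layer that still mediates its actions) is easier to see as a decision model. The following is an added illustration written for this thread, not Comodo's engine or any code from the forum: the reputation classes, the BB level names and the "Blocked is silent" behaviour are taken from the posts above, while the program paths, the HIPS rule format and the "ask" default are hypothetical.

```python
"""Toy model of layered decisions: reputation -> behaviour blocker -> HIPS.
Illustrative only (added example); it does not reproduce Comodo's real logic."""
from dataclasses import dataclass
from enum import Enum


class Reputation(Enum):
    TRUSTED = "trusted"      # on the file/vendor whitelist
    UNKNOWN = "unknown"      # unrecognised: the only class the BB acts on
    MALICIOUS = "malicious"  # on the blacklist: handled by the AV, never reaches the BB


class BBLevel(Enum):
    PARTIALLY_LIMITED = "partially_limited"
    LIMITED = "limited"
    RESTRICTED = "restricted"
    UNTRUSTED = "untrusted"
    BLOCKED = "blocked"
    FULLY_VIRTUALISED = "fully_virtualised"


@dataclass
class Decision:
    verdict: str   # "run", "run_virtualised", "blocked", "quarantined", or "<action>:<outcome>"
    alert: bool    # whether the user is shown a pop-up
    layer: str     # which layer produced the verdict


def bb_decision(reputation: Reputation, level: BBLevel) -> Decision:
    """The behaviour blocker consults the whitelist first: a trusted file is
    never sandboxed, whatever level is configured (the bypass discussed above)."""
    if reputation is Reputation.MALICIOUS:
        return Decision("quarantined", True, "av")
    if reputation is Reputation.TRUSTED:
        return Decision("run", False, "whitelist")
    if level is BBLevel.BLOCKED:
        # Assumption taken from the thread: Blocked drops the file silently.
        return Decision("blocked", False, "bb")
    if level is BBLevel.FULLY_VIRTUALISED:
        return Decision("run_virtualised", True, "bb")
    return Decision(f"run_restricted:{level.value}", True, "bb")


# Hypothetical HIPS rule set: program -> {action: "allow" | "block"}.
# Anything not listed falls through to "ask", which is where the user
# actually gets to see what a process is trying to do.
HipsRules = dict[str, dict[str, str]]


def hips_decision(program: str, action: str, rules: HipsRules) -> str:
    return rules.get(program, {}).get(action, "ask")


def evaluate(program: str, reputation: Reputation, level: BBLevel, action: str,
             rules: HipsRules, hips_enabled: bool = True) -> Decision:
    """Full path: BB first, then HIPS mediates the concrete action of anything that runs."""
    first = bb_decision(reputation, level)
    if not first.verdict.startswith("run"):
        return first  # blocked or quarantined: nothing left to mediate
    if not hips_enabled:
        return Decision(f"{action}:allow", False, first.layer)
    outcome = hips_decision(program, action, rules)
    return Decision(f"{action}:{outcome}", outcome != "allow", "hips")


def demo() -> dict[str, Decision]:
    # Constructed scenario: a downloaded binary that has (wrongly) ended up trusted,
    # trying to do what the regtest above does, and a genuine unknown dropper.
    rules: HipsRules = {
        r"C:\Program Files\Vendor\tool.exe": {"read_file": "allow", "write_autorun_key": "block"},
    }
    updater = r"C:\Users\me\Downloads\updater.exe"  # hypothetical path
    return {
        "unknown_blocked": evaluate("dropper.exe", Reputation.UNKNOWN, BBLevel.BLOCKED,
                                    "terminate_process", rules),
        "trusted_bypass_no_hips": evaluate(updater, Reputation.TRUSTED, BBLevel.BLOCKED,
                                           "terminate_process", rules, hips_enabled=False),
        "trusted_caught_by_hips": evaluate(updater, Reputation.TRUSTED, BBLevel.BLOCKED,
                                           "terminate_process", rules),
        "vendor_tool_autorun": evaluate(r"C:\Program Files\Vendor\tool.exe", Reputation.TRUSTED,
                                        BBLevel.FULLY_VIRTUALISED, "write_autorun_key", rules),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24} -> {d.verdict:28} alert={d.alert} layer={d.layer}")
```

The model makes two things explicit: the BB level only matters on the `UNKNOWN` branch, so the whitelist, not the level, decides whether a file is ever sandboxed; and with HIPS disabled the trusted file's action is allowed without anyone seeing it, whereas with HIPS enabled the unlisted action lands on "ask" and the user gets the pop-up the later posts describe.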
That seems quite an issue. I thought the idea of virtualization was so contained files could not touch or alter the real system?