Bunch of Questions

Just trying to understand how this thing works.

  1. There is an option in the settings of firewall and D+ “Create rules for trusted programs” (unchecked by default). I know that CIS has a white list of trusted programs, but how does it check files against it? (By name, checksum, digital signature?)

  2. Is it possible for malware / virus to acquire or fake a digital signature in order to fool CIS into thinking it’s trusted?

  3. Let’s say I have an unrecognized file in auto-sandbox, and it caused a D+ alert, let’s say “Access to protected reg key”. If I click Allow (remember my choice checked) it creates a rule for that app where everything is allowed?? How does that work? I mean, shouldn’t it just allow Reg access for that program, and what about when it tries to access something else protected? Same with deny … it’s about the same with firewall rules.

  4. On average, how long does it take to recognize a file as safe or not? A day? A week? A month? Is there anything I can do to speed it up? (Let’s say I don’t know if the file is safe.)

  5. I have the Left 4 Dead 2 game (Steam version). When I start the Steam client everything’s fine, I guess it’s trusted; when I start the game however (I have the Russian version, if that matters) it says “Unrecognized program has been put in sandbox as partially limited”… well fine, it starts to load but then exits. I check the status of the program in the unrecognized list and it says unknown. Well, I bought it so I guess I can trust it; I put it in trusted and it works fine, but I’m curious, when will this file be recognized by Comodo? It is still working on it after I transferred it to trusted, right? So how can I check if the file is recognized yet, is it in a queue or what?

  6. If the file is recognized as malware / virus by D+, can I somehow learn why exactly? I have a game file that D+ detects as dangerous, but CAMAS.comodo.com detects as suspicious just because it creates C:\WINDOWS\system32\d3d8caps.dat, even though there is no such file in that directory when the game runs (I have show hidden and protected files on).

  7. Is there a way to look at the current D+ white list? Cuz it seems most of my games are unrecognized (is that normal?)

Did you take a look at Defense+/Sandbox FAQ on top of this page? I think you’ll find there most answers to your questions.

Read the FAQ. Questions 1, 2 and maybe 6 remain.

Question 1: safe application = valid digital certificate
trusted file = recognized safe after cloud analysis
or set in the trusted files by the user

Question 2: Comodo says no; certain forum members have doubts.

Question 6: a file can’t be recognized as safe by Def+ if it has no valid certificate or if potentially dangerous behavior is detected by heuristics or the cloud. Even with “hidden and protected files” turned on you won’t see hidden files like rootkits, for example. You should submit the file to Comodo labs for analysis (Def+ > Unrecognized Files > submit).
What is your AV, and how did it flag this file?

Comodo AV

Heur.Suspicious[at]19872852

Try to submit the file to VirusTotal http://www.virustotal.com/ to check if it isn’t a FP. If VirusTotal finds the file safe, report it as a FP here on the forum so it’ll be added to the CIS whitelist.
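As an added example (not code from the thread, CIS or Comodo), here is the first-pass check the answers above describe, done by hand in PowerShell: validate the file’s Authenticode signature, and in every case produce the SHA-256 you would look up on VirusTotal or quote in a false-positive report. It assumes Windows PowerShell 4 or later; the file path at the bottom is a placeholder.

```powershell
# Added example, not from the thread or Comodo: reproduce the first-pass trust
# decision described above for one executable. Assumes Windows PowerShell 4+;
# the path used at the bottom is a hypothetical placeholder.
function Test-FileTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode check: does the file carry a signature whose chain validates?
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # SHA-256 is what you paste into VirusTotal or quote in a false-positive report.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    switch ($sig.Status) {
        'Valid' {
            # Chain validates to a trusted root. Per the doubts raised in question 2,
            # this proves who signed the file, not that the signer is benign, so the
            # subject is recorded for comparison against the vendors you trust.
            $state  = 'Safe (valid digital certificate)'
            $signer = $sig.SignerCertificate.Subject
        }
        'NotSigned' {
            $state  = 'Unknown (no signature; needs cloud or lab analysis)'
            $signer = $null
        }
        default {
            # HashMismatch, NotTrusted, UnknownError, ...: a signature exists but
            # does not validate. Treat as unknown, never as trusted.
            $state  = "Unknown (signature $($sig.Status): $($sig.StatusMessage))"
            $signer = $sig.SignerCertificate.Subject
        }
    }

    [pscustomobject]@{
        Path   = $Path
        State  = $state
        Signer = $signer
        SHA256 = $hash
    }
}

# Usage with a placeholder path:
Test-FileTrust -Path 'C:\Games\Example\game.exe' | Format-List
```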