CFW + MS SE

Hi,

I want to install CFW on a Win 7 PC already running MS Security Essentials to improve the security significantly. I did some initial tests in VirtualBox with MSE installed and I noticed that the default install of CFW is for HIPS switched on and Auto-Sandbox off.

I find HIPS too difficult / time-consuming to get my head around these days so I’ve turned it off and enabled auto-sandbox instead and run a few recent malware samples, all seemed to work OK.

But I worry if there might be a clash in the future between the default auto-sandbox settings and MSE, specifically with the auto-sandbox setting set to block all applications with a malicious rating? I think they may fight over the same piece of malware they both identify as malicious, or something may slip through as a result? I guess if that happens, other elements of the sandbox may kick in and isolate the malware? Even if that fails at least it may not communicate outwards with CFW blocking it, or does disabling that first rule have a knock-on effect throughout the rest of the auto-sandbox?

I am considering simply disabling this first rule of blocking all malicious applications and relying on MSE to deal with malicious ratings and actions, but not sure of the impact on the rest of the detection / isolation process if I do so, and I don’t have time to test these various combinations.

Are there recommended settings for this combination, or any suggestions from the experts here please?

The auto-sandbox is for applications that get executed, whereas MSE will detect malware using its real-time scanner, which means any new file that gets written to disk or any existing file that is accessed will be scanned and dealt with by MSE accordingly. So if MSE detects malware before execution, then it will get removed/quarantined before the sandbox can kick in. In the case where MSE doesn’t detect an executable as malicious, but it is executed, then during execution the executable will be looked up in Comodo’s cloud and if found malicious will be blocked and quarantined by CIS. Therefore you won’t have any issues with using CIS sandbox and MSE as your real-time AV solution.

Futuretech, I really appreciated the very clear explanation, many thanks.