CIS10 Sandboxing It's Own Files

Protected_PC · March 3, 2017, 11:27pm

In the picture, why is CIS sandboxing it’s own files?

BlueTesta · March 3, 2017, 11:35pm

https://forums.comodo.com/news-announcements-feedback-cis/why-are-all-these-comodocreated-batch-files-getting-sandboxed-t117693.0.html
mouse1:
This is new technology to protect you from file-less scripts as Egemen explains here.

To prevent these scripts getting sandboxed, so long as you are sure they are safe, you just add the batch files to trusted files.

https://forums.comodo.com/news-announcements-feedback-cis/brand-new-comodo-internet-security-10-with-secure-shopping-is-released-t117514.0.html;msg847406#msg847406

egemen:
Oh yes. This is a new feature we have introduced to catch fileless malware. Fileless malware uses script interpreters such as powershell.exe to execute code through commandline. There are various ways. What CIS 10 does is it catches embedded commandlines and sandboxed them.

But while sandboxing them, we create a file out of them i.e. convert file-less scripts into files in C:\ProgramData\Comodo\Cis\tempscrpt. If is the command-line interpreter. What you can do is

1-You can trust them just like any other file
2- Or you can disable cmd.exe from commandline parsing from Settings->HIPS->Do Heuristics commandline analysis(Certain applications)

It is a new feature.

qmarius · March 4, 2017, 11:22am

Assumption based on path is a bit wrong. Upon file contents inspection, you will notice it’s not really triggered by CIS.

shmu26 · March 8, 2017, 11:25am

How to make these randomly named files trusted, when a new one is generated every time?

Ploget · March 8, 2017, 2:43pm

This worked for me in the Specified Files/ Folders setting in Sandbox settings

shmu26 · March 8, 2017, 3:14pm

I am looking for a more pinpointed solution, such as making a HIPS rule for the process spawning the command line.
In my case, Google Chrome is involved, so I don’t know how to do that.
I will paste the command line string, if anyone has an idea for me, please share it:

C:\WINDOWS\system32\cmd.exe /c “C:\Program Files (x86)\Norton Family\Engine\3.6.3.41\coNatHstNF.exe” chrome-extension://napjheenlliimoedooldaalpjfidlidp/ --parent-window=0 < \.\pipe\chrome.nativeMessaging.in.c7742736b6507c43 > \.\pipe\chrome.nativeMessaging.out.c7742736b6507c43