A simple question on the auto-Sandbox.
I have set the auto-Sandbox to full virtualization. All is fine. But as I don’t know much about these sandboxes -
What is the difference between Fully Virt & partially limited? What do I gain & lose?
(top FW BTW)
Please see this page in the help files. Essentially, Fully Virtualized will completely isolate any unknown files from the rest of the operating system. With Partially Limited it will be run with the rest of the programs on your computer, but most potentially dangerous actions will be blocked. The other options are also briefly explained on that page.
Let me know if you have any questions.
What am I missing out on by going full Virt?
i.e. One day I’ll want to do something & it won’t work because the Fully Virt has stopped it. Is that a scenario and if yes, what non-working function may hassle me due to Full virt?
For one, I would not recommend using Partially Limited. I would use Limited or above. The reason for that is that Partially Limited will not protect you from some ransomware.
However, you really need to use Untrusted to protect yourself from all malware. However, at the Untrusted level, most unknown applications which are run will fail to work correctly. Thus, this isn’t too far away from just blocking nearly all unknown applications.
Fully Virtualized will allow many applications to run, and is almost as safe as Untrusted. Some applications will fail to run, but the majority will. I think you’re fine to stay with Fully Virtualized. The only issues I really see with Fully Virtualized are that keyloggers can log data from the real computer. However, the Firewall should stop them from transmitting this for nearly all situations. There are a few other issues with using Fully Virtualized, but in my opinion they are much more rare to encounter.
In short, I think you’re fine with going with Fully Virtualized. By the way, every time you restart your computer any application which was running as fully virtualized will not automatically start.
Let me know if you have any other questions.
If using virtual kiosk will the firewall also stop keyloggers from capturing data?
Some keyloggers may be able to bypass the built-in restrictions. However, they will be blocked from transmitting any information they capture by the firewall component. Only if you allow the firewall alert would the data be transmitted.
Ok thanks, I do want to give the kiosk a try out.
The only problem I have with fully virtualized is that the Comodo AV does not detect malware within it, or has this changed?
It should now detect malware within it as well.
I have not seen this behavior, I downloaded some leak test files earlier after installing CIS 6.3 and they were not detected, just wouldn’t run, once moved out of the shared space they would be detected. However that wasn’t what I was testing and hence I didn’t pay much attention to it, just figured it was how CIS worked, I will look into it some more when I have the time.
In that case I’m not sure. Can someone confirm whether it does detect malware in the Kiosk or not?
Perhaps it just detects malware when you right-click on it and select the option to run in sandbox. That’s what I’ve noticed the detection for, although I don’t use the Kiosk otherwise.
I just did some testing (I don’t use virtual kiosk btw so I don’t know what happens there) by opening Comodo Dragon as Fully Virtualized, I then downloaded eicar.com to a NON-excluded folder, I didn’t get any CIS pop-up however nothing happens when trying to execute it, opening explorer.exe sandboxed and trying to execute the file is futile, nothing happens.
Next I downloaded the file to Shared Space and it was again not detected (except by Dragon when trying to download it) and I was not able to execute it either from Dragon or explorer; however, when right-clicking it and choosing to run as sandboxed, it is detected by CIS. It is also detected if moved to another folder.
I think to the average user it sounds very confusing as to if you are protected or not in certain situations.