COMODO Internet Security 8 vs Malware Tests

Hello Everyone,

Since we released CIS 8, more and more fellow testers are testing it against malware. It is always great to see results, from testing organizations as well as independent reviewers.
It is a new product with some new features so i wanted to post a few tips here for anyone who would like to understand the security architecture and design the test methodology accordingly.

CIS 8 has multiple layers of security, and while combating malware each has its own purpose:

1 - URL filtering: Block a malicious URL during browsing and stop malware before it enters the PC.
2 - Antivirus: Detect a malicious file before it is executed on the PC.
3 - Viruscope: Detect a malicious file after it is executed on the PC.
4 - Auto-Sandbox: Block unknown files from damaging the PC while they are being executed.

Fellow testers already know about these layers from previous versions as well. However with CIS 8, we have introduced a few improvements:

Auto-sandboxing is now more intelligent. By default, the CIS 8 sandbox automatically sandboxes unknown files that are coming from the Internet or run from removable or network drives. Realistically, almost all consumer infections are now caused by files coming from the Internet. You can download an infected file or receive it as an email attachment, etc. This behavior can easily be changed by making a simple change as explained in
https://forums.comodo.com/news-announcements-feedback-cis/how-to-automatically-sandbox-all-unknown-files-in-cis-8-like-cis-7-and-cis-6-t108576.0.html

The test setup should consider these facts and be realistic. For example:

1 - Are you testing CIS for protecting a clean PC? If so, having a folder full of malware before installing CIS is not a realistic case, because the PC is not clean. The same goes for copying files from a host computer to a test virtual machine. In such cases, you should configure CIS accordingly so that it automatically sandboxes all unknown files, including existing unknown files. See the link above on how to do this.

2 - Are you setting up a consumer PC and testing real-life scenarios such as infection from a web site, through email attachments, USB drives, etc.? The default configuration is enough. Go for it. Torture CIS with all such scenarios, such as downloading active malware, opening an attachment, downloading a zip file, extracting malware and running it, etc.

Let us know if we can help you understand the scenarios better.

Thanks,
Egemen
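A constructed model of the four layers and the two auto-sandbox settings described in this post (an added example, not Comodo's code; the decision rules, sample hashes, URLs and file origins are assumptions made for illustration):

```python
"""Constructed model of the CIS 8 layers listed above; not Comodo's code.
Decision rules, sample hashes, URLs and origins are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

BLOCKED_URLS = {"http://bad.example/drop.exe"}          # constructed URL-filter list
AV_SIGNATURES = {"known-trojan-hash"}                    # constructed AV signature set
TRUSTED = {"vendor-signed-hash"}                         # constructed trusted-file list
DEFAULT_SANDBOX_ORIGINS = {"internet", "removable", "network"}  # origins named in the post


@dataclass
class TestFile:
    sha: str
    origin: str                    # "internet", "removable", "network" or "local"
    url: Optional[str] = None      # where it was downloaded from, if anywhere
    misbehaves: bool = False       # would show malicious behaviour when run


def defend(f: TestFile, sandbox_all_unknown: bool = False) -> str:
    """Return the layer that stops the file, or 'ran' if it ran unrestricted."""
    if f.url in BLOCKED_URLS:           # 1 - URL filtering, before the download
        return "url_filter"
    if f.sha in AV_SIGNATURES:          # 2 - Antivirus, before execution
        return "antivirus"
    if f.sha in TRUSTED:                # trusted files are not sandboxed
        return "ran"
    # 4 - Auto-sandbox: by default only unknown files from the listed origins;
    #     with the CIS-7-style setting, every unknown file, local ones included
    if sandbox_all_unknown or f.origin in DEFAULT_SANDBOX_ORIGINS:
        return "auto_sandbox"
    if f.misbehaves:                    # 3 - Viruscope, after execution
        return "viruscope"
    return "ran"


def run_scenarios(sandbox_all_unknown: bool = False) -> dict:
    """The two test setups from the post: pre-seeded folder vs. fresh download."""
    scenarios = {  # constructed sample files
        "preseeded_unknown": TestFile("unknown-a", "local", misbehaves=True),
        "downloaded_unknown": TestFile("unknown-b", "internet", url="http://x.example/a.exe"),
        "blocked_download": TestFile("unknown-c", "internet", url="http://bad.example/drop.exe"),
        "known_sample": TestFile("known-trojan-hash", "local"),
        "trusted_app": TestFile("vendor-signed-hash", "internet"),
    }
    return {name: defend(f, sandbox_all_unknown) for name, f in scenarios.items()}
```

With the default setting the pre-seeded unknown file is only caught at the Viruscope layer (or not at all if it never misbehaves), which is the post's point about testing a PC that is not clean.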

What about sandboxed applications which can still access the keyboard/screen? Are these actions restricted?

keep improving!

Well… I love CIS and I intend to keep using it as long as it's free, but I have to admit for myself that nobody cares anymore about Comodo as a security suite. At least no company/reviewers consider CIS as a security suite to be tested. This can be seen from the moment CIS 8 was released until now: we don't have almost any review from enterprise testers or important sites.

Anyway, I intend to keep running CIS on my machines and those of my family and my friends, because I know the value of this security suite. And it's huge… and free…

I agree that ‘Autosandbox is a great idea’. But the developers have lacked care for the user.
CIS users are fixed on the idea that CIS should treat “all unknown files as sandboxed”.

Is this idea bad?

I think ‘No’. It is only uncomfortable.

The selective treatment rule of autosandbox gives the user safety and comfort.

So, I suggest:

  1. After CIS setup, the CIS default (setup) config is “Sandbox all unknown files”.

  2. And CIS gives another default config, “Sandbox new unknown files” ===> add a submenu in the ‘Set to default’ item:
    a. Sandbox all unknown files
    b. Sandbox new unknown files

[attachment deleted by admin]

Very good idea, savit! :slight_smile:

If a trusted program downloads an unknown file, and that trusted program is neither a web browser, a pseudo file downloader, nor an email client, is that unknown file sandboxed?

It depends on the trusted file, how that trusted file itself came to your PC, etc.

The sandbox protection is stupid, since Comodo has a lot of false positives. In fact I recently did a real-world testing scenario and downloaded 50 lesser-known software packages, 35 of which Comodo sandboxed as unknown.

I then visited some malware websites (a real-world scenario: if you are downloading lesser-known programs, it's likely one of those websites/programs is malware), and while it did sandbox 19 out of 20, one was, I believe, a script or text file which got through. But since I now had real programs and malware running in the virtual machine at the same time, it made the operation of the system really slow and bad.

When I cleaned the virtual machine, it removed all legitimate programs.

You can understand why your average user might not think Comodo is good.

Can you point me that 1 case that got through? It doesn’t matter if it is a script or something else. It should have been sandboxed as well.

I’m noticing that CIS is isolating files that are SAFE; after CIS completes its cloud lookup on the file it doesn’t sandbox it again. What I’m saying is that CIS is not allowed enough time to validate from the cloud that the file is safe before isolating it, and as a result many programs that I run are being sandboxed. Is this a bug or an intended feature? I have attached a screenshot of the logs.

You’ll notice the file is run virtually and that after it is run again a few seconds later it is not isolated.

[attachment deleted by admin]

What's your OS? Windows 8?

Yes, Windows 8.1 x64

I’ve found the same thing but with HIPS: I receive a few alerts and then no more alerts, because it’s then scanned and found trusted. I’d assume it’s the same underlying issue as with the sandbox issue; however, I would argue that the issue is more severe with sandboxing.

@egemen, I’m only experiencing this with files relevant to the discussion we had earlier in regards to bug 1379, I’m guessing this may be “intended”?

Yes. Seems like the same scenario.

@egemen, in the default sandbox, with Action ~ Run Virtually, after clicking on Options ~ Set Restriction and selecting Partially Limited, I tested an executable file and Comodo did not block anything, compared with the option Action ~ Restriction ~ Set Restriction > Partially Limited.

@up
Because these restrictions, when applied, block access to various system resources on the REAL system. A virtualized app can still do whatever it wants in the virtual environment (so no difference, e.g., in CLT).

Applying restrictions to a virtualized app means that it will be restricted in accessing some things in the real system (yes, it can still access some things when virtualized; I don’t mean files but, e.g., the keyboard or screen).

But shouldn’t using Partially Limited in the fully virtualized sandbox provide better or equal restriction than only using Partially Limited? If I’m not misunderstanding, then that’s the issue here: Partially Limited in FV doesn’t give the same protection as normal Partially Limited.

HIPS is useless. It is useful only for hardcore users.
(Hardcore user = only a very small minority of people…)
And auto-sandbox is uncomfortable and useless like HIPS, too.
Most users need an improved Viruscope (+ anti-exploits).

“Anti-exploits” is very simple, very easy and enough (but not strong…).

If you want to improve Comodo, give up HIPS and Sandbox.
Most people don’t know how to use them.

Improve Viruscope (& anti-exploits) and Cloud scan.
Also, make the Reputation Detection.

I know Comodo is very strong but very very very very difficult… :cry:

Hi, first of all thank you very much for your feedback. We would like to know why you think that HIPS or Auto-sandbox is useless. Please let us know the difficulty you've faced. Do you think that these features are useless, OR that these features are very difficult to use and configure? We would be happy to help you with how to use them.

Kind Regards
Buket