Back here… at 5am dealing with sandbox (so don't expect much from me :-[).
First of all my impression (I’ve never used Comodo sandbox before, always had it disabled and used other software, but now I wanted to give Comodo a shot…). “Fully virtualised” environment, looks like the weakest, least restricted one, right? (this is somewhat unclear to me probably because of the name, I understand Restricted environments = fully+restrictions, I’ve read both the “official” FAQ and some technical guides here, but they tend to go too detailed into concrete vulnerabilities rather than permissions and such)…
Right now I have them [at] untrusted/restricted (when untrusted does not work, however the one which concerns me the most, which is one which runs dynamic web code…, works on untrusted). Are those the most restrictive/“safest” levels? I assume/tested that they will be able to read my files anyway (is there a way to restrict which files they MAY read? maybe Defense+? never got that far into it :P).
I assume this is impossible because of obvious reasons, but… are there any protection levels which prevent these apps from reading “most” of my filesystem/registry?
Thanks beforehand :),
PS: Let’s say that these applications are a must for “me” (not me, but “my” PC) so I have to find a most-secure-as-possible-and-automatic way to make them work :'(. (without going into full virtual machines, they have to work as if you just executed the program normally), in case anyone has some idea :).
From my experience I’m not as worried about just whether an application can read files or not. What’s truly important is whether information can be transmitted from the computer. In that way I can tell you that under Untrusted I do not know of a way in which an untrusted app can transmit any information it may have been able to collect (which should be little to none) unless the user manually allows the popup. However, there is a minor vulnerability in Fully Virtualized through which an app could theoretically (although I have not seen reports of an actual malware exploiting this) transmit small amounts of information bypassing the Firewall component.
If anyone knows of a situation which proves me wrong please let me know.
These applications are basically stream services, so denying them at the firewall is not an option (I mean, it kills the application completely), that's why I’m looking at disallowing reads rather than preventing network messages from being sent/received.
PS: Off to sleep, back 2morrow :), thanks for fast answer.
If you are looking at that type of granular configuration I’m afraid I won’t be much help. However, I’m sure that others will have much better suggestions. All I can think of off the top of my head is that it may be better to enable the HIPS component, in addition to the Auto-Sandbox, and to use that to create specific rules for these. However, as I have not tried this myself I’m not sure if this will work or not. I’m sure someone else will be able to help.