Comodo should ask if you want to sandbox an application before it runs [M1901]

Nothing to “understand” here:

Why should anyone run anything on a sandbox? Just start the freaking .exe again. Is it too hard?

I know, right? Still, the only option is auto-sandbox or disable.
But don’t worry I don’t expect you to understand it, it might be beyond your comprehension.

Turned on the sandbox especially for you. Here’s what I see. What’s the problem?

Fantastic, now read the 1st post of this thread.

And now, for your information, that popup only appears if the application requires elevated privileges.

Ok, tested with another file. You’re right.
Still, your attitude is something to work on. ;D

I know, sorry for that

NP :-TU

I agree with this wish completely. I had to disable auto-sandbox because sometimes parts of Windows or other software updates get auto-sandboxed with some messed up consequences since only part of update really gets applied.

I’d like to be able to allow an execution through non-sandboxed at my discretion.

My idea of what the Ask and Elevated privileges prompt should be like.

Add Ask to Action menu inside the Sandbox Rule. (I think Comodo was gonna do it like this anyway.)

Allow user to enable:
[ ] Enable to trigger Ask alert for Elevated privileges e.g. installers or updaters when detected.

So user can enable it or disable for every rule individually.

and remove the:
[X] Detect programs which require elevated privileges e.g. installer or updaters
[X] Do not show privilege elevation alerts: Run inside the container

from Containment Settings window.

Added 1 Picture
https://imgur.com/a/sZZBg

My idea of what the Ask and Elevated privileges prompt should be like.

Add Ask to Action menu inside the Sandbox Rule. (I think Comodo was gonna do it like this anyway.)

Allow user to enable:
[ ] Enable to trigger Ask alert for Elevated privileges e.g. installers or updaters when detected.

So user can enable it or disable for every rule individually.

To make sure I understand…if Comodo detects the installer, it allows the installation to use elevated privileges?

OK so Comodo:
Allows the detected installer or updater to run unrestricted

  1. If Comodo detects the installer or updater
  2. If the executable is “Unrecognized” (is NOT “Trusted” via TVL or Cloud Lookup)
  3. If the proposed style of Containment alert rule (check box etc.) is set/selected for the executable to be allowed to do so
  4. The executable is run unrestricted out of the container and may elevate as it requires
  5. The choice on the alert means a Containment rule is created if one does not already exist that contains the choice to run this file elevated

Got some questions about this. This is an installer/updater right? And also it’s “Unrecognized”. What about all the work to develop the TVL and Cloud Lookup? idk, but maybe I am completely misunderstanding. Honestly, I think the best solution is to block “Unrecognized” installers with no option to install, except to unblock via “Unblock Applications”. I am kind of convinced it’s the only way to save users from making convenient mistakes.

I think requiring the use of “Unblock Applications” is good policy for Comodo. Also, I do think there can be give and take and the cloud can sort of set the record straight if there is a problem with a file or installer. Over time the cloud can come to the rescue and maybe achieve a higher prominence (Valkyrie allows?).

Even though users might see more installer blocks, there is another view for me. I mean, I really do personally like the idea that I find out that a program wants to elevate. Yet and still and for whatever reason, if I were to focus on anything, I think it would be to make sure that the user is only unblocking from “Unblock Applications” (if that were the only choice for “Unrecognized”). And then I would make sure the user gets a full-fledged warning about unblocking from containment and then a full dose of HIPS alerts (with an auto monitor rule created for the unblocked file) for his/her trouble. Also, I would make sure that the file stays “Unrecognized”. Actually, I guess this might be enough for HIPS to stay active.

It’s better to start with good policy when it comes to computer security. OK, add the possibility for cleverness or maybe some convenience as an option. However, even then, the user’s data safety should come first every time. In the end, if someone said it’s tough to run an “Unrecognized” but not impossible…I think that would be the best thing to hear personally.

I really hope I didn’t completely misunderstand. Pls correct me if I am way off on this…

If you configure the rule to Ask, then it will ask for any unknown program that tries to start.

If you configure it to Run Virtually and
[ ] Enable to trigger Ask alert for Elevated privileges e.g. installers or updaters when detected. (left unchecked)
it will sandbox any unknown automatically.

If you configure it to Run Virtually and
[X] Enable to trigger Ask alert for Elevated privileges e.g. installers or updaters when detected. (left checked)
it will trigger the Ask alert for unknown programs that try to run as installers/updaters, or unknowns that require elevated privileges.
Normal unknowns will be sandboxed automatically.

When they add this wish “Ask”, and if the current Elevated privileges e.g. installers or updaters option is left as in the current version, then it will apply to all the sandbox rules,
but if they add my idea, then the user can configure this for every sandbox rule individually.

I may have misunderstood. What about this as a way to do this. Kind of a compromise:

OK so like this. If the user chooses “Trust this File or Application and Run Under Current System Restrictions Only”, the rule is an Ignore rule and trust in the “File List”. However, user immediately gets a prompt center screen with a red border in red writing that says, “This file or application is unknown to Comodo and could be malware. Running under system restrictions could be dangerous and is not recommended. Are you sure?”

Now, this is where I could see Valkyrie step in if it were all things internet and the Comodo Cloud. Valkyrie uploads the file to Comodo, where it is analyzed. Some kind of spinning Valkyrie wheel or something appears near the system tray that says file being analyzed by Cloud Lookup. If the file appears to be risky to run, Valkyrie explains that it uses potentially dangerous script or installs to an unusual location or modifies user files or system files in an unusual way, etc.

So for me, if Valkyrie replaced Internet Security Essentials and handled this role and roles like monitoring what is on the PC from the internet and all other Cloud Lookup issues, it would become an important part of Comodo. Valkyrie also for browser monitoring and page blocking.

Then Viruscope could be there to sort of chronicle the activity of files that are allowed to run. For example, VS might attach meaning to the fact that the above uploaded file was unknown and allowed to run. Then it might make note of whether the application uses command line or if part of it was installed into a context menu or something otherwise allowed normally only via HIPS. Another might be associations of the file. Does it use/want to use potentially dangerous Windows based tools or change system settings, for example, system restore or startup. When VS senses enough evidence of danger, based on an algorithm centered around the behaviors of malware, it can step in and advise the user. It can also ask Valkyrie for help uploading a .tmp file associated with the file or application or any element of an application, etc…or anything else I guess…

So as long as it’s an option to turn this alert off, I guess I wouldn’t see a problem with this. However, I don’t think it’s a long term solution for one thing. That is that I feel that Trust in the Comodo “File List” should be in every case Comodo’s view of trust, not ever the user’s. So I don’t think any of this should create trust in that list. That way when user looks over or scans the list there is no question in their mind that it’s Comodo’s opinions. Anyway, rules can be set up for any application of any trust level to run in any element of Comodo.

With the above said and in place, I don’t think this alert should even offer the opportunity to “Trust this File or Application and Allow it to Under Current System Restrictions”. As things are now though, OK, maybe I would make it a further setting of the “Detect programs which require elevated privileges…” and the “Do not show privilege elevation alerts”.

So something like this in the Containment settings order:
“Detect programs which require elevated privileges e.g. installers or updaters”
Now in the settings comes:
“Do not show privilege elevation alerts”
->while above is not checked->option appears for “Show the option to ‘Trust this File or Application and Allow it to Under Current System Restrictions’ on Privilege Elevation alerts” .

Let me know if this makes any sense or just doesn’t make sense at all. Thx…

Apologies. A couple of edits

Yes, having an option to enable advanced options would be nice,
and to have it inside the sandbox rule specifically, so you can enable or disable it individually for every sandbox rule.

1, I would have a rule which is configured to: Action Ask + Restricted
for my Steam folder.
(If I select: Run inside Sandbox, then it would be running inside the Sandbox with my pre-configured settings Restricted.)

2, And configure: Run Virtually + Restricted + Enable Elevated privileges Ask Alert + Show additional advanced options for Ask alert, for any unknown inside my download folder.

3, Configure: Run Virtually + Restricted for any folder (the main sandbox rule)

If you configure the rule to: Action Ask, then the trigger Ask alert for elevated privileges would be greyed out, since this option wouldn’t do anything.
Show additional options for the Ask alert would still be selectable.

If you configure the rule to: Action Run Virtually, then the Show additional options for the Ask alert would be greyed out.

If you configure the rule to: Action Run Virtually + Enable to trigger Ask alert for elevated privileges,
then the Show additional options for the Ask alert would be selectable.

https://imgur.com/a/fEqho

This alert would give you the option to select how you would like to run the file/application each time it is open. I think it would accomplish close to the same thing as including an ask to the default containment handler options.

There seems to me to be a subtle difference. However, if you choose default, it will open every time by default settings. If you choose “Run Using Another Restriction Level”, app will run every time at that level if the setting is remembered. If you don’t remember the setting, you can choose each time the file application opens, anyway. So I think (could be wrong) that its functionally the same.

The last setting is the one I would specifically want the option to have removed from the alert. Actually, probably shouldn’t be there by default. But, if you allow this alert to appear, no matter whether that option is on the alert or not, you will be able to choose for every application that wants to elevate which restriction should apply.

Again, the first choice in theory would auto-create an ignore rule, but you could still choose the same restriction from the 2nd option and not remember->no rule.

Thx once again for the input. I liked this when I finished unlike some ideas I throw around in my head, because I think this alert clears the users head (or at least mine anyway) about what will actually happen after the alert.

I’d like to hear if Comodo has anything they might find objectionable to this alert. Personally, I would definitely like to see something done with this alert.

There are quite a few Polls and topics requesting this feature.

Is Comodo going to add this feature? And when?