CPF Sandbox: discussions

Hello there,

I’d like to discuss here the best approach for the Sandbox module. Strict sandbox discussion or related. The HIPS will come first. So we’ve got time to discuss it, and share our thoughts for the developers and Melih.

How would you like to see it implemented?

I posted on another thread (https://forums.comodo.com/index.php/topic,4883.15.html) how i would like it. I’m not sure about the best course of action:

The way i see it as of now, it would be great to act like GeSWall (or DefenseWall), that implement policies and allow “normal” use, with the option to drop everything from a session (when closing the browser, for instance), except what is saved by the user (either as untrusted, or trusted, defined by the user per download).
The problem is how would this interact with the HIPS? Integrate it in the same “module”?

When saving as untrusted, pop-ups from the HIPS; saving as trusted, meant as added to HIPS whitelist. Functionality and total security!!

Also, i’m thinking about “Save as trusted”, or “Save as untrusted”, and wondering if alternatively it would be ideal to virtualize the sandbox. Like everything virtualized (SandboxIE alike), but when saving, “Save to Sandbox” (or whatever) / “Save to disk”. Save to sandbox would do just that, and on closing the browser session, pop-up - clear session? (would clear this file too). Saving to disk, and when clearing the session, this file would be kept (saved outside the sandbox).

Thinking about these two approaches and the HIPS part makes me confused as in how to integrate it, but at the same time, seems a perfect match.

Any thoughts?

As the person who started the original post, I want to be included in receiving any replies so I’m responding to this new thread. I don’t care how they do it, as long as Sandbox and HIPS are explained in the help section of the new version in a SIMPLE easy for morons like myself to understand way. ;D

(S)

(Edited by mod to erase the unused empty spaces)

Sorry, i didn’t mean to go over your thread. I assume you asked for definite answers as to how they (HIPS and Sandbox) are going to be implemented.
Melih said the sandbox is not in the works, just HIPS, and that the sandbox could be discussed in more specific terms, since its model isn’t final. (my English argh, what’s wrong :frowning: i know better)

I thought a separate thread could be handy, not messing yours… so we can discuss this here, and how they turn out together there with more concrete answers from Comodo/ Melih. :stuck_out_tongue:
Picturing how the final product would turn out in yours, and specifically sandbox here, to settle points of view (possible consensus utopia :D) regarding this feature.

We can pick examples like i did, SandboxIE, GeSWall, DW, Greenborder, …

:THNK was i wrong to open this one?

I’ve been kind of hesitant to use any sandbox or other virtual type environment. It seems to me to be one more thing to provide a load on the system, and cause user complexities. I fully understand the rationale behind it, and as a security thing, probably just can’t really be beat.

My boss does use a VM, which allows him to run a virtual Windows environment on his Mac. I helped him get it set up, and it seemed to me quite complex to set up and use. Maybe just my moronicity… ???

In usage, it reminds me of being in a remote-access/desktop environment, where everything moves so slowly, like you’re underwater.

All that said, however Comodo chooses to build/implement a sandbox, I would like it to be optional, or a separate program altogether, rather than combined automatically with the firewall.

There! Now I’m part of the discussion too. ;D

LM

I understand your reservations Little Mac. But Melih kind of assured us that we get an option from the get-go: Download FW or FW+Sand., etc.
It’s like this: whatever the site you’re visiting “sends” you, won’t do sh**. Either it’s going to another place (virtual…), or doesn’t have enough rights to do harm in the 1st place (policy…)

I must say, i’m tending towards virtualization. Seems more secure, and if we could “save to disk”, functional at the same time.
:THNK

Someone - I have no problem with your new thread. The more discussion the better.

:BNC

I hope Comodo’s sandbox will minimize the potential cons described.

“Cons Sandboxing can be too restrictive, and sandboxed programs might fail to run. Sandboxes can spring leaks, for example it might erroneously allow behaviors that on the surface seem innocent, but might actually allow the program to break out of the sandbox to cause damage.”

Good link soyabeaner. It seems too vague, but i think it serves the purpose. Virtualization could be better, because it doesn’t depend on policies (these could have bigger holes, maybe easier to miss something when programming). It redirects to a fake “system”, fooling everything. Not bulletproof of course.

The “too restrictive” part could be overcome if we have the option to save to disk as i mentioned before. For those downloads we know to be safe, like Foxit Reader that i got the other day (threw Adobe out the window by the way; hope i won’t regret it). And an easy way to search through the sandbox, if we want to.

Don’t understand the “sandboxed programs might fail to run” part though.

I scrolled down and there’s another part that covers virtualisation. They separate the two:

[i]"Pros You can allow untrusted apps to make changes, and if such changes are deemed to be malicious, they can be cleared easily restoring you to the clean state.

Cons Technically complicated, memory heavy. Virtualization is similar to a form of backup, but some malware can hurt you even if it is removed later. For example, a keylogger that worked during the period it was running could still hurt you, even if it was virtualized. That is why restriction of privileges to prevent this I.E Sandboxing is still necessary together with virtualization. "[/i]

Memory heavy? I have to test SandboxIE to check that out. I don’t see complaints in Wilders.
The keylogger part could be true, though temporary as they say.

So another addition: besides virtualisation, prevent keyloggers by restricting policies too.

Since that site separates sandbox from virtualization, Sandboxie would belong to the former group and therefore it’s not a resource hog?

It gets confusing. They place SandboxIE in “Sandboxing with file system virtualization” AND “Virtualization + Sandboxing”.

So it’s the best of both breeds then: utilizing both worlds without being a hog :smiley:

Yes, i think so. The common criticism of SandboxIE seems to be the difficulty in recovering the files from the sandbox, in case you want to. Otherwise, it’s hard to beat this.

I came through a GeSWall phase, lol, and now i’m leaning towards DefenseWall, because it allows rollback, but SandboxIE, well, is GREAT. I tried to install it before GeSWall, but i had problems. Probably some conflict, i think one has to shut down some apps in order to install it correctly (because of hooks and such). I didn’t trust it back then, but i see nothing but praise in Wilders. Only that functionality issue, which can be overcome, again, with the “save to disk” and easy search inside the sandbox. Talk is cheap, i know…

Another reference, Coreforce (not the way for Comodo imo, but…) (http://force.coresecurity.com/index.php?module=base&page=download).
A great concept IMO. But the opposite of Comodo. Coreforce is rule based, where the user has to configure everything himself. You can import rules from the community, rules that are open to peer-review, and are rated i think. It’s free and of course community based. Comodo is user-friendly, and with these additions, almost as tight, but easier and safe too. Our community works differently.

“CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD’s PF firewall, granular file system and registry access control and programs’ integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.”

I’ve been thinking… And got to this “conclusion”: Virtualisation is great for browser, IM, and such, not so good for P2P. Maybe you would say the contrary, or only one is good for all purposes. But in my present stage of thinking (…), it led me to think there are two options, different from my original post. There could be more, feel free to add.

  1. No sandbox module! HIPS would just be able to “sandbox” an application, through a wizard. It would work policy based, restricting rights, and tagging downloaded files from a sandboxed session (so why this sandbox function? - no pop-ups, the rules are set through the wizard). Those tagged files would still be under the same policies (or pop-up, “bla bla bla, run sandboxed?”; maybe another word), or simply not tagged, but under the HIPS normal operation, where we could add it to the whitelist. My brain goes on vacation here, with all the scenarios, HELP!
    This way we could still use SandboxIE (in an advanced stage of development IMO, and free), to run browser sessions, and the HIPS would be there for a more general use, system wide protection, preserving functionality, by being able to keep downloaded files with no complications.

  2. With virtualisation, in this case we could run it virtualised or with the HIPS function of “sandboxing” an application. The user has the option of running the application the way he pleases. The only benefit over no.1 would be only one security program, ComodoPF. The downside, complicated to develop all this, and not eat all the memory there is, and then some!

So the download options (or installation options, in the same installer) would be:

a) CPF

b) CPF with HIPS module

c) CPF with Virtualization module

d) CPF with HIPS and Virtualisation modules

Both c) and d) assume the adoption of the virtualisation module.

Although i’ve changed my mind twice, there’s a trend here. What do you think?

Oh, and stay tuned for next week… for all you 5 guys (or so) reading this

Oh, it’s more than five; that’s only the number currently posting… As of this post, there were 191 views of the thread.

Never fear, someone’s reading it, Someone. ;D Oh, I just ■■■■■ myself up. :smiley:

LM

Thanks Little Mac, maybe 8 guys reading over and over :P.

soyabeaner: it’s not technical, my english wasn’t very good, that’s all. I can write and read fine, but organizing my thoughts on “paper” is my problem, when i don’t know the exact words for something, and have to work around coming up with words that probably don’t apply.
In other words, by not being technical (this is a hobby), i get confusing.

I can try and rephrase it, if you want. What did you not understand fully?

Soyabeaner - I have the same learning problem as you. I need pictures and simple instructions. It’s getting even worse as I get older. At 67 I can’t remember why I have entered a room sometimes. :stuck_out_tongue:
It’s hard for me to visualize HIPS and sandbox, having never seen it. The more I read from this great forum and thread, the clearer it’s becoming. I think when I finally see the CPF with the new version, a light will come on in my head. I hope I remember what the light is for. ;D

(S)

Indeed, everything is alien talk if we don’t see it with our own eyes. Two sites explain very well what this is all about: http://www.sandboxie.com/ , the home of sandboxIE, they explain very well what their concept is all about, if something is missing, the FAQ is excellent; and http://www.gentlesecurity.com/index.html , from GeSWall, where they give an overview ( http://www.gentlesecurity.com/overview.html ), and they detail the features ( http://www.gentlesecurity.com/features.html ).

Like i said, GeSWall enforces policies, SandboxIE virtualises (everything in the sandbox won’t touch the disk).

I myself am limited, of course, to the products i’ve tested. From these two, i only didn’t try SandboxIE. But i understand it, because their site explains it very well.

Have a read, GeSWall’s site is quick to read, and their manual also (but not necessary to get the point imo), SandboxIE is more extensive, naturally, but it’s possible you won’t want to stop reading.

Someone - Thanks for those illustrations. The sandboxie.com did the trick for me.

That’s great :slight_smile:

One thing that was probably confusing is when i say SandboxIE doesn’t allow write to disk. I’m not referring to the physical disk, since it has to write there, but that it’s not writing to where it was meant to. So, if you open a pdf for instance, it would go to some temp folder, but SandboxIE redirects it to the sandbox folder, where it won’t do anything. And when you close it, you delete everything except what you recovered from the sandbox.

If there are SandboxIE users here, please correct me when i’m wrong. I still have to use it to understand some things better.
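To make the two approaches argued over in this thread concrete (policy-based restriction of rights in the GeSWall/HIPS style, and file-system virtualisation in the SandboxIE style with “save to disk” and “clear session”), here is a small Python model of one sandboxed session. It is an added illustration written for this page, not code from Comodo, SandboxIE or GeSWall; the class and method names (`SandboxSession`, `write`, `recover`, `clear`), the `denied_prefixes` policy list and the sample files are all constructed for the demo. Writes by the untrusted application are redirected into a sandbox directory, reads see the sandbox copy first, the user can recover one file to the real disk, and clearing the session throws the rest away; an optional policy layer refuses the write outright, which is the “restriction together with virtualisation” point from the quoted pros/cons.

```python
"""Toy model of a sandboxed session: redirected writes (virtualisation)
plus an optional deny-list policy (restriction). Constructed example."""

import os
import shutil
import tempfile
from dataclasses import dataclass, field


class PolicyDenied(PermissionError):
    """Raised when the policy layer refuses an operation before it is even redirected."""


@dataclass
class SandboxSession:
    real_root: str                      # the "real disk" (a temp dir in this demo)
    sandbox_root: str                   # where redirected writes actually land
    denied_prefixes: tuple = ()         # policy layer: relative paths the app may never touch
    recovered: list = field(default_factory=list)

    def _in_sandbox(self, rel):
        return os.path.join(self.sandbox_root, rel)

    def _on_disk(self, rel):
        return os.path.join(self.real_root, rel)

    def write(self, rel, data):
        """Untrusted app writes a file: policy check first, then redirect into the sandbox."""
        if any(rel.startswith(p) for p in self.denied_prefixes):
            raise PolicyDenied(rel)
        path = self._in_sandbox(rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    def read(self, rel):
        """The app sees its own sandbox copy first, falling through to the real disk."""
        for path in (self._in_sandbox(rel), self._on_disk(rel)):
            if os.path.exists(path):
                with open(path, "rb") as f:
                    return f.read()
        raise FileNotFoundError(rel)

    def recover(self, rel):
        """'Save to disk': the user copies one chosen file out of the sandbox."""
        dst = self._on_disk(rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(self._in_sandbox(rel), dst)
        self.recovered.append(rel)

    def clear(self):
        """'Clear session': everything that was not recovered is discarded."""
        shutil.rmtree(self.sandbox_root)
        os.makedirs(self.sandbox_root)


def demo(enforce_policy):
    """Run one session and report what the app saw and what survived on the real disk."""
    base = tempfile.mkdtemp()
    real, sb = os.path.join(base, "disk"), os.path.join(base, "sandbox")
    os.makedirs(os.path.join(real, "system"))
    os.makedirs(sb)
    with open(os.path.join(real, "system", "hosts"), "wb") as f:   # constructed system file
        f.write(b"127.0.0.1 localhost\n")

    s = SandboxSession(real, sb, denied_prefixes=("system/",) if enforce_policy else ())
    s.write("downloads/setup.exe", b"MZ...")          # unknown download: stays in the sandbox
    s.write("downloads/paper.pdf", b"%PDF-1.4 ...")   # download the user decides to keep
    try:
        s.write("system/hosts", b"tampered\n")        # attempted change to a system file
        denied = False
    except PolicyDenied:
        denied = True
    view = s.read("system/hosts")                     # what the sandboxed app sees

    s.recover("downloads/paper.pdf")                  # "save to disk"
    s.clear()                                         # "clear session"
    with open(os.path.join(real, "system", "hosts"), "rb") as f:
        real_hosts = f.read()
    survivors = sorted(os.path.relpath(os.path.join(d, name), real).replace(os.sep, "/")
                       for d, _, names in os.walk(real) for name in names)
    shutil.rmtree(base)
    return {"denied": denied, "view": view, "real_hosts": real_hosts, "survivors": survivors}


if __name__ == "__main__":
    print("virtualisation only:", demo(enforce_policy=False))
    print("virtualisation + policy:", demo(enforce_policy=True))
```

With virtualisation alone the app believes it changed `system/hosts` (its own view shows the tampered copy) but the real disk is untouched and the change vanishes on clear; with the policy layer the write is refused up front, so even a leak in the redirection would have nothing to leak. In both runs the only new file that survives is the one the user recovered.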