Defense+ - No HIPS alerts - Sandbox to Trusted List

Hello,

First off, thanks to the members and developers who take the time to answer everyone on this board. I have sometimes read people screaming about issues they encounter, forgetting that Comodo is free (the one I'm using) and that people give their free time to answer… Thankfully it doesn't happen that much :slight_smile:

Well, I'm wondering if I've set things correctly. I've been using CIS for 6 months now, I've set everything to custom rules, I've made my own rules for the firewall, same for D+. Sandbox is activated and I've set all unknown applications to be run with restricted rights; this works as expected, no problem with it.

So I run an unknown program, D+ alerts me that the app is in the sandbox and has restricted rights; this is what I want, the unknown program is then fully harmless according to me. In the D+ alert popup, I can add this program to the trusted list if I want to run it properly and if I decide that the file is safe, which I do. Just a remark though: sometimes installers run sandboxed even though "running installers and updates outside the sandbox" is ticked (maybe a bug?).

My main question is below:

Let's say I have a program unknown to Comodo, safe according to me, but that I want to have control over with D+.

If I run it for the first time:

  • Comodo runs it sandboxed and adds it to the unknown list (expected)
  • Comodo asks me through the popup if I want to add it to trusted files (expected)
  • If I do, the app can do whatever it wants (modify the registry, run explorer, install hooks, etc.) without popping any alerts (not expected)
  • If I don't, the app is stuck in the sandbox and does not work (expected)

I run D+ in Safe Mode (below Paranoid).

Execution control is turned on and everything is ticked in the Execution Control tab
Sandbox is turned on and everything is ticked in the Sandbox tab
Everything is ticked in the Monitoring tab

As soon as an application goes from the unknown list to the trusted list, I lose control over it. If I disable the sandbox, I can allow actions for the specific app.

Does the trusted list mean no alerts at all?

Thank you for any enlightenment. I may have misconfigured something.

Hi,

If you want to have control of the trusted/safe files, you must set Defense+ to Paranoid mode and the FW to Custom Policy mode. You'll receive alerts for every move. When you are sure, you answer with "Remember my answer" checked. This way, you'll customize what is allowed or not for the trusted files.
In the FW, you should also set the alert frequency to Very High to get more information on the requests made.

Create a rule ahead of time. Add the application to the Computer Security Policy and add your rules for it. Even if it's a trusted app, it will follow the rules in the Computer Security Policy. You have to understand the rules you want to apply, of course. If you want play-by-play alerts, then refer to the former post :-TU