Excluding a folder from AutoSandbox doesn't work when Embedded code detection is on

Comodo Firewall still autosandboxes the Visual Studio project assemblies even after excluding the whole solution folder. When Embedded code detection is OFF this doesn’t happen. I’ve also had many other problems with this embedded code detection. When the Avast SafeZone browser is run it goes crazy and continues to say that batch files are sandboxed. Please understand that from a user’s point of view you simply CANNOT autosandbox every single script a program runs. This makes a lot of software not work as expected, and makes your software unusable by default unless the settings are changed. Comodo team, please fix this. At least don’t sandbox the scripts from files located in the excluded folders and from trusted files.

They were probably excited to serve such capability and rushed it. You should avoid posting feedback in Help section as it might not get enough attention. Do note that it’s a new feature.

But I don’t understand. Haven’t they tested the product? The test phase is before the release, not after it. Where can I report this, should I ask on the site? It is important that they fix that bug as soon as possible. Since I installed Comodo Firewall 10 I have 186 batches in the temp folder; do users have to exclude each one via the unblock thingie? This is not possible, as most users do not know about this and they will usually think my PC is bad: “you crashed it…” This is not the way you do things. The hell, it even sandboxes Google Chrome scripts??? I tell you that Google and other software developers will sue you, because developers have the right to do so.

You could create a new topic in the Feedback section:
https://forums.comodo.com/news-announcements-feedback-cis-b129.0/

I wouldn’t call it a bug. It seems like unanticipated behavior which resulted in a usability issue. You can disable it for now if you experience issues. This feature did not exist in previous versions.


Some possible explanations:
a) design was incomplete; problem is not fully understood or/and it requires proactive approaches
b) tests were “non-standard” → it required tests with extensions, different issues appear with different browsers, etc
c) usability issues appear all the time and it’s probably handled by a different sub-team in the process; takes time, user input
d) they were aware of it and decided not to release internal update until fix is available

It’s not hard to see what could be done to fix it. And it’s not hard to do so. Simply don’t limit and/or sandbox trusted applications. And take care to reduce the false positives. Don’t you have some automated checks to check whether the files are safe? Comodo’s marketing says “Cloud based behavior analysis system detects zero-day malware INSTANTLY.” and “Cloud based whitelisting of trusted publisher easily identifies a safe file and vendor”. Does it really take you a month to analyze a simple 1kb batch file? Other vendors do this in 1-2 hours. Don’t be ■■■■■■■■. Can’t you analyze in real time?

I, personally, disagree with trusting the scripts (by AV lab). A much better solution (in my opinion) would be to restrict the feature to sandboxed files by default (aka monitoring only in Sandbox), if possible. There are some problems which are fixed with the proposed solution. In addition, some (powerful, easy to use) exclusion capabilities should be added to the current design (it could be available in proactive config).

Simply don’t limit the scripts of a known trusted program and ask the users before sandboxing unknown files. Say the OS or a 3rd party app runs some action that will not run again by itself and there is no way to run it manually again; if it is sandboxed, it is gone.

I do not see the need to use Comodo and Avast together (Comodo loses only in detection, and yet it is not such a big difference);

As for blocking secure files or scripts belonging to them, this is a behavior that every antivirus should have (optional or by default);

Scripts or malicious code can be inserted by malware into secure files, or malware can use scripts and applications to make modifications to secure files (images, text, system files …).

Comodo is a firewall and Avast is an antivirus… better not to discuss this.

Blocking secure files and scripts, if it existed, would be a bug and not a feature. Your job is not to block people from using their PC but to block them from “using” malicious files.

Yeah, it’s the same as for EXEs and DLLs. Scripts are nothing more than some code which runs in an interpreter. If it is a standalone file (say *.js or *.vbs) then it can be treated like .DLLs and .EXEs. There are malicious .DLLs and malicious .EXEs. There are also clean (not malicious by design) .DLLs and .EXEs. Just as you cannot block safe .EXEs and .DLLs from executing, you cannot block safe scripts from executing. If it is a known safe program you will not block it; otherwise it is a False Positive. Haven’t you heard of FPs?
Saying that you should block all scripts whether they are safe or not is at least stupid. Your way of thinking is like this: “Hey, there are malicious .EXEs out there… why not block all .EXEs regardless of whether they are safe or malicious. Oh, also this: Hey, there are malicious .DLLs out there, we should block every .EXE from loading .DLLs. And: Hey, there are malicious scripts out there in the wild, on systems with our cool Comodo the users should not use scripts, we should block them.” Look, if Comodo pays the price of my PC + programs on it + the amount of time to reinstall them on another PC, I would throw my PC out of the window. But this is not your job. Saying that malicious code can be injected into apps doesn’t mean you have to stop using apps. And what if I tell you that Comodo Firewall has vulnerabilities, as with any other software? Hey, malicious code can be injected into Comodo Firewall, let’s remove it and not use it because it is a potential attack vector. Do you know that Comodo uses SHA1 to see whether a file is safe? If some malicious code is injected the SHA1 will be different and the file will not be trusted again, so all of its scripts along with the file will get sandboxed. Doing injection into a running process is a different thing and there is a HIPS for this. Some products even have an automated IDS.

Again, your goal is to make money by satisfying the users’ needs (which in your branch means protecting them and not blocking them from their PCs).

Embedded code detection is supposed to protect you when a trusted application is exploited to run another trusted application with command line arguments. Take for example Poweliks that executes the following:

rundll32.exe javascript:“..\mshtml,RunHTMLApplication “;document.write(”\74script language=jscript.encode>”+(new%20ActiveXObject(“WScript.Shell)).RegRead(“HKCU\software\microsoft\windows\currentversion\run\”)+”\74/script>")

Take note that rundll32.exe is a safe and trusted application that is being run to execute JavaScript code. Without embedded code detection this will go unnoticed and Poweliks is able to maintain a persistent infection. To see this feature in action, open a command prompt and paste the above code, and notice it will get sandboxed and/or raise a HIPS alert.
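The point above is that a whitelist judges rundll32.exe by its image hash or signature, so the script in the arguments has to be caught by inspecting the command line itself. Here is an added, defender-side illustration of that check (not code from the forum post or from Comodo); the process-creation events are constructed, and the rules are a small hypothetical ruleset rather than any product's actual logic.

```python
import re

# Constructed sample process-creation events (not real logs): the image that
# was launched and the full command line. Event 1 mimics the Poweliks pattern
# from the post (rundll32.exe handed a javascript: URL that loads mshtml and
# calls RunHTMLApplication); the others are benign or a related host abuse.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
                'document.write("constructed")'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe vbscript:CreateObject("WScript.Shell")'},
    {"image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe --type=renderer --lang=en-US"},
]

# Signed, trusted binaries that will run code supplied only on the command
# line. A trust decision keyed on the image's hash or signature (what a
# whitelist sees) says nothing about these arguments, hence the inspection.
SCRIPT_HOSTS = {"rundll32.exe", "mshta.exe"}
SCRIPT_URL = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
HTA_LOADER = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
SHELL_OBJECT = re.compile(r"WScript\.Shell|ActiveXObject", re.IGNORECASE)

def host_name(image: str) -> str:
    """Return the lowercase file name of an image path (either separator)."""
    return re.split(r"[\\/]", image)[-1].lower()

def inspect_event(event: dict) -> list:
    """Return the reasons an event looks like embedded script handed to a
    trusted host; an empty list means nothing suspicious was seen."""
    reasons = []
    if host_name(event["image"]) not in SCRIPT_HOSTS:
        return reasons          # ordinary program: arguments are not script
    cmd = event["cmdline"]
    if SCRIPT_URL.search(cmd):
        reasons.append("script protocol handler in arguments")
    if HTA_LOADER.search(cmd):
        reasons.append("mshtml RunHTMLApplication loader")
    if SHELL_OBJECT.search(cmd):
        reasons.append("shell/ActiveX object instantiated from command line")
    return reasons

def detect(events: list) -> dict:
    """Map the index of each suspicious event to its list of reasons."""
    return {i: r for i, ev in enumerate(events) if (r := inspect_event(ev))}

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], why)
```

Events 0 and 3 pass because a trusted host with ordinary arguments, or a non-host program, is exactly what the exclusion and whitelist should leave alone; only the command lines carrying script are flagged.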

I assume you are writing scripts in VS and run and test them from the VS compiler. In that case activate the HIPS and give the VS executable the Installer/Updater policy. That way you will bypass the sandbox and the VS executable can start the scripts without being asked.