Feedback on Help, FAQs and Guides

Thanks for the feedback John, makes the effort well worthwhile!

Mouse

Hi mouse1.

As you might already know I have been trying to make CIS 5 work in my PC without any good results even though CIS 3 and 4 worked nicely in the past.

I am having trouble with a few files being sandboxed that I believe are the cause of my machine hanging on cold boot (first time of the day).

I have read the CIS 5 manual and your FAQs, and I thank you for them; however, I have a few questions, maybe because English is not my native language or I am too old to learn, but I do not get it.

You said:

The Trusted Files and Trusted Applications policies are quite similar, however there are important differences:

•A Trusted File is not automatically sandboxed. A trusted file will be sandboxed unless it is also a safe file

When I add a file to the “Trusted Files”, it does not become a safe file? When does it become a safe file? When Comodo adds it to its white list?

•Trusted Files can run Trusted Files, trusted applications cannot run trusted files or applications

Here you lost me. I know trusted files are the files in Defence+ > Trusted Files and Trusted Applications are the files in Defence+ > Computer Security Policy > Defence+ Rules, given Trusted Predefined Policy, so if I have HPqdirec.exe in trusted applications and it runs Hpqtra08.exe, which is in Trusted files, HPqtra08.exe will not run at all or will not run as a trusted file?

•The predefined policy for Trusted Applications can be changed in ‘Predefined Policies’; that for Trusted Files cannot.

Ok I got this one. No problem.

•Files can be given Trusted File status if they are declared safe when looked up on the cloud safe list. They cannot be made Trusted Applications

So a trusted file cannot be removed from “Trusted Files” and added to “Defence+ Rules” and given a Trusted Application rule, but you said here in # 5 to remove any trusted files in the Trusted File list and to add it to D+ Rules with an Installer/Updater Predefined rule:

https://forums.comodo.com/defense-sandbox-faq-cis/app-is-not-working-correctly-but-does-not-seem-to-be-sandboxed-what-to-do-t61684.0.html;msg434597#msg434597

Or is it different with Installer/Updater rules?

•Signed files from Trusted Vendors are regarded as Trusted Files not Trusted Applications

OK I got this one too.

•Trusted Files by default are allowed outbound access to the internet, Trusted Applications are not (unless also made trusted using firewall settings).

And this one no problem.

Sorry to be a bother, but I am desperate for CIS 5 to work in my PC and I am trying to understand what is going on, and I thank you beforehand.

I forgot. Is it better to leave the files sandboxed and let Comodo make them safe? Or can I add the files to the Trusted files myself? However if I do this, the files are not declared safe until Comodo says so. According to what you said in point # 4 above.

First thanks for your comments which I very much appreciate. My responses below:

Apologies, the last part of this was not updated properly to CIS 5. It should read:

•A Trusted File is not automatically sandboxed. A trusted application will be sandboxed unless it is also a trusted file

•Trusted Files can run Trusted Files, trusted applications cannot run trusted files or applications

Here you lost me. I know trusted files are the files in Defence+ > Trusted Files and Trusted Applications are the files in Defence+ > Computer Security Policy > Defence+ Rules, given Trusted Predefined Policy, so if I have HPqdirec.exe in trusted applications and it runs Hpqtra08.exe, which is in Trusted files, HPqtra08.exe will not run at all or will not run as a trusted file?


The fuller version would be: “If you have a trusted application which is not a trusted file, then it cannot run another trusted file unless you allow an image execution alert”

•Files can be given Trusted File status if they are declared safe when looked up on the cloud safe list. They cannot be made Trusted Applications

So a trusted file cannot be removed from “Trusted Files” and added to “Defence+ Rules” and given a Trusted Application rule, but you said here in # 5 to remove any trusted files in the Trusted File list and to add it to D+ Rules with an Installer/Updater Predefined rule:

A fuller version would be:
“Files can be given Trusted File status automatically by CIS if they are declared safe when looked up on the cloud safe list. They cannot be made Trusted Applications automatically by CIS”

Sorry to be a bother, but I am desperate for CIS 5 to work in my PC and I am trying to understand what is going on, and I thank you beforehand.

I forgot. Is it better to leave the files sandboxed and let Comodo make them safe? Or can I add the files to the Trusted files myself?
It does not really matter. But do remember you may need to reboot afterwards.
However if I do this, the files are not declared safe until Comodo says so. According to what you said in point # 4 above.
Point 4 now corrected.

Absolutely no problem to ask - it is what this topic is for. I’ve corrected the non-updated sentence already and will be considering how to make the other explanations clearer. My apologies for the error.

Best wishes

Mouse

No apologies needed, I just thank you for your answer and the work you have done.

Regards.

That’s fine. Now amended the other entries too. Please do check and see if you think they are sufficiently clear.

Hi mouse.

Much, much better. Now I understand all of them. Nice job. Thank you.

Hi Mouse,

First of all I would like to say thanks for all of your hard work; these FAQs are very helpful.
But I would like to know if you could add something that could explain the process of the sandbox after the reboot.

1- After the reboot everything that is in the sandbox will be automatically terminated and won't be able to execute (only after manual execution).

2- If my first post is right, then that means after the reboot you will not receive pop-ups from those programs (like com windows hooks, COM interfaces, etc).

3- Can another program (trusted or not) start an application that was terminated in reboot (and of course is in untrusted files)?

4- Manually terminating an application that is in the sandbox will have the same effect as rebooting (the application won't be able to automatically start).

5- What about dropped files?

I hope this is not confusing, but only after reading a question in the forum I realized what happens when you reboot, and I am sure many others new to Comodo will have the same difficulties.

Many Thanks

Hi Peter

Just off on a week’s hols, and it may take a while to reply to this, so I’ll do that when I return if that’s OK.

(Other mods may reply between)

Meanwhile please read the introduction to the sandbox (see my signature) to understand it better, if you have time. Be assured that CIS offers very good protection, better than the big names in security.

Will reply on my return

Best wishes

Mouse

Many thanks Mouse

Please add to D+ FAQ:

  1. Differences between Comodo Preset Configurations, but not this outdated text.

  2. How to enable execution alerts when starting an application from Windows Explorer.

No, it will run in the sandbox again after the reboot, unless removed from the sandbox in some way, for example by the user making it a trusted file. Because it is sandboxed it is unable to damage your system.

2- If my first post is right, then that means after the reboot you will not receive pop-ups from those programs (like com windows hooks, COM interfaces, etc).
You will receive the same pop-ups, if the app is still sandboxed. Most sandboxed files don't generate COM, hook alerts, but some do.

3- Can another program (trusted or not) start an application that was terminated in reboot (and of course is in untrusted files)?
If an unknown program is started again it is sandboxed and so unable to damage your system.

4- Manually terminating an application that is in the sandbox will have the same effect as rebooting (the application won't be able to automatically start).
If an unknown program is started again, whether automatically or not, it is sandboxed and so unable to damage your system.

5- What about dropped files?
Sandboxed software is not allowed to drop files in protected directories.

Hope this answers your questions. Apologies for the delay.

Mouse

Good suggestions! Will do my best when I have time. Think differences between CIS and Proactive now small.

If you want to have a go do post here, and I will move to FAQ when ready!

Best wishes

Mike

Thanks for all the answers Mouse.

Draft comparison of Proactive and Internet Security Configs added: here.

Please do check if you agree if you have time.

Thanks!

Thanks for the guide; it was a big help.

However there was one item that I found a bit confusing, #5. “ignoring all except AV alerts”. I am well versed in Comodo (though by no means as expert as some), so if I found it confusing, others might too. Then again, no one else has posted a comment on this so it may only be me.

When you say, “all except AV alerts”, surely you don’t mean D+ alerts, of which I had quite a few, and the closest thing there to ‘ignore’ is ‘cancel’. Then of course the program won’t run. I chose the status I wanted for the program. But of course if you’re ‘choosing’ you’re not ‘ignoring’.

I may be totally missing something here, so can you please point me in a direction to find an explanation to this confusion.

I mean just literally ignore them; they’ll time out or not before the next reboot. It does not matter if they don’t time out before your reboot. The reason for this policy is to avoid the risk of creating confusing additional rules, which will happen if people answer and tick remember my answer.

Okay. Thanks for the reply.

From https://forums.comodo.com/defense-sandbox-faq-cis/file-specification-inc-using-wildcards-in-cis-draft-v5-t77245.0.html:

However there appears to be no simple way to get round this when defining block and allow lists for a specific file or file spec. Block lists under 'customise' in a D+ rule don't over-ride more general allow lists for example, and you cannot define multiple rulesets for the same file or set of files (specified the same way) in D+. However in D+ rules defining the file path once using a string, and the second time an environment variable, does seem to be accepted by D+ and priority ordering may therefore work.

One can get around this by using multiple file groups, with each file group including the same file or file spec.

Good thought :). So then priority ordering would potentially work.

Best wishes

Mouse