For the moment I have abandoned CIS & CAV

Hello,

For the moment I have abandoned CIS and CAV (6882).

I did a test with a malware known to Virus Total (about 50 antivirus houses, the largest and also the smallest ones) that was not detected by COMODO among its definitions. This malware is placed in the sandbox and attempts connections to IP addresses, which are obviously blocked by the firewall. However, the application remains running and Viruscope does not intervene; it lets it run in the sandbox, continuing to make attempts to connect to IP addresses (blocked by the firewall). Only if you reset the sandbox or restart your PC will the application stop. With the firewall it is easy, although I expected that, being a malicious app, Viruscope should have stopped it. The problem arises in CAV, or in CIS with the firewall disabled: the app is run in the sandbox (therefore it does not create problems for the operating system) but makes connections to IP addresses. So I don't like that it connects to IP addresses without CAV or CIS (without firewall) intervening to stop it.

I did a test with Kaspersky Security Cloud Free. I deactivated the file protection, otherwise it would have immediately deleted it (which CAV and CIS do not), and as soon as I ran the malware the application control system blocked it immediately after running it, and then it was eliminated. I would say perfect execution by KSC.

So I decided to reinstall CIS (which still has many instability problems) and to switch to KSC Free with which I feel more protected.

Then possibly in the future, if the various problems with CIS are solved and the recognition is improved, I will be able to return to CIS, whose structure I like, but it must be much improved.

If I can recover the malware in question again, I will put it in the test section of the forum with the details.

You may as well disable everything and claim CIS doesn’t work

You would have had several warnings as any of this occurred, and you obviously do not understand the principle and working of Containment in CIS.

Perhaps the containment system is not very clear to me, but CIS with the firewall active works by blocking outgoing connections, and therefore OK, but the malicious app continues to run, continuing to try outgoing connections, and the firewall blocks them. Why doesn't Viruscope intervene by killing the malicious app?

CAV (CIS without firewall), even with active and functional containment, allows outgoing connections without Viruscope intervening. What data are transmitted out of my PC? Where's the security?

Maybe I'm not an expert and something escapes me, but honestly I prefer the intervention of KSC Free, which immediately blocks everything.

Hi Nunzio . . . The 'virus' or unknown is not stopped by the firewall and is not contacting anyone - it is in containment.

If you feel better using an AV that stops a chosen virus (assuming their engineers are updating the program to recognize the 200,000+ released every day!) then go right ahead, but until you can find and post anything / any virus that can actually breach CIS protection, it is advisable not to create posts to that effect and incorrectly state how it works.

So, a clarification: if it is in containment and makes outgoing connections that are not blocked by the firewall, in the case of CAV, can I still feel comfortable? Mine is a simple non-security question from someone who noticed this behavior in CIS / CAV. It is a clarification post with you, who are surely more experienced than me in terms of safety. If this behavior is safe then I go back to CIS / CAV. ???

The link I sent you previously gives all the info you should need and explains everything. . . apart from that it is quite interesting :wink:

I split this discussion from the release topic as it is off topic.

This was a very useful CCAV feature and I made a wish to implement it in CAV too:
https://forums.comodo.com/

Check the "Run Virtually for all Unknowns" Auto-Containment rule. Right-click on it, Edit, modify it to "Run Restricted", then Options. Set restriction level > Untrusted.

The malware should not be able to connect at the Untrusted level, due to being unable to access the Windows Sockets interface.

You may as well switch your Auto-Containment rule for Unknowns to Block, so you turn CIS/CAV into anti-executable software. Anything that is not on the whitelist is blocked from executing in the first place. Kaspersky only offers a feature similar to this (blocking the execution of things not in the whitelist) in its paid editions.

Thank you.

This is the file I tested with:

Great!
Yes, I remember this function in CCAV well; in my opinion it was also excellent and should be replicated in CAV. :wink:

In conclusion, without making any particular changes in the containment settings, if the malware is running in the containment, are the outgoing connections it makes to the IP addresses dangerous because of a privacy problem or an exchange of information between my PC and these IP addresses?

Or, being in containment, are these outbound connections to these IP addresses harmless even if it makes them?

This is what is indicated in the guide:

"The files in the container are isolated from other processes, write to a virtual file system and registry, and cannot access user data."

Obviously, assuming the firewall is disabled in CIS, or using CAV, which does not have the firewall.

If this doubt is clarified, I return to CIS / CAV :wink: :smiley:

Thank you. :smiley:

You have been reassured; explanations and the relevant links have been given to you several times now. All these questions have been answered . . . needless repetition isn't going to change them.

OK, so those outgoing connections are harmless.

Return to CIS / CAV. :wink:

Thank you. :smiley:

:P

Sorry for the insistence on the clarifications, but I rely on you, who are more experienced and know CIS and CAV better. :smiley:

Thank you. :smiley:

N- Remember that data-stealing malware MUST be able to do 2 things: it must be able to harvest data on your system AND be able to transmit that data out to the bad guys. Having just an AV in place would stop the malware IF the AV has a definition for it, but what if that malware is a true zero-day file that NOBODY detects?

The beauty of Comodo is that it protects against these true zero-day baddies.

If it helps, for a quick demonstration see a video here:

M

Thank you cruelsister; anyway, I follow your YouTube channel.

One question: does this also work with CAV (no firewall), i.e. setting only the containment restriction level to "Untrusted", since there is no firewall in CAV?

Can this change in containment settings cause problems with some applications?

Thanks
Nunzio.

You're lucky :P

No