This is a very good suggestion.
A practical example of how this would be useful: Do you access your email and see a message containing malware or keystroke capture screen, it contains the email of a parent or friends, you download the file and run. So without realizing you access your bank account or other email, and there are ancient methods used by malware writers to easily pass through the firewall without a single warning.
Any malicious program that is able to use legitimate programs to access the internet will send their data to the criminal if using the browser, messenger fully virtualized.
Okay, let me try to wrap my head around what is really going on with this configuration. Is the issue, which causes the bypasses, due to the leaktest actually being able to leak information, meaning a true bypass, or due to the Behavioarl Blocker component making it think it has been able to leak information.
From what I have been told it is the second, meaning that there is no danger here. This has been reported many times, and the best information I have gotten is that the leaktest was meant to test a HIPS (meaning if it is not automatically blocked it is marked as a failure). Therefore, as the HIPS in that configuration is meant to supplement the BB, some actions will technically not be blocked, but instead run at the level of the BB, hence the lowered score. However, this does not mean that you are actually that much less secure. It is just a different way of protecting your computer.
If anyone believes I have misunderstood the issue, or perhaps downplayed the danger, please feel free to respond. I am absolutely willing to have a discussion about this, and if I believe there is any danger against real malware forward this as a wish.
With HIPS in safe mode and no custom rules made, HIPS will alert that the leaktest is trying to access the Protected COM Interface C:\Program Files (x86)\Internet Explorer\iexplore.exe and if you allow it then it is able to send the data and the fail page shows, if you block it then it isn’t able to send the data and the pass page shows.
When b152, said he wants to interact when the HIPS module performs some fully virtualized file. If I understand he may be unsure as to not filter leaks firewall (comodo firewall is unable to recognize malware or secure files that use other files recognized by the CIS database).
The firewall comodo five versions became dependent on the HIPS module and injectors passed easily through the firewall.
If users do not want to listen to at least give a little more attention to the firewall module, which has with HIPS disabled or a fully virtualized and running malicious file with HIPS enabled, comodo firewall will fail.
As I show in the print and video because comodo firewall pro 2.xxx is able to intercept leaks connections, and comodo firewall 7 failure?
[at] lionsant, if I am not misunderstanding, are those not different situations from that which the OP is describing? There are issues with Fully Virtualized and firewall leaks and the default configuration and firewall leaks. However, I am not aware of any for just the HIPS, with the BB disabled and nothing sandboxed.
[at] everyone, I think the issue with having the BB enabled and the HIPS also enabled is that some things will not be blocked as they will be allowed to run in the BB. However, this is the intended behavior. If users do not want anything to be run without their permission they should just use the HIPS.
Am I correct in my interpretations?
However, b152, I do not understand why you believe it is run outside of the sandbox. Can you please explain this?
In this situation is for testing only, but i can write a litte example:
Timmy want SoftX but this is so expensive 500$ and doesn’t have test period.
Timmy decides to test the program using a keygen.
But comodo sandbox block it (some programs fail in sandbox)
And timmy deicdes tun ot of sanbox, the keygen give a key, but surprice keygen infect computer with a file (¿Invasion: FileDrop?) and make it autorun (¿Hijacking: StartupPrograms?) and Timmy is f**
Jon want SoftX but this is so expensive 500$ and doesn’t have test period.
Jon decides to test the program using a keygen.
Comodo alert Jon from badKeygen (Invasion: FileDrop, Hijacking: StartupPrograms)
Now Jon can block this and get secured. Jon is happy with comodo
Yes, Jon can miss Comodo alerts and get infected, but is HIS mistake, not comodo mistake.
BB is a good layer of protection, but would not have to interfere to another layers…
BB=/=HIPS. Are two distinct layers, there would have to be affected with each other
If you are talking about an execution of a program you want to use or know better , yes .
If you are talking about running the browser on the virtual desktop to access your email or bank safely , download acidentalmene an email containing malware capture and use the browser itself to leak your information the firewall will fail .
b152, it’s best not to think of the BB and the HIPS as two completely different security systems. The Behavioral Blocker (BB) is best thought of as an automated HIPS. Essentially, each level of the BB will load certain rules which will automatically allow certain types of actions while allowing others. Essentially, it is answering the HIPS alerts for you. Obviously, the higher the level the more often it will restrict these actions (essentially answer no on your behalf).
Using the BB with the HIPS will give the user a little more control, but as the BB is being used some actions will of course be allowed. If you didn’t want that you would just be using the HIPS or have the BB set to Blocked.
Does this explanation help make a little more sense as to how these two work together? Let me know if you have any questions.