Full Virtualized Application Logging Tool

Hi.

Maybe it’s too much to ask at this point, but I’d like to see some application activity log inside sandbox for a specific application.

Scenario example.
1: Double click on suspiciousprogram.exe [obviously program name can be anything]
2: We get CIS Alert that suspiciousprogram.exe is unknown and sandboxed as fully virtualized.
3: We then have special small popup [Similar to old school avast scanning or Geswall] detailing program activity like:
09:00:01 suspiciousprogram.exe created folder in \temp\suspro\install
09:00:01 suspiciousprogram.exe created file installerdownload.exe in \temp\suspro\install
09:00:02 installerdownload.exe connects to 91.122.06.04 on port 80
09:00:05 installerdownload.exe is downloading a file trojan1.exe
09:01:02 installerdownload.exe is executing file trojan1.exe
09:01:05 trojan1.exe is crawling/indexing for user files
09:01:13 trojan1.exe is attempting to delete folder at \windows\system32
09:01:16 trojan1.exe is trying to write to \windows\system32\drivers\hosts file
09:01:25 trojan1.exe is trying to encrypt *.* on drive C:\

VERDICT: File is attempting suspicious/dangerous actions which may compromise the system if trusted.

This could be offline/local analysis if no cloud/online analysis is available. If there is, a report could already be downloaded and help with deciding whether an application is safe or there is some hidden agenda inside.
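As an added example (not code from the original post, from CIS, or from GeSWall), here is one way the activity log in the scenario above could be scored offline to produce the VERDICT line. The log format, the rule weights, the thresholds and the process names are assumptions made for illustration; the log lines are constructed to mirror the scenario, plus a second constructed log for a benign installer to show the tool staying quiet. The one thing the raw log does not show and the scorer adds is correlation across lines: executing a file that an earlier line recorded as dropped or downloaded is weighted higher than executing a file that was already on disk.

```python
"""Score a sandbox activity log and emit a verdict (constructed example)."""
import re
from dataclasses import dataclass, field

# Assumed log format: "HH:MM:SS <process> <action text>"
LOG_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# (regex over the action text, weight, label). Weights are assumptions, not CIS values.
RULES = [
    (re.compile(r"created folder"), 0, "creates folder"),
    (re.compile(r"created file (?P<file>\S+)"), 1, "drops file"),
    (re.compile(r"connects to (?P<host>\S+) on port (?P<port>\d+)"), 2, "outbound connection"),
    (re.compile(r"downloading a file (?P<file>\S+)"), 2, "downloads file"),
    (re.compile(r"executing file (?P<file>\S+)"), 2, "executes file"),
    (re.compile(r"crawling/indexing for user files"), 3, "enumerates user files"),
    (re.compile(r"delete folder at \\windows\\system32", re.I), 5, "deletes system directory"),
    (re.compile(r"write to .*\\hosts", re.I), 4, "modifies hosts file"),
    (re.compile(r"encrypt .* on drive", re.I), 8, "mass encryption"),
]

# Constructed sample log mirroring the scenario in the post.
SAMPLE_LOG = r"""09:00:01 suspiciousprogram.exe created folder in \temp\suspro\install
09:00:01 suspiciousprogram.exe created file installerdownload.exe in \temp\suspro\install
09:00:02 installerdownload.exe connects to 91.122.06.04 on port 80
09:00:05 installerdownload.exe is downloading a file trojan1.exe
09:01:02 installerdownload.exe is executing file trojan1.exe
09:01:05 trojan1.exe is crawling/indexing for user files
09:01:13 trojan1.exe is attempting to delete folder at \windows\system32
09:01:16 trojan1.exe is trying to write to \windows\system32\drivers\hosts file
09:01:25 trojan1.exe is trying to encrypt *.* on drive C:\
"""

# Constructed benign log: an installer that only touches its own temp directory.
BENIGN_LOG = r"""09:10:00 setup.exe created folder in \temp\setup
09:10:01 setup.exe created file readme.txt in \temp\setup
"""


@dataclass
class Analysis:
    score: int = 0
    findings: list = field(default_factory=list)   # (time, process, label, weight)
    dropped_by: dict = field(default_factory=dict)  # file name -> process that wrote it


def analyze(log_text: str) -> Analysis:
    """Apply RULES line by line; the first matching rule per line wins."""
    a = Analysis()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not in the assumed format
        ts, proc, action = m.groups()
        for rx, weight, label in RULES:
            hit = rx.search(action)
            if not hit:
                continue
            fname = hit.groupdict().get("file")
            if label in ("drops file", "downloads file") and fname:
                a.dropped_by[fname] = proc  # remember who put this file on disk
            if label == "executes file" and fname in a.dropped_by:
                # Correlation: running a file this chain itself dropped is the
                # classic downloader pattern, so weight it higher.
                weight += 3
                label = f"executes dropped file (dropped by {a.dropped_by[fname]})"
            a.score += weight
            a.findings.append((ts, proc, label, weight))
            break
    return a


def verdict(a: Analysis) -> str:
    """Thresholds are assumptions chosen for this example."""
    if a.score >= 10:
        return "DANGEROUS"
    if a.score >= 4:
        return "SUSPICIOUS"
    return "NO SUSPICIOUS ACTIVITY"


def report(log_text: str) -> str:
    a = analyze(log_text)
    lines = [f"{ts} {proc}: {label} (+{w})" for ts, proc, label, w in a.findings if w]
    lines.append(f"VERDICT: {verdict(a)} (score {a.score})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print()
    print(report(BENIGN_LOG))
```

Rule order matters: a line is charged to the first rule that matches it, so the cheaper "created folder" rule sits above "created file" to keep the two from shadowing each other. Anything a real tool reported that the rules do not recognise simply scores zero, which is the right default for a log meant to support a human decision rather than to block on its own.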

+1 sound good, please add poll

I wish I could, I don’t see the option, not even in additional options, so, maybe the mods could do it?

Sounds similar to my HIDS suggestion for BB
+1

Similar but different :wink:

Here it is as an example, like GeSWall:

http://www.gentlesecurity.com/docs/pix/026.png

http://www.gentlesecurity.com/docs/pix/028.png

http://www.gentlesecurity.com/docs/pix/017.png

Oh and also add to it we can see dropped/created files/folders:

http://www.gentlesecurity.com/docs/pix/025.png

Well, if you also want to be asked inside the sandbox, then yes, there is a wish for that: "HIDS" by SanyaIV. If you only want to have a log, then OK.

HIDS really is very interesting, and having control inside the sandbox is really nice to have! :-TU
But LOGS would be for assessing if the application is safe or not safe.
Because I don't see how one can be sure the app is 100% safe and isn't trying to do something behind the scenes...

Yep, here you are right. This is why a mod should help you add a poll. Personally I like your idea, and yes, it has strong points for being implemented in the near future.

I wish the mods could make a yes/no poll.

Now that I think of it, an ANUBIS/CIMA offline hybrid could be swell...
http://anubis.iseclab.org/
http://camas.comodo.com/

I assume you only read the HIPS part of my HIPS/HIDS suggestion =P The HIDS would have no questions asked and the actions would be shown in a window, not pop-ups; HIPS would be the normal CIS HIPS but in the Sandbox, which is why I have different options for voting :wink:

However, I should stop talking about my suggestion in here; it's off-topic.

You mean actions of CIS regarding the sandboxed program would be shown in a window?

No, actions of the sandboxed programs would show in the window, like if it writes a file or accesses the keyboard directly, etc.

So basically that's what I want/need, as described in the topic?

I think so.

Yep :wink:

Cool, gave the Yes vote on the poll :-TU

As you are the OP you can add it yourself: bottom of the page, second button to the right of the reply button.

Sorry, I did my best, I must be blind, I don't see it... ???


Hi JakeGreen,
It is near the bottom of any page within the topic (Screenshot).
Note: Do not select reply to see the ‘Add Poll’ function.
