HIPS and Comodo sandbox

Hi guys,
I noticed that in version 6.3xx if I turn on the HIPS module, it doesn’t work in the sandbox…I mean: if some malware is running in the Comodo sandbox, I can have warnings from the AV and FW, but not from HIPS.
Has this been modified in the v7 beta? It could be useful to know what a sandboxed application is trying to do before installing it definitively outside the sandbox…

I changed the all-caps title to normal case. Eic

I made a wish for something like this a while ago, but to answer your question no, you don’t get any HIPS alerts or similar.

HIPS alerts you about your real system.
If an application is manually sandboxed or auto fully virtualized, it is executing in a virtual environment.

Yes but if something malicious is carried out in the FV sandbox you never get to know about it (assuming it does this silently) so you can’t determine whether an application is safe to use in the real system or not, hence having HIPS alerts (or my HIDS suggestion) would make it easier for the more advanced user to determine whether an application is safe, but also in a safe environment where the wrong answer doesn’t pose the risk of trashing the whole system.

Sure you can submit these applications to whitelisting but if they get denied then they don’t say why and being denied does not mean being malicious so you never get a clear answer there unless it’s allowed to be whitelisted, besides that can take several days and in some cases a week or more.

I agree with Sanya IV Litvyak: suppose I want to install an unknown application in the Comodo sandbox to give it a try…it could be useful to know how it behaves in the sandbox before deciding if I want it on my PC…nowadays I can have warnings from the AV (OK, but if it’s zero-day malware?), and FW (many legitimate applications want to go on the internet or receive connections…), but it couldn’t be enough to evaluate the new software.
Also…now I’m using Sandboxie, and Comodo HIPS is warning me about potential dangers…it’s very odd that it can “see” inside a third-party sandboxing software, but not inside the Comodo sandbox…

HIPS is not needed with the auto-sandbox on. Comodo can see into Sandboxie because that is intentional in Sandboxie’s design. The Sandboxie FAQ says that antivirus will detect viruses in Sandboxie. Nothing surprising here. The fully virtual Comodo sandbox is meant to hide actions from the rest of the system. This means antivirus cannot spy on the files in the Kiosk. Once I did see an exception with an early version but this was probably because of a flaw in the Kiosk. If you try running malware in the Kiosk now that will probably not happen. I hope this helps you. :slight_smile:

You will be prompted by HIPS if something malicious occurs on the real system.

Yes but if you answer wrongly your whole system might be trashed, hence having a fully virtualized environment where you can analyze what the application is doing before moving it to the real system is something that would be useful. Currently we have to choose between analyzing on the real system or running it in the FV sandbox and never knowing what it is doing.

The purpose here isn’t to stop a malware from doing something malicious in the sandbox, it’s to see what it does in the sandbox in order to determine whether or not it’s something we want on our real system in the first place, the inability to do so pretty much means you’d have to run unknown programs in the sandbox until Comodo whitelists the file, or run it on your real system in the first place and risk breaking things, mind you HIPS alerts aren’t always very detailed and one alert alone could look normal so you allow it but in combination with others could look suspicious, but you had already allowed that one alert and now you can’t know for certain what it has done to your system… With FV sandbox you could just reset the sandbox… but as it works now you’d never know the file was malicious in the first place.

If you think about it they already have the technology, when manually running a program in the sandbox you can specify to run it with limitations like “Partially Limited” which means the file will run in the FV sandbox as Partially Limited (Note, this is only possible with a manually sandboxed file and not possible with auto-sandbox at the moment) which means that they already have the possibility to have HIPS inside the FV sandbox and the only thing missing now is giving alerts instead, no I’m not saying this should be enabled by default, I’m saying it would be a very valuable tool for us users who are somewhat more experienced and want to test out an application but don’t know if we can trust it, normally you’d run that in the FV sandbox, wouldn’t you? I know I would, but the problem is yet again that you don’t get any information of any suspicious actions, with HIPS alerts you’d get to know what the application is doing in a controlled environment.

(At least I’d like a log of what the applications in the FV sandbox are doing which updates in real time (It’s possible with file changes and registry changes but can’t find anything to monitor things like keyboard access etc))

:-TU :-TU :-TU

Add an option where the user can configure the interaction of HIPS and sandbox.

So what’s the point in developing and having a HIPS module, if CIS default settings are enough? Consider that the “auto-sandbox” is a rights limiter, not a sandbox…so generally it is less effective than a virtual environment…unless you use FV.

Didn’t you ask yourself the reason for this choice? Ronen Tzur is a very good programmer…even CIS guys, for sure :wink:

You’re right, and THIS is the choice I don’t fully understand. BTW, now AV and FW are working in CIS sandbox…

Comodo wanted a secure banking and shopping environment. I think for security purposes some would prefer restricted or limited. Are you saying that the AV is working in the FV sandbox? Have to test that! :slight_smile:

I tested to see if the AV detected malware in the FV sandbox. It does not. Running the sample in Sandboxie created a popup from the Comodo AV. The good thing is that Comodo Firewall still monitors FV applications. :slight_smile:

I don’t think that you get any alerts, all detected malware is simply blocked, I even tried a .txt file with the eicar string and I wasn’t allowed to open it or modify it or even move it from my real system (by going into C:\VTRoot) all I could do was delete it. That means the AV component is active, though silent.

I just meant running malware in the Kiosk itself. That did not quarantine any malware or detect it. Maybe there is something stopping Comodo from finding malware in the FV sandbox.

Yes, me too, I opened the kiosk and tried running files that CAV recognizes as malware, couldn’t launch any of them and when trying to edit the eicar .txt files I get “Access is denied” when trying to open it which means I’m not even allowed to read it, hence CAV is active and working in the FV sandbox by simply blocking access to malware silently without notifying the user.

Files you can use for example: http://www.eicar.org/85-0-Download.html (I tested with other files as well, for example a proof of concept keylogger that is detected as a leak test application, it too was blocked from running)

Did not realize that. I expected them to be quarantined but that explains why a lot of malware will not run in the Kiosk. Good job testing Sanya! I have no idea when Comodo added that feature to the Kiosk. :slight_smile: