Please read the whole post before voting!
Edit: Throughout this wall of text, when I refer to HIPS I mean the interactive HIPS, not the silent, already implemented HIPS.
My wish is for HIPS or something similar to HIDS (Host Intrusion Detection System) to be implemented within the Sandbox. I’m mostly thinking about the fully virtualized sandbox, since giving the option to the other levels of sandbox would pretty much negate those levels, no? Well, the HIPS would negate them, but not the HIDS.
The reason I’d like to see HIPS or HIDS inside the Sandbox is that it’s then easier to see what the file is doing and to determine yourself whether the file is safe or not. It’s also easier to stop something you don’t want the file to be able to do, even inside the sandbox.
In my eyes the sandbox is a place where you run unknown applications (or programs with which you download unknown applications) in order to see whether they act like a legit program or like malware. The problem is that the sandbox never tells you this, so you might download a program, run it in the sandbox, and it appears to be working like a normal legit program, but in the background it performs things like keylogging etc. As you only see the legit program you think of allowing it, and if you do that, well… tough luck.
And yes, you can submit the files to Comodo to see what they say, but this takes too long in my opinion. Sure, I submit them, but I don’t wait for things to be whitelisted; I add them to trusted files myself. I actually tried to wait for something to be whitelisted once and I got the answer that the files had been whitelisted, but it took weeks for the actual files to become trusted on my computer, so no, I don’t see that as an option. Yes, I understand that this might not be expected behavior, though it happened.
If you had HIPS- or HIDS-like components inside the sandbox, then the user could see what the files are doing and make a decision him- or herself. Of course this would need the same knowledge as with the normal HIPS, so this is something that should be optional and not forced, and also disabled by default.
I currently find myself conflicted between using a powerful tool like HIPS that gives me control, but only if I run things on the real system, or using the fully virtualized sandbox, which protects my real system but gives me no control whatsoever and even makes me blind to what is happening.
A HIPS inside the sandbox would fix the issues with keylogging and screen-grabbing, since the user would be alerted to make a decision rather than the Sandbox playing nanny and making that decision itself. This gives both insight and control to those who want it.
A HIDS-like component inside the Sandbox would tell you what is going on inside the sandbox in real time; however, it would not give you the same control as HIPS. So it gives insight, but no additional control, to those who want it.
So personally I’d like to see HIPS implemented, but I could also settle for a HIDS-like component, or perhaps even the ability to choose either?
Explanation of what I mean by HIPS - The same as the normal HIPS in CIS, though inside the Sandbox.
Explanation of what I mean by HIDS-like component - I am not sure what this would look like. It wouldn’t be pop-ups; rather, it would be some sort of window that updates in real time with what the programs are doing. So while the HIPS would have given a pop-up about direct access to the keyboard, the HIDS-like component would have added a line in the window with columns something like “Name of process”, “Action” and “Time”, where the name of the process would be something like opera.exe, the action would be “Directly accessed the keyboard” and the time would be the time it started/happened. Well, apparently I figured out somewhat what it would look like.
Thank you for reading my wish, and please do vote. I am still not sure exactly how the HIDS-like component would work, but this could probably be figured out by the gods of Comodo (a.k.a. the developers).
Sanya IV Litvyak