HIPS or HIDS inside Sandbox

Hello,

Please read the whole post before voting! :wink:

Edit: Throughout this wall of text, when I refer to HIPS I mean the Interactive HIPS, not the silent already implemented HIPS.

My wish is for HIPS or something similar to HIDS (Host Intrusion Detection System) to be implemented within the Sandbox. I’m mostly thinking about the fully virtualized sandbox, since giving the option to the other levels of sandbox would pretty much negate those levels, no? Well, the HIPS would negate them but not the HIDS.

The reason I’d like to see HIPS or HIDS inside the Sandbox is because then it’s easier to see what the file is doing and then determine yourself whether the file is safe or not; it’s also easier to stop something you don’t want the file to be able to do even inside the sandbox.

In my eyes the sandbox is a place where you run unknown applications (or programs in which you download unknown applications) in order to see whether they act like a legit program or if they act like malware. The problem is that the sandbox never tells you this, so you might download a program, then run it in the sandbox and it appears to be working like a normal legit program, but in the background it performs things like keylogging etc. Though as you only see the legit program you think of allowing it, and if you do that, well… tough luck.
And yes, you can submit the files to Comodo to see what they say, but this does take too long in my opinion. Sure, I submit them, but I don’t wait for things to be whitelisted; I add them to trusted files myself. I actually tried to wait for something to be whitelisted once and I got the answer that the files had been whitelisted, but it took weeks for the actual files to become trusted on my computer, so no, I don’t see that as an option. And yes, I understand that this might not be expected behavior, though it happened.

If you had HIPS or HIDS like components inside the sandbox then the user can see what the files are doing and then make a decision him or herself. Of course this would need the same knowledge as with the normal HIPS, so this is something that is to be optional and not forced, also disabled by default.

I currently find myself conflicted between either using a powerful tool like HIPS that gives me control but only if I run things on the real system, or using the fully virtualized sandbox which protects my real system but gives me no control whatsoever and even makes me blind to what is happening.

A HIPS inside the sandbox would fix the issues with keylogging and screen grabbing, since the user would be alerted to make a decision rather than the Sandbox playing nanny and making that decision itself. This gives both insight and control to those who want it.

A HIDS like component inside the Sandbox would tell you what is going on inside the sandbox in real-time; however, it would not give you the same control as HIPS. So it gives insight but no additional control to those who want it.

So personally I’d like to see HIPS implemented, but I could also settle with a HIDS like component, or perhaps even the ability to choose either?

Explanation of what I mean by HIPS - The same as the normal HIPS in CIS though inside the Sandbox.

Explanation of what I mean by HIDS like component - I am not sure how this would look; it wouldn’t be pop-ups, rather it would be some sort of window that is updating in real-time with what the programs are doing. So while the HIPS had given a pop-up about direct access to the keyboard, the HIDS like component would have added a line in the window that has something like the columns “Name of process” “Action” “Time”, where the name of the process would be something like opera.exe, the action would be “Directly accessed the keyboard” and the time would be the time it started/happened. Well, apparently I figured out somewhat how it would look.

Thank you for reading my wish and please do vote. I am still not sure exactly how the HIDS like component would work, but this could probably be figured out by the gods of Comodo (a.k.a. developers).

Sanya IV Litvyak

+1 :-TU Thank you for making this wish :slight_smile:

Yes Purrleeze :slight_smile:

Yes for HIPS + AV

Okay thanks sanya for an excellent wish.

Please be kind with me here and this is a merely personal thing.
I would much prefer to see firewall alerts more active in the sandbox rather than the HIPS.
Remember the kiosk is just a virtual environment in which any process activity inside is gone upon clearance.

Sure, a keylogger could run in the kiosk, but I would rely more on the firewall function to prevent data leaving the computer rather than actually being alerted to a keylogger.

Just my view on this.
Thanks.

It was some time ago I actually used CIS (I’ve been away for a month and came back to a dead computer (motherboard + CPU are dead)), so I can’t remember if the firewall is less active in the sandbox, but if it is then yes, absolutely, a more active firewall is very welcome!

The main feature I’m looking for is actually seeing what is going on; being able to block keylogging is just a plus. I would rather both be able to block the keylogging before it happens and also block it from being transmitted. :wink:

So full CIS inside the Sandbox will satisfy everyone. :slight_smile:

Would be fun if they just kind of somehow ported CIS into the sandbox, so a bug would be that you can open something in the sandbox while it is sandboxed by CIS, Sandboxception. =3 That would be a poor solution though. (What I mean is a copy of CIS running in the sandbox of another copy of CIS.)

No, without any recursions. I care that the Sandbox should be protected and watched as the OS beyond it. No need to make a copy of CIS and to put it into the Sandbox. The only issue here is that anything in the Sandbox mustn’t be sandboxed again.

Just like if you install Sandboxie and CIS without Sandbox protects its area.

Interesting possibilities.
Why stop at CIS.

Maybe comodo could create some form of full virtualization feature.

Virtualizing the entire operating system seems a nice idea.

I voted no because I would consider it a step backwards in the evolution of the product. It would negate many of the improvements in usability for the masses. Work on strengthening the sandbox elements in their current implementation instead of going back in time and reintroducing interactivity.

I was making a joke with Inception as the reference, if that wasn’t obvious =P It’s not the kind of implementation I want.

I don’t see how it would negate any of the improvements in usability at all, since it would be an optional feature that isn’t forced upon anyone and which is to be disabled by default. If anything it improves usability, since more people can use it in the way they want.
And I’m not saying that they should give up strengthening the sandbox in its current implementation; rather I’d like to see them both strengthen it and give the option for interaction. Rather than just one possible way, I like to see the grey.

Personally I see the direction of automatisation as a step in the wrong direction; I prefer the ability of choice, to be able to choose automatisation or interactivity, though I do respect your opinion.

Question: What are your views on the HIDS suggestion?

Edit: I have updated the poll with two options, ‘only HIPS’ and ‘only HIDS’. Earlier votes have not been removed; question one I think shall be considered as either HIPS or HIDS or both are okay.

Personally I see the direction of automatisation as a step in the wrong direction; I prefer the ability of choice, to be able to choose automatisation or interactivity....

+1 I said yes.

If you want the interactivity it should happen outside the sandbox and not be necessary within it.

Why must it be outside of the sandbox? Why should everything be automated as soon as you come into a fully virtualized environment? Like I said, I prefer the choice; may I ask you why you are against the ability to choose?

Also do you not have any opinion about the HIDS suggestion? I’m interested in your opinion about this one.

I’m not against the ability to choose. I just think the sandboxing should be strong enough that such things aren’t needed.

To be honest, I really don’t know what the differences between HIPS and HIDS are. I never even heard of HIDS until you mentioned it.

Did you read my whole first post? I thought I explained it quite well, but I might be wrong.

In networking at least, there are IDS and IPS, intrusion detection system and intrusion prevention system. When on host computers it’s called host intrusion prevention system; however, I don’t know if a sole HIDS even exists, I might have just invented another name for something that already exists.

Basically what I suggested with the HIDS is just a window that updates in real-time with what the programs are doing. So if they are accessing the keyboard directly then it shows up in the window instantly; if it writes a file then it shows up in the window instantly. This is just to more easily see what the programs are doing and for the users themselves to be able to determine if they trust the program, and they can then determine if it’s safe to move it to the real system. So it’s nothing interactive, and of course it could be disabled by default and give you the choice to show it or not show it.

I apologize if my assessment that you were against choice is wrong; however, it’s what I have gathered from the posts I’ve read, but once again I could have been wrong and I apologize.

Edit: Think of my suggestion for HIDS as a real-time updating log but that doesn’t log what CIS is doing but rather what the programs within the sandbox are doing.
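The two components the thread contrasts, the HIDS-like real-time log (insight only) and the HIPS-like prompt (insight plus control), can be modelled as one small event monitor. This is an added illustration, not code from CIS or from the poster; the event records, the "sensitive" action names and the `decide` callback standing in for the user's pop-up answer are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Event:
    """One action observed inside the sandbox (constructed sample data)."""
    process: str
    action: str
    time: str

# Actions the HIPS-like mode would raise a pop-up for (assumed list, not CIS's).
SENSITIVE = {"Directly accessed the keyboard", "Captured the screen"}

@dataclass
class SandboxMonitor:
    mode: str                                   # "hids" = log only, "hips" = ask before
    decide: Callable[[Event], bool] = lambda e: True  # stands in for the user's answer
    log: List[Event] = field(default_factory=list)
    blocked: List[Event] = field(default_factory=list)

    def handle(self, ev: Event) -> bool:
        """Return True if the action is allowed to proceed."""
        if self.mode == "hids":
            self.log.append(ev)                 # insight only: record, never block
            return True
        if ev.action in SENSITIVE and not self.decide(ev):
            self.blocked.append(ev)             # control: user said no, action stopped
            return False
        self.log.append(ev)
        return True

    def render(self) -> str:
        """The window described in the wish: Name of process / Action / Time."""
        rows = [f"{'Name of process':<16}{'Action':<32}Time"]
        rows += [f"{e.process:<16}{e.action:<32}{e.time}" for e in self.log]
        return "\n".join(rows)

# Constructed sample stream; timestamps and actions are made up for the demo.
SAMPLE = [
    Event("opera.exe", "Wrote a file", "2013-05-01 10:00:01"),
    Event("opera.exe", "Directly accessed the keyboard", "2013-05-01 10:00:03"),
    Event("notepad.exe", "Captured the screen", "2013-05-01 10:00:05"),
]

def run(mode: str, decide: Callable[[Event], bool] = lambda e: True):
    m = SandboxMonitor(mode, decide)
    return m, [m.handle(e) for e in SAMPLE]

if __name__ == "__main__":
    print(run("hids")[0].render())
```

In "hids" mode every event lands in the log and nothing is stopped; in "hips" mode a sensitive action is only logged if the decision callback allowed it.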