Please add an option for the autorun blocker.
If an unknown application is trying to start with Windows,
Comodo behavior blocker will pop up an alert for it.
If the user clicks the button “Don’t block it again”, then the file will be added to the exceptions.
I think this function can block some rare exploit kits.
For example, the following one.
And this one.
https://forums.comodo.com/news-announcements-feedback-cis/bypass-comodo-v510-hta-file-t84700.0.html
Very good idea! +1 here :-TU
Shouldn’t they be sandboxed? The unknown applications on my computer that auto-run are sandboxed when I start my computer. Or did I miss something about the wish?
I’m a little confused.
Currently any file sandboxed shouldn’t be able to autorun. Thus, isn’t it already an autorun blocker?
What's the point when you can stop them with KillSwitch. ??? :-\
There is one problem with the Comodo behavior blocker.
BB cannot automatically sandbox any application which starts with Windows.
(Autorun applications unknown to CIS can be blocked by HIPS only.)
In other words, users will get about 0 points for CLT.exe if they do not enable HIPS.
You can check this by creating an autorun entry for CLT.exe and then restarting Windows.
(You can add CLT.exe to the unrecognized files list before restarting Windows.)
Are you sure about this? Because I have a few programs on auto-start and all that were unknown (VPNCheck Pro and Corsair control thingy) got sandboxed.
@ a256886572008, can an application be added to autostart by the application itself, or is it possible that the bypass was possible because you manually added it yourself?
For example, a rare java exploit kit.
The autorun entry is created by the java.exe which is trusted by CIS.
And this one.
The autorun entry is created by the mshta.exe which is also trusted by CIS.
https://forums.comodo.com/news-announcements-feedback-cis/bypass-comodo-v510-hta-file-t84700.0.html
Please add an option for the behavior blocker.
Do heuristic image-path analysis for certain autorun entries.
If an unknown application is trying to start with Windows,
Comodo behavior blocker will block it.
Before
2013-01-04 10:37:33 C:\WINDOWS\explorer.exe Modify File C:\Documents and Settings\Roger\Start Menu\programs\Startup\Shortcut - antitest.exe.lnk
After
2013-01-04 10:37:33 C:\WINDOWS\explorer.exe Create Autoruns D:\software\antitest.exe
Before
2013-01-04 10:47:25 C:\WINDOWS\regedit.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\789
After
2013-01-04 10:47:25 C:\WINDOWS\regedit.exe Create Autoruns D:\software\CLT2\clt.exe
Novice users will understand it more easily than before if this option is enabled.
(1) The autorun entry is created by the java.exe which is trusted by CIS.
comodo
C:\Program Files(x86)\Java\jre7\bin\java.exe Create Autoruns C:\Users\Evangeline\AppData\Roaming\tDBHelpserv\tDBHelpserv.dll
(2) The autorun entry is created by the mshta.exe which is also trusted by CIS.
https://forums.comodo.com/news-announcements-feedback-cis/bypass-comodo-v510-hta-file-t84700.0.html
comodo
C:\WINDOWS\system32\mshta.exe Create Autoruns C:\Documents and Settings\Roger\Application Data\PPStream\mission717Yjy.bin
Please add an option for the behavior blocker.
Do heuristic image-path analysis for certain autorun entries.
http://i.imgur.com/kcEdU.png
If an unknown application is trying to start with Windows,
http://i.imgur.com/aKZhs.png
Comodo behavior blocker will block it.
Novice users will understand it more easily than before after enabling this option.
Okay, this makes sense to me. Essentially CIS should also make sure that not even a safe program can add an autorun entry for a sandboxed unknown program.
:-TU
If the autorun entry is a driver, CIS will definitely not sandbox it.
So, CIS should block any autorun creation for unknown files before Windows is restarted.
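
The image-path check requested in this thread, sketched as an added example that is not part of any post and is not Comodo's code: it parses the "Create Autoruns" log lines quoted above and decides allow, alert or block for each startup image. The heuristic lists, the alert/block rule and the trusted set are assumptions made for illustration.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any OS

# Line shape quoted in the thread: [timestamp ]<creator> Create Autoruns <target>
LINE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d )?"
                  r"(?P<creator>.+?) Create Autoruns (?P<target>.+)$")

# Assumed heuristics for this sketch; none of these lists come from CIS.
RUNTIME_HOSTS = {"java.exe", "javaw.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\temp\\")
USUAL_EXT = {".exe", ".com", ".bat", ".cmd"}

def verdict(line, trusted=frozenset()):
    """Return (verdict, reasons); verdict is None for non-autorun lines."""
    m = LINE.match(line.strip())
    if not m:
        return None, []
    creator, target = m["creator"], m["target"].lower()
    if target in trusted:
        return "allow", []
    reasons = []
    if basename(creator).lower() in RUNTIME_HOSTS:
        reasons.append("created by a script/runtime host")
    if any(part in target for part in USER_WRITABLE):
        reasons.append("image in a user-writable profile path")
    if splitext(target)[1] not in USUAL_EXT:
        reasons.append("unusual extension for a startup image")
    # Unknown image alone -> ask the user; any path signal as well -> block.
    return ("block" if reasons else "alert"), ["image not trusted"] + reasons

# Lines quoted in the thread; the trusted set is constructed for the demo.
SAMPLE = [
    r"2013-01-04 10:47:25 C:\WINDOWS\regedit.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\789",
    r"2013-01-04 10:37:33 C:\WINDOWS\explorer.exe Create Autoruns D:\software\antitest.exe",
    r"2013-01-04 10:47:25 C:\WINDOWS\regedit.exe Create Autoruns D:\software\CLT2\clt.exe",
    r"C:\Program Files(x86)\Java\jre7\bin\java.exe Create Autoruns C:\Users\Evangeline\AppData\Roaming\tDBHelpserv\tDBHelpserv.dll",
    r"C:\WINDOWS\system32\mshta.exe Create Autoruns C:\Documents and Settings\Roger\Application Data\PPStream\mission717Yjy.bin",
]
TRUSTED = {r"d:\software\antitest.exe"}

if __name__ == "__main__":
    for line in SAMPLE:
        print(verdict(line, TRUSTED), line, sep="  <-  ")
```

The decision keys on the image being registered, not on the process that wrote the entry, so a trusted creator such as java.exe or mshta.exe does not exempt an unknown startup image.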