Please advise how to use Windows ICACLS or Comodo to prevent code execution.

I wish to convert a folder into a quarantine zone that allows a suspect process to deliver files,
and allows a clean system to scan and read and copy.
These files must NEVER be allowed to execute whilst in that zone.

Under XP I have used CACLS to grant myself access to System Volume Information.
I have no experience at using DENY.

I am now using Windows 7 Ultimate and ICACLS seems more powerful, and more difficult for me to understand.
I would appreciate advice on:
a suitable command string to ICACLS to implement the above ;
any additional or alternative protection the Comodo can provide.

The application is a shared folder that can be accessed by my clean Desktop, and a dirty Guest.

My quad core Desktop will sometimes act as Host to a Guest operating system via use of Oracle VirtualBox,
in which case two cores remain available to the Host and the other two are under Guest/Malware control.
I suspect Comodo Defense+ and the two Host cores may be unable to block, or even detect, any malware operation that is performed by the two Guest cores.

My main concern is with the above folder named Guest-2-Host.

There will also be a shared folder named Host-2-Guest which VirtualBox will write-protect against the Guest.
The Desktop Host will only write clean files to this folder, and hopefully the Guest will never put anything there.
The host will read and copy files from there into its unshared territory where it may execute any executables.
I am not too concerned about any further protection on this folder, but will be very happy to act on any advice.

Regards
Alan
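An icacls command string that does what the post above asks for, written out as an added example that is not part of the original thread or of any reply in it. It assumes the Guest-2-Host folder lives at C:\Shared\Guest-2-Host (a path chosen for illustration; the thread never gives one) and that it is run from an elevated PowerShell prompt on the Windows 7 host:

```powershell
# Added example, not from the thread. Turns a folder into a "no-execute" zone with an
# explicit Deny ACE for the Execute/Traverse right, while leaving Read and Write alone
# so the host can scan, read and copy and the guest can still drop files in.
# Assumption: the shared folder is C:\Shared\Guest-2-Host (illustrative path).
$Quarantine = 'C:\Shared\Guest-2-Host'

if (-not (Test-Path -LiteralPath $Quarantine)) {
    New-Item -ItemType Directory -Path $Quarantine | Out-Null
}

# 1. Make any files already in the zone inherit from the folder again, so a stale
#    explicit ACL on an old file cannot override what is set on the parent.
#    The \* limits /reset to the children; resetting the folder itself would also
#    strip the Deny ACE added in step 2. /T walks subfolders, /C continues on error,
#    /Q suppresses the per-file success lines.
icacls "$Quarantine\*" /reset /T /C /Q

# 2. Deny the Execute/Traverse right (X) to Everyone. S-1-1-0 is the well-known SID
#    for Everyone; the leading * tells icacls it is a SID, not an account name.
#      (OI) object inherit    - every file created in the folder gets the ACE
#      (CI) container inherit - subfolders pass it on as well
#      (IO) inherit only      - the ACE is not applied to the folder object itself,
#                               so opening and listing the folder keeps working
#    icacls propagates the new inheritable ACE to the existing children.
icacls $Quarantine /deny '*S-1-1-0:(OI)(CI)(IO)(X)'

# 3. Check the resulting ACL: $true when a file in the zone carries an effective
#    Deny of ExecuteFile for Everyone.
function Test-QuarantineDeny {
    param([Parameter(Mandatory = $true)][string]$File)
    $rights = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl = Get-Acl -Path $File
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.FileSystemRights -band $rights) -eq $rights)
    }
    return [bool]$hit
}

# 4. Runtime check with a harmless binary: copy whoami.exe into the zone and try to
#    start it. Start-Process throws "Access is denied" when the ACE is effective.
$Probe = Join-Path $Quarantine 'probe.exe'
Copy-Item -Path "$env:WINDIR\System32\whoami.exe" -Destination $Probe -Force

"ACL carries Deny-ExecuteFile: $(Test-QuarantineDeny -File $Probe)"
try {
    Start-Process -FilePath $Probe -Wait -WindowStyle Hidden
    Write-Warning 'probe.exe started: the Deny ACE is not effective'
} catch {
    "probe.exe blocked as intended: $($_.Exception.Message)"
}
Remove-Item -Path $Probe -Force
```

Three caveats a practitioner would want stated. A Deny on X stops the kernel from mapping the file as an executable image (CreateProcess, LoadLibrary), but it does not stop interpreters: a .bat, .vbs or .ps1 in the zone is merely read by cmd.exe, wscript.exe or powershell.exe, and an Office document with macros is merely read by Office, so those still need a tool such as AppLocker or the Comodo Blocked Applications list. The files can still be copied out of the zone and run elsewhere, which is the workflow the post intends, so the ACE guards against running something in place by mistake, not against a careless copy. And because the account in use is a member of Administrators with UAC off, that same account can undo the ACE with `icacls <folder> /remove:d *S-1-1-0` or by taking ownership; an NTFS Deny is a guard rail for the host user, not a boundary against a compromised host session, and it has no bearing on what the guest executes on its own side of the shared folder.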

You can create a file group whose Blocked Applications list contains the folder that you wish to block execution from. Move this rule to the beginning of your ruleset so that it is processed first. The Global Blacklist file group in the guide at https://forums.comodo.com/guides-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html illustrates this; see steps #12 and #20.

Many thanks, that looks very useful.

I am however concerned by comments that indicate it boosts security for those using limited accounts.

I only use a Guest account with very limited capabilities on very rare occasions.
I normally use my password protected account with standard Administrator access.
UAC is permanently disabled - dealing with Comodo warnings was more than enough hassle in the past, though v5.5 is much better than it was.

I have been depending on C.I.S. to keep me safe, and Macrium Reflect partition image backups to save my bacon when needed.
For the last 5 years since retirement and heavy internet use I have used Comodo,
and the only disasters that required an image restore were Microsoft Security updates that blasted through without warning regardless of the settings to only notify of availability.
Two such disasters this year >:-D

Hence my question - if I persist with using Administrator privilege,
will this Blocked Application List protect me adequately,
or will I have left wide open a back-door that is not so protected ?

Regards
Alan

It seems that you are using VirtualBox to protect your host operating system. It’s theoretically possible but probably unlikely in practice that malware encountered in a virtual machine will also infect your host system. You could use Secunia PSI to periodically check for known security problems in VirtualBox which are corrected in a newer version. For added protection from host compromise, you could also virtualize your host system using Returnil Virtual System while a virtual machine is running.

You are using two folders for transferring files to and from the virtual machine. That’s ok but you could get by with just one folder. Keep in mind that malware in the virtual machine can infect files in the transfer folder(s), so move or delete files from the transfer folder as soon as possible.

The method that I described should work in your situation, although I’m not sure it’s necessary. You can test that it works by putting an .exe file in the transfer folder and try to run it. You could instead use the operating system’s AppLocker feature to do the same.

I highly recommend turning UAC on, and at its max setting instead of the default setting.
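The AppLocker alternative this reply mentions, written out as an added example that is not the reply's own code. It assumes the same illustrative folder path C:\Shared\Guest-2-Host, the AppLocker cmdlets that ship with Windows 7 Ultimate, and that default Allow rules already exist in the local policy, because an enforced rule collection that contains only a Deny rule blocks everything it does not explicitly allow:

```powershell
# Added example, not from the thread. Builds an AppLocker policy fragment that denies
# Everyone the right to run executables and scripts located under the quarantine
# folder, previews the decisions with Test-AppLockerPolicy, then merges it into the
# local policy only if that policy already contains Allow rules.
# Assumption: the folder is C:\Shared\Guest-2-Host (illustrative path).
Import-Module AppLocker

$Quarantine = 'C:\Shared\Guest-2-Host'
$PolicyFile = Join-Path $env:TEMP 'Guest-2-Host-Deny.xml'

function New-DenyPathRule {
    param([string]$Name, [string]$Path)
    # UserOrGroupSid S-1-1-0 is Everyone. In AppLocker an explicit Deny always wins
    # over an Allow, including the default "Administrators: everything" rule.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="Quarantine zone: no execution" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# Exe covers .exe/.com; Script covers .ps1/.bat/.cmd/.vbs/.js, which an NTFS
# Deny-Execute ACE does not stop because their interpreters only read them.
$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-DenyPathRule -Name 'Deny EXE from Guest-2-Host' -Path "$Quarantine\*")
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
$(New-DenyPathRule -Name 'Deny scripts from Guest-2-Host' -Path "$Quarantine\*")
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $Policy -Encoding UTF8

# Preview without applying. Test-AppLockerPolicy needs real files, so drop a copy of
# a harmless binary into the zone and compare it with the original outside the zone.
$Probe = Join-Path $Quarantine 'probe.exe'
Copy-Item -Path "$env:WINDIR\System32\whoami.exe" -Destination $Probe -Force

function Get-QuarantineDecision {
    param([string]$FilePath)
    $r = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $FilePath -User 'Everyone'
    return $r.PolicyDecision
}
# Expected against this fragment alone: "Denied" inside the zone and
# "DeniedByDefault" outside it, which is exactly why the fragment must be merged
# with a policy that already holds the default Allow rules rather than applied as is.
"Inside zone : $(Get-QuarantineDecision -FilePath $Probe)"
"Outside zone: $(Get-QuarantineDecision -FilePath "$env:WINDIR\System32\whoami.exe")"
Remove-Item -Path $Probe -Force

# Refuse to merge unless the effective local policy already has Allow rules for Exe.
$Effective = [xml](Get-AppLockerPolicy -Effective -Xml)
$AllowRules = $Effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.ChildNodes } |
    Where-Object { $_.Action -eq 'Allow' }
if (-not $AllowRules) {
    throw 'No Allow rules in the Exe collection: create the default rules in secpol.msc first.'
}

# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Two points about the design. The Script collection is included deliberately: it closes the interpreter gap that a file-system Deny on the Execute right leaves open. And the Allow-rule check before `Set-AppLockerPolicy -Merge` exists because AppLocker's semantics are default-deny once a collection is enforced, so a Deny-only policy applied on its own would lock the host out of every program it has; the default rules are created once in Local Security Policy under Application Control Policies > AppLocker > Executable Rules > Create Default Rules. As the later reply says, this policy governs the host only; a guest needs its own.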

Many thanks for the information.

I tried VMware installed on my secondary drive E:.
Just before desktop shut down for the night I saw a big RED bar in Windows Explorer and a warning that C:\ was unusable. My primary Drive Free space had dropped from 8 GB to 200 MB.
I did not know if 200 MB was enough free space for a reboot in the morning.

TreeSize found 8 GB in my system TEMP folder, so I quickly regained lost free space.

I realised then that when I used Ctrl+C / Ctrl+V to copy from a VMware folder to the secondary drive G:,
VMware was using my Primary %TEMP% folder as the paste buffer.
I am really glad that was not 8 GB of virtual malware invading my reality >:-D

I think VirtualBox is safer - but I am not pushing my luck :)

I like the idea of using an Applocker Path Rule.
But am I correct in assuming that if Host Windows has a rule against execution from that folder,
only the Host is forbidden unless the Guest Windows are given a similar rule.
I fear I might forget to add such a rule to any new Virtual Guest and it may be free to execute that application upon any target inside "Guest Space" or "Host Space".

I dedicate two cores of my quad core to VirtualBox,
and two cores remain for the Host.
I am happy that Host Comodo can switch the Firewall to “Block All” and the 2 cores under Guest control cannot then see the internet.
Does Host Windows Applocker or Host Comodo Global Blacklist file group have any awareness of or control over the 2 cores that are under Guest control ?

I am happy to allow VirtualBox to notify me of the availability of an update.

Secunia however has a pre-requisite of a fresh partition image even before a scan.
A few years ago I created an image before allowing a Scan,
not because I saw danger in the scan but I feared problems with the updates.
After the scan I saved the page for subsequent off-line review of the non-updated results.
I rebooted to look at the saved page whilst off-line, but instead faced major system event errors.
I was unable to overcome those errors until I restored the image.
When restored I returned and found that in the small print when allowing the scan they also took the unusual liberty of fixing a recently discovered Windows error that everyone had and which prevented success with a particular update that MIGHT be needed if I had the relevant application installed.
It was like taking my dog to a dog groomer and on collection finding its puppy making days had also been “fixed”.
Shock and Horror.

Regards
Alan

You’re welcome :).

AppLocker rules on the host apply to what’s running on the host only. If you want to control the virtual machine, you will need separate AppLocker rules in the virtual machine. This is also true of other security software. Thus, you should probably consider having security software inside the virtual machine also, if you don’t already.

Sorry, just to be sure I understand the situation,
should my Guest have inadequate protection for the dangers I expose it to,
and given that it has the ability to write into a folder that is shared with the Host.

Please confirm that any Malware in the Guest can damage the host:

  1. without interception by Host CIS Defence+ ;
  2. without interception by Host CIS Blocked Application List ;
  3. without interception by Host CIS A.V.
  4. without any restriction by Host Windows ICACLS or CACLS.
  5. BUT be fully cancelled out by Host Windows Returnil - or could Guest Malware break Returnil as well ?

N.B.
I am using two shared folders so that every time I launch VirtualBox it will automatically have access to the folder it is allowed to read from.
The Other folder that the guest can write to will ONLY be available if before launching VirtualBox I launch a script that uses SUBST to create a virtual Drive V:\ that designates the Host folder in which I receive files that the Guest has previously scanned for malware.

I am very new to Virtual systems and am likely to create many experimental machines for sundry purposes.
Often they will have Comodo because I give them a “Virtual Disk” based on a Macrium Image backup of an earlier real system,
e.g. I might want to compare in real-time the operation of an Application before and after Upgrade.
Sometimes they will be created with an installation disc that delivers a “raw” Windows with negligible protection from the internet until AFTER it has downloaded and installed trustworthy protection such as CIS.
I may even run without Comodo to see why my computer goes unconscious for 5 seconds once a minute or once a month ! ! !

P.S.
Sometimes I need to switch the configuration to BLOCK the Firewall and Disable A.V. and Defense+,
otherwise some tasks like copying a few thousand files from one partition to another get delayed by Scan on Demand,
and other actions give Defense+ pause for thought.
When I ran a VB Script to give CMD.EXE a file time stamp to 1 second precision,
the loop would run a dozen times a second and pause for 5 seconds at 67 second intervals - unless I disabled the Firewall.
The next time I need to run a VB script I will probably let a Virtual take the risk.
I certainly intend to explore why Comodo Firewall has to be wide open for any VB script to run, assuming that v5.8 has the same effect.

Lots of things to try with a new VirtualBox toy ;D

Regards
Alan

There is malware that can get by Returnil. Returnil, however, has anti-executable protection to try to limit the chances of such a thing happening.

It’s possible that there is malware that could get by CIS that Returnil would handle. I would think that VirtualBox+Returnil on the host (with its anti-executable on) would probably protect you in the vast majority of cases, even without using CIS on the host.

Thanks for all the information.

I am concerned that Returnil will not only protect the Host from any malware incursion via the normally closed shared folder,
but will also protect the Host from my own chosen actions unless I remember to allow my changes to persist.

If I have a really bad day I might not realise that Returnil has protected my storage system from actually getting updated with a partition image backup :o

I have more than enough yet to understand about VirtualBox without coping with another “virtual layer”.

A new VBox cannot use a shared folder until firstly it contains an operating system, and secondly that O.S. is given a VBox utility that can be installed by the O.S. so it may access the shared folder and other Host things such as USB Drives.

I now plan that the first thing to place in the Host-2-Guest shared folder is a BAT script for the Guest to execute and impose under Guest authority some ICACLS restrictions on the Guest-2-Host folder.

I will also be careful.

When all else fails there are my partition image backups.

Regards
Alan

You’re welcome :).

Regarding using anti-executable technology on your transfer folders, I recommend to do it if and only if your concern is that you yourself will run files from it on the host. The virtual machine could infect files in a transfer folder if it has write permissions to do so. You shouldn’t be concerned about a virtual machine executing the files in a transfer folder on the host though, because that can’t happen.

Here are three ways you could get your host infected via a virtual machine:

  1. Malware in the virtual machine exploits a vulnerability in VirtualBox.
  2. If the virtual machine and host are networked, malware in the virtual machine could do a port attack on a vulnerable service or program on the host.
  3. As discussed above, malware could infect files in your transfer folder. If you then run those infected files on the host, your host could become infected.

Thanks

I will ensure I keep VirtualBox up to date.

The network defaults allow the Host and Guest to see that the other party exists,
but have no access to one another.
I do not intend to change that.

I believe VirtualBox can be configured to access the Internet Router without interception by Host Firewall.
I am using the default which is blocked by the Host Firewall.
Host Comodo can protect a brand new Guest O.S. which has not yet got any Internet protection of its own.

I will permanently prohibit execution within the shared folders,
and on the few occasions I allow Guest-2-Host transfer I will close the Guest before scanning the contents,
and only then make use of them.

I now feel ready for adventure :)

Regards
Alan