Possible to keep manual sandbox but not the auto-sandbox?

In settings, I see only a setting that enables/disables the “sandbox”. There is no separate setting to enable/disable the auto-sandbox and another separate setting to enable/disable the Always Sandbox feature. Under Defense+ → Defense+ Settings → Sandbox settings, they mixed together the auto-sandbox and always-sandbox configuration. It’s confusing when Comodo mixed access restriction (what they call auto-sandbox) with the real sandbox (that employs virtualization) under the one “sandbox” term while also mixing their settings together. This was maybe meant to simplify the interface to noobs but it doesn’t take expertise in the alternate protection schemes to end up getting confused by what Comodo is trying to define.

It is unfortunate that Comodo uses the term “sandbox” so loosely. Comodo’s auto-sandbox is an access restriction scheme where privileges are reduced, perhaps interprocess communication is throttled, and other methods already provided within Windows. This is like GeSWall, which is also a policy enforcer that reduces privileges. This access restriction scheme does NOT prevent malware files from getting on your host nor keep them from running but throttles what they can do when running. The manual sandbox (because you manually add entries to the Always Sandbox list) does include the file & registry virtualization.

If I disable the “sandbox” under Defense+ tab → Defense+ settings → Sandbox, does that only disable the auto-sandbox (that employs access control, privilege reduction, etc. but nothing of virtualization)? Or does it also disable the Always Sandbox function?

I ask because I currently use Avast (free version). The free version includes their auto-sandbox which DOES include virtualization to layer the untrusted process away from the file system and registry. Unknown or suspicious processes get sandboxed (correctly termed this time). There is no manual sandbox in the free version of Avast to equate to the Always Sandbox in Comodo’s suite. So I can force a program to always be sandboxed (virtualized) using Comodo’s Always Sandbox list but I’d like to use Avast’s sandbox (virtualized) feature for unknown/untrusted/suspicious processes. I don’t want to use Comodo’s auto-sandbox (access restriction scheme) since a lot of that can be done already using SRPs (software restriction policies) already included in Windows. I already restrict web browsers using SRPs to force them to run under a Basic account which means they run under a LUA (limited user account) token.

So I’d like a security matrix as follows:
Yes: Avast’s (free) auto-sandbox (virtualization)
No: Comodo’s auto-sandbox (access restrict)
Yes: Comodo’s always sandbox ← yes

I’d like to use the auto-sandbox from Avast with the always sandbox from Comodo so both are actually sandboxes that are virtualizing the unknown/suspicious or specified processes. I’d like to get the best of both.

Note: Please don’t suggest using Sandboxie. Their free version is nagware, I don’t bother with nagware, and I’m only investigating free-only (freeware) solutions.

I’m looking for the exact same thing.

I have used Comodo IS 5 for a couple of weeks now and I don’t feel great about the auto-sandbox feature. It keeps isolating trusted applications (like Adobe Bridge for example) and every time it does that I have to go to sandbox and terminate the app, add it to trusted list and run it again. It’s annoying for me this way.

I’d like to get rid of the auto-sandbox and manually choose to allow or isolate the apps on their startup, and also create rules for them along the way.

Personally I like to have a deeper control over the way apps run.

But I failed to find any configuration options under the settings menus. Maybe I’m still just not too used to Comodo, who knows…

An answer or pointing in the right direction within the Forums would be much appreciated.

Later edit:

Now that I’m on a spree looking for a solution to this, I found that, in Defense+ settings, under Execution Control Settings, you can uncheck “Treat unrecognized files as”. I had it on “Untrusted” and maybe that’s why it was using auto-sandbox, but now that I ruled out the setting, logically, it should ask me for sandboxing every time. But I cannot confirm this yet.

LLE:
https://forums.comodo.com/defense-sandbox-help-cis/how-do-i-deny-an-application-access-to-a-particular-folder-t62610.0.html;prev_next=prev

A lot later edit:

Run with elevated Privileges. CIS will display this kind of alert when the installer of an unknown application requires administrator, or elevated, privileges to run. An installer that is allowed to run with elevated privileges is permitted to make changes to important areas of your computer such as the registry.

    If you have good reason to trust the publisher of the software then you can click the 'Allow' button. This will grant the elevated privilege request and allow the installer to run.

    If you are unsure of the safety of the software, then Comodo recommends that you run it in the sandbox by clicking the 'Sandbox' button.

    If this alert is unexpected then you should abort the installation by clicking the 'Block' button (for example, you have not proactively started to install an application and the executable does not belong to an updater program that you recognize).

    If you select 'Always trust the publisher of this file' then CIS will treat all files from this installer as safe and no future alerts will be generated when you run executables by this publisher.

    In all cases, please remember to select 'Submit this file to Comodo for analysis' so that our researchers can establish whether the application is safe or not. If it is found to be safe, we shall add it to the global safelist (whitelist). If it is found to be malicious we will add it to our global list of malware signatures (blacklist). Comodo will then distribute the updated lists to all users of CIS.

You will see this type of alert if:

The sandbox is enabled 

and

'Automatically detect and run installers outside the sandbox' is enabled. These settings can be modified in Defense+ Tasks > Defense+ Settings > Sandbox Settings.

There are two versions of this alert - one for unknown installers that are not digitally signed and the second for unknown installers that are digitally signed but the publisher of the software has not yet been white-listed (they are not yet a ‘Trusted Software Vendor’).


http://img37.imageshack.us/img37/6305/alertdeleprivel.png

Edit by Dennis2: I removed the spam-like notification that your image was uploaded to a well-known image sharing site.

https://forums.comodo.com/defense-sandbox-faq-cis/autosandbox-can-i-turn-it-off-but-keep-the-manual-sandbox-v5-t62566.0.html

and also

https://forums.comodo.com/defense-sandbox-faq-cis/slider-controls-sandbox-and-d-what-effects-do-these-have-t61612.0.html.

CIS V. 6 will bring the process of virtualization to the automatic sandbox. It has been said in this forum that a possible beta will come in January.

I do not know if it is your intention but using both sandboxes in real time might lead to nasty conflicts.

I do not know if you have already seen this link but there you can ask Comodo to whitelist your unknown applications, digitally signed or not. If they are digitally signed you can ask to be included in the TVL (the vendor). They will do a background check, and accept or deny.

To use the Manual sandbox go to “Defense+”, “Computer security policy”, “always sandbox”. Just remember the Manual Sandbox uses virtualization. https://forums.comodo.com/defense-sandbox-faq-cis/sandbox-faq-cis-5-t61604.0.html.

So under Defense+ tab → Defense+ Settings → Sandbox Settings tab, I enabled the following options:

  • I must have “sandbox” enabled. This enables both the privilege restrictor “auto-sandbox” and the virtualizing “Always Sandbox”. If this slider is in the Disabled position then I lose both sandboxes.
  • Virtualization is enabled for both file and registry (for use by the virtualizing “Always Sandbox”).

I disabled both the following options:

  • Automatically detect installers/updaters and run them outside of Sandbox.
  • Automatically trust files from trusted installers.

Then I go to the Execution Control Settings tab and:

  • Deselect the “Treat unrecognized files as” option. This disables the privilege restrictor “auto-sandbox”.

With Comodo adding 2 sandboxes (one as a privilege restrictor and another that virtualizes) and with other security products adding sandboxes (that you may still want to use in a combination with Comodo, like Avast) and with other sandbox products available (GeSWall, BufferZone Pro), it can get tough figuring out how to brew the most effective elixir. It took a while to get a grasp of just what Comodo was doing with their sandbox, er, sandboxes.

Maybe I’ll postpone trialing a new security suite configuration to see if Comodo Firewall v6 does come out in January 2012 (well, sometime later since that’s for the beta and I’d want to trial released versions) and then figure this out all over again.

Thanks for the hint on which settings are for which sandbox so I can choose to use the virtualizing “Always Sandbox” with or without the privilege restricting “auto-sandbox”.