I’m no security expert and would be grateful if you could help me understand the following:
Under CIS auto-containment rules, unrecognized applications are run virtually as “partially limited”. I wonder under what restriction level unknown applications are run in CCAV?
Under CCAV network traffic control, the help menu states that TCP connections are blocked. Could malware potentially use other types of protocols to communicate?
edit: changed “untrusted applications” to “unknown applications” to clarify the question.
I’m no expert on CCAV, but I think I can at least answer your first question.
The restriction levels are from a time (CIS versions 4 – 7) when sandboxed or “contained” applications were run on your original system but with limited access rights.
For example: Partially limited applications could not modify the registry and therefore not install things to run at start up.
This would prevent a keylogger or rogue AV from installing; ransomware, however, could still encrypt your files if it didn’t need admin rights (e.g. WannaCry).
Higher restriction levels can prevent that but also cause a lot of incompatibilities (like having no keyboard input in games running sandboxed because direct keyboard access was denied to prevent keyloggers), which is why partially limited was the default.
Since version 8, however, CIS virtualizes unknown applications (based on rating, origin, age etc.), meaning they run in a copy of your system (like a virtual machine or Comodo’s virtual desktop). If the container is reset, it’s all gone.
You could still have restrictions inside the container, but it’s kind of unnecessary and turned off by default. It’s not actually run partially limited; that’s just the default option showing in the greyed-out dialogue box if “Set Restriction Level” is not ticked (which by default it isn’t).
CCAV uses virtualization just like present-day versions of CIS and does not need restriction levels, meaning it doesn’t have any.
Many thanks! The answer to the first question is clear.
Thanks for the explanation Lonely.
I would just add that restriction levels are still useful as they prevent contained applications from reading critical parts of the system. I am told setting the restriction level to ‘Restricted’ or above can help protect Webcam Access by contained applications for example.
True, but on Windows 10 any level above “partially limited” is not compatible with User Account Control.
(Meaning it will be run “partially limited” even if “untrusted” is selected.)
The only way around this is to disable the UAC service (simply setting UAC to “never notify” does not work) and that is not a supported state for Windows 10. So it is definitely not a future proof solution to rely on restriction levels.
It makes more sense to just use containment to protect the system and use the firewall to protect data (untick the “do NOT show popup alerts → allow requests” option and tell it to also “monitor IPv6 traffic”). That way whatever accesses the webcam or anything else from inside the container cannot send any information out without you authorising it.