Sandboxing Internet-Facing Applications

I have all my internet-facing applications sandboxed to minimize the damage in case they are hijacked to do something malicious or run something malicious on the system. I run almost all of them without the registry and file-system virtualization and with “limited” restriction level.

I want to know how well the sandbox will protect these applications.

There is now a virtualisation FAQ here which will help with these issues. The FAQ is still under development and may change.

Mouse

The FAQ was very helpful, a few things have cleared up regarding how the sandbox works, but it does not answer my question.

From what I understand of the main Sandbox FAQ, it still isn’t ready for manual-sandboxing, am I right?

Can you elucidate on how manual-sandboxing should be used right now and what it is for?

In terms of configuring it, how must one set the sandbox up to get the maximum from it?

Sorry not to have fully answered your question.

The following is my current understanding - but I am not a Comodo member of staff and so cannot give chapter and verse.

If you manually sandbox an item at the ‘limited’ level…

And do not enable virtualisation
You get the following protection, in the main without alerts. The internet facing software (eg browser), and any software process it directly runs, cannot:

1. write to (ie infect) existing protected files or registry keys. The ones involved are those included in predefined groups in My Protected Registry Keys/Files.
2. take operating system admin privileges. At limited level these privs are restricted to a standard user account.
3. consume too many PC resources. Process limit is 10 processes, additionally memory and processing time limits can be set. (Set as OS Job restrictions)
4. key log or screen grab, set windows hooks*, access protected COM interfaces* or access non-sandboxed applications in memory. (Set as Defence + restrictions)

These are the same as the restrictions for automatic sandboxing. NB Also any unknown software downloaded by the internet facing software and run as a separate task will be run autosandboxed whether or not the internet facing software is manually sandboxed.

If you enable virtualisation
You get the following protection, in the main without alerts.

1. all the restrictions listed above remain in place, apart from file and registry write restrictions. Instead of write restrictions, virtual copies are made of all file and registry entries modified. This means some software will run more reliably than without virtualisation.
2. all application usage traces should be localised so, if you delete them, you can ensure you delete them all. They are localised: a) in the application specific key under HKEY_LOCAL_MACHINE\SYSTEM\Sandbox\ b) in the application specific directory under c:\sandbox.

Known limitations (off the top of my head!):

1. There is as yet no tool to delete usage traces
2. Chrome will not run at the limited level
3. Various other bugs - please see CIS bug reports

In addition because this is deep functionality which is being added to CIS one cannot really guarantee that all will work as planned until more users have used it for longer in more environments.

Some of this is documented in the CIS help file under D+\Sandbox, ‘Programs in the sandbox’.

Hope this helps a bit.

Best wishes

Mouse

*Alerts will be received for these restrictions.
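Since the post notes that virtualised traces are localised under HKEY_LOCAL_MACHINE\SYSTEM\Sandbox\ and c:\sandbox but that no tool yet exists to delete them, the following added example (not from the post or from Comodo) enumerates the per-application traces in both locations so they can be reviewed, and optionally removes them. The two root paths are those named in the post; the script's parameters and its -Remove switch are this example's own, not CIS features.

```powershell
# Added example: list (and optionally delete) per-application virtualisation
# traces in the two locations the post names. Run from an elevated prompt.
# Assumptions: $RegRoot and $DirRoot default to the paths given in the post;
# -Remove is a switch of this script, not a CIS feature.
param(
    [string]$RegRoot = 'HKLM:\SYSTEM\Sandbox',
    [string]$DirRoot = 'C:\sandbox',
    [switch]$Remove
)

function Get-SandboxTrace {
    # Returns one record per application-specific registry key or directory.
    $traces = @()
    if (Test-Path -Path $RegRoot) {
        Get-ChildItem -Path $RegRoot | ForEach-Object {
            $traces += [pscustomobject]@{
                Kind  = 'Registry'
                App   = $_.PSChildName
                Path  = $_.PSPath
                Items = (Get-ChildItem -Path $_.PSPath -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
            }
        }
    }
    if (Test-Path -Path $DirRoot) {
        Get-ChildItem -Path $DirRoot -Directory | ForEach-Object {
            $traces += [pscustomobject]@{
                Kind  = 'File'
                App   = $_.Name
                Path  = $_.FullName
                Items = (Get-ChildItem -Path $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue | Measure-Object).Count
            }
        }
    }
    return $traces
}

$found = Get-SandboxTrace
if (-not $found) { Write-Output 'No sandbox traces found.'; exit 0 }
$found | Format-Table Kind, App, Items, Path -AutoSize

if ($Remove) {
    foreach ($t in $found) {
        # These are the virtual copies only, so removing them discards the
        # sandboxed application's own changes; each removal asks for confirmation.
        Remove-Item -Path $t.Path -Recurse -Force -Confirm
    }
}
```

Run it without -Remove first to see which applications have left traces and how many items each holds before deciding what to clear.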