Setup Defense+ / Auto-sandbox to allow application to access certain folders only

Hi,

I would like to set up Auto-Sandbox to run two recently downloaded applications in the restricted environment. I would simply set them to run fully virtualized, but the applications are sort of data managers for addon files. The addons themselves are of a text type. The applications have to have access to one particular folder. Unfortunately, fully virtualized applications cannot save to any folder but the one specified in Sandbox Settings → “Do not virtualize access to”. I wouldn’t like to add anything else to “Do not virtualize these folders” because then each sandboxed application would also have access to this folder.

My question is whether it’s possible in CIS to turn on access to a specific folder for a particular sandboxed application.

I thought it could be done with Auto-Sandbox and then with Target, Action, Sources, Reputation and Options but, to be frank, I did not fully understand the meaning of those settings.

Cheers!

With the autosandbox alone this is not possible, but with both the HIPS and autosandbox you can achieve this. Do you have HIPS enabled?

Yes. I have installed the complete Comodo Internet Security.

But do you have the HIPS enabled? The HIPS is not enabled by default unless you switched to the proactive configuration.

I am sorry. I had not paid attention to whether you asked about “installed” or “enabled”.

Yes, HIPS is installed and enabled. I also switched CIS to the Proactive profile.

Cheers!

First we can create the restriction rules to restrict the application to only access certain folders:

  • Open the main GUI and click Tasks → Advanced Tasks → Open Advanced Settings.
  • Once that is open, click Security Settings → Defense+ → HIPS → HIPS Rules.
  • Now right click in the white space and click Add.
  • Click Browse and add the application you are trying to restrict.
  • Change the ruleset to “Use a custom ruleset”.
  • Under the Access Rights tab scroll down to “Protected Files/Folders” and change the action to Block.
  • Then click “Modify (0\0)” next to the option you just changed, and under the “Allowed Files/Folders” tab add the folders you want to allow the application access to.

Now all that’s left is to set up the autosandbox rules to always sandbox the application:

  • From the advanced settings go to Security Settings → Defense+ → Sandbox → Auto-Sandbox.
  • Right click in the white space and click Add.
  • Now click Browse and add the application you want autosandboxed.
  • Now click “OK”, then “OK” again.

This should be it. Test out these rules and let me know if it works.

Thanks for the routine.

Everything runs, with one issue. The application does not change the real folder but its virtual equivalent location. It would change it if I added the location to “Do not virtualize these folders”. If I erase the Sandbox, it reads from the real folder but does not change it.

I believe I’ve followed your routine.

First, I created a ruleset with the restriction to have access only to my folder. In the Ruleset → Modify → Allowed Files/Folders, I pointed to and added my folder. I made just one slightly different change: I have not created a custom ruleset for the application, but created a separate one in Rulesets, named it, and then assigned this named ruleset to the application. I think the end effect should be the same. The reason for that is that the ruleset is going to be assigned to another auto-sandboxed application which will be treated exactly the same way, with the exact same restriction to the same folder.

Second, I have added the application to Auto-sandbox with Action set to “Run Virtually” and restriction level set to “Limited”. I moved this rule to the bottom. Above are only Block rules for Malware and Suspicious locations.

Cheers!

Sounds like everything you have done is correct. If you want the sandboxed application to modify the files on the real system (not virtual), then you will have to add the folders to the Do not virtualize list. The only other way around this is to just apply the restriction to the application only and not virtualize it.

There are wishes created to apply sandboxed changes to the real system. Until that is fulfilled, there is no way to apply changes from within the sandbox without excluding the folders that are being changed.

It’s not perfect to add folders for global access but at least it’s something!

Thanks for your assistance on that :slight_smile:

You can try one more thing. After adding the folders to the Do not virtualize option, also add the same folders to the Protected Data Folders under HIPS in Protected Objects.

This should allow access for the application, since you created a HIPS rule for it, but block other sandboxed apps from accessing these folders. It’s not exactly what you wanted, but it prevents global access while allowing your application to access these folders.

*NOTE: I don’t know if this will work, but it should, since you made a specific HIPS rule to allow access to these folders.

Just tested it. Allowing access to a file through Protected Files/Folders doesn’t work if the folder is set up in Protected Data Folders; Protected Data Folders seems to take higher priority, and setting an exclusion for Protected Files/Folders doesn’t set an exclusion for Protected Data Folders.

Personally, I don’t believe that it is possible to do what the OP is asking for. It’s not possible to give one sandboxed application access to a specific folder on the real system without also allowing all other sandboxed applications equal access to that folder. The only possible solution would be to set up HIPS rules for all other sandboxed applications that block access to that folder; it would still let them read the data, though.

Edit: It could perhaps be possible if Comodo would implement the separate sandbox wish that would see a dedicated sandbox for each program; if it was also configurable, then this could possibly become reality.

Thanks Sanya for testing this. I wasn’t sure what would take precedence.