Understanding the auto-sandbox's default rules

https://s8.postimg.org/5tlksn711/chrome_2016_02_13_19_56_56.png

I may make some changes to the auto-sandbox’s rules. But before I do so, I should understand the logic behind its default rules and what they do and do not do. I will note that the auto-sandbox ships with a rule that tells the auto-sandbox to ignore metro apps (not displayed in the above image).

First rule: This rule blocks all files that are known to be malware, regardless of location and origin.

Second rule: This rule blocks all files that are executed from suspicious locations.

Third rule: This rule isolates all unrecognized files that are located on a local (if downloaded from the internet), network or removable drive and whitelisted by neither COMODO nor the user.

Fourth rule: This rule isolates all unrecognized files that originate from browsers, e-mail clients, file downloaders, and pseudo-file downloaders, regardless of location.

Fifth rule: This rule isolates all unrecognized files that are located in a shared space, regardless of origin or location.

Is this accurate?

Rules follow a hierarchy; rules located at the top of the list are applied first. This brings me to my questions.

Questions:

  1. What are suspicious locations?

  2. What is the difference between rules 3 and 4? They appear to do the same thing, though the former rule is less restrictive.

  3. Rules follow a hierarchy. Rules at the top of the list are applied first. If rule 5 is at the bottom of the list, what is its purpose? I changed rule 4 to ‘block’. Files located in a shared space were blocked, even though rule 5 is set to isolate files. I had to move rule 5 to a higher position in the hierarchy (higher than rule 4) in order for the auto-sandbox to isolate files located in a shared space. Is it simply there for convenience? This way, users can adjust the existing rule instead of creating a new one?

Aim:

With the auto-sandbox’s default rules, I assume it will not prevent unrecognized keyloggers; only those which are known to be malicious. The auto-sandbox does not even apply any restrictions to the default rules. Therefore, I am considering configuring the auto-sandbox to block all unrecognized files that are not located in a shared space. Unrecognized files located in a shared space would be run isolated but limited. Is this necessary, or does the auto-sandbox already deal with keyloggers? Sandboxie does not deal with keyloggers by default (It must be configured to do so), so that is why I am asking this.

Edit: Also, what is an example of a pseudo-file downloader? The term pseudo makes me think it is a program that claims to be a legitimate file downloader but is actually malicious. Perhaps it will download additional malware.

Edited image link. JoWa

If you open CIS advanced settings and go to File rating section and then File groups, the suspicious locations file group contains the recycle bin and comodo quarantine data folder.

2. What is the difference between rules 3 and 4? They appear to do the same thing, though the former rule is less restrictive.
Your accurate description of rules 3 and 4 answers your question. :)
3. Rules follow a hierarchy. Rules at the top of the list are applied first. If rule 5 is at the bottom of the list, what is its purpose? I changed rule 4 to 'block'. Files located in a shared space were blocked, even though rule 5 is set to isolate files. I had to move rule 5 to a higher position in the hierarchy (higher than rule 4) in order for the auto-sandbox to isolate files located in a shared space. Is it simply there for convenience? This way, users can adjust the existing rule instead of creating a new one?
Yeah pretty much what you said. The purpose I think is to make sure things work correctly without causing conflicts such as when you have one rule that does one thing and another rule that conflicts with the other rule. If CIS didn't follow a hierarchy, it wouldn't know what to do because rules would overlap or contradict each other.
Aim:

With the auto-sandbox’s default rules, I assume it will not prevent unrecognized keyloggers; only those which are known to be malicious. The auto-sandbox does not even apply any restrictions to the default rules. Therefore, I am considering configuring the auto-sandbox to block all unrecognized files that are not located in a shared space. Unrecognized files located in a shared space would be run isolated but limited. Is this necessary, or does the auto-sandbox already deal with keyloggers? Sandboxie does not deal with keyloggers by default (It must be configured to do so), so that is why I am asking this.


The sandbox can block certain forms of keyboard access but not all, because a virtualized sandboxed application still needs to work for the user, and if all types of keyboard access were blocked then the application wouldn’t be able to accept user input. If you enable a restriction level such as Limited, Restricted, or Untrusted, then you would have keylogging protection. But applications that are running with some level of restriction may not work correctly.

Edit: Also, what is an example of a pseudo-file downloader? The term pseudo makes me think it is a program that claims to be a legitimate file downloader but is actually malicious. Perhaps it will download additional malware.
These are files/scripts/applications that CAN download files but are not specifically designed to do so. For example, FileZilla is an application meant for transferring files, therefore it is part of the file downloaders file group. But PowerShell and PowerShell scripts can do all kinds of actions and also have the ability to download files.

So I can change rule 3 from ‘run virtually’ to ‘block’. Then, I can set a restriction level on rule 5 and move it above rule 3 in the hierarchy. This would prevent any keylogger from running unless it is in a shared space, where it would be limited in what it can do, correct? I can add any legitimate files that are blocked to the whitelist, and the rule for sandbox folders (not shown in the image) would still allow me to manually test any unrecognized software. Does this sound okay?

Yes that is all correct, just make sure the rule for sandbox folders is not set to block and you should be fine.
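The two points above (rules are evaluated top-down and the first match wins, so rule 5 at the bottom is shadowed once rule 4 is set to block; and the reworked ordering with rule 3 blocking and rule 5 moved above it) can be checked with a small model. The following is an added example, not CIS code or anything COMODO ships: the five predicates approximate the default rules as this thread describes them, the attribute names on FileEvent are assumptions, and the events fed in are constructed.

```python
# Added example: a constructed first-match model of an auto-sandbox rule list.
# This is not CIS code; the rule predicates approximate the thread's description.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed names for the "created by" origins covered by rule 4.
DOWNLOADER_ORIGINS = ("browser", "email_client", "file_downloader", "pseudo_downloader")


@dataclass(frozen=True)
class FileEvent:
    """Attributes inspected for one execution attempt (constructed model)."""
    rating: str                  # "malware", "unrecognized" or "trusted"
    location: str                # "suspicious", "shared_space", "local", "network", "removable"
    origin: str = "other"        # kind of parent that created/launched the file
    from_internet: bool = False  # local file carries an internet-origin mark
    whitelisted: bool = False    # vendor or user whitelist entry


@dataclass(frozen=True)
class Rule:
    rule_id: int
    matches: Callable[[FileEvent], bool]
    action: str                        # "block" or "run_virtually"
    restriction: Optional[str] = None  # level applied when run virtually, if any


def _unrecognized(e: FileEvent) -> bool:
    return e.rating == "unrecognized" and not e.whitelisted


def default_rules() -> List[Rule]:
    """The five rules from the thread, top of the list first."""
    return [
        Rule(1, lambda e: e.rating == "malware", "block"),
        Rule(2, lambda e: e.location == "suspicious", "block"),
        Rule(3, lambda e: _unrecognized(e) and (
            (e.location == "local" and e.from_internet)
            or e.location in ("network", "removable")), "run_virtually"),
        Rule(4, lambda e: _unrecognized(e) and e.origin in DOWNLOADER_ORIGINS, "run_virtually"),
        Rule(5, lambda e: _unrecognized(e) and e.location == "shared_space", "run_virtually"),
    ]


def evaluate(rules: List[Rule], event: FileEvent) -> Tuple[str, Optional[str], Optional[int]]:
    """First matching rule wins; rules below it are never consulted."""
    for rule in rules:
        if rule.matches(event):
            return rule.action, rule.restriction, rule.rule_id
    return "allow", None, None  # nothing matched: the file runs unsandboxed


def set_action(rules: List[Rule], rule_id: int, action: str,
               restriction: Optional[str] = None) -> List[Rule]:
    """Return a copy of the list with one rule's action/restriction changed."""
    return [Rule(r.rule_id, r.matches, action, restriction) if r.rule_id == rule_id else r
            for r in rules]


def move_above(rules: List[Rule], rule_id: int, above_id: int) -> List[Rule]:
    """Reorder so that rule `rule_id` is evaluated before rule `above_id`."""
    moved = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    idx = next(i for i, r in enumerate(rest) if r.rule_id == above_id)
    return rest[:idx] + [moved] + rest[idx:]


# Constructed event: an unrecognized file a browser saved into a shared space.
SHARED_FROM_BROWSER = FileEvent("unrecognized", "shared_space", origin="browser", from_internet=True)


def outcome_with_rule4_blocking() -> Tuple[str, Optional[str], Optional[int]]:
    """Rule 4 set to block while rule 5 stays below it: rule 5 is shadowed."""
    return evaluate(set_action(default_rules(), 4, "block"), SHARED_FROM_BROWSER)


def outcome_with_rule5_moved_up() -> Tuple[str, Optional[str], Optional[int]]:
    """Same change, but rule 5 (with a restriction) moved above rule 4."""
    rules = set_action(default_rules(), 4, "block")
    rules = set_action(rules, 5, "run_virtually", restriction="limited")
    return evaluate(move_above(rules, 5, 4), SHARED_FROM_BROWSER)


def final_config() -> List[Rule]:
    """The ordering settled on above: rule 3 blocks, rule 5 runs untrusted
    and sits above rule 3."""
    rules = set_action(default_rules(), 3, "block")
    rules = set_action(rules, 5, "run_virtually", restriction="untrusted")
    return move_above(rules, 5, 3)


if __name__ == "__main__":
    print("rule 4 = block, rule 5 at bottom:", outcome_with_rule4_blocking())
    print("rule 5 moved above rule 4:       ", outcome_with_rule5_moved_up())
    print("final config, removable drive:   ",
          evaluate(final_config(), FileEvent("unrecognized", "removable")))
```

Running it reproduces the observation above: with rule 4 set to block and rule 5 left at the bottom, the shared-space file is blocked by rule 4 and rule 5 never fires; once rule 5 is moved above rule 4 it is isolated with its restriction. The `evaluate` return value also names the rule that fired, which is the quickest way to see which rule an event lands on after any reordering.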

I spent some more time playing around with the auto-sandbox. What exactly does the Sandbox Folders rule do?

It prevents applications that are located in the sandbox folder from being executed. For example, if you were to run an application in the sandbox and the application created a new application, the rule prevents you from manually opening the sandbox folder and running that new executable. It also prevents other applications from running those executables that are located in the sandbox folder, which is the hidden VTRoot folder.

Are these Internet? or Proactive Security Profile rules? I think the Proactive Rules are different and are tighter/better?

These are the rules for the Internet configuration. For Proactive, the rules are set in such a way that all applications that are rated as unrecognized are sandboxed regardless of origin, location, and created by. Then blocked for applications that are rated as malware, located in suspicious locations, or located in the sandbox folder.

Makes sense, thank you. :wink:

http://s28.postimg.org/4xemb3g6l/cis_2016_02_22_02_28_39.png

This is the configuration that I am using at the moment. The rule for “Shared Spaces” is set to untrusted. If I run into any problems, I can change it to restricted or limited.

If a keylogger is run virtually instead of blocked, what restriction policy would need to be in place in order to protect against the keylogger?

On the subject of restriction policies, is there some place that provides a more in depth description of them? COMODO’s documentation is vague.

For keylogger protection I have found that setting the restriction level to Limited is enough to prevent keylogging. As for an in-depth explanation of what each restriction level entails, unfortunately nothing beyond what is already described in the help documentation is available.

Why, when an unknown program (such as a keylogger) is run “virtually”, does it not have a “restriction” option set by default? I noticed that it is blank by default in options.

Mostly for usability, as setting a restriction level in addition to running virtually can cause some applications to not work correctly or at all. Also, for the majority of users and applications, running fully virtualized provides good enough protection, but CIS does allow you to customize the level of protection you want to have, so there’s that.