unlimited access

What are the security implications when a program wants to have unlimited access to the computer? Does it mean it will no longer be bothered by Comodo and can do what it wants?

Indeed. Hence why you need to be careful allowing a program these privileges. They are typical for installers but also may happen with system analysis tools, debuggers …

Please share technical details on “unlimited access”. Please help me with some answers: 1. Does it, for example, mean it can install viruses as it wishes? 2. Or render the OS unstartable?

I have seen this on installers and wonder. 3. Why do they ask for “unlimited access”?

  1. Is there a way to run installers which ask for “unlimited access” but fail in an isolated environment safely?

Once you grant unlimited access then it can do anything and would be the same as using the install/updater HIPS ruleset. So if it turns out to be malicious it can infect the system with other malware. One way CIS detects installers is if it contains setup or install in the file name, then you will get an unlimited access request alert. Setup installers usually need admin rights so they can make certain system changes or write to restricted directories (i.e. the Windows or Program Files folders). You can choose to run in containment at the alert to force the application to run in the containment.

I have one app which I don’t completely trust.
However, it wants unlimited access and will fail without that.
It also fails in the containment.

It could be that it wants to load a device driver or access another process in memory, which it can’t do in containment. Or it needs to make use of certain Windows services or COM interfaces which may not be available to containment processes or are blocked from being accessed. In these cases you could create an ignore rule for that application and monitor actions using HIPS, and if VirusScope is set to monitor all applications you can view its activities.

Well, I would most like to run it in the sandbox.

However, it does crash. So how could I find out what it needs and make these rules for inside the sandbox?

You can’t make rules to control the access for contained applications; think of the sandbox as an auto HIPS that automatically blocks certain actions while allowing others. You can’t override those blocked accesses to allow them like you can with HIPS rules.

Well, executed in the sandbox it complains it can’t allocate memory for decompression, and without the sandbox it will ask for unlimited access. It seems like there is only the way to execute it in containment, which will cause the error, and to allow it, which would remove all restrictions. Do I understand this right?

Now I, as an experienced computer user, wonder a bit why there is no way to contain it in a limited way…

You wrote: “In these cases you could create an ignore rule for that application and monitor actions using HIPS, and if VirusScope is set to monitor all applications you can view its activities.”

I am a little overwhelmed with that. I don’t know how to monitor with HIPS or VirusScope; I don’t know how to use VirusScope to monitor at all…

When I mentioned monitoring with HIPS, I meant: turn off auto-containment, have HIPS enabled, and expand the HIPS alert to see the description and view what exactly is being done by the process. For VirusScope you can change the setting to monitor all applications by unchecking ‘monitor only the applications running in containment’; then, when you get a HIPS alert, you can click on the ‘show activities’ link at the bottom of the alert window.

Another workaround you can try is to create an auto-containment rule to ignore for the application, but enable under the options tab ‘do not apply the selection action to child processes’.