v4 Sandbox POLL

I see a lot of threads about the sandbox. They are mostly complaints. Now here, you must say what you LIKE about the sandbox as it stands.

Ladies and Gentlemen, let's hear it for the Comodo Sandbox.

It is at an early stage, but if it is helping to keep the pop-ups away and we are protected, I am happy. I don’t think we can yet see how it really works, but give it time.

This is by a big margin the quietest ever version of CIS CFP or CPF.

Well for my part…

I understand a reasonable part of what’s there now

Think end users may not have to understand the final product that deeply (but let's see)

Really like how it's being used to reduce pop-ups, and run unknown software with low security risk

Really like what we know about what’s intended

Know its implementation needs improving

Think some improvements that are required will prove difficult, but hope to be surprised

Am very glad that Comodo’s still willing to take the risks necessary to develop radically new approaches…

I think the biggest “mistake” on this issue is that some see it as a replacement for SandboxIE and the like… It’s not…

I like the idea behind it; it’s made to fill the gap between the AV pattern detection and the “unknown/undetected” malware that arrives before a detection pattern is released.

If all works as it should, it should AUTOMATICALLY:

  1. detect and visually notify the user of unknown sandboxed processes.
  2. submit them for online analysis: good, put 'em on the safelist and out of the sandbox; bad, quarantine.
  3. no online match, forward to CIMA: suspicious, keep in the sandbox; clean, give the user the option to move it out of the sandbox.
  4. result: much less damage by zero-day and other nasty, hard-to-detect stuff.

In its current form it’s just a start, but the goal is to provide a secure “almost zero pop-up” system.
And it’s not a substitute for SandboxIE: just set Sandbox to Disabled and you have 3.14 with a few different colors on the GUI.

That’s my view on the “Sandbox”

I think most people just don’t understand the idea. Haven’t seen any reasonable explanation why it should be excluded.
But it doesn’t concern the design - it’s horrible and must be completely renewed.
What I don’t understand is the rule allowing everything out!? Is that right and I missed something? Of course there will be no popups at all - it works the same way the Windows firewall does by default. BTW the Comodo Leak Test agrees - 140 points!

Just wondering is there any chance it will “consider” my money bag suspicious and automatically send it to Comodo for “testing”?

I fully agree. It’s a great idea in practice; it just needs a bit of tweaking/updating and it will be very good. One thing I am worried about, though, is the possible security risk on a 64-bit system.

Cheers

I strongly agree, this is very well put.

One query that has been buzzing round my head. How is this achieved without installer/installation sandboxing - which we are told is difficult in 64-bit (complex anyway)? The elevated privs. thing does not really work; how is the user to know how to answer?

I have some ideas how it might be resolved - maybe, at simplest, a restricted installer policy & set of sandbox privs. (So the unknown installer works semi-sandboxed, without virtualisation.) Maybe install to a virtual drive or VM. Maybe install to a VM running on a Comodo server, projected (complete with interprocess comms, OMG!) into the local machine.

Mouse

I think it is wonderful how the sandbox utilizes the OS’s security features to restrict and contain applications. It’s as if CIS protects the OS by being a part of it and not as an outsider program. OS-aided policy-based sandboxing is top-notch security; malware will find it hard to do any damage.

I strongly agree. A very elegant solution which means more security with less maintenance effort for Comodo, and less likelihood of obscure software conflicts for the user. Also smaller learning curve for users who already understand the OS facilities.

This seems to be one of Comodo’s signature strategies. Look at CSE - facilities which were buried and difficult to use surfaced and made usable by a simple bit of software.

If you wanna see a really full virtual box solution, guys, look for DefenseWall. This is a good implementation of trusted/untrusted + firewall. Works like automatic SandBoxie. It passes Comodo Leak Test with 330 score right from the box. But for my taste it’s just a headache.

I kinda agree with the poster above. It’s too much work - trusted/untrusted… ??? :-\

I know for a fact that all the programs I use are trusted to do whatever they want, otherwise I would not use them. So this whole sandbox approach is pretty redundant for me; but I think that for a number of users it would be nice. Though as I said before, I cannot see my girlfriend or friends using this. It’s complicated stuff… to say the least.

By the way: thanks for polling, guys. Looks like, despite the criticisms on other threads, Comodo & co are on the right track… :-TU

I was one who assumed it would be a Sandboxie replacement.

I think that the option to use it as an extra security feature or a full sandbox should be available, so if you choose to run an app in a sandbox it would be a full sandbox, asking to commit changes, save data etc, but if CIS does not know the app then it would run it in a partial sandbox.

Cheers

The applications run in the CIS sandbox really slow. I guess it works more like an interpreter than a virtualised process and that’s the way it works in a 64-bit OS. If I’m right that would be a big minus. Very big. We’ll see it when the things come by.

I think the intention of automatic sandboxing is that the user does not need to understand much about it, and that it reduces their need to understand how the rest of CIS works. They should be able to use the software without security risk, and critically with many fewer difficult-to-understand pop-ups. The proof of this pudding will be in the eating - we are not there yet!

NOTE: New topic created for detailed discussion of Apach’s problem related to slow running of applications in sandbox. (Or others with similar problems).

Mouse

I understand it but think it is going to cause some major headaches in the future!

Case in point is the screen capture utility FastStone Capture Version 5.3

File: C:\Users\Mat\Documents\fscapture\FSCapture.exe
Size: 1111552 bytes
Modified: 12 February 2007, 17:31:26
MD5: BDB0B87D300B3AEB98797FF0A3C54924
SHA1: 8D4E3B79B5D1F9281A829B713A835BCC012FC8D2
CRC32: 4E0F5E85

Now this is a well-known application which is not signed. So I fire it up because I want to take a screenshot, and all I get when trying to take a shot is a white screen… why?

I know, I’ll look in My Pending Files, and there it is (but is it sandboxed?). Well, there is a registry entry for it but nothing in "Programs in the Sandbox". Well, let’s do the online lookup from Pending Files (although shouldn’t the sandbox have done this?) because I’m now a bit uneasy about it, so let’s see what it says…

Oh dear, it says Error. I’ll try and submit it… already submitted!

Now what? I have an application which is only usable if I move it to “My Own Safe Files”, but I don’t know if it’s safe or not, sandboxed or not!

This is only a hypothetical example of issues that could arise…


Had the same problem myself!

Think the idea is that file analysis will be automated via CIMA instead of manual, thus faster.

The devs also need to get the permissions right. Not sure writing/reading from/to screen is likely to cause damage. However a security functionality trade off must exist for some progs. (Wonder if you can access the D+ permissions for sandboxed programs, and so relax them selectively, via the D+ GUI?)

So the sandbox maybe needs (optionally) to say: “CIS has put an unknown program in the sandbox while a background check is carried out. If you absolutely know this program to be safe you can over-ride this. Most applications will function fine while in the sandbox, but a few may not. The program will be automatically taken out of the sandbox without further action by you if it passes the background tests”.

What about a My pending files menu to move such files to the permanent sandbox with a predefined sandbox policy?

A new settings group “Predefined Sandbox policies” could be used to configure all related settings for a sandbox (eg Untrusted, Restricted, Limited, Unrestricted, virtualization, CPU and memory limits) and these predefined policies could be available in specific alerts (eg elevation alert with a “Treat as” combo box), dialogs (pending files) or context menus (run sandboxed).

FSCapture.exe could be moved to the permanent sandbox with a sandbox policy of eg. unrestricted/no_virtualization and thus trigger the whole extent of D+ alerts.

ATM the only options would be to:

  1. Wait until FSCapture.exe gets a safe result from a pending files lookup (perhaps this could be automated by CIS)
  2. Allow FSCapture.exe right away, trusting it is safe (either by guess or after some checks were carried out beforehand)
  3. Disable the sandbox to run FSCapture.exe and check its actions through D+ alerts.

Hope there could be some improvement to manage the safe applications temporarily sandboxed (eg when a safe app is launched by a sandboxed app), since those sandboxed but safe executables won’t appear in My Pending Files (BTW unrecognized batch files are not listed in My Pending Files either) and can be noticed only by looking at D+ event logs.

Now that I do like the sound of; if it was something you’re not completely sure about and then saw alerts for, say, device driver installation or a global hook, you could explore further.

:-TU

Also agree with this; I suppose it’s a fine line to get the balance between what needs what and not having too many alerts :-\

I just hope CIMA can handle the deluge of requests that could be coming its way and not do a Daisy :a0