What's the benefit of FULLY VIRTUALIZED?

If a program runs as FULLY VIRTUALIZED, what is the benefit from a security perspective?

I understand that with a fully virtualized application all the “damage” (which is not real) can be reverted, since all malware activity is monitored and fed into a virtualized environment. Thus, helping a machine to keep clean and malware free.

BUT, from a security perspective, what is the benefit of “allowing” a malware to do its thing even in a virtualized environment? Doesn't it mean that the malware can still cause harm such as stealing private information, transferring data to hackers, etc., because it was allowed to do that in the virtualized environment?

Which is the reason I have set my BB to “Blocked”. Just so very sad that this mode doesn’t generate alerts when something is blocked. =(

…in other words, fully virtualized applications only protect a system but not a user’s privacy?

“Disclaimer”: These are my speculations, my understandings and my opinions. I cannot guarantee that the information below is factually correct, nor do I claim it to be. The information below is from my own personal experience and things I have read on this forum; however, I have not checked whether these things are true or not and hence I cannot guarantee that they are true. (lol disclaimer =P)

Well, since the current iteration of the option “Fully Virtualized” seems to actually put the firewall for the sandboxed items in a default allow state (as I have read a little scattered here and there in this forum), I would say that fully virtualized at the current time of writing isn’t very good for privacy. It does block some techniques of keylogging but not all; I think it allows webcam logging (correct me if I’m wrong).

Currently for PRIVACY I would use HIPS, since then if a program is actually trying to do something like that, it would generate an alert (HIPS doesn’t do this for sandboxed items, at least not for me; HIPS in sandbox seems to be 100% automatic) in which you could choose block and terminate.

However, that could potentially be quite bothersome since HIPS is notorious for making a lot of alerts, but if you put it in Safe mode you should only get alerts from unknown programs (correct me if I’m wrong). But then again, I think the firewall is much better in the ranges Partially Limited to Untrusted, and it’s first in Fully Virtualized when the firewall becomes default allow. (Again, I haven’t tested this and only read scattered posts on this forum claiming this.)

I myself use HIPS set to Safe and BB set to Blocked. The only thing I’m bothered with is that “Blocked” mode for BB doesn’t generate a single alert, so unknown files trying to run might be blocked and put in unrecognized files without your knowing or decision.

But then again, keyloggers outside of the Fully Virtualized environment aren’t able to log things within the environment, and I think that goes for screen grabbers too (correct me if I’m wrong). So if you want privacy when you’re doing banking etc., then you can reset the sandbox, then start the browser in the Kiosk or Fully Virtualized, whichever works best. (Preferably with your browser in incognito mode, in case any extensions were rogue.)

Personally I don’t see why I’d ever want to allow a malware to run at all, even if it’s in a virtualized environment. So if the “Blocked” setting for BB made alerts then it would be much easier for me, but Comodo doesn’t seem to like the idea of alerts for the “Blocked” setting. :-\

*cough* So to answer your questions… it does seem like that; however, I would say that full virtualization partially protects your privacy.

Thanks SanyaIV.

Would be great if someone could confirm the aspects that SanyaIV requests for confirmation.

As far as I understand you, for privacy concerns, it's better to enable HIPS?
I disabled it because of this configuration tutorial by Chiron.

My advice is sound, in terms of security and privacy, but I’m still working on figuring out the best way to incorporate FV, as if I could get around the firewall leaks that would definitely be my advice. However, at the moment my official advice is not to activate it for the BB. That is because of certain FV sandbox firewall leaks, as mentioned by SanyaIV.

I agree with SanyaIV’s comments. The only thing I’m not sure about is that I didn’t think the firewall was set to default allow for FV. I just thought the firewall was not working correctly in the FV environment. Can someone please provide links for that? Perhaps I’ve just forgotten that aspect.

Personally speaking, setting the BB to block is a pointless exercise and you may as well not download anything at all in that respect.
Downloading from trusted websites and using hash checkers etc. would certainly take away any need for the BB to come into play, but as I have stated, using the block option is redundant.

I think I just misunderstood what I read and it’s rather as you said that there are certain leaks. That’s why I put the disclaimer there! =P

I don’t really know, but I don’t know if HIPS has the capability that the “Blocked” setting does; at least I can’t get it to work in that way.
I don’t want to use the auto-sandbox either, because I don’t want things to run in a sandbox. I have no need for that because I know which programs I want to have running, and if I don’t recognize a program then I don’t even want to run it in the sandbox!

The reason I use “Blocked” is because it will block all the unknown files and put them in the unrecognized files. From there I can look at the file and decide whether it is something I know or not; if it’s something I know and I know that I trust it, then I’ll add it to the trusted list. If I don’t know what the program is then I’ll look it up, and if I don’t trust it then I’ll remove it.

However, I think that the “Blocked” setting could be improved by making it generate an alert which could just say that something has been blocked, because it’s not always obvious! And you could take it a bit further to have three options: Option 1: Allow, Option 2: Block File, Option 3: Block and Delete File. If option 1 is chosen, then a checkbox becomes available where you can tick “Trust this file”. It doesn’t have to be just like that, but similar.

OR you could have another option in the Auto-sandbox where you are able to choose what it does, instead of having a pre-defined rule that all applications follow.
So if an unknown program is executed, then it is blocked from starting and you get an alert that gives you these options:
Option 1: Sandbox as (drops down to choose between Partially Limited to Untrusted)
Option 2: Allow (drops down to also have an option for “Allow and add to Trusted list”)
Option 3: Block (drops down to also have “Block and Delete”)
Or something like that; then the Blocked setting wouldn’t be needed.

Being redundant is not the problem. The real problem is that in the Blocked setting, you get no alert and therefore no option to tell CIS to not restrict the file again. If it happens to be something you want to use, you have to go find and remove it from the unrecognized files before you can manually put it into trusted files. There should be the same alert in the Blocked mode as in the others, so when you tell CIS to not restrict it again, it automatically gets added to the trusted list. For me, the Blocked setting is unusable because of this. The seeming problems with Fully Virtualized made me abandon that as well, and I’m now running with the Untrusted setting.

AFAIK it inherits whatever the non-virtualised firewall settings are. So for the vanilla IS config, that’s allow outbound. For Proactive, it’s alert outbound for unknowns.

The best hint for privacy:

Have/enable control.

So, for privacy concerns… it's better to keep away from Full Virtualization?

I don’t worry too much about privacy, but for pure security considerations, it may be advisable to not use the setting until the apparent issues with the firewall are explained or sorted out.