Why are elevated programs allowed to ignore D+ settings?

First of all, I’d like to say that I’m impressed by the latest version of CIS, and I thank the Comodo team for making this great product.

Right now, I have one issue that really bugs me:

With sandbox enabled, if a program tries to run with elevated privileges and Allow is selected, that program is allowed complete access to your system and D+ ignores it. I see this as a problem because I’ve come across many rogue and malware installers that do ask for elevated privileges, and all it takes is for the user to select Allow to have their system completely compromised. The only way to combat this, it seems, is to disable the sandbox, but I do not wish to sacrifice the sandbox functionality just for this.

I’ve also noticed that even if you manually create D+ rules for the application, if elevated privileges are granted then those rules are completely ignored. Why can’t Comodo treat the program as an unknown application if elevated privileges are granted, and alert the user if the application is performing suspicious activity?

This can be observed with CLT: If CLT is granted elevated privileges, a terrible score is given and no alerts are displayed. The user should really be alerted of changes in this situation, as granting it elevated privileges is the ONLY way to run the program with the sandbox enabled. By disabling the sandbox and running it again, alerts are displayed and rules are created, thus giving an almost perfect score (perfect in Proactive Security mode).

Is there any way for Comodo to create rules for applications that are granted elevated privileges? From what I can tell, the only way is to disable the sandbox, which I do not want to do. I want programs with elevated privileges to still be monitored and protected from my system with D+. Could I also make a request for this to be a default feature in future versions? It seems like it would provide much better protection.

Thanks.

If you’re saying that there should be another button that allows it to continue, but alert the user to any activity, then I agree. A third option is a good idea.

The option to have it continue allowed should be kept, however, as if you know it’s safe it does greatly minimize the alerts.

Maybe you should add this to the wishlist.

Mistermooth.

To correct you on a couple of things. The computer won’t be ‘completely compromised’ after allowing an elevation prompt because sandboxed applications don’t touch the ‘real’ system. This is also the reason for the reduced score in CLT when the sandbox is enabled (no real modifications to the system).

The whole purpose of this is to avoid the plethora of pop-ups generated by D+ for unknown programs in earlier versions, which was severely off-putting for many users.

No, if a program requests to be executed with elevated privileges and the user selects “Allow”, that program is run outside of the sandbox.

What configuration are you using since I’m unable to reproduce this behaviour?

Internet Security.

Just run CLT; it will ask for elevated privileges. If you select allow, CLT is run outside of the sandbox. This is the “Automatically detect installers/updaters and run them outside of the Sandbox” feature.

If you disable this feature, then CLT is automatically run inside the sandbox.

So it’s best to have that off rather than on?

With “Automatically detect installers/updaters” checked in the settings, if you allow the installer to run thinking it’s good, it will bypass the sandbox because you said allow?

Shouldn’t that be unchecked for security?

Yes, clicking allow grants the program complete access to your system.

Thanks, I don’t like that one bit. That’s not really being safe.

So Comodo is useless if one, not knowing if the installer is malware or not, clicks allow? Thus just bypassing CIS4?

Yes

This needs to be explained further.

I agree, we all need more insight on this, because I don’t agree with the way it is now. It’s more of a big risk.

I was thinking about disabling “Automatically detect installers/updaters and run them outside of the Sandbox”, whereas I posted a related wish about an Installer wizard with Drag & drop support.

If anyone is interested please vote.

Shouldn’t that be unchecked for security?

You can start by right-clicking on the Comodo icon and changing the configuration to "Proactive", since you’re going to be tweaking Comodo anyway.

The option should be unchecked by default, like other default settings that only help to bypass Comodo, but you will need to restart all the installers each time since the Comodo sandbox is not able to unsandbox “on the fly”.

Just out of curiosity: how are you going to react to the alert when you have disabled “Automatically detect installers/updaters”? I guess you will allow the program to run as an installer, since running an installer in a Sandbox will not bring you anything. Will it?

The only protection against a malicious installer is not to start executing it anyway when you got it from an unknown source. In other words: “your own safe and sound behaviour”.

With Regards,
Eric-Jan.

Tip! Test “illegal” harvested programs in a totally virtual environment (VMware for instance). Or do a backup and restore with the backup detached from your machine when fiddling around.

I guess this option is great for people who like to install a bunch of stuff: they just have to click allow and that’s it … But for trojans and backdoors, ticking this option or leaving it unticked doesn’t matter, because they don’t ask for administrative privileges, so you will still be protected :stuck_out_tongue: