First of all, I’d like to say that I’m impressed by the latest version of CIS, and I thank the Comodo team for making this great product.
Right now, I have one issue that really bugs me:
With sandbox enabled, if a program tries to run with elevated privileges and Allow is selected, that program is allowed complete access to your system and D+ ignores it. I see this as a problem because I’ve come across many rogue and malware installers that do ask for elevated privileges, and all it takes is for the user to select Allow to have their system completely compromised. The only way to combat this, it seems, is to disable the sandbox, but I do not wish to sacrifice the sandbox functionality just for this.
I’ve also noticed that even if you manually create D+ rules for the application, if elevated privileges are granted then those rules are completely ignored. Why can’t Comodo treat the program as an unknown application if elevated privileges are granted, and alert the user if the application is performing suspicious activity?
This can be observed with CLT: If CLT is granted elevated privileges, a terrible score is given and no alerts are displayed. The user should really be alerted of changes in this situation, as granting it elevated privileges is the ONLY way to run the program with the sandbox enabled. By disabling the sandbox and running it again, alerts are displayed and rules are created, thus giving an almost perfect score (perfect in Proactive Security mode).
Is there any way for Comodo to create rules for applications that are granted elevated privileges? From what I can tell, the only way is to disable the sandbox, which I do not want to do. I want programs with elevated privileges to still be monitored and protected from my system with D+. Could I also make a request for this to be a default feature in future versions? It seems like it would provide much better protection.
To correct you on a couple of things. The computer won’t be ‘completely compromised’ after allowing an elevation prompt because sandboxed applications don’t touch the ‘real’ system. This is also the reason for the reduced score in CLT when the sandbox is enabled (no real modifications to the system).
The whole purpose of this is to avoid the plethora of pop-ups generated by D+ for unknown programs in earlier versions, severely off-putting for many users.
Just run CLT; it will ask for elevated privileges. If you select allow, CLT is run outside of the sandbox. This is the “Automatically detect installers/updaters and run them outside of the Sandbox” feature.
If you disable this feature, then CLT is automatically run inside the sandbox.
The option should be unchecked by default, like other default settings that only help to bypass Comodo, but you will need to restart all the installers each time, since the Comodo sandbox is not able to unsandbox “on the fly”.
Just out of curiosity. How are you going to react to the alert when you have disabled “Automatically detect installers/updaters”? I guess you will allow the program to run as an installer, since running an installer in a Sandbox will not bring you anything. Will it?
The only protection against a malicious installer is not to start executing it anyway when you got it from an unknown source. In other words: “your own safe and sound behaviour”.
Tip! Test “illegal” harvested programs in a totally virtual environment (VMware for instance). Or do a backup and restore with the backup detached from your machine when fiddling around.
I guess this option is great for people who like to install a bunch of stuff: they just have to click Allow and that’s it … but for trojans and backdoors, ticking this option or leaving it unticked doesn’t matter, because they don’t ask for administrative privileges, so you will still be protected.