Author Topic: standalone autosandbox  (Read 2322 times)

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 944
Re: standalone autosandbox
« Reply #30 on: March 18, 2017, 08:54:29 AM »
maybe you can add an option during installation to have either the av realtime protection or just the sandbox protection.
something like "use comodo cloud av module to detect threats in realtime (uncheck if you already have an av)"

Here are two proposals:
  • The first one is about a modular approach to have CASB, CCAV and CIS with one interface only
  • The second one is only about CCAV, with the option to use cloud AV or not
« Last Edit: March 20, 2017, 05:37:17 AM by Jon79 »

Offline shikamarunara

  • Newbie
  • *
  • Posts: 16
Re: standalone autosandbox
« Reply #31 on: March 20, 2017, 09:03:01 AM »
Those are good solutions; from my experience I think the first one is better.

Offline Graham1

  • Comodo's Hero
  • *****
  • Posts: 1866
Re: standalone autosandbox
« Reply #32 on: March 20, 2017, 09:15:06 AM »
First option as well, although I would put CCAV under "Antivirus". Within Antivirus module, have an option (slider) to choose between traditional signatures (downloaded) or cloud based lookup (online).

:)
Ubuntu 16.04 LTS (x64) | Chromium | uBlock Origin | Privacy Badger | HTTPS Everywhere

https://www.thevenusproject.com | Beyond Politics Poverty and War

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 944
Re: standalone autosandbox
« Reply #33 on: March 20, 2017, 09:23:41 AM »
Quote
First option as well, although I would put CCAV under "Antivirus". Within Antivirus module, have an option (slider) to choose between traditional signatures (downloaded) or cloud based lookup (online).

:)

Hi Graham1,

in my view, cloud lookup (something similar to the one present in CIS under "file rating settings") should be included in the default auto-sandbox package (even if with the option to disable it):
https://help.comodo.com/topic-72-1-766-9179-File-Rating-Settings.html
This feature doesn't prevent the use of a third-party realtime AV.

The Cloud AV I mentioned is something similar to the realtime scan currently present in CCAV:
https://help.comodo.com/topic-394-1-767-9243-Antivirus-Settings.html
This feature can't be used alongside a third-party realtime AV.

The offline AV is something similar to the AV present in CIS:
https://help.comodo.com/topic-72-1-766-9160-Real-time-Scan-Settings.html

Offline Graham1

  • Comodo's Hero
  • *****
  • Posts: 1866
Re: standalone autosandbox
« Reply #34 on: March 20, 2017, 02:34:29 PM »
Quote
in my view, cloud lookup (something similar to the one present in CIS under "file rating settings") should be included in the default auto-sandbox package (even if with the option to disable it):
https://help.comodo.com/topic-72-1-766-9179-File-Rating-Settings.html
This feature doesn't prevent the use of a third-party realtime AV.

I agree. I haven't used CIS for a while now so unsure how "File Rating Settings" is set up compared to CCAV.

Quote
The Cloud AV I mentioned is something similar to the realtime scan currently present in CCAV:
https://help.comodo.com/topic-394-1-767-9243-Antivirus-Settings.html
This feature can't be used alongside a third-party realtime AV.

The offline AV is something similar to the AV present in CIS:
https://help.comodo.com/topic-72-1-766-9160-Real-time-Scan-Settings.html

I still think both types of antivirus (CAV and CCAV) should be integrated within one Antivirus module (component) as they both offer different styles of detection (local vs online), although with the default sandbox feature, you could do away with the offline version.

:)
Ubuntu 16.04 LTS (x64) | Chromium | uBlock Origin | Privacy Badger | HTTPS Everywhere

https://www.thevenusproject.com | Beyond Politics Poverty and War

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 944
Re: standalone autosandbox
« Reply #35 on: March 20, 2017, 04:41:12 PM »
Quote
I agree. I haven't used CIS for a while now so unsure how "File Rating Settings" is set up compared to CCAV.

I still think both types of antivirus (CAV and CCAV) should be integrated within one Antivirus module (component) as they both offer different styles of detection (local vs online), although with the default sandbox feature, you could do away with the offline version.

:)

i think currently in ccav there isn't a file rating --> cloud lookup because everything is done by the realtime cloud av.
so, in ccav files are checked online whenever you download, select, copy or move them. in cis (or better, in cfw) files are checked online only on execution, when you try to run them.
that's why cfw is so lightweight compared not only to cis, but also to ccav.

has anyone tried to use ccav with the realtime av disabled? how is a file deemed good, bad or unknown? only by the local trusted vendor list?

Offline Graham1

  • Comodo's Hero
  • *****
  • Posts: 1866
Re: standalone autosandbox
« Reply #36 on: March 20, 2017, 05:20:23 PM »
Quote
i think currently in ccav there isn't a file rating --> cloud lookup because everything is done by the realtime cloud av.
so, in ccav files are checked online whenever you download, select, copy or move them. in cis (or better, in cfw) files are checked online only on execution, when you try to run them.
that's why cfw is so lightweight compared not only to cis, but also to ccav.

I always thought CCAV checked applications on execution and then marked executable as either good (trusted application), bad (quarantine) or unknown (sandbox). Then after 10 days, status of executable is reset but maybe I'm wrong.

Quote
has anyone tried to use ccav with the realtime av disabled? how is a file deemed good, bad or unknown? only by the local trusted vendor list?

I would guess that by not having the antivirus part enabled, executables would be trusted if in the "Trusted Vendors" or already in "Trusted Application" (unless reset after 10 days), otherwise treated as unknown and sandboxed.

:)

« Last Edit: March 20, 2017, 05:26:10 PM by Graham1 »
Ubuntu 16.04 LTS (x64) | Chromium | uBlock Origin | Privacy Badger | HTTPS Everywhere

https://www.thevenusproject.com | Beyond Politics Poverty and War

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 944
Re: standalone autosandbox
« Reply #37 on: March 21, 2017, 02:19:59 AM »
Quote
I always thought CCAV checked applications on execution and then marked executable as either good (trusted application), bad (quarantine) or unknown (sandbox). Then after 10 days, status of executable is reset but maybe I'm wrong.

https://help.comodo.com/topic-394-1-767-9244-Antivirus-Settings.html
The real-time scanner (aka 'On-Access Scan') is always ON and checks files in real time when they are created, opened or copied (as soon as you interact with a file, Comodo Cloud Antivirus checks it). This instant detection of viruses assures you, the user, that your system is perpetually monitored for malware and enjoys the highest level of protection.

Quote
I would guess that by not having the antivirus part enabled, executables would be trusted if in the "Trusted Vendors" or already in "Trusted Application" (unless reset after 10 days), otherwise treated as unknown and sandboxed.

https://help.comodo.com/topic-394-1-767-9257-File-Rating-Settings.html
The CCAV file rating system is a cloud-based file look-up service (FLS) that attempts to ascertain the reputation of files on your computer by consulting a global database. Whenever a file is first accessed, Cloud Antivirus will check the file against our master whitelist and blacklists and will award it trusted status if:
  • The application/file is included in the local Trusted Applications list
  • The application is from a vendor included in the Trusted Vendors list
  • The application is included in the extensive and constantly updated Comodo safelist
Trusted applications are excluded from monitoring by Auto-Sandbox - reducing hardware and software resource consumption.

So, maybe the file rating is still working even if you disable the realtime scan

Offline Graham1

  • Comodo's Hero
  • *****
  • Posts: 1866
Re: standalone autosandbox
« Reply #38 on: March 21, 2017, 03:37:06 AM »
Quote
https://help.comodo.com/topic-394-1-767-9244-Antivirus-Settings.html
The real-time scanner (aka 'On-Access Scan') is always ON and checks files in real time when they are created, opened or copied (as soon as you interact with a file, Comodo Cloud Antivirus checks it). This instant detection of viruses assures you, the user, that your system is perpetually monitored for malware and enjoys the highest level of protection.

https://help.comodo.com/topic-394-1-767-9257-File-Rating-Settings.html
The CCAV file rating system is a cloud-based file look-up service (FLS) that attempts to ascertain the reputation of files on your computer by consulting a global database. Whenever a file is first accessed, Cloud Antivirus will check the file against our master whitelist and blacklists and will award it trusted status if:
  • The application/file is included in the local Trusted Applications list
  • The application is from a vendor included in the Trusted Vendors list
  • The application is included in the extensive and constantly updated Comodo safelist
Trusted applications are excluded from monitoring by Auto-Sandbox - reducing hardware and software resource consumption.

Thanks for the quotes and links Jon79. Much appreciated :)

Quote
So, maybe the file rating is still working even if you disable the realtime scan

I couldn't find any documentation on this so I'll post this question on the forum.

:)

Ubuntu 16.04 LTS (x64) | Chromium | uBlock Origin | Privacy Badger | HTTPS Everywhere

https://www.thevenusproject.com | Beyond Politics Poverty and War

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 944
Re: standalone autosandbox
« Reply #39 on: March 21, 2017, 03:48:38 AM »
Quote
Thanks for the quotes and links Jon79. Much appreciated :)

I couldn't find any documentation on this so I'll post this question on the forum.

:)

 :D  :-TU

Offline umesh

  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 1662
    • COMODO
Re: standalone autosandbox
« Reply #40 on: March 23, 2017, 12:38:03 PM »
Hi Jon79,
If you take Comodo firewall and disable HIPS and enable Auto-Sandbox, you got pretty much what you listed as CASB. Isn't it?

Quote
CASB (Comodo Auto SandBox) with only the features I wrote below:
Quote from: Jon79 on March 17, 2017, 10:39:29 AM
- Cloud lookup to decide if a file is good (whitelisted), bad (blacklisted) or unknown
- Auto-sandbox to block execution of bad files and to run unknown files inside the sandbox (plus the option to block internet connection to files running inside the sandbox)
- Viruscope like it is now


Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 944
Re: standalone autosandbox
« Reply #41 on: March 23, 2017, 01:25:43 PM »
Quote
Hi Jon79,
If you take Comodo firewall and disable HIPS and enable Auto-Sandbox, you got pretty much what you listed as CASB. Isn't it?

yes that's exactly what i'm currently doing.
but since ccav seems more actively developed, i was thinking of switching to it

Offline liosant

  • Comodo's Hero
  • *****
  • Posts: 823
Re: standalone autosandbox
« Reply #42 on: March 24, 2017, 07:46:36 PM »
Quote
Here are two proposals:
  • The first one is about a modular approach to have CASB, CCAV and CIS with one interface only
  • The second one is only about CCAV, with the option to use cloud AV or not
:D
Command prompt is opened by secure applications, but secure applications can be used by malware or unknown files to run command lines
