Option to use CCAV as an anti-exe

[Jon79]

1. What actually happened or you saw:
Sometimes malware can mistakenly be whitelisted and it can run in the user's pc when CCAV makes a cloud lookup

2. What you wanted to happen or see:
The latest release (v1.19.456424.771) of CCAV has added an option to control the TVL, but if a file has been trusted on cloud, it will still run without warning.
It would be good for some users to lockdown their PC and allow to run only apps either already whitelisted or with a digital signature in the local TVL.
This can be achieved, for example, by adding a "Block all new apps" feature

3. Why you think it is desirable:
To avoid whitelisted malware

4. Any other information, screenshots etc:
Check the story here, from reply #9
https://forums.comodo.com/beta-corner-ccav/comodo-cloud-antivirus-v119456424771-rc-t122466.0.html

[Umesh]

Hi Jon79,
Please see enclosed snaps.
Assume you have "ENTER LOCK DOWN MODE" option available in some form, more ideas are welcome.
When you press it, user will be shown following small notification message:

When you enable this mode, no new application (either safe or unknown) can run, except ones from Microsoft or Comodo. In case you still want to execute a new application, you can add that application in exclusion list as available in "Sandbox Settings". This mode is only valid till system is re-booted and upon next system re-boot will exit from this mode. You can exit this mode any point you want.

- Also added a new Sandbox mode, i.e. block all untrusted applications.

Everyone, please share your thoughts.

Thanks
-umesh

[Jon79]

Hi Jon79,
Please see enclosed snaps.
Assume you have "ENTER LOCK DOWN MODE" option available in some form, more ideas are welcome.
When you press it, user will be shown following small notification message:
- Also added a new Sandbox mode, i.e. block all untrusted applications.

Everyone, please share your thoughts.

Thanks
-umesh

Hi Umesh,
Lockdown mode looks interesting, but limiting it to Microsoft and Comodo could lead to some problems (for example, what about Intel, Nvidia or Realtek?)
About sandbox mode, what do you mean by untrusted? Untrusted for the user or untrusted for Comodo Cloud?

My idea about this feature is that the user should have full control about apps that can run, either by manual whitelist or by custom TVL.
Any other app should be sandboxed unless the cloud lookup find it to be malicious (and the user still has the option to exclude such a file)

[Umesh]

Hi Jon79,

Lockdown mode looks interesting, but limiting it to Microsoft and Comodo could lead to some problems (for example, what about Intel, Nvidia or Realtek?)

Consider this as a state, you get in and get out and is non-persistent across boot, as during boot there can be number of critical apps and services that should run, so assume this as a post boot option, you can enable.

About sandbox mode, what do you mean by untrusted? Untrusted for the user or untrusted for Comodo Cloud?

That is not connected with Lock Down mode, just another option in case Comodo rating is untrusted, application can be blocked, right now we have default option as sandbox.

My idea about this feature is that the user should have full control about apps that can run, either by manual whitelist or by custom TVL.
Any other app should be sandboxed unless the cloud lookup find it to be malicious (and the user still has the option to exclude such a file)

In "Lock Down" mode, you can define applications that can run and also malicious will be blocked as well as cloud look up will be working. So it pretty much achieves what you are looking for.

Thanks
-umesh

Hi Umesh,
Lockdown mode looks interesting, but limiting it to Microsoft and Comodo could lead to some problems (for example, what about Intel, Nvidia or Realtek?)
About sandbox mode, what do you mean by untrusted? Untrusted for the user or untrusted for Comodo Cloud?

My idea about this feature is that the user should have full control about apps that can run, either by manual whitelist or by custom TVL.
Any other app should be sandboxed unless the cloud lookup find it to be malicious (and the user still has the option to exclude such a file)

[Jon79]

Hi Jon79,Consider this as a state, you get in and get out and is non-persistent across boot, as during boot there can be number of critical apps and services that should run, so assume this as a post boot option, you can enable.

Ok, it makes sense

In "Lock Down" mode, you can define applications that can run and also malicious will be blocked as well as cloud look up will be working. So it pretty much achieves what you are looking for.

Not really, since lockdown mode will be disable after rebooting.
I want something I can use always

That is not connected with Lock Down mode, just another option in case Comodo rating is untrusted, application can be blocked, right now we have default option as sandbox.

I think you can already do so by choosing "run only trusted apps"

I'll try to explain better my idea

Current mode
Trusted if:

• Digital signature in the local TVL
• Digital signature in the cloud TVL
• Trusted by cloud
• Trusted/whitelisted by the user

Blocked/Quarantined/Deleted if:

• Found malicious in the cloud

Unknown if:

• Anything else

Jon79 mode
Trusted if:

• Digital signature in the local TVL
• Trusted/whitelisted by the user

Blocked/Quarantined/Deleted if:

• Found malicious in the cloud

Unknown if:

• Anything else

No matter what mode you use, you can keep the current options about unknown files:

• Automatically run in the sandbox
• Block it
• Ask the user

[Ploget]

Hi Umesh
Good ideas from Jon79 - and I think your explanations sound excellent. Would make CCAV a real 'control' and access application . . . . even more than at present

Hi Jon79,Consider this as a state, you get in and get out and is non-persistent across boot, as during boot there can be number of critical apps and services that should run, so assume this as a post boot option, you can enable.That is not connected with Lock Down mode, just another option in case Comodo rating is untrusted, application can be blocked, right now we have default option as sandbox.
In "Lock Down" mode, you can define applications that can run and also malicious will be blocked as well as cloud look up will be working. So it pretty much achieves what you are looking for.

[Umesh]

Jon79 mode[/b]
Trusted if:
Digital signature in the local TVL
Trusted/whitelisted by the user

2nd one is covered due to exclusion, so mode can be extended to include to trust all entries in local TVL.

Only thing left will be persistence, in case you are using local TVL then it won't hurt as persistence won't cause issue.

Thanks
-umesh

Ok, it makes sense
Not really, since lockdown mode will be disable after rebooting.
I want something I can use always
I think you can already do so by choosing "run only trusted apps"

I'll try to explain better my idea

Current mode
Trusted if:

• Digital signature in the local TVL
• Digital signature in the cloud TVL
• Trusted by cloud
• Trusted/whitelisted by the user

Blocked/Quarantined/Deleted if:

• Found malicious in the cloud

Unknown if:

• Anything else

Jon79 mode
Trusted if:

• Digital signature in the local TVL
• Trusted/whitelisted by the user

Blocked/Quarantined/Deleted if:

• Found malicious in the cloud

Unknown if:

• Anything else

No matter what mode you use, you can keep the current options about unknown files:

• Automatically run in the sandbox
• Block it
• Ask the user

[cheater87]

I love this, I already use CIS as an anti exe, this not sure why CCAV has no block feature for sandboxed apps.

[morphiusz]

I love this, I already use CIS as an anti exe, this not sure why CCAV has no block feature for sandboxed apps.

It has. Look at the 2nd option in here:
https://forums.comodo.com/index.php?action=dlattach;topic=122509.0;attach=120227;image


All exes that would be run in the sandbox will be blocked instead.

[cheater87]

It has. Look at the 2nd option in here:
https://forums.comodo.com/index.php?action=dlattach;topic=122509.0;attach=120227;image


All exes that would be run in the sandbox will be blocked instead.

When was this added? 0_0

[morphiusz]

Of course I mean this “Run only safe applications” ; a second option in here

https://help.comodo.com/topic-394-1-767-9744-.html

I hope this is what you meant?

[Jon79]

The point is, in CCAV you can't disable the cloud lookup, while in CIS you can.
It would be great if CCAV could lookup only for malicious files, letting the user choose what's safe (custom TVL and manual whitelist).
But it's OK, I have switched to Avast with Hardened Mode on Aggressive and I'm quite happy with it