Create Rules for Auto-Sandboxing Applications
You can define rules for programs that should be run in the sandboxed environment. A sandboxed application has much less opportunity to damage your computer because it is run isolated from your operating system and your files.
CAVS ships with a set of pre-defined auto-sandbox rules that are configured to provide maximum protection for your system. Before creating a rule, check if your requirement is met by the default rules. Refer to the section Configuring Rules for Auto-Sandbox for more details.
To create auto-sandbox rules
- Open the 'Tasks' interface by clicking the green curved arrow at the top right of the 'Home' screen
- Open 'Sandbox Tasks' and click 'Open Advanced Settings'
- Click 'Security Settings' > 'Defense+' > 'Sandbox' > 'Auto-Sandbox' in the left hand side pane
- Click the handle at the bottom of the interface to open the option panel
- Click the 'Add' button
The Manage Sandboxed Program screen will be displayed.
- Step 1 – Select the Action
- Step 2 – Select the Target
- Step 3 – Select the Sources
- Step 4 – Select the File Reputation
- Step 5 – Select the Options
The option chosen under the Action drop-down button, combined with the Set Restriction Level setting in the Options tab, determines how much access an auto-sandboxed application has to other software and to hardware resources on your computer.
The options available under the Action button are:
- Run Virtually - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.
- Run Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
- Block - The application is not allowed to run at all.
- Ignore - The application will not be sandboxed and will be allowed to run with full privileges.
The next step is to select the target to which the auto-sandbox rule is to be applied. Click the Browse button beside the Target field.
You have six options available to add the target path.
- Files – Allows you to add individual files as the target.
- Running Processes – As the name suggests, this option allows you to add any process that is currently running on your computer.
- File Groups – Allows you to add predefined File Groups as the target. To add or modify a predefined file group, refer to the section File Groups for more details.
- Folder – Allows you to add a folder or drive as the target.
- File Hash – Allows you to add a file as the target based on its hash value.
- Process Hash - Allows you to add any process that is currently running on your computer as the target based on its hash value.
If the Target covers many items but the rule should apply only under certain conditions, restrict it in this step. For example, if the Target is all executables but the rule should apply only to executables downloaded from the Internet, apply that filter in the Sources. Another example: to run unrecognized files from a network share without sandboxing them, create an Ignore rule with All Applications as the target and a source located on network drives.
The following example describes how to add an Ignore rule for Unrecognized files from a network source:
- In Step 1, select the action as Ignore
- In Step 2, select the Target as All Applications in File Groups
- In Step 3, click Folder from the Add options.
The 'Browse For Folder' dialog will be displayed.
- Navigate to the source folder in the network, select it and click 'OK'.
The selected network source folder will be added under the 'Created by' column and the screen displays the options to specify the location and from where the files were downloaded.
- Location – The options available are:
- Any
- Local Drive
- Removable Drive
- Network Drive
Since the source is located in a network, select Network Drive from the options.
- Origin – The options available are:
- Any – The rule will apply to files that were downloaded to the source folder from both Internet and Intranet.
- Internet – The rule will apply to files that were downloaded to the source folder from Internet only.
- Intranet – The rule will apply to files that were downloaded to the source folder from Intranet only.
Since the example rule is created for files that are categorized as Unrecognized, the same has to be selected from the rating options in Step 4.
Step 4 – Select the File Reputation
- Click the Reputation tab in the Manage Sandboxed Program interface.
By default, no file rating is selected, meaning the rule applies to files of any rating. The options available are:
- Trusted – Applications that are signed by trusted vendors and files installed by trusted installers are categorized as Trusted files by Defense+. Refer to the sections File Rating Settings and File List for more information.
- Unrecognized – Files that are not found when scanned against the Comodo safe files database are categorized as Unrecognized files. Refer to the section 'File List' for more information.
- Malware – Files are scanned according to a set procedure and are categorized as malware if they do not satisfy its conditions. Refer to the section Unknown Files – The Scanning Process for more information.
By default, no file age is selected, so the rule applies to files of any age. The options available are:
- Less Than – Comodo Antivirus for Servers will check the reputation of a file only if it is younger than the age you set here. Select the interval from the first drop-down combo box and choose hours or days in the second drop-down box. (Default and recommended = 1 hour)
- More Than - CAVS will check the reputation of a file only if it is older than the age you set here. Select the interval from the first drop-down combo box and choose hours or days in the second drop-down box. (Default and recommended = 1 hour)
Select the category from the options. For the example rule, select Unrecognized.
Step 5 – Select the Options
- Click the Options tab in the Manage Sandboxed Program interface.
The options available for the Ignore action are:
- Log when this action is performed – Whenever this rule is applied for the action, it will be logged.
- Don't apply the selected action to child processes – Child processes are processes started by the application, for example an unwanted app, or third-party browser plugins or toolbars that were not mentioned in the original setup options and/or EULA. CAVS treats every child process as an individual process and runs it according to its own file rating and the Sandbox rules.
- By default, this option is not selected and the Ignore rule is also applied to the child processes of the target application(s).
- If this option is selected, the Ignore rule is applied only to the target application itself; every child process it starts is checked and has the Sandbox rules applied individually according to its own file rating.
The 'Don't apply the selected action to child processes' option is available for the Ignore action only. For actions – Run Restricted and Run Virtually – the following options are available:
- Log when this action is performed – Whenever this rule is applied for the action, it will be logged.
- Set Restriction Level – When Run Restricted is selected as the Action, this option is selected automatically and cannot be unchecked; for the Run Virtually action it can be checked or unchecked. The options for restriction levels are:
- Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
- Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
- Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
- Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
- Limit maximum memory consumption to – Enter the maximum amount of memory, in MB, that the process is allowed to consume.
- Limit program execution time to – Enter the maximum time in seconds the program should run. After the specified time, the program will be terminated.
For Block action, the following options are available:
- Log when this action is performed – Whenever this rule is applied for the action, it will be logged.
- Quarantine program – If checked, the programs will be automatically quarantined. Refer to the section Manage Quarantined Items for more information.
Choose the options and click 'OK'. The rule will be added and displayed in the list.
That's it. You have created an Ignore auto-sandbox rule for unrecognized files with a Network drive as source.
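How the five steps above combine into a decision, as an added example that is not CAVS code: a small Python model of a rule set in which the Action (with its restriction level, memory and time limits, or quarantine), the Target, the Source filters (folder, Location, Origin), the File Reputation and age filters, and the 'Don't apply the selected action to child processes' option all take part. The top-down first-match evaluation order, the default action for files no rule matches, treating the age filter as one more match condition, matching the Source folder as a path prefix, and the sample rules and file events are all assumptions made for this example, not behaviour documented on this page.

```python
"""Model of how an auto-sandbox rule set decides what happens to a file.

Added example, not CAVS code.  Assumptions (labelled): rules are checked
top-down and the first whose target, source and reputation filters all
match wins; a file no rule matches gets DEFAULT_ACTION; the file age
filter is treated as one more match condition; the Source folder is
compared as a path prefix.  Sample rules and file events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ("Partially Limited", "Limited", "Restricted", "Untrusted")
DEFAULT_ACTION = "Run Virtually"  # assumption: what unmatched files get


@dataclass
class FileEvent:
    path: str
    location: str  # "Local Drive" | "Removable Drive" | "Network Drive"
    origin: str    # "Internet" | "Intranet"
    rating: str    # "Trusted" | "Unrecognized" | "Malware"
    age_hours: float
    parent: Optional["FileEvent"] = None  # process that launched this file


@dataclass
class Rule:
    name: str
    action: str                       # Run Virtually | Run Restricted | Block | Ignore
    target: str = "All Applications"  # file group, or an exact path
    source_folder: Optional[str] = None  # Step 3 "Folder": prefix the file must sit under
    location: str = "Any"
    origin: str = "Any"
    rating: str = "Any"
    age: Optional[Tuple[str, float]] = None  # ("Less Than", h) | ("More Than", h)
    log: bool = True
    skip_children: bool = False   # "Don't apply the selected action to child processes"
    restriction: Optional[str] = None  # Set Restriction Level
    memory_mb: Optional[int] = None
    time_limit_s: Optional[int] = None
    quarantine: bool = False      # Block only

    def __post_init__(self) -> None:
        if self.action == "Run Restricted" and self.restriction is None:
            self.restriction = "Partially Limited"  # level is mandatory; page default
        if self.restriction is not None and self.restriction not in LEVELS:
            raise ValueError(f"unknown restriction level {self.restriction!r}")
        if self.skip_children and self.action != "Ignore":
            raise ValueError("child-process option exists only for Ignore")

    def matches(self, ev: FileEvent) -> bool:
        p = ev.path.lower()
        if self.target != "All Applications" and p != self.target.lower():
            return False
        if self.source_folder and not p.startswith(self.source_folder.lower()):
            return False
        for want, have in ((self.location, ev.location), (self.origin, ev.origin),
                           (self.rating, ev.rating)):
            if want != "Any" and want != have:
                return False
        if self.age is not None:
            kind, hours = self.age
            if kind == "Less Than" and ev.age_hours >= hours:
                return False
            if kind == "More Than" and ev.age_hours <= hours:
                return False
        return True


def decide(rules: List[Rule], ev: FileEvent) -> Dict:
    """Sandbox decision for ev; a child inherits its parent's Ignore unless
    that rule set 'Don't apply the selected action to child processes'."""
    if ev.parent is not None:
        parent = decide(rules, ev.parent)
        if parent["action"] == "Ignore" and not parent["skip_children"]:
            return {**parent, "inherited": True}
    for r in rules:
        if r.matches(ev):
            return {"rule": r.name, "action": r.action, "restriction": r.restriction,
                    "memory_mb": r.memory_mb, "time_limit_s": r.time_limit_s,
                    "quarantine": r.quarantine and r.action == "Block",
                    "logged": r.log, "skip_children": r.skip_children, "inherited": False}
    return {"rule": None, "action": DEFAULT_ACTION, "restriction": None, "memory_mb": None,
            "time_limit_s": None, "quarantine": False, "logged": False,
            "skip_children": False, "inherited": False}


def build_rules(skip_children: bool = True) -> List[Rule]:
    """Constructed rule set: the page's Ignore-from-network-share rule, with a
    Block rule above it and a Run Virtually rule for fresh downloads below."""
    return [
        Rule("Block malware", "Block", rating="Malware", quarantine=True),
        Rule("Ignore unrecognized from share", "Ignore", source_folder="\\\\fileserver\\tools\\",
             location="Network Drive", rating="Unrecognized", skip_children=skip_children),
        Rule("Virtualise fresh internet downloads", "Run Virtually", origin="Internet",
             age=("Less Than", 1), restriction="Limited", memory_mb=512, time_limit_s=600),
    ]


if __name__ == "__main__":
    share_exe = FileEvent(r"\\fileserver\tools\setup.exe", "Network Drive", "Intranet",
                          "Unrecognized", 48)
    child = FileEvent(r"C:\Temp\dropped.exe", "Local Drive", "Internet", "Unrecognized",
                      0.2, parent=share_exe)
    for ev in (share_exe, child):
        print(ev.path, "->", decide(build_rules(), ev)["action"])
```

Run stand-alone, the script prints the decision for the two constructed events: the unrecognized executable on the share is ignored, while the file it drops is sandboxed on its own merits because the Ignore rule set 'Don't apply the selected action to child processes'. Call build_rules(False) instead and the dropped file inherits the parent's Ignore, which is exactly the escape that option exists to close. Note also that the Block rule is placed above the Ignore rule, so a file on the same share rated Malware is still blocked and quarantined.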