Filtering Containment Logs
Comodo Client Security allows you to create custom views of all logged events according to user-defined criteria. You can use the following types of filters:
Clicking on the handle at the bottom enables you to filter the logs for a selected time period:
- Today - Displays all logged events for today.
- Current Week - Displays all logged events during the current week. (The current week is calculated from the Sunday to Saturday that holds the current date.)
- Current Month - Displays all logged events during the month that holds the current date.
- Entire Period - Displays every event logged since Comodo Client Security was installed. (If you have cleared the log history since installation, this option shows all logs created since that clearance).
- Custom Filter – Enables you to select a custom period by choosing the 'From' and 'To' dates under 'Please Select Period'.
Alternatively, you can right click inside the log viewer module and choose the time period.
You can further refine the displayed events according to specific filters. The following are available filters for 'Containment' logs:
- Application - Indicates which application or process propagated the event. If the application has no icon, the default system icon for executable files is used.
- Rating - Indicates the rating status of the application
- Action - Indicates the action taken by Containment in response to the event
- Placed in Containment by – Indicates which application or process has been placed in containment
- Alert - Gives the details of the alert displayed for the event
To configure Advanced Filters for Sandbox Events
- Click the funnel button from the title bar. The Advanced Filter interface for 'Containment' logs will open.
- Select the filter from the 'Advanced Filter' drop-down and click 'Add' to apply the filter.
You have 4 categories of filters that you can add. Each of these categories can be further refined by either selecting or deselecting specific filter parameters or by the user typing a filter string in the field provided. You can add and configure any number of filters in the 'Advanced Filter' dialog.
Following are the options available in the 'Add' drop down menu:
i. Application: Selecting the 'Application' option displays a drop-down field and text entry field.
a. Select 'Contains' or 'Does Not Contain' option from the drop-down menu.
b. Enter the text or word that needs to be filtered.
For example, if you select 'Contains' option from the drop-down field and enter the phrase 'bladerunner.exe' in the text field, then all events containing the entry 'bladerunner.exe' in the 'Application' column will be displayed. If you select 'Does Not Contain' option from the drop-down field and enter the phrase 'bladerunner.exe' in the text field, then all events that do not have the entry 'bladerunner.exe' in the 'Application' column will be displayed.
ii. Rating: Selecting the 'Rating' option displays a drop down menu and a set of specific filter parameters that can be selected or deselected.
a. Select 'Equal' or 'Not Equal' option from the drop down menu. 'Not Equal' will invert your selected choice.
b. Now select the checkboxes of the specific filter parameters to refine your search. The parameters available are:
- None
- Unrecognized
- Trusted
- Malicious
For example, if you select the 'Equal' option from the drop-down field and select 'Malicious' from the checkboxes, then only events of applications that are identified as malicious will be displayed. If you select the 'Not Equal' option from the drop-down field and select the 'Malicious' checkbox, then all events that do not have the entry 'Malicious' in the 'Rating' column will be displayed. You can select more than one checkbox in this interface, as required.
iii. Action: The 'Action' option allows you to filter the entries based on privileges that a contained application has to other resources on your computer. Selecting the 'Action' option displays a drop down field and a set of specific filter parameters that can be selected or deselected.
a. Select 'Equal' or 'Not Equal' option from the drop down. 'Not Equal' will invert your selected choice.
b. Now select the checkboxes of the specific filter parameters to refine your search. The parameters available are:
- Run Restricted - Runs in a virtual environment completely isolated from your operating system and files
- Run Restricted - The application is allowed to access very few operating system resources. It is allowed to execute not more than 10 processes at a time and is run with very limited access rights
- Blocked - The application is not allowed to run at all.
- Ignored - The application will not be placed in containment and will be allowed to run normally.
For example, if you checked the 'Run Restricted' box then selected 'Not Equal', you would see only those Events where the Restricted Action was not selected at the containment notification alert.
iv. Placed in Containment by: The 'Placed in Containment by' option allows you to filter the entries based on what placed the application in the container. Selecting the 'Placed in Containment by' option displays a drop down field and a set of specific filter parameters that can be selected or deselected.
a. Select 'Contains' or 'Does Not Contain' option from the drop-down field.
b. Enter the text or word that needs to be filtered.
- User: Displays files that the user placed in containment.
- Virtual Desktop: Displays Virtual desktop files that are placed in containment.
- Contained process: Displays files that are part of a contained process.
- Virtual Desktop Shell: Files placed in containment by the Virtual Desktop Shell.
- Containment Services: Files placed in the container by the containment service.
For example, if you select the 'Contains' option from the drop-down field and select the 'User' checkbox under 'Placed in Containment by', you will see only those events where the Containment Action contains 'User'.
Note: More than one filter can be added in the 'Advanced Filter' pane. After adding one filter type, select the next filter type and click 'Add'. You can also remove a filter type by clicking the 'X' button at the top right of the filter pane.
- Click 'Apply' for the filters to be applied to the Containment log viewer. Only those entries selected based on your set filter criteria will be displayed in the log viewer.
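The filter semantics described above, modeled in Python over constructed records, as an added example (not Comodo's code or export format). The record keys, the case-insensitive substring match and the AND-combination of multiple filters are assumptions.

```python
from datetime import date, timedelta

# Constructed sample events; keys mirror the viewer's columns (assumed shape).
COLUMNS = ("date", "application", "rating", "action", "placed_by")
SAMPLE_LOG = [dict(zip(COLUMNS, row)) for row in [
    (date(2024, 5, 11), r"C:\Temp\bladerunner.exe", "Malicious", "Blocked", "User"),
    (date(2024, 5, 12), r"C:\Temp\bladerunner.exe", "Unrecognized",
     "Run Restricted", "Containment Services"),
    (date(2024, 5, 14), r"C:\Temp\setup.exe", "Malicious", "Blocked",
     "Containment Services"),
    (date(2024, 5, 18), r"C:\Tools\notes.exe", "Trusted", "Ignored", "User"),
    (date(2024, 5, 19), r"C:\Temp\setup.exe", "Malicious", "Blocked",
     "Contained process"),
]]

def current_week(today):
    """Sunday-to-Saturday window that holds `today` ('Current Week' preset)."""
    # date.weekday() is Monday=0 .. Sunday=6, so days since Sunday = (weekday + 1) % 7
    start = today - timedelta(days=(today.weekday() + 1) % 7)
    return start, start + timedelta(days=6)

def text_filter(column, needle, contains=True):
    """'Contains' / 'Does Not Contain' on a text column.
    Case-insensitive matching is an assumption, not stated on the page."""
    def pred(event):
        return (needle.lower() in event[column].lower()) == contains
    return pred

def choice_filter(column, selected, equal=True):
    """'Equal' / 'Not Equal' on a checkbox column; 'Not Equal' inverts the
    selection, so an event passes only if its value is NOT among those ticked."""
    ticked = set(selected)
    def pred(event):
        return (event[column] in ticked) == equal
    return pred

def apply_filters(events, period, filters):
    """Events inside the period that satisfy every filter (AND is an assumption)."""
    start, end = period
    return [e for e in events
            if start <= e["date"] <= end and all(f(e) for f in filters)]

if __name__ == "__main__":
    week = current_week(date(2024, 5, 15))  # a Wednesday
    for e in apply_filters(SAMPLE_LOG, week,
                           [choice_filter("rating", ["Malicious"], equal=False)]):
        print(e["date"], e["application"], e["rating"], e["action"])
```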