Comodo Internet Security

• Introduction To Comodo Internet Security
  • Special Features
  • System Requirements
  • Installation
    • CIS Premium Installation
    • CIS Pro-Installation And Activation
    • CIS Complete-Installation And Activation
      • Installing Comodo Internet Security 2012 Complete
      • Activating Online Backup, TrustConnect And Guarantee
      • Installing Comodo Backup
      • Installing Comodo TrustConnect
    • Activating Pro/ Complete Services After Installation
      • Activating Your License
      • Activating Your Guarantee Coverage
      • Renewal Of Your License
  • Starting Comodo Internet Security
  • Comodo Internet Security - Overview Of Summary Screens
    • Comodo Internet Security – Summary
    • Comodo Antivirus – Summary
    • Comodo Firewall – Summary
  • Comodo Internet Security - Navigation
  • Understanding Alerts
• Antivirus Tasks-Introduction
  • Run A Scan
  • Update Virus Database
  • Quarantined Items
  • View Antivirus Events
  • Submit Files To Comodo For Analysis
  • Scheduled Scans
  • Scan Profiles
  • Scanner Settings
    • Real Time Scanning
    • Manual Scanning
    • Scheduled Scanning
    • Exclusions
• Firewall Tasks-Introduction
  • View Firewall Events
  • Define A New Trusted Application
  • Define A New Blocked Application
  • Network Security Policy
    • General Navigation
    • Application Rules
    • Global Rules
    • Predefined Policies
    • Network Zones
    • Blocked Zones
    • Port Sets
  • View Active Connections
  • Stealth Ports Wizard
  • Firewall Behavior Settings
    • General Settings
    • Alert Settings
    • Advanced Settings
• Defense+ Tasks - Introduction
  • View Defense+ Events
  • Trusted Files
  • Unrecognized Files
    • Unrecognized Files
    • Submitted Files
  • Computer Security Policy
    • Defense+ Rules
    • Predefined Policies
    • Always Sandbox
    • Blocked Files
    • Protected Files And Folders
    • Protected Registry Keys
    • Protected COM Interfaces
    • Trusted Software Vendors
  • The Sandbox - An Introduction
    • Unknown Files - The Sand-boxing And Scanning Processes
  • View Active Process List
  • Run A Program In The Sandbox
  • Defense+ Settings
    • General Settings
    • Execution Control Settings
    • Sandbox Settings
    • Monitoring Settings
• More Options-Introduction
  • Preferences
    • General Settings
    • Parental Control Settings
    • Appearance
    • Log Settings
    • Connection Settings
    • Update Settings
  • Manage My Configurations
    • Comodo Preset Configurations
    • Importing/Exporting And Managing Personal Configurations
  • Diagnostics
  • Check For Updates
  • Manage This Endpoint
  • Browse Support Forums
  • Help
  • About
• Comodo GeekBuddy
  • Overview Of Services
  • Launching The Client And Using The Service
  • Accepting Remote Desktop Requests
  • Registration
  • Activation Of Service
  • Uninstalling Comodo GeekBuddy
• TrustConnect Overview
  • Microsoft Windows - Configuration And Connection
  • Mac OS X - Configuration And Connection
  • Linux / OpenVPN - Configuration And Connection
  • Apple IPhone / IPod Touch - Configuration And Connection
  • TrustConnect FAQ
• Comodo Dragon
• Appendix 1 CIS - How To... Tutorials
  • Setting Up Security Levels Easily
  • Setting Up The Firewall For Maximum Security And Usability
  • Blocking Internet Access While Allowing Local Area Network (LAN) Access
  • Setting Up Defense+ For Maximum Security And Usability
  • How To Password Protect Your CIS Settings
  • How To Reset Forgotten Password (Advanced)
  • Running An Instant Antivirus Scan On Selected Items
  • Creating An Antivirus Scanning Schedule
  • Running An Untrusted Program Inside Sandbox
  • Restoring Incorrectly Quarantined Item(s)
  • Submitting Quarantined Items To Comodo For Analysis
  • Enabling File Sharing Applications Like BitTorrent And Emule
  • Blocking Any Downloads Of A Specific File Type
  • Disabling Defense+ And Sandboxing For Specific Files Selectively
  • Switching Between Complete CIS Suite And Individual Components (just AV Or FW)
  • Switch Off Automatic Antivirus And Software Updates
  • Suppressing CIS Alerts Temporarily While Playing Games
• Appendix 2 Comodo Secure DNS Service
  • Router - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Windows XP - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Windows 7 / Vista - Manually Enabling Or Disabling Comodo Secure DNS Service
• Appendix 3 CIS Versions
• About Comodo Security Solutions

Unknown Files: The Sand-boxing and Scanning Processes

• When an executable is first run it passes through the following CIS security inspections:

• Antivirus scan

• Defense+ Heuristic check

• Buffer Overflow check

• If the processes above determine that the file is malware then the user is alerted and the file is quarantined or deleted

• An application can become recognized as 'safe' by CIS (and therefore not sandboxed or scanned in the cloud) in the following ways:

• Because it is on the local Comodo White List of known safe applications

• Because the user has added the application to the local 'Trusted Files'

• By the user granting the installer elevated privileges (CIS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CIS regards the installer and all files generated by the installer as safe)

• Additionally, a file is not sandboxed or sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS policy (See Computer Security Policy for more details)
  
  

• Cloud Scanning Part 1

Files and processes that pass the security inspections above but are not yet recognized as 'safe' (white-listed) are 'Unrecognized' files. In order to try to establish whether a file is safe or not, CIS will first consult Comodo's File Look-Up Server (FLS) to check the very latest signature databases:

• A digital hash of the unrecognized process or file is created.

• These hashes are uploaded to the FLS to check whether the signature of the file is present on the latest databases. This database contains the latest, global black list of the signatures of all known malware and a white list of the signatures of the 'safe' files.

• First, our servers check these hashes against the latest available black-list

• If the hash is discovered on this blacklist then it is malware

• The result is sent back to the local installation of CCS

• If the hash is not on the latest black-list, it's signature is checked against the latest white-list

• If the hash is discovered on this white-list then it is trusted

• The result is sent back to local installation of CCS

• The local white-list is updated

• The FLS checks detailed above are near instantaneous.

• Sandbox and Cloud Scanning Part 2

If the hash is not on the latest black-list or white-list then it remains as 'unrecognized'. CIS simultaneously takes two distinct but complementary actions -

(1) It will run the unrecognized file in the local Sandbox so that it cannot access important operating system files or damage your computer, and 

(2) It will leverage Comodo's Cloud Scanning technology to determine whether the file behaves in a malicious fashion. 

• Unrecognized files and applications will be locally sandboxed. CIS will alert the user that it is going to run the application in the sandbox.

• Automatically sandboxed applications are run with 'Partially Limited' restrictions. More detail: Sandboxed applications are allowed to run under a specific set of conditions or privileges. In CIS, these are known as 'Restriction Levels'. There are four levels – Partially Limited, Limited, Restricted and Untrusted ('Partially Limited' is the default level for applications that are automatically placed in the sandbox). In part, sandbox restriction levels are implemented by enforcing or relaxing the native access rights that Windows can grant to an application. For example, the 'Limited' setting applies some of the supported operating system restrictions and grants it access rights similar to if the application was run under a non-admin user account. These restriction levels are fortified with certain Defense + restrictions that apply to all sandboxed applications (for example, they cannot key log or screen grab, set windows hooks, access protected COM interfaces or access non-sandboxed applications in memory. If the user enables virtualization, then sandboxed apps. can't modify registry keys or modify existing protected files either).

• Automatically sandboxed applications cannot be viewed or modified in the interface. Applications that were automatically sandboxed can only be removed if they become recognized as 'safe' by CIS (see conditions above).

• Unrecognized files are simultaneously uploaded to Comodo's Instant Malware Analysis servers for further checks: 

• Firstly, the files undergo another anti-virus scan on our servers.

• If the scan discovers the file to be malicious (for example, heuristics discover it is a brand new variant) then it is designated as malware. This result is sent back to the local installation of CIS and the local and global black-list is updated

• If the scan does not detect that the file is malicious then it passes onto the next stage of inspection – behavior monitoring.

• The behavior analysis system is a cloud based service that is used to help determine whether a file exhibits malicious behavior. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all actions that it takes will be monitored. For example, processes spawned, files and registry key modifications, host state changes and network activity will be recorded.

• If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list.

• If no malicious behavior is recorded then the file is placed into 'Unrecognized Files' and will be submitted to our technicians for further checks. Note: Behavior Analysis can identify malicious files and add to the global black list, but it cannot declare that a file is 'safe'. The status of 'safe' can only be given to a file after more in-depth checks by our technicians.

• In either case, the result is reported back to your CIS installation in approximately 15 minutes. If the executable was not found to be malicious then it will be run in the sandbox. It will simultaneously be added to the 'Unrecognized Files' list and uploaded to our technicians for analysis. If is discovered to be a threat then CIS will show an AV alert to the user. From this alert the user can opt to quarantine, clean (delete) or disinfect the malicious file. This new threat will be automatically added to the global  black list database and therefore benefit all CIS users.
  
  

Sandbox - Other notes

• Applications can be placed in the sandbox automatically by CIS or by the Always Sandbox feature. Users also have the option to run an application in the sandbox on a 'one-off' basis.

• If a safe or installer application is executed by an application running inside the sandbox, the installer also runs in the sandbox no matter what 

• If a user defines an application for sandboxing, this causes any applications (safe or installer) to also be executed inside the sandbox.

• In addition to the Sandbox restriction level set for an application, Defense + also implements the following restrictions. A sandboxed application cannot:

• Access non-sandboxed applications in memory

• Access protected COM interfaces

• Key log or screen capture

• Set windows hooks

• Modify protected registry keys (if virtualization is enabled)

• Modify EXISTING protected file (if virtualization is enabled).

Refer to the following sections for more details on sandbox:

• Always Sandbox

• Run a Program in the Sandbox

• Sandbox Settings
  
  

Comodo Internet Security User Guide | © 2012 Comodo Security Solutions Inc. | All rights reserved