Endpoint Manager

• Introduction To Comodo Client Security
  • Special Features
  • System Requirements
  • Install Comodo Client Security
  • Starting Comodo Client Security
  • The Main Interface
    • The Home Screen
    • The Tasks Interface
    • The Widget
    • The System Tray Icon
  • Understanding Security Alerts
• General Tasks – Introduction
  • Scan And Clean Your Computer
    • Run A Quick Scan
    • Run A Full Computer Scan
    • Run A Rating Scan
    • Run A Custom Scan
      • Scan A Folder
      • Scan A File
      • Create, Schedule And Run A Custom Scan
  • Instantly Scan Files And Folders
  • Processing Infected Files
  • Manage Virus Database And Program Updates
  • Manage Quarantined Items
  • View CCS Logs
    • Antivirus Logs
      • Filtering Antivirus Logs
    • Viruscope Logs
      • Filtering Viruscope Logs
    • HIPS Logs
      • Filtering HIPS Logs
    • Containment Logs
      • Filtering Containment Logs
    • Firewall Logs
      • Filtering Firewall Logs
    • Website Filtering Logs
      • Filtering Website Filtering Logs
    • Alerts Logs
      • Filtering Alerts Displayed Logs
    • Tasks
      • Filtering Tasks Launched Logs
    • File List Changes Logs
      • Filtering File List Changes Logs
    • Trusted Vendors List Changes Logs
      • Filtering Trusted Vendors List Changes Logs
    • Configuration Changes
      • Filtering Configuration Changes Logs
    • Device Control Logs
      • Filtering Device Control Logs
  • View Active Process List
  • View Active Internet Connections
• Firewall Tasks – Introduction
  • Allow Or Block Internet Access To Applications Selectively
  • Stealth Your Computer Ports
  • Manage Network Connections
  • Stop All Network Activities
  • Advanced Firewall Settings
• Containment Tasks - Introduction
  • Run An Application In The Container
  • Reset The Container
• Advanced Tasks - Introduction
  • Create A Rescue Disk
    • Downloading And Burning Comodo Rescue Disk
  • Submit Files
  • Identify And Kill Unsafe Running Processes
  • Remove Deeply Hidden Malware
  • Manage CCS Tasks
• Advanced Settings
  • General Settings
    • Customize User Interface
    • Configure Program And Virus Database Updates
    • Log Settings
    • Manage CCS Configurations
      • Comodo Preset Configurations
      • Importing/Exporting And Managing Personal Configurations
  • Security Settings
    • Antivirus Settings
      • Real-time Scanner Settings
      • Scan Profiles
      • Exclusions
    • Advanced Protection Settings
      • HIPS Behavior Settings
      • Active HIPS Rules
      • HIPS Rule Sets
      • Protected Objects
        • Protected Files
        • Blocked Files
        • Protected Registry Keys
        • Protected COM Interfaces
        • Protected Data Folders
      • HIPS Groups
        • Registry Groups
        • COM Groups
      • Comodo Containment
        • The Container - An Overview
        • Unknown Files - The Scanning Processes
      • Configuring Containment Settings
      • Configuring Rules For Auto-Containment
      • Viruscope
      • Device Control Settings
    • Firewall Settings
      • Firewall Behavior Settings
      • Application Rules
      • Global Rules
      • Firewall Rule Sets
      • Network Zones
        • Network Zones
        • Blocked Zones
      • Port Sets
      • Website Filtering
        • Creating And Modifying Website Filtering Rules
        • Defining And Modifying Website Categories
    • Manage File Rating
      • File Rating Settings
      • File Groups
      • File List
      • Trusted Files
      • Unrecognized Files
      • Submitted Files
      • Trusted Vendors List
• Appendix 1 CCS How To... Tutorials
  • Enable / Disable AV, Firewall, Auto-Containment And Viruscope Easily
  • Set Up The Firewall For Maximum Security And Usability
  • Block Internet Access While Allowing Local Area Network (LAN) Access
  • Setting Up HIPS For Maximum Security And Usability
  • Create Rules For Auto-Containing Applications
  • Running An Instant Antivirus Scan On Selected Items
  • Creating An Antivirus Scanning Schedule
  • Run Untrusted Programs Inside The Container
  • Run Browsers Inside The Container
  • Restore Incorrectly Quarantined Item(s)
  • Submit Quarantined Items To Comodo For Analysis
  • Enable File Sharing Applications Like BitTorrent And Emule
  • Block Any Downloads Of A Specific File Type
  • Disable Auto-Containment On A Per-application Basis
  • Switch Off Automatic Antivirus And Software Updates
  • Suppressing CCS Alerts Temporarily While Playing Games
  • Control External Device Accessibility
• Appendix 2 - Comodo Secure DNS Service
  • Router - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Windows XP - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Windows 7 / Vista - Manually Enabling Or Disabling Comodo Secure DNS Service
• About Comodo Security Solutions

Create Rules for  Auto-Containing Applications

You can define rules for programs that should be run in the contained environment. A contained application has much less opportunity to damage your computer because it is run isolated from your operating system and your files.

CCS ships with a set of pre-defined auto-containment rules that are configured to provide maximum protection for your system. Before creating a rule, first check if your requirement is met by the default rules. Refer to the section Configuring Rules For Auto-Containment for more details.

To create auto-containment rules

1. Open the 'Tasks' interface by clicking the green curved arrow at top right of the 'Home' screen.

2. Open 'Containment Tasks' then click 'Open Advanced Settings'.

3. Click 'Security Settings' > 'Advanced Protection' > 'Containment' > 'Auto-Containment' on the left hand menu.

4. Click the handle at the bottom of the interface to open the option panel:

5. Click the 'Add' button

The 'Manage Contained Program' screen will appear:

• Step 1 – Select the Action

• Step 2 – Select the Target

• Step 3 – Select the Sources

• Step 4 – Select the File Reputation

• Step 5 – Select the Options

Step 1 – Select the Action

The options in the 'Action' drop-down button combined with the 'Set Restriction Level' setting in the 'Options' tab determine the privileges a contained application has to access other software and hardware resources on your computer.

The options available are:

• Run Virtually - The application will be run in a container, completely isolated from your operating system and files on the rest of your computer.

• Run Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

• Block - The application is not allowed to run at all.

• Ignore - The application will not be contained and is allowed to run with all privileges.

Step 2 – Select the Target

The next step is to select the target to which the auto-containment rule should be applied. Click the 'Browse' button beside the 'Target' field.

You have six options available to add the target path:

• Files – Specify individual files as targets of the rule.

• Running Processes – Add any process that is currently running on your computer as a target of the rule.
  

• File Groups – Add predefined file groups as the rule target. For information about creating or modifying a predefined file group, refer to File Groups for more details.

• Folder – Allows you to add a folder or drive as the target

• File Hash – Allows you to add a file as target based on its hash value

• Process Hash - Allows you to add any process that is currently running on your computer as a target based on its hash value

Click here to know more about adding each of the options.

Step 3 – Select the Sources

If you want to include a number of items in a rule but want the rule to be applied only in certain conditions, then you can do so in this step. For example, if you want your target to be executables downloaded from the internet, then you would add 'All Applications' then apply a filter in 'Sources' tab. Another example is you want to exclude from containment any unrecognized files from your internal network share. You could create an ignore rule with 'All Applications' set as the target and specify your source as your intranet.

Please note that the 'Enable file source tracking' check box should be enabled in the 'Auto-Containment' screen for the source parameter to be taken account in the rule. If this is not enabled then the source parameter will be ignored and the rule will be applied based on the other parameters.

The following example describes how to add an 'Ignore' rule for Unrecognized files from a network source:

• In Step 1, select the action as Ignore

• In Step 2, select the Target as File Groups > All Applications

• In Step 3, click the 'Add' button and select 'Folder'. Navigate to the source folder on the network and click 'OK'.
  

The selected network source folder will be added under the 'Created by' column and the screen displays the options to specify the location and from where the files were downloaded.

• Location – Apply the rule to files found in one of the following locations:

• Any

• Local Drive

• Removable Drive

• Network Drive

Since the source is located in a network, select Network Drive from the options.

• Origin – The options available are:

• Any – The rule will apply to files that were downloaded to the source folder from both Internet and Intranet.

• Internet – The rule will apply to files that were downloaded to the source folder from Internet only.

• Intranet – The rule will apply to files that were downloaded to the source folder from Intranet only.

Since the example rule is created for files that are categorized as Unrecognized, the same has to be selected from the rating options in Step 4.

Step 4 – Select the File Reputation

• Click the Reputation tab in the 'Manage Contained Program' interface.

By default, the file rating is not selected meaning the rating could be Any. The options available are:

• Trusted – Applications that are signed by trusted vendors and files installed by trusted installers are categorized as Trusted files by CCS. Refer to the sections File Rating Settings and File List for more information.

• Unrecognized – Files that are scanned against the Comodo safe files database not found in them are categorized as Unrecognized files. Refer to the section File List for more information.

• Malware – Files are scanned according to a set procedure and categorized as malware if not satisfying the conditions. Refer the section Unknown Files – The Scanning Process for more information.

By default, file age is not selected, so the age could be Any. The options available are:

• Less Than – CCS will check for reputation if a file is younger than the age you set here. Select the interval in hours or days from the first drop-down combo box and set hours or days in the second drop-down box. (Default and recommended = 1 hours)

• More Than - CCS will check for reputation if a file is older than the age you set here. Select the interval in hours or days from the first drop-down combo box and set hours or days in the second drop-down box. (Default and recommended = 1 hours)

Select the category from the options. Since the example rule is created for files that are categorized as Unrecognized, the same has to be selected from the rating options.

Step 5 – Select the Options

• Click the 'Options' tab in the 'Manage Contained Program' interface.

By default, the 'Log when this action is performed' The options available for Ignore action are:

• Log when this action is performed – Whenever this rule is applied for the action, it will be logged.

• Don't apply the selected action to child processes – Child processes are the processes initiated by the applications. For example, the process may launch another app or plugin. CCS treats all child processes as individual processes and forces them to run as per their file rating and the containment rules.

• This option is disabled by default, so the ignore rule will usually be applied to all child process of the target application(s).

• If this option is enabled, then the Ignore rule will be applied only to the target application. All child processes will be checked individually and containment rules applied as per the child's file rating.

• The 'Don't apply to child processes' option is available only for the 'Ignore' action. For 'Run Restricted' and 'Run Virtually', the following options are available:

• Log when this action is performed – Whenever this rule is applied for the action, it will be logged.

• Set Restriction Level – When Run Restricted is selected in Action, then this option is automatically selected and cannot be unchecked while for Run Virtually action the option can be checked or unchecked. The options for Restriction levels are:

• Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)

• Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.

• Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

• Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

• Limit maximum memory consumption to – Enter the memory consumption value in MB that the process should be allowed.

• Limit program execution time to – Enter the maximum time in seconds the program should run. After the specified time, the program will be terminated.

For Block action, the following options are available:

• Log when this action is performed – Whenever this rule is applied for the action, it will be logged.

• Quarantine program – If checked, the programs will be automatically quarantined. Refer to the section Manage Quarantined Items for more information.

Choose the options and click 'OK'. The rule will be added and displayed in the list.

 That's it. You have created an Ignore auto-containment rule for unrecognized files with a Network drive as source.