Comodo Help
Find the desired product help
Endpoint Manager

Endpoint Manager

Comodo Client Security 12.10

English

Print Help Download Help
Appendix 1 - CCS How To... Tutorials > Create Rules To Auto-Contain Applications
  • Introduction To Comodo Client Security
    • Special Features
    • System Requirements
    • Install Comodo Client Security
    • Start Comodo Client Security
    • The Main Interface
      • The Home Screen
      • The Tasks Interface
      • The Widget
      • The System Tray Icon
    • Understand Security Alerts
    • Password Protection
  • General Tasks - Introduction
    • Scan And Clean Your Computer
      • Run A Quick Scan
      • Run A Full Computer Scan
      • Run A Rating Scan
      • Run A Custom Scan
        • Scan A Folder
        • Scan A File
        • Create, Schedule And Run A Custom Scan
      • Automatically Scan Unrecognized And Quarantined Files
    • Instantly Scan Files And Folders
    • Process Infected Files
    • Manage Virus Database Updates
    • Manage Blocked Autoruns
    • Manage Quarantined Items
  • Firewall Tasks - Introduction
    • Configure Internet Access Rights For Applications
    • Stealth Your Computer Ports
    • Manage Network Connections
    • Stop All Network Activities
    • View Active Internet Connections
  • Containment Tasks - Introduction
    • Run An Application In The Container
    • Reset The Container
    • Identify And Kill Unsafe Running Processes
    • Open Shared Space
    • The Virtual Desktop
      • Start The Virtual Desktop
      • The Main Interface
      • Run Browsers Inside The Virtual Desktop
      • Open Files And Run Applications Inside The Virtual Desktop
      • Pause And Resume The Virtual Desktop
      • Close The Virtual Desktop
    • Containment Statistics Analyzer
  • DLP Tasks - Introduction
    • Run Data Loss Prevention Scans
    • Manage DLP Quarantined Files
  • Advanced Tasks - Introduction
    • Create A Rescue Disk
      • Download And Burn Comodo Rescue Disk
    • Remove Deeply Hidden Malware
    • Manage CCS Tasks
    • View CCS Logs
      • Antivirus Logs
      • VirusScope Logs
      • Firewall Logs
      • HIPS Logs
      • Containment Logs
      • Website Filtering Logs
      • Device Control Logs
      • Autorun Event Logs
      • Alert Logs
      • CCS Tasks Logs
      • File List Changes Logs
      • Vendor List Changes Logs
      • Configuration Changes Logs
      • Virtual Desktop Event Logs
      • Data Loss Prevention Event Logs
      • Search And Filter Logs
    • Submit Files For Analysis To Comodo
    • View Active Process List
  • CCS Advanced Settings
    • General Settings
      • Customize User Interface
      • Configure Virus Database Updates
      • Log Settings
      • Manage CCS Configurations
        • Comodo Preset Configurations
        • Personal Configurations
      • Manage Performance
    • Antivirus Configurations
      • Real-time Scanner Settings
      • Scan Profiles
    • Firewall Configuration
      • General Firewall Settings
      • Application Rules
      • Global Rules
      • Firewall Rule Sets
      • Network Zones
        • Network Zones
        • Blocked Zones
      • Port Sets
    • HIPS Configuration
      • HIPS Settings
      • Active HIPS Rules
      • HIPS Rule Sets
      • HIPS Groups
        • Registry Groups
        • COM Groups
    • Protected Objects
      • Protected Objects - HIPS
        • Protected Files
        • Blocked Files
        • Protected Registry Keys
        • Protected COM Interfaces
      • Protected Objects - Containment
        • Protected Files And Folders
        • Protected Keys
    • Data Loss Prevention
      • DLP Monitoring Rules
      • DLP Discovery Rules
      • DLP Keyword Groups
    • Containment Settings
      • Containment Settings
      • Auto-Containment Rules
      • Virtual Desktop Settings
      • Containment - An Overview
      • Unknown Files - The Scanning Processes
    • File Rating Configuration
      • File Rating Settings
      • File Groups
      • Submitted Files
    • Advanced Protection
      • VirusScope Settings
      • Scan Exclusions
      • Device Control Settings
      • Script Analysis Settings
      • Miscellaneous Settings
    • Web Filter Settings
      • Website Filtering Rules
      • Website Categories
  • Appendix 1 - CCS How To... Tutorials
    • Enable / Disable AV, Firewall, Auto-Containment And VirusScope Easily
    • Set Up The Firewall For Maximum Security And Usability
    • Block Internet Access While Allowing Local Area Network (LAN) Access
    • Set Up HIPS For Maximum Security And Usability
    • Create Rules To Auto-Contain Applications
    • Run An Instant Antivirus Scan On Selected Items
    • Create An Antivirus Scan Schedule
    • Run Untrusted Programs Inside The Container
    • Run Browsers Inside The Container
    • Restore Incorrectly Quarantined Items
    • Submit Quarantined Items To Comodo Valkyrie For Analysis
    • Enable File Sharing Applications Like BitTorrent And Emule
    • Block Any Downloads Of A Specific File Type
    • Disable Auto-Containment On A Per-application Basis
    • Switch Off Automatic Antivirus Updates
    • Suppress CCS Alerts Temporarily
    • Control External Device Accessibility
  • Appendix 2 - Comodo Secure DNS Service
    • Router - Manually Enable Or Disable Comodo Secure DNS
    • Windows - Enable Comodo Secure DNS
  • About Comodo Security Solutions

Create Rules to Auto-Contain Applications

 

  • Click 'Settings' > 'Containment' > 'Auto-Containment'
  • Auto-containment rules let you define which types of files should automatically run in the container.
  • You can contain files based on various criteria, including location and file source.
  • A contained application has much less opportunity to damage your computer because it runs isolated from your operating system and your files.
  • CCS ships with some pre-defined rules configured to provide maximum protection for your system. Click here to check whether these rules meet your needs before creating a custom rule.
  • The rest of this tutorial explains how to create a custom auto-containment rule.

Create auto-containment rules

1. Click 'Settings' on the CCS home screen


2. Click 'Containment' > 'Auto-Containment' 


3. Make sure 'Enable Auto-Containment' is selected 


4. Click 'Add'




The add rule screen contains two tabs:

  • Criteria - Define the conditions of the rule.
  • Options - Configure additional actions like logging, memory usage and time restrictions.

There are three steps:

  • Step 1 – Choose the action
  • Step 2 – Select the rule targets
  • Step 3 – Choose additional options

Step 1 - Choose the action

 

The setting in the action drop-down combined with the restriction level in the options tab determine the privileges of an auto-contained application. These items specify what right the application has to access other processes and hardware resources.




Choose one of the following actions:

  • Run Virtually - The application will run in a virtual environment, completely isolated from your operating system and the rest of your files.
  • Run Restricted - The application is allowed limited access to operating system resources. The application is not allowed to execute more than 10 processes at a time. Some applications, like games, may not work properly under this setting.
  • Block - The application is not allowed to run at all.
  • Ignore - The application is not contained. It is allowed to run as normal on your computer.

Step 2 - Select the target targets

  • Next, select the types of files which will be covered by your rule.
  • You can add rule filters so the rule only applies to specific types of file.
  • For example, you can specify 'All executables' as the target and add a filter so it only affects executables downloaded from the internet.
  • Another example is if you want to allow unrecognized files created by a specific user to run outside the container. You would create an 'Ignore' rule with 'All Applications' as the target and 'File created by specific user' as the filter criteria.

Select targets and filters

  • Click the 'Criteria' tab.
  • Click the 'Edit' button at the far right:




Next:

  • Select the target
  • Configure the filters

Select the target

  • Click the browse button next to the location field:




Select one of the following target types:

  • Files - Add individual files as target.
  • Running Processes - Add any process that is currently running on your computer. This targets the parent application of the process.
  • File Groups - Add a predefined file group as the target. For example, the 'Executables' group contains a list of file types that can run code on your computer. Click 'Settings' > 'File Rating' > 'File Groups' to add or modify a file group.
  • Folder - Add a directory or drive as the target. All files in the target folder are covered by the rule.
  • File Hash -  Add a file's hash value as the target of the rule. A hash value is a number derived from the file itself, which uniquely identifies and represents the file. It is extremely unlikely that two files can ever generate the same hash value. The rule will apply to the target file, even if the file name changes.
  • Process Hash - Add a processes hash value as the target of the rule. Please see description above if required.

Add an individual File

  • Choose 'Files' from the 'Browse' drop-down.




  • Navigate to the file and click 'Open'
  • The file will be added as the target and run as per the action chosen in Step 1.




  • Click 'OK' if you don't want to specify any filters or options.
  • If required, you can configure filter criteria and file rating and options for the rule.


Add a currently running process

  • Choose 'Running Processes' from the drop-down:



  • Select the process belonging to the parent application you want to add and click 'OK'
  • The parent application of the process will be added as the target



 

  • Click 'OK' if you don't want to specify any filters or options
  • If required, you can configure filter criteria and file rating and options for the rule


Add a File Group

  • Choose 'File Groups' from the drop-down.
  • For example, the 'Executables' group contains a list of file types that can run code on your computer. Click 'Settings' > 'File Rating' > 'File Groups' to add or modify a file group.
  • Select the file group you want to target with the rule:




  • Click 'OK' if you don't want to specify any filters or options
  • If required, you can configure filter criteria and file rating and options for the rule


Add a folder/drive partition

  • Choose 'Folder' from the 'Browse' drop-down.



 

  • Navigate to the drive partition or folder you want to add as target and click 'OK'
  • Click 'OK', if you don't want to specify any filters or options
  • If required you can configure filter criteria and file rating and options for the rule


Add a file using its hash value

  • Choose 'File Hash' from the drop-down.




  • Navigate to the file whose hash value you want to add as target and click 'Open'.
  • Click 'OK', if you don't want to specify any filters or options.
  • If required you can configure filter criteria and file rating and options for the rule.
  • CCS generates the hash value of the parent file and stores that as the target.
  • CCS uses this hash value to identify the file and apply the rule, so that the rule intercepts the target even if the file name changes.


Add an application from a running process based on its hash value

  • Choose 'Process Hash' from the drop-down.




  • Select the process, to add the hash value of its parent application to target and click 'OK' from the 'Browse for Process' dialog.
  • Click 'OK', if you don't want to specify any filters or options.
  • If required you can configure filter criteria and file rating and options for the rule.
  • CCS generates the hash value of the parent file and stores that as the target.
  • CCS uses this hash value to identify the file and apply the rule, so that the rule intercepts the target even if the file name changes.


Configure the Filter Criteria and File Rating

 

You can apply an action to a file if it meets certain criteria.


The available filter criteria are:

  • By application that created the file
  • By process that created the file
  • By user that created the file
  • By file origin
  • The file rating
  • By vendor who signed the file
  • The file age

Auto-contain a file if it was created by a specific application

  • This will apply the rule to a file based on its parent application.
  • You can also specify the file rating of the parent application. The rule will then only contain a file if the parent app has a certain trust rating.

Specify parent applications:

  • Click the add button in the 'File created by applications' stripe:




  • The options available are same as those available under the 'Browse' button beside 'File location', as explained above. See the previous section for each of options for more details.
  • Click the 'Any' link beside 'File Rating' and select the file rating of the source



  • Repeat the process to add more applications or groups/folders.

 Auto-contain a file if it was created by a specific process

  • This will apply the rule to a file based on its based on its parent process.
You can also specify:
  • The trust rating of the parent process. The rule will then only contain a file if the parent process has a certain trust rating.
  • The number of levels in the process chain that should be inspected.

Specify source process:

  • Click the 'Add' button in the 'File started processes' stripe:



 

  • The options available are same as those available under the 'Browse' button beside 'File location', as explained above. See the previous section for each of options for more details.
  • Click the 'Any' link beside 'File Rating' and select the file rating of the source


     
  • 'Limit number of parent processes in the process chain to' - Specify how far up the process tree CCS should check. 1 = will only check the trust rating of the file's parent process. 2 = will check the trust rating of the parent process and the grand-parent process etc. 



  • Repeat the process to add more processes

Auto-contain a file created by specific users

  • Click the 'Add' button in the 'File created by users' stripe.




  • Enter the names of the users you want to add in the large text box.
  • Name format = [domain name][user/group name], or [user/group  name]@[domain name].
  • Alternatively, click 'Advanced' then 'Find Now' to locate specific users. Click 'OK' to confirm your choice.



The user will be added to the list.




  • Repeat the process to add more users
 

Auto-contain a file if it was downloaded/copied from a specific source

  • Click the 'Add' button in the 'File origin' stripe




  • Choose the source from the options:

  • Internet - Apply the rule to files that were downloaded from the internet
  • Removable Media - Apply the rule to items copied to your computer from removable storage devices
  • Intranet - Apply the rule to files downloaded from the local intranet
  • Repeat the process to add more sources

Select file rating as filter criteria

  • Click the 'Select' button in the 'File Rating' stripe



 

  • Trusted - A file will have a trusted rating if:
  • The file is on the Comodo whitelist of safe files
  • The file is signed by a vendor who has a trusted rating in 'Settings' > 'File Rating' > 'Vendor List'
  • The file was installed by trusted installer
  • The user has given the file a trusted rating in 'Settings' > 'File Rating' > 'File List'
  • See File Rating Settings for more information
  • Malware - The file has a trust rating of 'Malicious'
  • Unrecognized - Any file that does not have a 'Trusted' or 'Malicious' rating is classed as 'Unrecognized'. Although these files may not turn out to be malicious, Comodo auto-contains these files until we have established their true trust rating

Auto-contain a file based on software vendor

  • You can apply an action to a file based on the vendor who digitally signed the file. The vendor is the software company that created the file.
  • You can also specify the trust rating of the vendor. The rule will only contain a file if its vendor has the stated trust rating.

Choose vendors:

  • Click the 'Add' button in the 'File signed by vendors' stripe.




  • There are three ways you can add a vendor:

1. Directly select a vendor

  • Choose 'Vendor from a Vendor List' from the drop-down
  • The 'Add Vendor' dialog opens with a list of vendors in the Vendor List



  • Use the sort and filter options in the column headers to search for the vendor to be specified
  • Choose the vendor and click 'OK'. The vendor will be added as a criterion

2. Specify an executable file on your local drive

  • Choose 'File Signer' from the drop-down.
  • Navigate to the executable file whose publisher you want to add as the criteria and click 'Open'.
  • CCS identifies the vendor of the file and adds the to the rule.
  • The rule will apply to files digitally signed by the vendor.

3. Select a currently running process

  • Choose 'Running Process Signer' from the drop-down
  • A list of all processes running at present on your computer is shown
  • Select the process to specify the publisher of the application that started the process and click 'OK'
  • CCS identifies the vendor of the process and adds the to the rule
  • The rule will apply to files digitally signed by the vendor

The selected vendor is added:


 

  • Vendor Rating - The rule will only apply to the vendor’s files IF the vendor has this rating at the time the file is checked. Note, the rating you set here can be different to the actual vendor rating in ‘Settings’ > ‘File Rating’ > ‘File List’ > ‘Vendor Rating’.
  • Example. If you select ‘Trusted’ here, then CCS will apply the rule if the vendor is trusted at the time the file is checked. If the vendor’s rating changes to ‘Malicious’ or ‘Unrecognized’, then the rule isn’t applied.

  • Repeat the process to add more vendors

Set the file age as filter criteria

  • Click the 'Select' button in the 'File age' stripe.




The 'File Age' dialog will appear. You can set the file age in two ways:

  • File creation date - To set a threshold date to include the files created before or after that date, choose this option, choose 'Before'/'After' from the first drop-down and set the threshold date and time in the respective combo-boxes.
  • File age - To select the files whose age is less than or more than a certain period, choose this option and specify the period.
  • Less Than - CCS will check for reputation if a file is younger than the age you set here. Select the interval in hours or days from the first drop-down combo box and set hours or days in the second drop-down box. (Default and recommended = 1 hours)
  • More Than - CCS will check for reputation if a file is older than the age you set here. Select the interval in hours or days from the first drop-down combo box and set hours or days in the second drop-down box. (Default and recommended = 1 hours)
  • Click 'OK' in the File Criteria dialog after selecting the filters to save your settings to the rule. The list of criteria will be displayed under the Criteria tab in the 'Manage Contained Program' dialog.




Step 3 – Select the Options

 

The next step is to choose optional actions and restrictions to be imposed on items contained by the rule.

  • Click the 'Options' tab.



The options will be displayed, depending on the 'Action' chosen in Step 1.


The options available for 'Ignore' action are:

  • Log when this action is performed - Whenever this rule is applied for the action, it will be added to CCS Containment logs.
  • Don't apply the selected action to child processes - Child processes are the processes launched by the application. CCS treats all child processes as individual processes and forces them to run as per the file rating and the containment rules.
  • By default, this option is not enabled and the 'Ignore' rule will also apply to child process of the target application(s).
  • If this option is enabled then the 'Ignore' rule will be applied only to the target application. Any child processes will be checked and Containment rules individually applied as per their file rating.

The 'Don't apply the selected action to child processes' option is available for the 'Ignore' action only.


The options available for 'Run Restricted' and 'Run Virtually' actions are:

  • Log when this action is performed - Whenever this rule is applied for the action, it will be added to CCS containment logs.
  • Set Restriction Level - When Run Restricted is selected in Action, then this option is automatically selected and cannot be unchecked while for Run Virtually action the option can be checked or unchecked. The options for Restriction levels are:
  • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed (Default)
  • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges
  • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting
  • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting
  • Limit maximum memory consumption to - Enter the memory consumption value in MB that the process should be allowed
  • Limit program execution time to - Enter the maximum time in seconds the program should run. After the specified time, the program will be terminated
For 'Block' action, the following options are available: 
  • Log when this action is performed - Whenever this rule is applied for the action, it will be added to CCS containment logs.
  • Quarantine program - If checked, the programs will be automatically quarantined. See Manage Quarantined Items for more information 

Choose the options and click 'OK'. The rule will be added and displayed in the list.




Important Note: Please make sure the auto-containment rules do not conflict. If it does conflict, the settings in the rule that is higher in the list will prevail. You can restore the rules to default rules at any time by clicking the 'Reset to Default' button at the top.


Our Products
  • Free Antivirus
  • Free Internet Security
  • Website Malware Removal
  • Free Anti-Malware
  • Anti-Spam (Free Trial)
  • Windows Antivirus
  • Antivirus for Windows 7
  • Antivirus for Windows 8
  • Antivirus for Windows 10
  • Antivirus for MAC
  • Antivirus for Linux
  • Free Endpoint Security
  • Free ModSecurity
  • Free RMM
  • Free Website Malware Scanner
  • Free Device Manager for Android
  • Free Demo
  • Network Security
  • Endpoint Protection
  • Antivirus for Android
  • Comodo Antivirus
  • Wordpress Security
Cheap CDN
  • Bootstrap CDN
  • Semantic UI CDN
  • Jquery CDN
  • CDN Plans
  • CDN
  • Free CDN
Enterprise
  • Patch Management Software
  • Patch Manager
  • Service Desk
  • Website Down
  • Endpoint Protection Solutions
  • Website Security Check
  • Remote Monitoring and Management
  • Website Security
  • Device Manager
  • ITSM
  • CRM
  • MSP
  • Android Device Manager
  • MDR Services
  • EDR Services
  • Ransomware Prevention
  • Managed IT Support Services
  • EDR
Free SSL Certificate
Support Partners Terms and Conditions Privacy Policy

© Comodo Group, Inc. 2023. All rights reserved.