Behavior Blocker
The Behavior Blocker is an integral part of the Defense+ engine and is responsible for authenticating every executable image that is loaded into the memory. The Behavior Blocker intercepts all files before they are loaded into memory and intercepts prefetching/caching attempts for those files. It calculates the hash of the executable at the point it attempts to load into the memory. It then compares this hash with the list of known / recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe and the Behavior Blocker allows it to run. If no matching hash is found on the safelist, then the executable is 'unrecognized' and is run inside the auto-sandbox. You will be notified via an alert when this happens.
The 'Behavior Blocker' configuration panel can be accessed by clicking ‘Tasks > Advanced Tasks > Open Advanced Settings > Security Settings > Defense + > Behavior Blocker’. This panel allows you to quickly determine how proactive the Behavior Blocker should be and which types of files it should check.
- Auto-sandbox unknown applications as - Allows you to enable or disable the Behavior Blocker. If enabled, the Behavior Blocker runs unrecognized applications inside the sandbox with the access restriction as selected in the drop down menu. (Default = 'Enabled' with 'Partially Limited')
|
Note: The Behavior Blocker configuration setting can also be set in the 'Advanced View' of the 'Home' screen beside the Auto-Sandbox status link in the 'Defense+ and Sandbox' pane. |
|
Note: The 'auto-sandbox' referred to here is distinct from the Virtual Kiosk discussed in Sandbox Tasks. For the most part, the 'auto-sandbox' is a non-virtual environment under which unrecognized applications are allowed to run under a set of strict access restrictions (default='Partially Limited'). These restrictions prevent the application from taking actions that are damaging to your system. Users can, however, enable 'Full Virtualization' of auto-sandboxed files in the Behavior Blocker settings. |
Configuring Access Restriction
The Behavior Blocker will auto-sandbox an unknown executable and restrict its execution privileges according to an access restriction level set by you. Access restriction levels determine what level of rights a sandboxed application has to access other software and hardware resources on your computer:
-
Partially Limited - The application is allowed to access all operating system files and resources like clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
-
Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
-
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.Some applications, like computer games, may not work properly under this setting.
-
Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
-
Blocked - The application is not allowed to run at all.
-
Fully Virtualized - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.
-
Detect programs which require elevated privileges: Allows you to instruct the Behavior Blocker to display alerts when an installer or updater requires administrator or elevated privileges to run. An installer that is allowed to run with elevated privileges is permitted to make changes to important areas of your computer such as the registry. Refer to the section Understanding Security Alerts for more details.
You can decide on whether or not to allow the installer or the unknown application based on your assessment, from the alert itself. (Default=Enabled)
- Show privilege elevation alerts for unknown programs: Allows you to instruct the Behavior Blocker to display alerts when a new or unrecognized program, application or executable requires administrator or elevated privileges to run. You can decide on whether or not to allow the the unknown application based on your assessment, from the alert itself. (Default=Enabled)
- Define exceptions for behavior blocking – Allows you to add certain file paths for being excluded from monitoring by the Behavior Blocker. The executables included in the exceptions area are allowed to run without checking of authenticity. (Default = Disabled)
|
Note: The files added through this interface will be exempted only from monitoring by Behavior Blocker. To exclude a file from monitoring by all the components of CIS including Antivirus, Firewall, HIPS and Behavior Blocker, add it to Trusted Files list. |
To define exceptions
-
Select the 'Define exceptions for behavior blocking' checkbox and click the Exceptions link. The 'Manage Exceptions' dialog will appear.
-
Click the handle at the bottom of the interface and choose 'Add'
-
You can add items by selecting the required option from the drop-down:
- File Groups - Enables you to select a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a ruleset for all files with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl . Other such categories available include 'Windows System Applications' , 'Windows Updater Applications' , 'Start Up Folders' etc. For more details on file groups, refer to the section File Groups.
- Running Processes - As the name suggests, this option allows you to select an application or executable from the processes that are currently running on your PC.
- Browse Folders - Opens the 'Browse for Folders' window and enables you to navigate to the folder you wish to add.
- Browse File - Opens the 'Open' window and enables you to navigate to the application or file you wish to add.
- Click 'OK' to implement your settings.
Advanced Settings:
- Do heuristic command-line analysis for certain applications - Selecting this option instructs Comodo Internet Security to perform heuristic analysis of programs that are capable of executing code such as visual basic scripts and java applications. Example programs that are affected by enabling this option are wscript.exe, cmd.exe, java.exe and javaw.exe. For example, the program wscipt.exe can be made to execute visual basic scripts (.vbs file extension) via a command similar to 'wscript.exe c:teststest.vbs'. If this option is selected, CIS detects c:teststest.vbs from the command-line and applies all security checks based on this file. If test.vbs attempts to connect to the internet, for example, the alert will state 'test.vbs' is attempting to connect to the internet (Default = Enabled).
If this option is disabled, the alert would only state 'wscript.exe' is trying to connect to the Internet'.
|
Background note: 'Heuristics' describes the method of analyzing a file to ascertain whether it contains codes typical of a virus. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist. This helps to identify previously unknown (new) viruses. |
- Detect shellcode injections (i.e. Buffer overflow protection) - Enabling this setting turns-on the Buffer over flow protection.
Background: A buffer overflow is an anomalous condition where a process/executable attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits.
Turning-on buffer overflow protection instructs the Comodo Internet Security to raise pop-up alerts in every event of a possible buffer overflow attack. You can allow or deny the requested activity raised by the process under execution depending on the reliability of the software and its vendor. Click here for more details on the alerts.
Comodo recommends that this setting to be maintained selected always (Default = Enabled).
To exclude some of the file types from being monitored under Detect Shellcode injections.
-
Select the 'Detect shellcode injections' checkbox and click the Exceptions link. The 'Manage Exceptions' dialog will appear.
-
Click the handle from the bottom of the interface and choose 'Add'
-
You can add items by selecting the required option from the drop-down:
- File Groups - Enables you to select a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a ruleset for all files with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl . Other such categories available include 'Windows System Applications' , 'Windows Updater Applications' , 'Start Up Folders' etc. For more details on file groups, refer to the section File Groups.
- Running Processes - As the name suggests, this option allows you to select an application or executable from the processes that are currently running on your PC.
- Browse Folders - Opens the 'Browse for Folders' window and enables you to navigate to the folder you wish to add.
- Browse File - Opens the 'Open' window and enables you to navigate to the application or file you wish to add.
|
Note:These settings are recommended for advanced users only. |
- Click 'OK' to implement your settings.