Comodo Internet Security

Version 6.3

Behavior Blocker


The Behavior Blocker is an integral part of the Defense+ engine and is responsible for authenticating every executable image that is loaded into memory. It intercepts all files before they are loaded into memory, and also intercepts prefetching/caching attempts for those files. When an executable attempts to load, the Behavior Blocker calculates its hash and compares it with the list of known / recognized applications on the Comodo safe list. If the hash matches the one on record for the executable, the application is considered safe and the Behavior Blocker allows it to run. If no matching hash is found on the safe list, the executable is 'unrecognized' and is run inside the auto-sandbox. You are notified via an alert when this happens.

 




The 'Behavior Blocker' configuration panel can be accessed by clicking 'Tasks > Advanced Tasks > Open Advanced Settings > Security Settings > Defense+ > Behavior Blocker'. This panel allows you to quickly determine how proactive the Behavior Blocker should be and which types of files it should check.

  • Auto-sandbox unknown applications
  • Detect installers and show privilege alerts
  • Define exceptions for behavior blocking
  • Detect shellcode injections
  • Do heuristic command-line analysis


  • Auto-sandbox unknown applications as - Allows you to enable or disable the Behavior Blocker. If enabled, the Behavior Blocker runs unrecognized applications inside the sandbox with the access restriction level selected in the drop-down menu. (Default = 'Enabled' with 'Partially Limited')

Note: The Behavior Blocker configuration setting can also be set in the 'Advanced View' of the 'Home' screen beside the Auto-Sandbox status link in the 'Defense+ and Sandbox' pane.

 

Note: The 'auto-sandbox' referred to here is distinct from the Virtual Kiosk discussed in Sandbox Tasks. For the most part, the 'auto-sandbox' is a non-virtual environment under which unrecognized applications are allowed to run under a set of strict access restrictions (default='Partially Limited'). These restrictions prevent the application from taking actions that are damaging to your system. Users can, however, enable 'Full Virtualization' of auto-sandboxed files in the Behavior Blocker settings.

 

Configuring Access Restriction


The Behavior Blocker will auto-sandbox an unknown executable and restrict its execution privileges according to an access restriction level set by you. Access restriction levels determine what level of rights a sandboxed application has to access other software and hardware resources on your computer:

    • Partially Limited - The application is allowed to access all operating system files and resources such as the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)

    • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.

    • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

    • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

    • Blocked - The application is not allowed to run at all.

    • Fully Virtualized - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.

  • Detect programs which require elevated privileges: Instructs the Behavior Blocker to display alerts when an installer or updater requires administrator or elevated privileges to run. An installer that is allowed to run with elevated privileges is permitted to make changes to important areas of your computer such as the registry. Refer to the section Understanding Security Alerts for more details. You can decide from the alert itself whether to allow the installer or the unknown application, based on your assessment. (Default=Enabled)

  • Show privilege elevation alerts for unknown programs: Instructs the Behavior Blocker to display alerts when a new or unrecognized program, application or executable requires administrator or elevated privileges to run. You can decide from the alert itself whether to allow the unknown application, based on your assessment. (Default=Enabled)

  • Define exceptions for behavior blocking – Allows you to add file paths that are excluded from monitoring by the Behavior Blocker. Executables included in the exceptions area are allowed to run without their authenticity being checked. (Default = Disabled)

 

Note: Files added through this interface are exempted only from monitoring by the Behavior Blocker. To exclude a file from monitoring by all components of CIS, including Antivirus, Firewall, HIPS and Behavior Blocker, add it to the Trusted Files list.

To define exceptions

    • Select the 'Define exceptions for behavior blocking' checkbox and click the Exceptions link. The 'Manage Exceptions' dialog will appear.



 

    • Click the handle at the bottom of the interface and choose 'Add'

    • You can add items by selecting the required option from the drop-down:

      • File Groups - Enables you to select a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a ruleset for all files with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl. Other such categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc. For more details on file groups, refer to the section File Groups.
      • Running Processes - As the name suggests, this option allows you to select an application or executable from the processes that are currently running on your PC.
      • Browse Folders - Opens the 'Browse for Folders' window and enables you to navigate to the folder you wish to add.
      • Browse File - Opens the 'Open' window and enables you to navigate to the application or file you wish to add.

    • Click 'OK' to implement your settings.
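
The load-time decision described at the top of this page, combined with the exceptions defined here, can be modeled as follows. This is an added sketch, not Comodo's code: the SHA-256 hash, the class and function names, and the order of the checks (exceptions first, then the safe list) are assumptions.

```python
import hashlib
import ntpath

# Restriction levels in the order the page lists them.
LEVELS = ("Partially Limited", "Limited", "Restricted", "Untrusted",
          "Blocked", "Fully Virtualized")

def image_hash(image_bytes):
    """Hash of an executable image (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(image_bytes).hexdigest()

class BehaviorBlockerModel:
    """Hypothetical model of the safe-list check; not the product's implementation."""

    def __init__(self, safelist, level="Partially Limited", exceptions=()):
        if level not in LEVELS:
            raise ValueError(f"unknown restriction level: {level}")
        self.safelist = set(safelist)      # hashes of recognized executables
        self.level = level
        # Excepted paths are compared case-insensitively, as Windows paths are.
        self.exceptions = [ntpath.normcase(p).rstrip("\\") for p in exceptions]

    def verdict(self, path, image_bytes):
        """Decide what happens when the file at `path` is about to be loaded."""
        norm = ntpath.normcase(path)
        # An exception matches the exact file or anything below an excepted folder.
        if any(norm == e or norm.startswith(e + "\\") for e in self.exceptions):
            return "run (excepted, not hashed)"
        if image_hash(image_bytes) in self.safelist:
            return "run (recognized)"
        if self.level == "Blocked":
            return "blocked"
        return f"sandboxed as {self.level}"
```

Because an exception is matched on the path alone, any content placed at an excepted path gets the first verdict, so exception folders should be writable only by administrators.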

Advanced Settings:

  • Do heuristic command-line analysis for certain applications - Selecting this option instructs Comodo Internet Security to perform heuristic analysis of programs that are capable of executing code, such as Visual Basic scripts and Java applications. Example programs that are affected by enabling this option are wscript.exe, cmd.exe, java.exe and javaw.exe. For example, the program wscript.exe can be made to execute Visual Basic scripts (.vbs file extension) via a command similar to 'wscript.exe c:\tests\test.vbs'. If this option is selected, CIS detects c:\tests\test.vbs from the command line and applies all security checks based on this file. If test.vbs attempts to connect to the internet, for example, the alert will state that 'test.vbs' is attempting to connect to the internet (Default = Enabled).

If this option is disabled, the alert would only state that 'wscript.exe' is trying to connect to the internet.

Background note: 'Heuristics' describes the method of analyzing a file to ascertain whether it contains code typical of a virus. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist. This helps to identify previously unknown (new) viruses.
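
The attribution step described for heuristic command-line analysis can be sketched as below, which is also useful when triaging process-creation logs. This is an added example, not Comodo's implementation: the function names, the extension lists per interpreter and the simplified quoting rules are assumptions.

```python
import ntpath

# Interpreters named on the page, mapped to the file types each one runs.
# The extension lists are assumptions made for this sketch.
INTERPRETERS = {
    "wscript.exe": (".vbs", ".js", ".wsf"),
    "cmd.exe": (".bat", ".cmd"),
    "java.exe": (".jar",),
    "javaw.exe": (".jar",),
}

def split_command_line(cmdline):
    """Split on whitespace, keeping double-quoted segments (paths with spaces) whole."""
    tokens, current, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens

def alert_subject(cmdline, heuristic_analysis=True):
    """Return the file name that checks and alerts are attributed to."""
    tokens = split_command_line(cmdline)
    if not tokens:
        return None
    image = ntpath.basename(tokens[0]).lower()
    extensions = INTERPRETERS.get(image)
    if not heuristic_analysis or extensions is None:
        return image                       # option off, or not a script host
    for arg in tokens[1:]:
        if arg.startswith(("/", "-")):     # switches such as //B, /c, -jar
            continue
        if arg.lower().endswith(extensions):
            return ntpath.basename(arg).lower()
    return image                           # no script argument: judge the host itself

# Constructed command lines, not captured from a real system.
if __name__ == "__main__":
    for sample in (r"wscript.exe c:\tests\test.vbs",
                   r'"C:\Windows\System32\wscript.exe" //B "C:\Users\a b\job.vbs"',
                   r"javaw.exe -jar C:\apps\tool.jar"):
        print(alert_subject(sample), "<-", sample)
```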

  • Detect shellcode injections (i.e. buffer overflow protection) - Enabling this setting turns on buffer overflow protection.

Background: A buffer overflow is an anomalous condition where a process/executable attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. Buffer overflows can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits.

Turning on buffer overflow protection instructs Comodo Internet Security to raise a pop-up alert whenever a possible buffer overflow attack is detected. You can allow or deny the activity requested by the running process depending on the reliability of the software and its vendor.

Comodo recommends that this setting always remain selected (Default = Enabled).

To exclude certain file types from monitoring under 'Detect shellcode injections':

    • Select the 'Detect shellcode injections' checkbox and click the Exceptions link. The 'Manage Exceptions' dialog will appear.


 

    • Click the handle from the bottom of the interface and choose 'Add'

    • You can add items by selecting the required option from the drop-down:

      • File Groups - Enables you to select a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a ruleset for all files with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl. Other such categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc. For more details on file groups, refer to the section File Groups.
      • Running Processes - As the name suggests, this option allows you to select an application or executable from the processes that are currently running on your PC.
      • Browse Folders - Opens the 'Browse for Folders' window and enables you to navigate to the folder you wish to add.
      • Browse File - Opens the 'Open' window and enables you to navigate to the application or file you wish to add.

Note: These settings are recommended for advanced users only.

    • Click 'OK' to implement your settings.
© Comodo Group, Inc. 2025. All rights reserved.