You may know me as that crazy person who overlaps Kaspersky Internet Security with Comodo Firewall.
I have been thinking about why I need CF, and I realized that the only reason is to limit the damage unknown applications can do if they are malicious. For that, I only need the auto-containment module of CF.
My CF configuration was a slightly modified version of Cruel Sister's. The problem with CS's settings is that you are never really sure whether something is denied execution inside the sandbox because it's malicious, or just because it's new to Comodo.
I found the best way to deal with this issue is to have an AV with excellent and fast signatures (Kaspersky, ESET, Norton).
After testing this combination, I realized that we can safely let the potentially malicious application roam, restricted, inside Comodo's sandbox to show its true self, and then decide whether it's really malicious or not. Our knowledge and our beloved AV suite will help us in this decision.
I scrolled through Comodo's website hoping to find a standalone application just for that, but I found the next best thing: Comodo Antivirus Free.
The difference between Comodo Firewall and Comodo Antivirus is, well, that the Firewall module is not in the Antivirus. That's great, we don't need it anyway.
As usual, Comodo's infamous v11 wasn't auto-containing properly, but again, as usual, v10.2 came to the rescue.
This configuration of Comodo Antivirus is compatible with every other available security suite. It doesn't add much of a performance hit either.
So we start with installing Comodo Antivirus 10.2.
You can find it here.
Then you go to Settings and set the Proactive Security config as active.
Then you go back to Updates and disable everything. We don't need Comodo's signatures, because they're very late, and we don't need the application to update to version 11 either.
Then you disable Realtime Scanning, since that will be done by your stronger AV anyway.
Then you disable HIPS as well.
Then you disable "Do not virtualize access to specified registry keys/values" in Containment Settings.
And last, you edit "Run Virtually" in the Auto-Containment settings.
Here you can set the Restriction Level to either Restricted or Limited; both will be fine, though Restricted can break certain applications.
Oh, and for performance/compatibility purposes, you change the "Monitor only the applications in the container" VirusScope setting as well:
Now let's see how it performs in two scenarios. The first scenario is when your AV suite reacts to things happening inside the container:
Application Control put it into Untrusted and Trusted at the same time for a sec there.
There is no alert from KIS because I already tested it, so it's not new to it.
The second scenario is when your sandbox saves your ass because your AV is being dumb-dumb. Resetting the container wipes all problems away.
Every suggestion about setting something differently is welcome!