
Auto-Sandbox for PDFs from Emails


  • Ricky@314.Technology
    started a topic Auto-Sandbox for PDFs from Emails

    Auto-Sandbox for PDFs from Emails

    Hi All,

    I have just rolled out Comodo End-point Security Management, everything seems to be working great. However, almost all PDF documents that are opened from an email are run in sandbox.
    The issue with this is that the users are unable to print or save the PDFs without first saving and opening the PDF to their file system - due to the volume of users/pdfs this causes a significant time increase.

    I have attempted to add an exclusion group (containing the path to Adobe) to the sandbox settings, however, the PDFs are still getting sandboxed. I can move the PDF to be Trusted, however, this is impractical.

    Is there a way that I can allow all PDFs from emails?

    Thank you for your advice.

    Kind Regards,
    Ricky Kunde

  • Jimmy
    replied
    lmt,

    We thank you for giving us your feedback. Please do not hesitate to reach us for any issues you might encounter. Thank you for your support.



  • lmt
    replied
    Dear Sir
    Thanks for your full support, my problem was solved.
    Will upgrade 8.2 to 8.3.
    No more questions.





  • Jay
    replied
    Hello lmt ,

    We are analyzing the case and we'll respond to the ticket created by Samuel as soon as we can.

    Kind Regards,
    Jay



  • lmt
    replied
    Dear Sir
    Following your instructions:

    1. On the CAVS 8.3 session host, the PDF attachment is not run in the sandbox, and there is no more error message.

    2. The new policy does not take effect on CAVS 8.2, right? Do I have to upgrade all session hosts from CAVS 8.2 to CAVS 8.3?

    3. With the new policy, will HIPS never monitor acrodrd32.exe? I mean, if I save the PDF to a folder and then open it, is acrodrd32 still monitored?



  • Samuel C
    replied
    Hello lmt,

    We appreciate you sharing additional details and responding to the support ticket. We will review the information and provide you an update on this matter. Thank you.



  • lmt
    replied
    1. About my environment, I briefly describe it as follows:
    • We are using Windows Server 2012 R2 Remote Desktop session hosts; there are 15 session hosts, with about 30 users on each host.
    • Comodo products are: ESM 3.5.21217.512, security product CAVS 8.2.0.4710, 8.3.0.5205
    • Every session host has CAVS 8.2.0.4710 or 8.3.0.5205 installed
    • Adobe Reader version is 11.0.20.17
    • Outlook 2010 version is: 14.0.7188.5002 (32 bits)
    1. I have tried to exclude the Outlook temp folder from the sandbox; then Adobe Reader operates well, without any error message, no matter whether I preview within Outlook or double-click the PDF attachment to open it with Reader.
    2. If I set it back to the normal situation, with Outlook PDF attachments auto-sandboxed, errors occur easily.
    3. Error as attached
    4. With 30 users on the same session host, it does not happen to everyone; at the same time, some users get the error and some do not.
    5. I don’t want to disable the auto-sandbox function, or disable HIPS Settings/Do heuristic command-line analysis for certain application
    Attached Files



  • Oliver C
    replied
    Hello lmt,

    We will be contacting you through email to help you out with your concern.



  • lmt
    replied
    I agree with auto-sandboxing PDF attachments, but I face a problem: it is very easy to get an error message "an internal error......." and the PDF cannot be opened. If I save it to a folder, then I can open it smoothly. Is there any solution to avoid the "an internal error...." error message?



  • Nick
    replied
    Hello MTekhna,

    Regarding the second issue reported, to control the notifications and monitor thresholds, you will have to edit the following:
    1. In Configuration Templates > Alerts menu, please create a new alert (the default alert that is already there cannot be edited because it is the default one) and choose the appropriate settings.
    2. In Configuration Templates > Profiles, click the profile that is in use, then go to the 'Monitoring' tab and click the existing monitor (probably "Recommended Performance Monitoring"), then Edit, and at the bottom of the window, under 'Use Alert Settings', replace the default alert with the new one that you have created. (NOTE: if the Edit button is missing in the upper right-hand corner, then you are probably using the default profile, which again is not editable. In this case you will have to clone the default profile, make the changes and replace the profile in use.)
    If you need to tune the alerts further, all you have to do is edit the alert that you have created in Configuration Templates > Alerts.

    Regarding the other 2 issues reported, we will contact you via email to troubleshoot these problems.



  • MTekhna
    replied
    Originally posted by Harvey
    Hello MTekhna

    If you have reinstalled Comodo Client - Security since then, please disable the "Do heuristic command-line analysis for certain applications" option from the ITSM profile (ITSM > Profiles > Profile list > -Open Profile in question- > HIPS > HIPS Settings), or if you have the identical issue on a different machine, disable it from the profile assigned on that specific device so we can see if the issue is avoided by doing this.

    Looking forward to your reply.

    Harvey, I did as suggested and am waiting to see the outcome, but the site I am having issues with is currently inaccessible from RMM.



  • MTekhna
    replied
    It seems two issues may be being created here. 1. PDFs and other unknown files are being sandboxed regardless of whether they originated in email or not. I have created PDFs on the system to test this, and have also seen Adobe itself, which was downloaded and installed, run in sandbox. I have a machine which I tried to install Cisco Packet Tracer on, which won't even install the program but runs the installer in sandbox. So some more control is needed there to administer effectively. 2. Alerts of processor, RAM and/or disk usage thrashing that seem to occur frequently, and I'm witnessing Comodo activity to be the culprit here. 3. Bonus issue: RMM going down intermittently. I have a site completely down now that I must visit to see what's going on.



  • Ricky@314.Technology
    replied
    Hi Harvey,

    Thank you for the information. I applied a Group Policy to move the Outlook temp files to a new location, however, this did not help. I have disabled the "Do heuristic command-line analysis for certain applications" option for the time being, to keep the users happy.

    Hi Ferdinand,

    Thank you for your reply. Would you mind exporting and sharing your ITSM computer profile? I'm just looking at the documentation now and setting up a new one, however, I'm interested to see how others have got theirs set up.

    Kind Regards,
    Ricky Kunde



  • melih
    replied
    Originally posted by azon2111
    Not sure I understand your question. But auto-sandboxing and HIPS (any place these levels are defined?) I get and I have turned on. I am saying that those bypassing the sandboxing of mail attachments regardless of extension is NOT a good thing. In case what I wrote was confusing.

    Any unknown executable would end up running inside containment (sandbox). So even if there is a malicious PDF and that ends up dropping a payload (Unknown executable), it will end up inside containment hence no harm done.



  • azon2111
    replied
    Originally posted by melih
    Do you know how our endpoint protection works?

    Not sure I understand your question. But auto-sandboxing and HIPS (any place these levels are defined?) I get and I have turned on. I am saying that those bypassing the sandboxing of mail attachments regardless of extension is NOT a good thing. In case what I wrote was confusing.
    Last edited by azon2111; 08-15-2016, 03:03 PM.

