Best practice configuration(s) for Containment

Does anyone have any best practice recommendations? For most of my customers, where they have stable apps and not much change, I just use most of the out-of-the-box settings after learning mode. I have one customer that has a very complex setup, terminal servers and an in-house application that’s regularly recompiled. Seems to trigger issues on a constant basis.

In looking deeply into the configs there are options to only really contain apps that come from the internet and aren't known, which in my mind seems like it would cover most dangerous scenarios (ransomware, phishing, etc.).

I know this might be the “bare minimum” but what have other IT folks decided works in their environments?

You are in a bit of a hard position, to be honest.

One of the beautiful things about CCS / CIS (Comodo Client Security / Comodo Internet Security) is that a file has to be known and trusted for it not to be contained; this, as you know, involves either Comodo scanning and rating or you, the admin, rating the new file. This beauty is also the downside for software developers, as they are making code that has not yet been scanned, is not fully tested and could have faults in it which look suspiciously like a virus.

Off the top of my head, I would suggest you look at doing exclusions for this company. What this would entail is:

  • Make sure all the designed apps are stored in a central place
  • Create a new group
  • Add rules to identify the files/locations where the files are from step 1
  • Create this company its own profile
  • Add rules to Containment, HIPS, AV etc. for excluding this group

Doing this should solve your issue, but WARNING: doing this makes holes in your system that viruses can use. I hope this information helps.

Whilst @StrobeTech is correct, and we use this method for many clients, the other option, especially if the files are not changing regularly, would be to trust unknown files instead of excluding folders via File Group Variables. We want to try and trust files more at clients' sites rather than just excluding folders.

Hi @nct

I have a question about this configuration option for you (by all means I'm not saying you're wrong, just trying to get a better understanding of your idea).

If I'm understanding you correctly, you're changing the default AV trust settings to default allow instead of block for unknown files?
I have had a quick look in the settings and cannot see where or how to do this, could you show us?
Doing this, does this not open you up to zero day attacks as unknown files can happily run on your system?

The wording of my post above was not clear, and there seems to be no option to edit showing.

“…trust unknown files manually via the ITSM console which have been confirmed as safe or by scanning with Unknown File Hunter for a rating by Valkyrie . . .”

@StrobeTech Thanks for querying.

Hi @StrobeTech

I believe @nct is talking about assigning an admin rating to these specific files from the ITSM portal.

While both methods can be used, I also agree with @nct that assigning a trust rating to specific files (exact SHA) is more secure than defining rule-matching-based exceptions (a malware might be matched by the same rules if the rules are not defined specifically enough).

I agree that doing this is the best idea, but as the question is about application development, where the code is changed and re-compiled regularly for testing, which results in a new hash, this is not an option at all. The file group with vars is the only really workable solution unless you have a dedicated tech watching the containment logs 24/7 for the one client in question.

As long as the business has a non-easily-guessable structure to the filing system, a virus is not going to know to hide in that location or be able to spread; so it should be safe, but as discussed and as the warning states in my original post, this is not perfect and does open you up to issues.
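The trade-off the thread keeps circling back to (a path-based file-group exclusion is a hole any file dropped into that folder can pass through, while an exact-hash trust rating has to be redone after every recompile) is easy to see side by side. The following is an added example and is not part of this thread or of Comodo's own product code: the file contents are constructed byte strings, and the glob-style path rule is an assumed stand-in for a file-group variable, not Comodo's actual matching syntax.

```python
"""Path-based exclusion versus hash-based trust for an in-house app.

Constructed example: the 'files' below are byte strings, not real binaries,
and the glob path rule is an assumed stand-in for a file-group variable.
"""
import hashlib
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Set, Tuple

# Constructed sample file contents (stand-ins for compiled binaries).
BUILD_V1 = b"MZ\x90\x00 inhouse-erp build 1.0.0"
BUILD_V2 = b"MZ\x90\x00 inhouse-erp build 1.0.1"  # same app after a recompile
UNKNOWN = b"MZ\x90\x00 unrated file of unknown origin"

# Constructed directory listing: path -> file bytes.
FILESYSTEM: Dict[str, bytes] = {
    "C:/Apps/InHouse/bin/erp.exe": BUILD_V2,          # the recompiled dev build
    "C:/Apps/InHouse/bin/helper.exe": UNKNOWN,        # unrated file that landed in the excluded folder
    "C:/Users/alice/Downloads/invoice.exe": UNKNOWN,  # unrated file outside it
}

# Hypothetical path rule (glob syntax is an assumption; fnmatch '*' also matches '/').
PATH_EXCLUSIONS = ["C:/Apps/InHouse/*"]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file content; this is what a per-file trust rating keys on."""
    return hashlib.sha256(data).hexdigest()


# The admin rating was granted to build 1.0.0 only.
TRUSTED_HASHES: Set[str] = {sha256_hex(BUILD_V1)}


def exempt_by_path(path: str, patterns: Iterable[str]) -> bool:
    """True if any exclusion pattern matches the location, regardless of content."""
    return any(fnmatchcase(path, pat) for pat in patterns)


def exempt_by_hash(data: bytes, trusted: Set[str]) -> bool:
    """True only if this exact content has been rated trusted."""
    return sha256_hex(data) in trusted


def verdicts(fs: Dict[str, bytes], patterns: Iterable[str],
             trusted: Set[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each path to (exempt under path rule, exempt under hash rule).

    False means the file would still be contained under that policy.
    """
    return {p: (exempt_by_path(p, patterns), exempt_by_hash(d, trusted))
            for p, d in fs.items()}


def rate_trusted(trusted: Set[str], data: bytes) -> Set[str]:
    """Return a new trusted set with this exact build added: the re-rating step
    that has to happen after every release under the hash-based approach."""
    return trusted | {sha256_hex(data)}


if __name__ == "__main__":
    for path, (by_path, by_hash) in verdicts(FILESYSTEM, PATH_EXCLUSIONS, TRUSTED_HASHES).items():
        print(f"{path}: path-rule exempt={by_path}, hash-rule exempt={by_hash}")
    rerated = rate_trusted(TRUSTED_HASHES, BUILD_V2)
    print("after re-rating build 1.0.1:", verdicts(FILESYSTEM, PATH_EXCLUSIONS, rerated))
```

Under the path rule both `erp.exe` and the unrated `helper.exe` in the same folder are exempt, which is the hole StrobeTech warns about; under the hash rule neither is exempt until the new build is rated, which is the operational cost nct's approach carries. The file in Downloads is contained under both policies.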