
How to create auto-containment rules in a Windows profile

Release Time
07/03/2017
Views
1760 times
Categories
profiles

What is an auto-containment rule?

  • Auto-containment rules let you define which applications can run on managed devices, and what privileges they are allowed.
     
  • Comodo Client Security (CCS) on a device consults these rules every time a program is opened.
     
  • Each rule consists of 3 basic elements:
     
    1. Action - choice of:
       
      • Run Virtually - The application is run inside the container, a highly secure environment that is isolated from the rest of the endpoint.
         
      • Run Restricted - The application has limited privileges, can access very few operating system resources and can only open 10 processes at a time.
         
      • Block - The application is not allowed to run at all.
         
      • Ignore - The application can run as normal outside the container.
         
    2. Target - The applications, file groups or folders that you want to monitor in the rule. You can also add filters to target files that meet certain conditions.
       
    3. Options - Choose the trust level of the files you picked in #2. You can also set limits on memory consumption, execution time, and log options.
       
  • This tutorial explains how to create auto-containment rules in a Windows profile.

Create an auto-containment rule

  • Login to ITarian
     
  • Click 'Applications' > 'Endpoint Manager'
     
  • Click ‘Configuration Templates’ > ‘Profiles’
     
  • Open the Windows profile applied to your target devices
     
    • Open the 'Containment' tab

      OR
       
    • Click 'Add Profile Section' > 'Containment', if it hasn't yet been added:
       
  • Click the 'Rules' tab


  • Click 'Add Rule'
     

Follow these three steps to create your rule:

Step 1 – Choose the action

The 'Action', in combination with the restriction level in the 'Options' tab, determines the privileges of a contained application.

Choose one of the following actions:

  • Run Virtually - The application is run inside the container, a highly secure environment that is isolated from the rest of your computer.
     
  • Run Restricted - The application is allowed to access very few operating system resources. It is not allowed to execute more than 10 processes at a time and has very limited privileges. Some applications, like computer games, may not work properly under this setting.
     
  • Block - The application is not allowed to run at all.
     
  • Ignore - The application can run as normal outside the container.
     

Step 2 – Select rule targets and filters

  • The targets are the files/folders/groups that are covered by the rule.
     
  • You can filter a rule so it applies to a narrower sub-set of files.
     
    • For example, you can specify 'All executables' as the target, then add a filter so it only affects executables from the internet.
       
    • Another example is if you want to allow unknown files created by a specific user to run outside the container. You would create an 'Ignore' rule with 'All Applications' as the target, then add 'Files created by a specific user' as the filter.

Set target and filters

  • Click the 'Criteria' tab
     
  • Click 'Edit' at top-right:

  • Click ‘Browse’ to choose the file/folder/group you want to target with the rule.
     
  • Choose any filters you require from the list. Filters let you narrow the scope of the rule so it only catches files that meet certain conditions.
     
  • If you don’t want any filters then skip straight to step 3
     
  • Click ‘OK’

See the following links if you want help to select a target or add a filter:

Select the target

  • Click the 'Type' drop-down to choose an application, file group, hash, or folder as your target:
     
    • Files - Browse to a specific file.
       
    • File Groups - Apply the rule to predefined file groups.
       
      • A filegroup is a collection of files which (usually) share similar attributes and/or functionality. For example, the 'Executables' group is a list of file types that can run code on your computer.
         
      • You can view and manage file groups in 'Settings' > 'System Templates' > 'File Groups Variables'.
         
    • Folder - Apply the rule to all files in a folder or drive.
       
    • File Hash - Apply the rule to all files that have a specific SHA1 hash value.
       
      • A hash value is a large number that is generated by passing the file through a hashing algorithm. The number uniquely identifies the file, and it is extremely unlikely that two files will ever generate the same hash value. The benefit of using a file hash is that the rule will still work even if the file name changes.
         
      • Enter the SHA1 hash value of the target executable file in the 'Target' field.
         
    • Process Hash - Apply the rule to files whose processes have a specific SHA1 hash value. Please see the description above if required.
       
      • Enter the SHA1 hash value of the process created by the target file in the 'Target' field.

Configure filters

Filters let you narrow the scope of a rule. Once set, the rule will only apply if the target file meets the conditions you specify.

The available filters are:

Files created by a specific application

Apply the rule to a file based on its source application.

You can also specify the file rating of the source application. The rule will only contain a file if its parent app has a certain trust rating.

Specify the source application:

  • Click the 'Add' button in the 'File Created by applications' stripe.

  • Type - The target types are the same as explained above.
     
  • Reputation - Choose the file rating of the source you specified in the 'Type' drop-down:

  • Click 'OK' to save your settings
     
  • Repeat the process to add more source applications

Files created by a specific process

  • Applies the rules to files created by a particular parent process.
     
  • You can also specify:
     
    • The file rating of the source. The rule will only contain a file if its parent process has a certain trust rating.
       
    • The number of levels in the process chain that should be inspected.

Specify source processes

  • Click the 'Add' button in the 'File Created by Process(es)' stripe:

  • Type - See target types above for more details.
     
  • Reputation - Choose the file rating of the source you specified in the 'Type' drop-down:

  • Click 'OK'

The source process type will be added.

  • 'Limit number of parent processes in the process chain to' - Specify how far up the process tree CCS should check when inspecting the file's sources. 1 = only the file's parent process is checked. 2 = the parent process and the grand-parent process are checked, and so on.
     
  • Repeat to add more source processes

Files created by specific users

  • Applies the rule to any files created by a certain user or user group.
     
  • Click the 'Add' button in the 'File Created by User(s)' bar.
     
  • Next, select the target user group:

  • Repeat the process to add more user groups

Files from specific sources

  • Applies the rule to files that were copied/downloaded from certain locations.
     
  • Click the 'Add' button in the 'File Origin(s)' bar.
     
  • Choose the source from the options:

  • Internet - The rule only applies to files downloaded from the internet.
     
  • Removable Media - The rule only applies to items copied from external devices. For example, from a USB drive, CD/DVD, or external storage.
     
  • Intranet - The rule only applies to items downloaded from the local network.

Repeat the process to add more sources

Files which have a specific trust rating

  • Applies the rule to files that have the trust rating you set.
     
  • Click the 'Select' button in the 'File Rating' stripe


  • You can choose from the following trust ratings:
     
    • Trusted - Applications that are safe to run. A file is trusted if:
       
      • The file is on the global whitelist of safe files
         
      • The file is signed by a vendor with a 'Trusted' rating in the CCS vendor list
         
      • The file was installed by a trusted installer
         
      • The file was given a trusted rating by an admin ('Settings' > 'Application Control')
         
    • Malicious - Malware files. These files are on the blacklist of known harmful files.
       
    • Unrecognized - Files that do not have a current trust rating. These files are not on the blacklist nor the whitelist, so are given an 'unknown' trust rating.

Set the file age as filter criteria

  • Applies the rule to files based on their created date, or their age.
     
  • Click the 'Select' button in the 'File age' stripe.

There are two ways to specify file age:

  • File Creation Date - Apply the rule to files created before or after a certain date.
     
  • File age - Apply the rule to files less than, or greater than, a certain number of days old.

Click 'OK' once you have selected your filters. All filters you added will be listed in the ‘Criteria’ tab:

Step 3 – Select the options

The next step is to choose additional options and restrictions on items contained by the rule.

  • Click the 'Options' tab.

The options available depend on the action chosen in step 1.

Here are the options for each action:

  • Ignore:
     
    • Log when this action is performed - A CCS containment log is created whenever this rule is triggered.
       
    • Don't apply the selected action to child processes - Child processes are those started by the target application.
       
      • This option is disabled by default, so the ignore rule also applies to child processes.
         
      • If enabled, the ignore rule does not apply to child processes. Each child process will be inspected individually and all relevant rules applied.
         
  • Run Restricted and Run Virtually:
     
    • Log when this action is performed – See above.
       
    • Set Restriction Level - The available restriction levels are:
       
      • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.
         
      • Limited - The application can only access selected operating system resources. The application is not allowed to execute more than 10 processes at a time and is run without admin privileges.
         
      • Restricted - The application is allowed to access even fewer operating system resources than the ‘Limited’ option. The application is not allowed to execute more than 10 processes at a time. Some applications, like computer games, may not work properly under this setting.
         
      • Untrusted - The application is not allowed to access any operating system resources and cannot execute more than 10 processes at a time. Some applications that require user interaction may not work properly under this setting.
         
    • Limit maximum memory consumption to - Specify how much RAM the application can use.
       
    • Limit program execution time to - The maximum time the program can run. The program is terminated after the specified length of time.
       
  • Block:
     
    • Log when this action is performed - See above.
       
    • Quarantine program - If checked, the blocked file will be automatically moved to quarantine on the device.
       

Click 'OK' to save your rule. Use the ‘On/Off’ switch to activate or deactivate the rule:

  • Repeat the process to add more rules
     
  • You can drag-and-drop the rules to re-prioritize them. Rules at the top of the table have a higher priority than those underneath. The setting in the rule nearer the top will prevail in the event of a conflict between rules.
     
  • You can edit or remove rules using the options at the right.
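As an added worked example (not code from this page or from Comodo), here is a small Python model of the evaluation order described above: rules are checked from the top of the table down and the first match prevails, every filter configured on a rule must hold, and the process-chain depth limits how far up the parent tree a 'created by process' filter looks. The FileInfo fields, the sample rules, the user name build-svc and the approximation of the 'Executables' group by file extension are all constructed assumptions.

```python
# Added example (not Comodo's code): a minimal model of the rule evaluation this
# tutorial describes. Fields, sample rules and the extension-based 'Executables'
# approximation are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FileInfo:
    path: str
    rating: str              # 'Trusted', 'Malicious' or 'Unrecognized'
    origin: str              # 'Internet', 'Removable Media', 'Intranet' or 'Local'
    created_by_user: str
    parent_chain: list = field(default_factory=list)  # nearest parent process first

@dataclass
class Rule:
    action: str              # 'Run Virtually', 'Run Restricted', 'Block' or 'Ignore'
    target: str = "All Applications"        # or 'Executables', or a folder prefix
    origins: Optional[set] = None           # 'File Origin(s)' filter
    ratings: Optional[set] = None           # 'File Rating' filter
    users: Optional[set] = None             # 'File Created by User(s)' filter
    parent_processes: Optional[set] = None  # 'File Created by Process(es)' filter
    chain_depth: int = 1     # 'Limit number of parent processes in the process chain to'

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".ps1")  # constructed approximation

def matches_target(rule: Rule, f: FileInfo) -> bool:
    if rule.target == "All Applications":
        return True
    if rule.target == "Executables":
        return f.path.lower().endswith(EXECUTABLE_EXTS)
    return f.path.lower().startswith(rule.target.lower())  # folder or drive target

def matches(rule: Rule, f: FileInfo) -> bool:
    """Every configured filter must hold; a filter left as None is not checked."""
    if not matches_target(rule, f):
        return False
    simple = [(rule.origins, f.origin), (rule.ratings, f.rating), (rule.users, f.created_by_user)]
    if any(allowed is not None and value not in allowed for allowed, value in simple):
        return False
    if rule.parent_processes is not None:
        # Only the first chain_depth ancestors are inspected:
        # 1 = parent only, 2 = parent and grand-parent, and so on.
        inspected = f.parent_chain[:rule.chain_depth]
        if not any(p in rule.parent_processes for p in inspected):
            return False
    return True

def decide(rules: list, f: FileInfo) -> Optional[str]:
    """Rules are ordered as in the table: the first (highest) match prevails."""
    for rule in rules:
        if matches(rule, f):
            return rule.action
    return None  # no rule matched; left undecided rather than assuming a default

# Constructed rule set mirroring the tutorial's examples, highest priority first.
RULES = [
    Rule("Ignore", users={"build-svc"}, ratings={"Unrecognized"}),
    Rule("Block", ratings={"Malicious"}),
    Rule("Run Virtually", target="Executables", origins={"Internet", "Removable Media"}, ratings={"Unrecognized"}),
    Rule("Run Restricted", target="Executables", parent_processes={"winword.exe"}, chain_depth=2),
]
```

Because the 'Ignore' rule for build-svc sits above the 'Block' rule, swapping their order would let a Malicious file created by that account run normally, which is why rule priority deserves the same care as the filters themselves.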