Tags
malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard itarian unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos Rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection virtual desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to create auto-containment rules in a Windows profile

Release Time
07/02/2017
Views
1170 times
Category
profiles
Tags

What is an auto-containment rule?

  • Auto-containment rules let you define which applications can run on managed devices, and what privileges they are allowed.
     
  • Comodo Client Security (CCS) on a device consults these rules every time a program is opened.
     
  • Each rule consists of 3 basic elements:
     
    1. Action - choice of:
       
      • Run Virtually - The application is run inside the container, a highly secure environment that is isolated from the rest of the endpoint.
         
      • Run Restricted - The application has limited privileges, can access very few operating system resources and can only open 10 processes at a time.
         
      • Block - The application is not allowed to run at all.
         
      • Ignore - The application can run as normal outside the container.
         
    2. Target - The applications, file groups or folders that you want to monitor in the rule. You can also add filters to target files that meet certain conditions.
       
    3. Options - Choose the trust level of the files you picked in #2. You can also set limits on memory consumption, execution time, and log options.
       
  • This tutorial explains how to create auto-containment rules in a Windows profile.

Create an auto-containment rule

  • Login to ITarian
     
  • Click 'Applications' > 'Endpoint Manager'
     
  • Click ‘Configuration Templates’ > ‘Profiles’
     
  • Open the Windows profile applied to your target devices
     
    • Open the 'Containment' tab

      OR
       
    • Click 'Add Profile Section' > 'Containment', if it hasn't yet been added:
       
  • Click the 'Rules' tab


 

  • Click 'Add Rule'
     

Follow these three steps to create your rule:

Step 1 – Choose the action

The 'Action', in combination with the restriction level in the 'Options' tab, determines the privileges of a contained application.

Choose one of the following actions:

  • Run Virtually - The application is run inside the container, a highly secure environment that is isolated from the rest of your computer.
     
  • Run Restricted - The application is allowed to access very few operating system resources. It is not allowed to execute more than 10 processes at a time and has very limited privileges. Some applications, like computer games, may not work properly under this setting.
     
  • Block - The application is not allowed to run at all.
     
  • Ignore- The application can run as normal outside the container.
     

Step 2 – Select rule targets and filters

  • The targets are the files/folders/groups that are covered by the rule.
     
  • You can filter a rule so it applies to a narrower sub-set of files.
     
    • For example, you can specify 'All executables' as the target, then add a filter so it only affects executables from the internet.
       
    • Another example is if you want to allow unknown files created by a specific user to run outside the container. You would create an 'Ignore' rule with 'All Applications' as the target, then add 'Files created by a specific user' as the filter.

Set target and filters

  • Click the 'Criteria' tab
     
  • Click 'Edit' at top-right:

  • Click ‘Browse’ to choose the file/folder/group you want to target with the rule.
     
  • Choose any filters you require from the list. Filters let you narrow the scope of the rule so it only catches files that meet certain conditions.
     
  • If you don’t want any filters then skip straight to step 3
     
  • Click ‘OK’

See the following links if you want help to select a target or add a filter:

Select the target

  • Click 'Type' drop-down to choose an application, file group, hash, or folder as your target
     
    • Files - Browse to a specific file.
       
    • File Groups - Apply the rule to predefined file groups.
       
      • A filegroup is a collection of files which (usually) share similar attributes and/or functionality. For example, the 'Executables' group is a list of file types that can run code on your computer.
         
      • You can view and manage file groups in 'Settings' > 'System Templates' > 'File Groups Variables'.
         
    • Folder -  Apply the rule to all files in a folder or drive
       
    • File Hash - Apply the rule to all files that have a specific SHA1 hash value.
       
      • A hash value is a large number that is generated by passing the file through a hashing algorithm. The number uniquely identifies the file, and it is extremely unlikely that two files will ever generate the same hash value. The benefit of using a file hash is that the rule will still work even if the file name changes.
         
      • Enter the SHA1 hash value of the target executable file in the 'Target' field.
         
    • Process Hash - Apply the rule to files whose processes have a specific SHA1 hash value. Please see the description above if required.
       
      • Enter the SHA1 hash value of the process created by the target file in the 'Target' field.

Configure filters

Filters let you narrow the scope of a rule. Once set, the rule will only apply if the target file meets the conditions you specify.

The available filters are:

Files created by a specific application

Apply the rule to a file based on its source application.

You can also specify the file rating of the source application. The rule will only contain a file if its parent app has a certain trust rating.

Specify the source application:

  • Click the 'Add' button in the 'File Created by applications' stripe.

  • Type - The target types are the same as explained above.
     
  • Reputation - Choose the file rating of the source you specified in the 'Type' drop-down:

  • Click 'OK' to save your settings
     
  • Repeat the process to add more source applications

Files created by a specific process

  • Applies the rules to files created by a particular parent process.
     
  • You can also specify:
     
    • The file rating of the source. The rule will only contain a file if its parent process has a certain trust rating.
       
    • The number of levels in the process chain that should be inspected.

Specify source processes

  • Click the 'Add' button in the 'File Created by Process(es)' stripe:

  • Type - See target types above for more details.
     
  • Reputation - Choose the file rating of the source you specified in the 'Type' drop-down:

 

  • Click 'OK'

The source process type will be added.

  • Limit number of parent processes in the process chain to' - Specify how far up the process tree CCS should check when inspecting the file's sources. 1 = will only check the file's parent process. 2 = will check the parent process and the grand-parent process, etc.
     
  • Repeat to add more source processes

Files created by specific users

  • Applies the rule to any files created by a certain user or user group.
     
  • Click the 'Add' button in the 'File Created by User(s)' bar.
     
  • Next, select the target user group:

  • Repeat the process to add more user groups

Files from specific sources

  • Applies the rule to files that were copied/downloaded from certain locations.
     
  • Click the 'Add' button in the 'File Origin(s)' bar.
     
  • Choose the source from the options:

 

 

  • Internet - The rule only applies to files downloaded from the internet.
     
  • Removable Media - The rule only applies to items copied from external devices. For example, from a USB drive, CD/DVD, or external storage.
     
  • Intranet - The rule only applies to items downloaded from the local network.

Repeat the process to add more sources

Files which have a specific trust rating

  • Applies the rule to files that have the trust rating you set.
     
  • Click the 'Select' button in the 'File Rating' stripe

 

  • You can choose from the following trust ratings:
     
    • Trusted - Applications that are safe to run. A file is trusted if:
       
      • The file is on the global whitelist of safe files
         
      • The file is signed by a vendor with 'Trusted' rating in CCS vendor List
         
      • The file was installed by a trusted installer
         
      • The file was given a trusted rating by an admin ('Settings' > 'Application Control')
         
    • Malicious - Malware files. These files are on the blacklist of known harmful files.
       
    • Unrecognized - Files that do not have a current trust rating. These files are not on the blacklist nor the whitelist, so are given an 'unknown' trust rating.

Set the file age as filter criteria

  • Applies the rule to files based on their created date, or their age.
     
  • Click the 'Select' button in the 'File age' stripe.

There are two ways to specify file age:

  • File Creation Date - Apply the rule to files created before or after a certain date.
     
  • File age - Apply the rule to files less than, or greater than, a certain number of days old.

Click 'OK' once you have selected your filters. All filters you added will be listed in the ‘Criteria’ tab:

Step 3 – Select the options

The next step is to choose additional options and restrictions on items contained by the rule.

  • Click the 'Options' tab.

The options available depend on the action chosen in step 1.

Here are the options for each action:

  • Ignore:
     
    • Log when this action is performed - A CCS containment log is created whenever this rule is triggered.
       
    • Don't apply the selected action to child processes - Child processes are those started by the target application.
       
      • This option is disabled by default, so the ignore rule also applies to child processes.
         
      • If enabled, the ignore rule does not apply to child processes. Each child process will be inspected individually and all relevant rules applied.
         
  • Run Restricted and Run Virtually:
     
    • Log when this action is performed – See above.
       
    • Set Restriction Level - The available restriction levels are:
       
      • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.
         
      • Limited - The application can only access selected operating system resources. The application is not allowed to execute more than 10 processes at a time and is run without admin privileges.
         
      • Restricted - The application is allowed to access even fewer operating system resources than the ‘Limited’ option. The application is not allowed to execute more than 10 processes at a time. Some applications, like computer games, may not work properly under this setting.
         
      • Untrusted - The application is not allowed to access any operating system resources and cannot execute more than 10 processes at a time. Some applications that require user interaction may not work properly under this setting.
         
    • Limit maximum memory consumption to - Specify how much RAM the application can use.
       
    • Limit program execution time to - The maximum time the program can run. The program is terminated after the specified length of time.
       
  • Block:
     
    • Log when this action is performed - See above.
       
    • Quarantine program - If checked, the blocked file will be automatically moved to quarantine on the device.
       

Click 'OK' to save your rule. Use the ‘On/Off’ switch to activate or deactivate the rule:

  • Repeat the process to add more rules
     
  • You can drag-and-drop the rules to re-prioritize them. Rules at the top of the table have a higher priority than those underneath. The setting in the rule nearer the top will prevail in the event of a conflict between rules.
     
  • You can edit or remove rules using the options at the right.