Auto-Sandbox for PDFs from Emails

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Auto-Sandbox for PDFs from Emails

    Hi All,

    I have just rolled out Comodo End-point Security Management, and everything seems to be working great. However, almost all PDF documents that are opened from an email are run in the sandbox.
    The issue with this is that the users are unable to print or save the PDFs without first saving the PDF to their file system and opening it from there; due to the volume of users/PDFs this causes a significant time increase.

    I have attempted to add an exclusion group (containing the path to Adobe) to the sandbox settings; however, the PDFs are still getting sandboxed. I can move the PDF to be Trusted, however, this is impractical.

    Is there a way that I can allow all PDFs from emails?

    Thank you for your advice.

    Kind Regards,
    Ricky Kunde

  • #2
    Hello Ricky@314.Technology

    In order to avoid infections that are being sent through macros and attachments, Comodo has increased the detection level and added another method of prevention.

    The reason why the .pdf files opened from Outlook (and other applications) are sand-boxed is because the files are actually opened from a temporary location that is considered as untrusted by default.

    There are a couple of workarounds for avoiding this matter:

    Instead of opening the file directly, save it in another location different from the %temp% folder for the specific user. Since it is the process that is sand-boxed and not the file (Adobe is a safe application), the .pdf file will not be sand-boxed afterwards.

    Or to fully disable the .pdf sandboxing, you can disable the "Do heuristic command-line analysis for certain applications" from the profile / profiles that you have applied on the targeted devices; this can be found in ITSM > Profiles > Profile list > -Open Profile in question- > HIPS > HIPS Settings.

    We do not recommend the latter option because it means disabling a protective feature meant to increase security, but you can have this option disabled if the sand-boxing is affecting the end-users' workflow or if the first option is not viable for you.

    Please let us know the outcome.

    • #3
      I am having an issue with users not being able to print PDFs in Adobe also. I tried printing a PDF saved from Word and had the same issue. Any way to fix this? I also tried disabling all the security components but it still wouldn't print PDFs. My temporary solution to allow them to print was to uninstall the security client.
      Last edited by MTekhna; 08-10-2016, 07:50 PM. Reason: Updated resolution steps

      • #4
        Hello MTekhna,
        I am assuming you are referring to the same issue Ricky had (.pdf files are opening under Sandbox when opened as attachments). If they're running under Sandbox (the window of the software will have a green border around it), indeed, the printing process will not work, and the workaround for this case is provided in Harvey's reply. If the .pdf file is not opened under Sandbox and you have any issues printing, those could not be related to CES. Please provide us with any error messages or print screens in order to help you further.
        Last edited by Andy; 08-10-2016, 07:36 PM.

        • #5
          I saw the green box on one machine and that machine was able to print. The machine I was having the issue with didn't display a green box around the Adobe window or give any error. The printing screen came up but just hung; I could only shut the process down, not cancel it. The printer showed the page as spooling. I was thinking maybe it wasn't the security because I disabled all the modules and it still wouldn't print, but after uninstalling the security it works fine as before. The file wasn't saved to the temp folder; it wasn't from an email attachment but from a PDF I saved to the Documents folder from a Word document I created in the Documents folder.
          Last edited by MTekhna; 08-11-2016, 06:20 AM.

          • #6
            Hello MTekhna

            If you have reinstalled Comodo Client - Security since then, please disable the "Do heuristic command-line analysis for certain applications" option from the ITSM profile (ITSM > Profiles > Profile list > -Open Profile in question- > HIPS > HIPS Settings), or if you have the identical issue on a different machine, disable it from the profile assigned on that specific device so we can see if the issue is avoided by doing this.

            Looking forward to your reply.

            • #7
              We are also working on an improvement to provide you more granular control over PDFs. If you don't want to Contain PDF, you would be able to disable that with one click...

              • #8
                Hi team/Ricky@314.Technology - I had this problem in the beginning, but was able to resolve it by ensuring that you are not using the default Windows profile, which has HIPS (safe mode), Valkyrie and Viruscope disabled by default. I cloned the default profile, renamed it and enabled all these, then applied it to the respective machines. I don't have these email PDF being blocked issues anymore. (I also did not have to disable "Do heuristic command-line analysis for certain applications" as suggested above.)

                • #9
                  I think some are missing the boat here, so to speak. Anything coming from email should be quarantined. Can't tell you how many times attachments have gotten clients infected from my end. I make clients save the PDFs to the desktop or some other place after opening so that the sandbox protects you. Else you will inevitably have some client that opens the infections and the next thing you know you've got crypto all over that node. So my advice is to change the process for PDFs for clients and make them understand why it is necessary. It only takes one bad attachment in Word or PDF and you've hosed a node and possibly other nodes (if the disease is spread). IMHO the sandboxing is the right way to approach this, not going around it. Nothing from the inet should ever be considered safe until a scan has been done. Same way you cannot run installers on servers without clearing the unsafe property in them before running. It is an extra step but a necessary one to keep users/nodes safe.

                  • #10
                    Originally posted by azon2111:
                    I think some are missing the boat here, so to speak. Anything coming from email should be quarantined. Can't tell you how many times attachments have gotten clients infected from my end. I make clients save the PDFs to the desktop or some other place after opening so that the sandbox protects you. Else you will inevitably have some client that opens the infections and the next thing you know you've got crypto all over that node. So my advice is to change the process for PDFs for clients and make them understand why it is necessary. It only takes one bad attachment in Word or PDF and you've hosed a node and possibly other nodes (if the disease is spread). IMHO the sandboxing is the right way to approach this, not going around it. Nothing from the inet should ever be considered safe until a scan has been done. Same way you cannot run installers on servers without clearing the unsafe property in them before running. It is an extra step but a necessary one to keep users/nodes safe.

                    Do you know how our endpoint protection works?

                    • #11
                      Originally posted by melih:
                      Do you know how our endpoint protection works?

                      Not sure I understand your question. But auto-sandboxing and HIPS (any place these levels are defined?) I get and I have turned on. I am saying that those bypassing the sandboxing of mail attachments regardless of extension is NOT a good thing. In case what I wrote was confusing.
                      Last edited by azon2111; 08-15-2016, 03:03 PM.

                      • #12
                        Originally posted by azon2111:
                        Not sure I understand your question. But auto-sandboxing and HIPS (any place these levels are defined?) I get and I have turned on. I am saying that those bypassing the sandboxing of mail attachments regardless of extension is NOT a good thing. In case what I wrote was confusing.

                        Any unknown executable would end up running inside containment (sandbox). So even if there is a malicious PDF and that ends up dropping a payload (Unknown executable), it will end up inside containment hence no harm done.

                        • #13
                          Hi Harvey,

                          Thank you for the information. I applied a Group Policy to move the Outlook temp files to a new location; however, this did not help. I have disabled the "Do heuristic command-line analysis for certain applications" option for the time being, to keep the users happy.

                          Hi Ferdinand,

                          Thank you for your reply. Would you mind exporting and sharing your ITSM computer profile? I'm just looking at the documentation now and setting up a new one; however, I'm interested to see how others have got theirs set up.

                          Kind Regards,
                          Ricky Kunde
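                          A check added here (not from the thread, and not part of Comodo's or Microsoft's tooling) for the relocation described above: it reads the per-user OutlookSecureTempFolder registry value that controls where Outlook extracts opened attachments, reports whether that folder still sits under the user's %TEMP% (the location Harvey's reply says is treated as untrusted), and lists the .pdf files Outlook has already extracted there. It assumes Windows PowerShell on a machine whose Outlook writes its settings under the Office 16.0 registry hive; the version string is a parameter.

```powershell
# Added example, not from the thread: show where Outlook extracts attachments for
# the current user and whether that folder is under %TEMP%, the condition given
# in Harvey's reply for an opened .pdf being treated as untrusted.
# Assumptions: Windows PowerShell 5.1; Outlook settings live under the Office
# '16.0' registry hive. Change -OfficeVersion for other Office builds.

function Get-OutlookSecureTempFolder {
    param([string]$OfficeVersion = '16.0')
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    $props = Get-ItemProperty -Path $key -Name 'OutlookSecureTempFolder' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }   # value absent: Outlook uses its default cache folder
    return $props.OutlookSecureTempFolder
}

function Test-UnderUserTemp {
    param([Parameter(Mandatory)][string]$Path)
    # Normalise both paths before comparing so trailing slashes and case do not matter.
    $temp = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    return $full.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)
}

$folder = Get-OutlookSecureTempFolder
if (-not $folder) {
    Write-Output 'OutlookSecureTempFolder is not set; Outlook is using its default attachment cache.'
} elseif (Test-UnderUserTemp -Path $folder) {
    Write-Output "Attachments open from '$folder', which is under %TEMP% ($env:TEMP)."
} else {
    Write-Output "Attachments open from '$folder', which is outside %TEMP%."
}

# List the .pdf attachments Outlook has already extracted there, if the folder exists,
# to see which documents users opened straight from mail instead of saving first.
if ($folder -and (Test-Path -LiteralPath $folder)) {
    Get-ChildItem -LiteralPath $folder -Filter '*.pdf' -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}
```

Run it in the affected user's session (the value is per user, so an elevated prompt under another account will not show it).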
                          • #14
                            It seems two issues may be being created here.
                            1. PDFs and other unknown files are being sandboxed regardless of whether they originated in email or not. I have created PDFs on the system to test this, and have also seen Adobe itself, which was downloaded and installed, run in the sandbox. I have a machine on which I tried to install Cisco Packet Tracer; it won't even install the program but runs the installer in the sandbox. So some more control is needed there to administer effectively.
                            2. Alerts of processor, RAM and/or disk usage thrashing that seem to occur frequently, and I'm witnessing Comodo activity to be the culprit here.
                            3. Bonus issue: RMM going down intermittently. I have a site completely down now that I must visit to see what's going on.

                            • #15
                              Originally posted by Harvey:
                              Hello MTekhna

                              If you have reinstalled Comodo Client - Security since then, please disable the "Do heuristic command-line analysis for certain applications" option from the ITSM profile (ITSM > Profiles > Profile list > -Open Profile in question- > HIPS > HIPS Settings), or if you have the identical issue on a different machine, disable it from the profile assigned on that specific device so we can see if the issue is avoided by doing this.

                              Looking forward to your reply.
                              Harvey, I did as suggested and am waiting to see the outcome, but the site I am having issues with is currently inaccessible from RMM.
