App Review FortiClient vs Scriptors on Windows 10

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
In my previous video it was shown what had to be done to prevent malicious Scriptors from running on a Windows 7 system, at least for those Scriptors that relied on WSH and PowerShell.

But now in Windows 10 Microsoft has developed and incorporated the Antimalware Scan Interface (AMSI). AMSI essentially is a sort of Dynamic Analysis platform that will inspect at a deep level those Scriptors that use Windows built-in scripting hosts, detecting questionable behavior and passing on this verdict to any Security Solution that calls upon it for information.

Two questions now can be asked:

1). Does AMSI provide any native protection itself, or must an application call on it to be effective?

2). For those applications that can utilize AMSI, will protection be afforded for those Scriptors that do not use Windows' built-in scripting hosts?

I'll try to answer the first question with this Video (music by Chantal Acda), and the second with a review of Windows Defender on Windows 10 later in the week.


 

Moose

Level 22
Jun 14, 2011
2,271
Salutations,

> Could you show Comodo Firewall results with the same test?
> Do you have link for KillSwitch for Windows 10?
> CIS 9 release?
> Your opinion of SpyShelter?

Kind regards,
 
Last edited:
  • Like
Reactions: done

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Moose- 1). Comodo Firewall contains all riff-raffy stuff like this without any issue.

2). I used the current Killswitch version on Windsows 10. Actually I just copied the entire CCE directory from a Win7 system and dropped it onto the Win10 machine.

3). No clue as to version 9 of Comodo. Melih emails me occasionally, but never to divulge the Crown jewels.

4). I really have no opinion of SpyShelter as I rarely ever consider it. CF is totally effective and much broader based, so why bother? The main trick with CF is simplicity- people tend to delve into it too deeply, and come out of it with nothing but bugs and frustration.

M
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Morning cruelsister

Can one enable/use the Antimalware Scan Interface on Windows 10 home edition, and would avast! utilize such technology?

Tony :)
 
  • Like
Reactions: Moose
H

hjlbx

CF is totally effective and much broader based, so why bother? The main trick with CF is simplicity- people tend to delve into it too deeply, and come out of it with nothing but bugs and frustration.

I have been hunting and reporting CIS bugs for quite some time.

So from the perspective of experience, let's address the issue of Comodo bugs on a factual, well-measured basis - and some food for thought:

  • A significant portion of CIS bugs, reported or otherwise, are not really bugs. User's that don't fully understand how CIS works frequently interpret unclear and unexpected behavior as a bug. Huge problem in that user frustration gets widely "converted" into CIS bugs. Simple formula: User confusion = bug !
The issue of why CIS is difficult to comprehend for so many is an entirely different issue best not covered here... needless to say anyone who delves into the depths of CIS settings is going to be stumped sooner rather than later. Even some seasoned IT professionals balk and begin to sputter when confronted with the CIS Protected COM and Firewall MAC interfaces.

  • In my experience, one need not go very deep into CIS to discover actual bugs. A case in point are the antivirus alerts, scanner and virtual kiosk (not advocating the use of those modules, just using them to make a point - so please, let's steer clear of the CIS AV\HIPS debate). Anyhow, the more modules you use, the more likely one is to find a bug. This is why CFW is less buggy than CIS.

  • Despite whatever bugs I have discovered, CIS has always provided a means to create a work-around rule and the ability to disable alerts. Alternatively, there is always the option to not use or avoid use of the offending CIS feature or module. I can never understand that some see this as utterly ludicrous security soft heresy. To me, those that adhere to this perspective are way too OCD and have no real, practical understanding of the entire issue. In any case... pardon the micro-rant... I have found no bugs since v 7 that gravely compromise system security.

  • A significant portion of CIS bugs are system specific; there is a wide variation in CIS behavior dependent upon whether it is installed on an AMD or Intel system, the system's processor type, and installed softs - like OEM crapware and custom drivers.

  • If one looks at some of the vulnerabilities (which technically are not bugs) reported on the Comodo forum, a significant portion - while actual vulnerabilities - are so arcane and difficult to exploit that no one in their right mind would bother trying to actually exploit them. So it is no surprise that Comodo engineering groups never fix them as it is pointless other than to satisfy some users' OCD security soft fantasies.
(A criminal that sets out to exploit CIS vulnerabilities isn't going to be financially successful - not one bit).

* * * * *

Bottom line...

@cruelsister is correct regarding CIS and scriptors.

The only viable option is a combination of anti-executable, virtualization and firewall.

One can cobble together a highly effective config using separate apps or just use an app that fully integrates AE-V-FW. The only one I have been able to find that works is CIS...
 
Last edited by a moderator:

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Tony- AMSI is always on- it's up to the 3rd party developer (Avast, Avira, Norton, etc) to recode their products to take advantage of it. With Windows 10 uptake by the consumer recently flatlining at a bit below 6% it may be a very long process.
 
  • Like
Reactions: done and Moose

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top