cruelsister

Level 36
Verified
Trusted
Content Creator
1). I had a bit of time while I was waiting for people, so did a VERY quick test of OSA (at default) with CF (at mine). I really did not see any advantage to having OSA running concurrently. About the only thing that I did see were popups for wscript for that which was already contained by CF.

I do have a question for any OSA experts- I did go into Advanced OSA settings and enabled "Block execution of processes on Documents folder". I then ran a RedEye ransomware file. Quick as a Bunny the Documents were encrypted with nary a peep from OSA. If I missed some setting please let me know as I find the result odd.

2). Also about the Comodo HIPS- with my settings the HIPS module is redundant. For instance, running a recent Crab encryptor/info stealer:

1). With my setting the thing is immediately contained and actually deleted. No harm done, no user input required.
2). With my setting AND the HIPS active- Obviously no peep from the HIPS as the file is gone.
3). Sandbox at PL with HIPS active- Other than the initial "Explorer.exe is trying to execute Whatever" popup no other HIPS alerts at all (Fun Fact- running a RedEye at restricted just kills the malware; at PL one will actually hear the creepy child laughing mp3 that arises from RedEye. Other than that no issue).
4). Sandbox disabled, HIPS enabled (Safe Mode)- you will get multiple HIPS alerts including an alert to both a ScreenLogger and keylogger, then a couple of other popups. A person can just Block and terminate at the initial popup, of course. But allowing all the popups to present and blocking all will leave the system clean.

Point being, if you like HIPS popups knock yourself out! But the HIPS really isn't adding anything to protection.
 

Nightwalker

Level 17
Verified
Content Creator
1). I had a bit of time while I was waiting for people, so did a VERY quick test of OSA (at default) with CF (at mine). I really did not see any advantage to having OSA running concurrently. About the only thing that I did see were popups for wscript for that which was already contained by CF.

I do have a question for any OSA experts- I did go into Advanced OSA settings and enabled "Block execution of processes on Documents folder". I then ran a RedEye ransomware file. Quick as a Bunny the Documents were encrypted with nary a peep from OSA. If I missed some setting please let me know as I find the result odd.

2). Also about the Comodo HIPS- with my settings the HIPS module is redundant. For instance, running a recent Crab encryptor/info stealer:

1). With my setting the thing is immediately contained and actually deleted. No harm done, no user input required.
2). With my setting AND the HIPS active- Obviously no peep from the HIPS as the file is gone.
3). Sandbox at PL with HIPS active- Other than the initial "Explorer.exe is trying to execute Whatever" popup no other HIPS alerts at all (Fun Fact- running a RedEye at restricted just kills the malware; at PL one will actually hear the creepy child laughing mp3 that arises from RedEye. Other than that no issue).
4). Sandbox disabled, HIPS enabled (Safe Mode)- you will get multiple HIPS alerts including an alert to both a ScreenLogger and keylogger, then a couple of other popups. A person can just Block and terminate at the initial popup, of course. But allowing all the popups to present and blocking all will leave the system clean.

Point being, if you like HIPS popups knock yourself out! But the HIPS really isn't adding anything to protection.
Where was the RedEye ransomware localizated? Was it in Documents Folder?

If it was localizated in another folder than the result isnt odd, this rule simple block the execution in that specific Documents Folder, like a anti executable.

I did try in my machine and it worked like it should ...
 

shmu26

Level 82
Verified
Trusted
Content Creator
No, it was the entire Doc folder (and pictures) that were encrypted. Thanks for checking it out- I'm certain that it had to be some flaw in my setup.
It doesn't matter where the docs are, it matters where the malware is executed from. The setting that you tested is intended to block EXECUTION from documents folder. If the malware sample is executed from anywhere else, that setting is not gonna help you any, because that is not its purpose.

Anyone who takes even a cursory look at OSA can see that it is a dedicated app to protect against malicious scripts of various types. You won't find this kind of dedicated anti-script protection in Comodo, unless you tweak it out, at the risk of your sanity.

I am not a fanboy of OSA or other NVT products. I change my security setup at least as often as my wife buys shoes. Sometimes I use OSA, sometimes not. Sometimes I use a 3rd party AV, sometimes not. Sometimes I use Comodo Firewall, sometimes not. But I must give credit where it is due.
 
Last edited: