- Apr 13, 2013
1). I had a bit of time while I was waiting for people, so I did a VERY quick test of OSA (at default) with CF (at mine). I really did not see any advantage to having OSA running concurrently. About the only thing that I did see were popups for wscript for that which was already contained by CF.
I do have a question for any OSA experts: I did go into Advanced OSA settings and enabled "Block execution of processes on Documents folder". I then ran a RedEye ransomware file. Quick as a bunny, the Documents were encrypted with nary a peep from OSA. If I missed some setting, please let me know, as I find the result odd.
2). Also about the Comodo HIPS- with my settings the HIPS module is redundant. For instance, running a recent Crab encryptor/info stealer:
1). With my setting the thing is immediately contained and actually deleted. No harm done, no user input required.
2). With my setting AND the HIPS active- Obviously no peep from the HIPS as the file is gone.
3). Sandbox at PL with HIPS active- Other than the initial "Explorer.exe is trying to execute Whatever" popup no other HIPS alerts at all (Fun Fact- running a RedEye at restricted just kills the malware; at PL one will actually hear the creepy child laughing mp3 that arises from RedEye. Other than that no issue).
4). Sandbox disabled, HIPS enabled (Safe Mode)- you will get multiple HIPS alerts including an alert to both a ScreenLogger and keylogger, then a couple of other popups. A person can just Block and terminate at the initial popup, of course. But allowing all the popups to present and blocking all will leave the system clean.
Point being, if you like HIPS popups, knock yourself out! But the HIPS really isn't adding anything to protection.