Advice Request COMODO and vulnerable processes


shmu26

Just wondering -- why doesn't COMODO have special protection for vulnerable processes?
There is such protection in NoVirusThanks ERP, Voodooshield, and SecureAPlus.
Is there a reason why COMODO doesn't need it, or maybe it is there, but I don't know about it?
 

509322

Just change file rating of vulnerable process from Trusted to Unrecognized - if you use HIPS. You'll have to decide whether you wish to exclude them from auto-sandboxing as well.

Otherwise you can simply block execution by creating rules for it - either in the HIPS or Sandbox modules.

The problem with creating rules is that CIS still suffers from the "disappearing rules" bug.

So your only effective option is to change the file rating to Unrecognized and use the HIPS. When you see a HIPS alert for any of the vulnerable processes you proceed with caution.
 

shmu26

Thanks. I actually employ the strategy you mentioned -- change the file rating to Unrecognized, use the HIPS, and make an ignore rule in the autosandbox.
 

cruelsister

Shmu- Remember that the applications that you mention are not sandbox based, so a different way of protecting the system is needed. With Comodo (sandbox set correctly) as well as with something like Sandboxie the rules you refer to are not needed.

By "vulnerable processes" (a term I dislike) is meant either a process that malware can be injected into and/or a valid Windows process that is commanded to run a malicious payload. Very (very, very) basically, let's go over both the former and the latter:

1) Process injection- Stuff like botnets just love this method- run the malware file and it will inject (or hook) into something like svchost, which will then be co-opted to send malware to thousands of email addys. With Comodo there is no need to obsess over how to make some sort of rule for injected svchost since the sandbox (once again, properly set) will prevent the injection from occurring in the first place (if you want to see malware like this in action, I published an Avast vs Spambot video on Nov 5).

2) Things that are commanded to run a payload- this can range from rundll32 running a payload dll, or wscript.exe running a malicious vbs script (both really popular ransomware mechanisms)- in both of these cases, although both rundll32 and wscript can be called up to run the payload, the payload itself will be in the sandbox, so activating it won't affect the real system one little bit (see the Nov 12 Comodo vs Ransomware video for these examples).

Anyway, I'm sure one can think up rules for things like this, but why would one even bother to do so? When using Comodo never make things hard on yourself by over thinking things. Simplest is the best, and that has been a real hard concept to get across.
 

shmu26

There is a third scenario, although admittedly it is less common. Instead of downloading a payload -- which will be blocked upon execution by COMODO or another default/deny app -- the exploit goes and messes directly with the PC.

Let's say I browse to the New York Times, and my Chrome hasn't updated yet, so I am missing the patch I need for the type of flash exploit that is hidden in a hosted ad.
The exploit executes powershell or cmd.exe on my computer, and changes all sorts of things, probably the first change it makes is to disable COMODO after the next reboot.

That's why I think certain processes, such as powershell and cmd.exe, need extra protection.
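The "vulnerable process" protection that NVT ERP and VoodooShield apply is, at bottom, a set of rules about who launched cmd, powershell, rundll32 or wscript and what they were told to run. As an added example (not code from any poster in this thread, from Comodo, or from those products), here is that logic in Python, applied to constructed process-creation records whose field names only loosely follow Sysmon Event ID 1. It covers both cruelsister's second case above (rundll32 or wscript commanded to run a payload dropped in a user-writable folder) and the third scenario just described (a browser spawning a hidden, encoded PowerShell that sets up persistence for the next reboot). The process list, the parent list and the path patterns are assumptions chosen for the demo, not any product's real rule set.

```python
"""Flag launches of 'vulnerable' Windows processes (interpreters and proxies
such as cmd, powershell, wscript, rundll32) that look as if they were
commanded to run a payload. Added example; the events below are constructed,
not real logs, and the field names only loosely follow Sysmon Event ID 1."""
import ntpath
import re

# Processes malware commonly drives. Assumption: this subset is enough for the demo.
VULNERABLE = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
              "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Parents that have no business spawning a shell or script host (browsers,
# Office, PDF readers): the exploit-hidden-in-an-ad scenario. Assumed list.
EXPLOITABLE_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
                       "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Locations a drive-by or e-mail attachment can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)\\|%temp%|%appdata%",
    re.IGNORECASE)
# -EncodedCommand (any prefix PowerShell accepts) or a hidden window.
PS_HIDDEN_OR_ENCODED = re.compile(
    r"\s-(e|ec|en|enc|encodedcommand)\b|\s-w(indowstyle)?\s+hidden\b", re.IGNORECASE)
# Persistence via the Run key: the "disable it after the next reboot" step.
RUN_KEY = re.compile(r"currentversion\\run\b", re.IGNORECASE)


def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = ntpath.basename(event["image"]).lower()
    if image not in VULNERABLE:
        return []  # not one of the processes we care about
    parent = ntpath.basename(event["parent_image"]).lower()
    cmdline = event["cmdline"]
    reasons = []
    if parent in EXPLOITABLE_PARENTS:
        reasons.append("spawned_by_exploitable_app")
    if USER_WRITABLE.search(event["parent_image"]):
        reasons.append("parent_in_user_writable_path")
    if USER_WRITABLE.search(cmdline):
        reasons.append("payload_in_user_writable_path")
    if image == "powershell.exe" and PS_HIDDEN_OR_ENCODED.search(cmdline):
        reasons.append("hidden_or_encoded_powershell")
    if RUN_KEY.search(cmdline):
        reasons.append("autorun_persistence")
    return reasons


def scan(events):
    """Run classify() over an event stream; return (image, reasons) for each hit."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ntpath.basename(ev["image"]).lower(), reasons))
    return hits


# Constructed sample events (not captured from a real machine).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\payload.dll,Start"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\resume.vbs"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v upd /d C:\Users\bob\AppData\Local\Temp\a.exe'},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Running it prints the four hits (the svchost service start and the plain `cmd.exe /c dir` from Explorer stay quiet). None of the checks needs to know anything about the payload file itself, only the parent, the child and the command line, which is the same information a HIPS alert gives you when a process you have rated Unrecognized is asked to launch something.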
 

shmu26

To answer my own question: that's why COMODO gives you the option of running browser and other exploitable apps in sandbox. If you do that, you have solved the whole problem.
 

Davidov


Cruelsister, please say on this issue whether it is necessary to sandbox the browser. It will not be contrary to safety when we use less stringent rules. Thanks for the reply.
 