App Review Comodo Cloud AV - Autosandbox only - petya bypassed


Wave

Thanks for sharing! :)

you think Petya is able to bypass SD and encrypt host machine?
No, it can't.

In fact, Petya itself contains no functionality to bypass sandbox mechanisms/virtual environments in order to attack the host system. It targets the Master Boot Record and overwrites it; therefore, if the security product does not isolate the sample so that it cannot access the boot sector (or monitor write requests to it and block them for the sample while it is running dynamically), the system will become compromised.

Therefore, even though Petya was not blocked in the first video, the Petya sample itself did not "bypass" Comodo Sandbox - nothing like this occurred. It was the fault of Comodo.

cruelsister

Spawm- CCAV is totally inferior to the other Comodo products. With it, they are just pandering to the masses who are hung up on the antiquated "Anti-Virus" method of protection. CF is much more elegant and will provide superior protection.

Just my opinion, but I am always correct...

shmu26

What will happen if you set the CCAV sandbox to block unknowns, rather than virtualize them? Will it then protect the system properly?

EDIT: the advantage to CCAV is that you can combo it much more freely, because no HIPS. For instance, you can combo it with KIS.

Deleted member 2913

I think the sandbox set to block unknowns should protect the system, as the sample would be blocked/stopped from running... Evjl's Rain & cruelsister?

Evjl's Rain

There is no option to block unknown apps in CCAV.
Perhaps CF has one, but this is a very risky option and may cause an unbootable system or break usability.

shmu26

perhaps CF has but this is a very risky option. and may cause an unbootable system, break usability
Once you get yourself settled in with CCAV, and all your important files are already recognized and trusted, then you could try switching to block unknowns, because at that point it is kind of unlikely that you will get a new critical boot file that is unsigned by Microsoft or your graphics vendor.

But it could happen, theoretically. Then you would have to boot into safe mode, start up CCAV, and mark the new file as trusted.

AtlBo

Thanks for helpful test videos again.

I question why the sandbox functions differently in CCAV than in CFW. I feel this shouldn't be the case.

On the topic of MBR protection, does HIPS monitoring of "Protected Objects" (see pic) protect against MBR alterations/protect the master file table?

Protected Objects.jpg


This is a question I have had for about two weeks I guess. Haven't had an opportunity to inquire, so maybe now is the best time or I hope so :). Don't want to confuse any CCAV users!

shmu26

The heading your screenshot falls under is "Protected Files". I kinda think the COM Interfaces heading is where the MBR protection is at, but I must admit that I am just guessing.
I wouldn't mind at all if someone who really knows can enlighten us...

Wave

Not sure why COM would be related to the Master Boot Record. The MBR is the first sector on the disk; it's not even 32-bit/64-bit (it would be 16-bit ASM, since the OS hasn't even loaded yet, so memory is even more limited and the processor can only make use of 16-bit registers). It's also essential that it's exactly 512 bytes in size and has the boot signature at the end (55AA).

All Comodo needs to do is use a device driver to restrict write access to the MBR for the isolated program, problem solved. I'm surprised they didn't do it already for CCAV? Does the firewall version protect against MBR modifications from inside the sandbox?

Or they can just trick programs modifying it into believing they did when it didn't change anything.
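The two options Wave lays out here (refuse the write, or let it "succeed" against a private copy), together with the earlier point that Petya only needs a path to write sector 0, modelled in Python as an added example. This is not code from the thread, from Comodo or from Petya: the 512-byte disk image, the process IDs, the DiskGate class and the policy names are all constructed for illustration, and a real implementation would live in a kernel-mode filter driver rather than user-mode Python.

```python
"""Toy model (added for illustration, not code from the thread or from Comodo)
of how a sandbox's disk-write filter can keep an isolated program away from
the Master Boot Record.  Three policies are simulated on an in-memory disk:
  none       - writes pass through (the unprotected case)
  block      - sandboxed writes to sector 0 are refused
  virtualize - sandboxed writes to sector 0 go to a private shadow copy, so
               the program sees its write "succeed" while the real MBR is untouched
The disk image, process ids and policy names are all constructed assumptions."""
import struct

SECTOR_SIZE = 512                  # the MBR is exactly one sector: LBA 0
BOOT_SIGNATURE = b"\x55\xAA"       # bytes 510-511 of a valid MBR


def build_sample_mbr() -> bytes:
    """Construct a synthetic but structurally valid MBR (assumed layout)."""
    boot_code = b"\xEB\xFE" + b"\x90" * 438          # 440 bytes: jmp $ + NOPs
    disk_signature = struct.pack("<I", 0x1234ABCD)  # 4 bytes at offset 440
    reserved = b"\x00\x00"                           # 2 bytes at offset 444
    # Partition entry 1: bootable, type 0x07 (NTFS), start LBA 2048, 1 GiB
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2097152)
    table = entry + b"\x00" * 48                     # 4 x 16 bytes at offset 446
    return boot_code + disk_signature + reserved + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Check size and 0x55AA signature, then read the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing boot signature 0x55AA")
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start_lba": start, "sectors": count})
    return {"disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": partitions}


class DiskGate:
    """Stand-in for the kernel driver that would filter sector writes."""

    def __init__(self, disk: bytearray, policy: str):
        if policy not in ("none", "block", "virtualize"):
            raise ValueError("policy must be none, block or virtualize")
        self.disk, self.policy = disk, policy
        self.shadows = {}   # pid -> {lba: bytes}: per-process virtual sectors
        self.log = []       # (pid, lba, decision) audit trail

    def write_sector(self, pid: int, sandboxed: bool, lba: int, data: bytes) -> bool:
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes are whole sectors")
        # Only sector 0 of a sandboxed process is policed in this toy;
        # trusted processes and other sectors pass straight through.
        if not sandboxed or lba != 0 or self.policy == "none":
            self.disk[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE] = data
            self.log.append((pid, lba, "allowed"))
            return True
        if self.policy == "block":
            self.log.append((pid, lba, "denied"))
            return False                     # caller gets a write failure
        self.shadows.setdefault(pid, {})[lba] = bytes(data)
        self.log.append((pid, lba, "redirected"))
        return True                          # caller is told the write succeeded

    def read_sector(self, pid: int, sandboxed: bool, lba: int) -> bytes:
        if sandboxed and lba in self.shadows.get(pid, {}):
            return self.shadows[pid][lba]    # sandboxed process sees its own copy
        return bytes(self.disk[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE])


def demo(policy: str) -> dict:
    """Sandboxed process (pid 4242, assumed) overwrites LBA 0 under one policy."""
    disk = bytearray(build_sample_mbr() + b"\x00" * SECTOR_SIZE * 3)
    gate = DiskGate(disk, policy)
    # Constructed stand-in for a bootloader overwrite: foreign code, partition
    # table clobbered, but a valid signature so the firmware would still run it.
    rogue_mbr = b"\xCC" * 510 + BOOT_SIGNATURE
    accepted = gate.write_sector(4242, True, 0, rogue_mbr)
    real = parse_mbr(gate.read_sector(1, False, 0))       # what the OS boots from
    seen = gate.read_sector(4242, True, 0)                # what the sample reads back
    return {"policy": policy,
            "write_accepted": accepted,
            "real_mbr_intact": len(real["partitions"]) == 1,
            "sample_sees_its_write": seen == rogue_mbr,
            "decision": gate.log[-1][2]}


if __name__ == "__main__":
    for policy in ("none", "block", "virtualize"):
        print(demo(policy))
```

Run it as a script to see the three outcomes side by side: under "none" the real partition table is gone after the write, which is the unprotected case the thread describes; under "block" the sample gets a write failure; under "virtualize" the sample reads back its own rogue sector while the OS still boots from the original one.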

shmu26

@AtlBo, that black fedora hat in your avatar looks a lot like one I wear in real life.
You too?