Comodo Cloud detection

Status
Not open for further replies.

Kate_L

in memoriam
Thread author
Verified
Top Poster
Well-known
Jun 21, 2014
1,044
Hello, as an old COMODO fan I wanna know how the online Cloud detection works. I noticed in @cruelsister's video that COMODO detected some files with the cloud engine, and I wanna know: if I use CIS in Internet Security mode, will I get the same result? Do I need to check CAMAS?

I am asking this because on my home PC COMODO never detects files using the Cloud. I am thinking of replacing AVAST on my work PC and Tencent on my laptop.
 

Deleted member 2913

The Comodo Cloud option is under the File Rating options.
It's enabled by default.
Yes, Comodo Internet Security mode will detect with the Cloud too.

The reason you see the cloud detection alert in cruelsister's video is that she uses Comodo Firewall only.
No AV is installed, but as the Cloud connection is there, malware is detected and the Cloud detection alert appears.

With CIS, as the AV is there too, mostly the local AV will detect it and you will get an AV alert.
But if a new detection is added to the Cloud and the local AV hasn't updated yet, then you will get a Cloud alert if the malware detection was found in the cloud.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
I'm testing it on a Win10 VM right now--so far, so good in that it hasn't blown up.

MBAE seems to interfere with it and Qihoo; MBAE doesn't seem quite ready for prime time... or Win10. Either way, I can't use it.

I'll have to test this again to be certain but Comodo's scanner (not sure which) found my test malware to be clean and didn't sandbox it:
https://www.virustotal.com/en/file/...b4df9de28886ffdfe925a941/analysis/1434521848/
It actually sandboxed it the first time I ran it but it declared it "clean" an hour later when I ran it again. Perhaps one day we'll be able to use a cloud aggregate (or an aggregate cloud, like VirusTotal) and set a threshold...

This is why I will be testing Qihoo w/BD&Avira with Comodo FW sans AV/cloud scanner. So far, I have learned that Qihoo's sandbox has to be disabled (does it even auto-sandbox?) or it will interfere with Comodo's ability to terminate malware in Comodo's own sandbox. Strange.

The other issue is getting Comodo to stop virtualizing Win10 processes. (Shouldn't they already be whitelisted?)
 

hjlbx

Hello, as an old COMODO fan I wanna know how the online Cloud detection works. I noticed in @cruelsister's video that COMODO detected some files with the cloud engine, and I wanna know: if I use CIS in Internet Security mode, will I get the same result? Do I need to check CAMAS?

I am asking this because on my home PC COMODO never detects files using the Cloud. I am thinking of replacing AVAST on my work PC and Tencent on my laptop.

Comodo Cloud query just supplements the local AV signature database. When it is polled it returns a file rating of Trusted, Unrecognized or Malicious. It works as an additional detection method during the period of time when Comodo makes a Malicious verdict, but before permanent malware signatures are created and added to AV updates.

Comodo Cloud will only "detect" a very small fraction of files as Malicious. For example, when I was testing CIS (both IS and Proactive modes) against the most recent Virussign malware packs, Comodo Cloud blocked less than 5 % of the files as malicious. I have no exact figure, but I would estimate it closer to 2 % or less...

If you mess about with malware packs you will eventually see Comodo Cloud in action. In fact, it is working all the time in the background - but you wouldn't know it - since CIS does not generate alerts for Trusted applications... In other words, CIS queries the Cloud constantly to verify objects in active memory.

With Unrecognized files it may take a very long time before a Comodo Cloud query returns a Trusted or Malicious rating - from 15 mins to many months... Comodo's speed with finalized file ratings of Unrecognized files is screwy - something that a lot of users complain about - but to CIS' credit - the system remains protected if the user just leaves the rating as Unrecognized...

The case where a user rates an Unrecognized (and actually Malicious) file as Trusted - to avoid alerts or blocks - is obviously problematic. I thoroughly verify a file before changing the rating from Unrecognized to Trusted - or - just let it ride as Unrecognized on my system until Comodo returns a Trusted rating...

Hope this clarifies...
 

hjlbx

I'm testing it on a Win10 VM right now--so far, so good in that it hasn't blown up.

MBAE seems to interfere with it and Qihoo; MBAE doesn't seem quite ready for prime time... or Win10. Either way, I can't use it.

I'll have to test this again to be certain but Comodo's scanner (not sure which) found my test malware to be clean and didn't sandbox it:
https://www.virustotal.com/en/file/...b4df9de28886ffdfe925a941/analysis/1434521848/
It actually sandboxed it the first time I ran it but it declared it "clean" an hour later when I ran it again. Perhaps one day we'll be able to use a cloud aggregate (or an aggregate cloud, like VirusTotal) and set a threshold...

This is why I will be testing Qihoo w/BD&Avira with Comodo FW sans AV/cloud scanner. So far, I have learned that Qihoo's sandbox has to be disabled (does it even auto-sandbox?) or it will interfere with Comodo's ability to terminate malware in Comodo's own sandbox. Strange.

The other issue is getting Comodo to stop virtualizing Win10 processes. (Shouldn't they already be whitelisted?)

Comodo sandbox does not automatically terminate anything... that is not how it works.

Unless a file is digitally signed by Microsoft, it will be treated as Unrecognized by Comodo. You will find that many System32 and SysWOW64 files are digitally unsigned - and consequently - rated as Unrecognized and then auto-sandboxed when loaded into active memory. Automatically white-listed = digitally signed by a vendor included on the Trusted Vendor List (TVL).

Comodo does not white-list the System32 and SysWOW64 directories.

You can use SysInternals' SigCheck to verify that files are digitally signed - it is not necessary, but rather a handy little tool that will help in figuring out why Comodo treats certain files as Unrecognized.
 
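To see why a file can end up Unrecognized even though it lives in System32, the signing check that SigCheck performs can be approximated with a stdlib-only parser. The Python below is an added example written for this thread, not SigCheck's or Comodo's code: has_embedded_signature reads the security data directory (index 4) of the PE optional header, which is where an embedded Authenticode certificate table is recorded, and build_minimal_pe constructs a tiny fake image so the check can be exercised offline. The function names, the directory walker and the constructed images are all assumptions of this example. One caveat: an absent certificate table means only that there is no embedded signature; Windows also signs many OS binaries through security catalogs, which this parser does not consult, so treat its output as triage and confirm with SigCheck before changing a file's rating.

```python
import struct
from pathlib import Path
from typing import Iterator, Tuple

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode table


def has_embedded_signature(data: bytes) -> bool:
    """True if the PE image carries a non-empty certificate (security) directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = pe_off + 4
    size_opt = struct.unpack_from("<H", data, coff_off + 16)[0]  # SizeOfOptionalHeader
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt_off + nrva_off)[0]
    entry = opt_off + dirs_off + SECURITY_DIR_INDEX * 8
    if n_dirs <= SECURITY_DIR_INDEX or entry + 8 > opt_off + size_opt:
        return False  # image declares no security directory at all
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    # For this directory the first field is a raw file offset, not an RVA,
    # so the table must fit inside the file to count as present.
    return cert_off != 0 and cert_size != 0 and cert_off + cert_size <= len(data)


def build_minimal_pe(pe32plus: bool, cert_size: int) -> bytes:
    """Constructed, non-runnable PE skeleton used only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)                           # 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)    # NumberOfRvaAndSizes
    header_end = 0x40 + 4 + 20 + len(opt)
    if cert_size:  # point the security directory at a zero-filled placeholder blob
        struct.pack_into("<II", opt, dirs_off + SECURITY_DIR_INDEX * 8, header_end, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


def scan_directory(folder: Path) -> Iterator[Tuple[str, str]]:
    """Yield (file name, status) for executables, DLLs and drivers in one directory."""
    for path in sorted(folder.glob("*")):
        if path.suffix.lower() not in {".exe", ".dll", ".sys"}:
            continue
        try:
            signed = has_embedded_signature(path.read_bytes())
            status = "embedded signature" if signed else "no embedded signature"
        except (OSError, ValueError) as exc:
            status = f"skipped ({exc})"
        yield path.name, status


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name, status in scan_directory(Path(sys.argv[1])):
            print(f"{status:24} {name}")
    else:  # no folder given: demonstrate on the constructed images
        for label, image in [("pe32, no table", build_minimal_pe(False, 0)),
                             ("pe32+, table", build_minimal_pe(True, 64))]:
            print(label, "->", has_embedded_signature(image))
```

Point it at a folder (for example `python pecheck.py C:\Windows\System32`) and the files reported as having no embedded signature are the candidates to look at more closely with SigCheck; the parser deliberately refuses non-PE input and treats a certificate table that runs past the end of the file as absent rather than trusting a dangling pointer.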

Rolo

Level 18
Verified
Jun 14, 2015
857
Comodo can be configured to terminate unrecognized executables, no? If not technically, then pragmatically (i.e. it is sandboxed first, then terminated... the effect is the same, assuming the sandbox is configured properly to deny access to everything).

It shouldn't whitelist a directory; that would be a vulnerability. I have to look further (Is there some mandate that security software must have an awful UI? They're pretty much all guilty of that) but it has rules for OS files, etc. In spite of that, some OS files are getting sandboxed but I am running Win10.

Wouldn't train mode in Comodo perform the same function as VoodoShield's training function (off)?

It looks like I found the same issue you did: https://forums.comodo.com/bug-repor...abledefaultdeny-settings-rules-t110645.0.html
I use SoftOrganizer when installing everything and that causes Comodo to not even look at anything run by it and I can't see how to configure Comodo to do otherwise (no way to call SoftOrganizer "Trusted" but not an "Installer" since the toggle specifically made for that isn't working).

"Default deny....sometimes" isn't going to work!
 

Rolo

Level 18
Verified
Jun 14, 2015
857
I'm not so sure it's only hash-based; there's one option to use the cloud and another dependent on it to upload unknown files (I assume unknown hashes) for analysis. With those enabled, I've had an unknown file sandboxed/jailed and the same file an hour later run normally due to the cloud scan saying it was clean.

The issue is that I know it isn't clean and 15/57 engines on VirusTotal don't think it is after VT analysed it. The problem is that we have to leave it entirely up to Comodo's cloud mechanism rather than setting a threshold.
 

Malware1

Level 76
Sep 28, 2011
6,545
I'm not so sure it's only hash-based; there's one option to use the cloud and another dependent on it to upload unknown files (I assume unknown hashes) for analysis. With those enabled, I've had an unknown file sandboxed/jailed and the same file an hour later run normally due to the cloud scan saying it was clean.

The issue is that I know it isn't clean and 15/57 engines on VirusTotal don't think it is after VT analysed it. The problem is that we have to leave it entirely up to Comodo's cloud mechanism rather than setting a threshold.
When it uploads files for analysis and the file is found to be malicious, then only the file with that hash will be detected later without having to reupload it.
 

hjlbx

Comodo can be configured to terminate unrecognized executables, no? If not technically, then pragmatically (i.e. it is sandboxed first, then terminated... the effect is the same, assuming the sandbox is configured properly to deny access to everything).

It shouldn't whitelist a directory; that would be a vulnerability. I have to look further (Is there some mandate that security software must have an awful UI? They're pretty much all guilty of that) but it has rules for OS files, etc. In spite of that, some OS files are getting sandboxed but I am running Win10.

Wouldn't train mode in Comodo perform the same function as VoodoShield's training function (off)?

It looks like I found the same issue you did: https://forums.comodo.com/bug-repor...abledefaultdeny-settings-rules-t110645.0.html
I use SoftOrganizer when installing everything and that causes Comodo to not even look at anything run by it and I can't see how to configure Comodo to do otherwise (no way to call SoftOrganizer "Trusted" but not an "Installer" since the toggle specifically made for that isn't working).

"Default deny....sometimes" isn't going to work!

Futuretech's directions to disable Cloud query and elevated installer privileges have absolutely nothing to do with configuring Comodo for default deny. The default deny doesn't block some file and installer types - for example portable (.pfa) - because they are not included in Comodo's list of file types.

Turning off Cloud Lookup is really no big deal - as it adds very little to overall protection. However, it does not affect the sandbox rules set by the user.

Detect elevated privileges\installers just enables sandbox alerts for installers - that's it.

Maybe they won't fix it - but they are certainly aware of it...
 

hjlbx

One can use Comodo's Training Mode - but this is to be used only on a 100 % clean system. In other words, Training Mode exposes your system to a persistent infection. Training Mode is meant to create HIPS allow rules - and not "white-list" files. There is a fine nuance to the difference between the two.

I don't use Training Mode. Instead I manually add Windows and Program directories to Trusted file list - and only after a file verification on my part.

I suppose there are multiple ways to accomplish the same thing in Comodo - which some find to be maddening...
 

hjlbx

@Malware1 is actively submitting files to Comodo to help improve the product. He has lots of experience in this regard. You can bet if he states "hash-based, useless" - then - it is so...

Remember, Comodo Cloud is for file rating lookup - not malicious file detection per se - although it can and does block malicious files if enabled.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
Perhaps we're not using "default deny" in the same manner.

When configured as such, for a locally unknown file, Comodo will deny it by default. If you enable Comodo's cloud query, unknowns are still denied by default... until the cloud query clears the file as trusted, making the file no longer unknown, or marks it as malicious and will deny it for that reason. Default/Implicit is used when there are no specific/explicit rules, such as "trusted" or "malicious", etc.

The two options don't affect the default deny rule itself but they do affect the scope of the default deny rule by explicitly stating that files deemed clean by the cloud are allowed to run and files launched by an installer process are allowed to run.

I configured Comodo per futuretech's instructions and Comodo behaved as he said it would and as I wanted it to: Comodo now dealt with unknown files run by the SoftOrganizer installer with those not-so-intuitively-named options set correctly. As for your .pfa files, those must be proprietary since the PFA extension is used for printer font files. Can you link the application you're using? Did you try what futuretech suggested and it still didn't work?

If you say Comodo cloud is only hash-based, then what does the, "Analyze unknown files in the cloud by uploading them for instant analysis" do? I infer that it uploads the file, analyzes it (like VirusTotal does) and responds based on that file's analysis. As far as the cloud's usefulness is concerned, that depends on one's purpose: reduce nags/user-decisionmaking/false-positives or hardening, so it's useful for the former, not for the latter.
 

hjlbx

Futuretech's configuration has nothing to do with anti-executable default-deny. Disabling cloud lookup and installer detection will not block them. That configuration does not work. Anti-executable rules should block any newly introduced file - Trusted, Unrecognized or Malicious - introduced to the system. Rules will treat Trusted files as Unrecognized and auto-sandbox will block them with AE rules.

PFA is a typo; it should be .paf - portable applications. It has been confirmed that certain files will bypass Comodo's AE configuration...

I have been submitting bug reports to Comodo for a long time...
 

Rolo

Level 18
Verified
Jun 14, 2015
857
Disabling cloud lookup and installer detection will not block them.
Nobody said that they would; he (and I, now) say that you have to have those options disabled in order to get the result that you want (in addition to all the other configuring you have to do, which I don't think what you've posted is complete for what you want to do).

Anti-Executable
and default deny aren't interchangeable terms; to get the former, you have to deal with the file rating groups/rules and sandbox rules which trump default deny. I presume you could make an "Allow" group for all your executables you've deemed acceptable and ignore them (allow) and just block * (all) with no reputation attribute as the second sandbox rule. Comodo should then ignore what's on your list and block everything else.

Oh PortableApps.com type stuff. I don't know of a PAF file; I only know of *.paf.exe, which is still just an .exe. cf. http://downloads.sourceforge.net/project/portableapps/PortableApps.com Platform/PortableApps.com_Platform_Setup_12.0.5.paf.exe?r=&ts=1434589273&use_mirror=iweb
and
https://en.wikipedia.org/wiki/PortableApps.com
 

Rolo

Level 18
Verified
Jun 14, 2015
857
Comodo says cloud scanning isn't just hash-based: https://help.comodo.com/topic-72-1-623-7755-Unknown-Files---The-Scanning-Processes.html

If the file's hash isn't found...
Unrecognized files are simultaneously uploaded to Comodo's Instant Malware Analysis servers for further checks:
  • Firstly, the files undergo another antivirus scan on our servers.
  • If the scan discovers the file to be malicious (for example, heuristics discover it is a brand new variant) then it is designated as malware. This result is sent back to the local installation of CIS and the local and global black-list is updated.
  • If the scan does not detect that the file is malicious then it passes onto the next stage of inspection - behavior monitoring.
  • The behavior analysis system is a cloud based service that is used to help determine whether a file exhibits malicious behavior. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all actions that it takes will be monitored. For example, processes spawned, files and registry key modifications, host state changes and network activity will be recorded.
  • If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list.
  • If no malicious behavior is recorded then the file is placed into 'Unrecognized Files' and will be submitted to our technicians for further checks. Note: Behavior Analysis can identify malicious files and add to the global black list, but it cannot declare that a file is 'safe'. The status of 'safe' can only be given to a file after more in-depth checks by our technicians.
  • In either case, the result is reported back to your CIS installation in approximately 15 minutes. If the executable was not found to be malicious then it will be run in the auto-sandbox. It will simultaneously be added to the 'Unrecognized Files' list and uploaded to our technicians for analysis. If it is discovered to be a threat then CIS will show an AV alert to the user. From this alert the user can opt to quarantine, clean (delete) or disinfect the malicious file. This new threat will be automatically added to the global black list database and therefore benefit all CIS users.
 
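The flow argued over in this thread can be pinned down in a small model: hjlbx's description of the cloud query (a hash lookup returning Trusted, Unrecognized or Malicious that supplements local signatures), the manual's upload, rescan and behaviour-analysis steps quoted above, Malware1's point that a file found malicious is afterwards caught by hash without re-upload, and Rolo's point that cloud lookup does not change default deny but widens what escapes it. The Python below is an added example written for this thread; it is not Comodo's code or API. CloudService, LocalCis, technician_verdict and the byte strings are constructed stand-ins, and the option names in the comments are only labels for the two settings the posts mention.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Rating(Enum):
    TRUSTED = "Trusted"
    UNRECOGNIZED = "Unrecognized"
    MALICIOUS = "Malicious"


class Action(Enum):
    RUN = "run normally"
    SANDBOX = "run in auto-sandbox"
    BLOCK = "AV alert: quarantine / clean"


# Disposition per rating as the thread describes it: only an explicit
# Trusted verdict lifts a file out of the sandbox.
ACTION_FOR = {
    Rating.TRUSTED: Action.RUN,
    Rating.UNRECOGNIZED: Action.SANDBOX,
    Rating.MALICIOUS: Action.BLOCK,
}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class CloudService:
    """Constructed stand-in for the vendor's rating servers (hypothetical, not a real API)."""
    hash_ratings: dict = field(default_factory=dict)   # global verdicts keyed by SHA-256
    av_detects: set = field(default_factory=set)       # server-side AV / heuristic hits
    bad_behaviour: set = field(default_factory=set)    # behaviour-analysis hits
    uploads: list = field(default_factory=list)        # audit trail of submitted hashes

    def lookup(self, sha256: str) -> Rating:
        """Hash-only query: anything not on the list is Unrecognized."""
        return self.hash_ratings.get(sha256, Rating.UNRECOGNIZED)

    def analyse(self, sha256: str, content: bytes) -> Rating:
        """Upload path: server-side AV rescan, then behaviour analysis."""
        self.uploads.append(sha256)
        if content in self.av_detects or content in self.bad_behaviour:
            self.hash_ratings[sha256] = Rating.MALICIOUS  # global black-list updated
            return Rating.MALICIOUS
        # Behaviour analysis can only add to the black list; it never declares
        # a file safe, so the file stays Unrecognized pending human review.
        return Rating.UNRECOGNIZED

    def technician_verdict(self, sha256: str, rating: Rating) -> None:
        """Later human review (minutes to months, per the thread) finalises a rating."""
        self.hash_ratings[sha256] = rating


@dataclass
class LocalCis:
    """Constructed model of the local client's decision for one executable."""
    cloud: CloudService
    local_signatures: set = field(default_factory=set)  # local AV database (content hits)
    local_cache: dict = field(default_factory=dict)     # finalised verdicts by hash
    cloud_lookup: bool = True     # the "cloud lookup" setting discussed in the thread
    upload_unknown: bool = True   # the "upload unknown files for analysis" setting

    def rate(self, content: bytes) -> tuple:
        """Return (rating, action, source of verdict) for a file about to run."""
        sha = sha256_hex(content)
        if content in self.local_signatures:
            return Rating.MALICIOUS, Action.BLOCK, "local AV signature"
        if sha in self.local_cache:  # a finalised hash verdict needs no re-upload
            rating, source = self.local_cache[sha], "local cache"
        elif self.cloud_lookup:
            rating, source = self.cloud.lookup(sha), "cloud hash lookup"
            if rating is Rating.UNRECOGNIZED and self.upload_unknown:
                rating, source = self.cloud.analyse(sha, content), "cloud analysis"
            if rating is not Rating.UNRECOGNIZED:
                self.local_cache[sha] = rating
        else:
            # Cloud off: nothing outside local signatures ever becomes Trusted,
            # so default deny (sandbox) applies to every unknown file.
            rating, source = Rating.UNRECOGNIZED, "default deny (cloud disabled)"
        return rating, ACTION_FOR[rating], source


if __name__ == "__main__":
    cloud = CloudService(bad_behaviour={b"constructed dropper"})
    cis = LocalCis(cloud)
    for name, blob in [("unknown tool", b"constructed unknown"),
                       ("dropper", b"constructed dropper")]:
        print(name, "->", cis.rate(blob))
    # Rolo's observation: sandboxed first, cleared later once a verdict landed.
    cloud.technician_verdict(sha256_hex(b"constructed unknown"), Rating.TRUSTED)
    print("unknown tool after verdict ->", cis.rate(b"constructed unknown"))
    print("uploads so far:", len(cloud.uploads))
```

Rating the same dropper twice shows the second call served from the local cache with no further upload, which is the hash-keyed behaviour Malware1 describes; constructing LocalCis with cloud_lookup=False shows that even a file the cloud already rates Trusted stays in the sandbox, which is the narrowing of default deny's scope that Rolo describes. The model also makes the manual's own limitation explicit: analyse can move a file to Malicious but never to Trusted, so without a later technician_verdict an unknown file stays Unrecognized indefinitely, matching hjlbx's experience.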

hjlbx

Comodo says cloud scanning isn't just hash-based: https://help.comodo.com/topic-72-1-623-7755-Unknown-Files---The-Scanning-Processes.html

If the file's hash isn't found...

That's what the CIS manual says - but you will find that, in actuality, it does not work that way\function as described.

After submitting literally thousands of Unrecognized (malicious) files, Comodo's behavioral monitoring\heuristics has not returned a single malicious file verdict to my local CIS installation.

You will find in 99% of cases, the file will be submitted to Comodo - it will be added to Unrecognized file list - and two years later a file verdict still has not been returned to your system.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
I have witnessed it functioning precisely as described. It analysed/returned within an hour (I only checked an hour later, so I don't know how long it actually took).

Whether it is accurate or not is a separate issue. In my case, it deemed the malware "clean" heh. That's why I have Qihoo and MBAM installed. If something gets by Comodo cloud/firewall/HIPS/auto-sandbox, MBAM, BD engine, Avira engine, QVMII engine, Qihoo cloud scanner/BB and a layer 8 scan, then somebody earned it! Songs will be sung...festivals thrown...today is a good day to die and all that... :D
 