Comodo doing Bad things to Bad Rabbit!

Status
Not open for further replies.

In2an3_PpG
@cruelsister's settings would work better in this case than the default. What if, and this is a big what if, the user just so happens to believe the executable for Flash is legit and runs it unlimited, instead of choosing the default "Run inside the Container (Default)"?

With the settings from cruelsister I believe the user would not have a choice and the ransomware would run restricted, therefore saving the user from making a risky choice.

Good job nevertheless from Comodo on trapping BadRabbit.
 

cruelsister
The first video is incorrect on one thing: after running the original malware vector (install Flash) it WILL encrypt stuff, but only certain things (God knows why). Although doc and text files will be unaffected, 7Zip and jpg files will be corrupted within 30 seconds of running, and no reboot is needed for this.

With my settings (or with only Containment enabled) the sandbox alone will contain the malware. Please note that this will be done in spite of the original vector (the fake Flash app) being doubly signed by Symantec, and Symantec being on the list of Trusted Vendors. Why? Because the certificates used could not be verified as legitimate by Comodo, so it was treated like any other trash ransomware out there and blown away.

And CF stopping this bugger is no small feat. The specific anti-ransomware applications that I like are having great difficulties with this variant of NotPetya, and obviously the traditional AV, when this sucker was zero-day, stood no chance.

Comodo really should leave the Videos to me (and all I want is something that sparkles green...)
 

HarborFront
My opinions.

So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are:

1) The malware being tested is of the non-sandbox-evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.
2) In real life, how many people would actually download some software and run it in a sandbox before committing it to disk? Especially for legit software. Take the recent CCleaner infection, for example: legit software resulting in an APT that took a long time before it was discovered. Would you run this in a sandbox before committing it to disk?
3) In such malware tests the test subjects are already known, i.e. they are malware. In real life, how many people really know that the downloaded file is malware, since such a file may masquerade as a needed legit file?

So, is a sandbox REALLY useful in everyday use for a normal user?
 

Deleted member 178

My opinions.

So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are:

1) The malware being tested is of the non-sandbox-evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.
When we say sandbox-evading, it doesn't mean the malware will get out; it means the malware will shut itself down because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.

2) In real life, how many people would actually download some software and run it in a sandbox before committing it to disk? Especially for legit software. Take the recent CCleaner infection, for example: legit software resulting in an APT that took a long time before it was discovered. Would you run this in a sandbox before committing it to disk?
It all depends on the user's paranoia level; generally those installing a sandbox do it for a reason, not just to look at it.

3) In such malware tests the test subjects are already known, i.e. they are malware. In real life, how many people really know that the downloaded file is malware, since such a file may masquerade as a needed legit file?
The purpose of a sandbox is to isolate ANY files (not only malware) first, check them, and, if clean, commit them.

So, is a sandbox REALLY useful in everyday use for a normal user?
Yes, I installed a sandbox for some friends, told them how to use it and how to check the files they download via VirusTotal, and they stopped getting infected.
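The "sandbox-evading" behaviour discussed above (a sample that recognizes an analysis VM and shuts itself down instead of detonating), as an added example that is not part of any post and not code from Comodo or any vendor. The checks are the cheap, publicly documented environment fingerprints such samples use: CPU count, RAM, uptime, hostname, username, guest-additions drivers and helper processes. The artifact lists, the thresholds and the two-indicator policy are assumptions made for this illustration. The defender's takeaway is that a sandbox verdict of "clean" only means something if the analysis VM looks unremarkable on every one of these, not just most of them.

```python
"""
Sandbox/VM fingerprinting of the kind that "sandbox-evading" malware runs before
deciding whether to detonate.  Added example for this thread, not code from
Comodo, FortiSandbox or any poster.  Artifact lists, thresholds and the two-hit
policy are this example's own assumptions.
"""
import os
import socket
import time
from dataclasses import dataclass, field

# Guest-additions drivers and helper processes that betray a VM (assumed, not exhaustive).
VM_DRIVER_FILES = [
    r"C:\Windows\System32\drivers\vmmouse.sys",    # VMware
    r"C:\Windows\System32\drivers\vmhgfs.sys",     # VMware shared folders
    r"C:\Windows\System32\drivers\VBoxMouse.sys",  # VirtualBox
    r"C:\Windows\System32\drivers\VBoxGuest.sys",  # VirtualBox
]
VM_PROCESS_NAMES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "sandboxierpcss.exe"}
ANALYSIS_HOSTNAME_TOKENS = {"sandbox", "malware", "virus", "cuckoo", "analysis"}
GENERIC_USERNAMES = {"admin", "user", "sandbox", "malware", "john", "test"}


@dataclass
class EnvSnapshot:
    cpu_count: int
    ram_gb: float                 # 0.0 means "could not determine"
    uptime_s: float
    hostname: str
    username: str
    vm_files: list = field(default_factory=list)   # VM driver paths that exist
    processes: set = field(default_factory=set)    # lowercase process image names


def evaluate(env: EnvSnapshot) -> dict:
    """Return the indicators a sample would trip on plus the resulting decision."""
    hits = []
    if env.cpu_count < 2:
        hits.append("single_cpu")
    if 0.0 < env.ram_gb < 2.0:
        hits.append("low_ram")
    if env.uptime_s < 10 * 60:
        hits.append("fresh_boot")          # detonation minutes after VM start
    if any(tok in env.hostname.lower() for tok in ANALYSIS_HOSTNAME_TOKENS):
        hits.append("analysis_hostname")
    if env.username.lower() in GENERIC_USERNAMES:
        hits.append("generic_username")
    if env.vm_files:
        hits.append("vm_driver_present")
    if env.processes & VM_PROCESS_NAMES:
        hits.append("vm_tools_process")
    # Assumed policy: two or more indicators and an evasive sample stays dormant,
    # which is exactly the case where a sandbox verdict of "clean" means nothing.
    verdict = "dormant" if len(hits) >= 2 else "detonate"
    return {"hits": hits, "verdict": verdict}


def _ram_gb() -> float:
    """Physical RAM in GiB via sysconf (POSIX only); 0.0 where unavailable."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    except (ValueError, OSError, AttributeError):
        return 0.0


def _running_processes() -> set:
    """Process image names from /proc (Linux); empty elsewhere without psutil."""
    names = set()
    if os.path.isdir("/proc"):
        for pid in os.listdir("/proc"):
            if pid.isdigit():
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        names.add(fh.read().strip().lower())
                except OSError:
                    pass
    return names


def collect_live() -> EnvSnapshot:
    """Snapshot the current machine with stdlib calls only."""
    return EnvSnapshot(
        cpu_count=os.cpu_count() or 1,
        ram_gb=_ram_gb(),
        uptime_s=time.monotonic(),   # approx. seconds since boot on Linux/Windows/macOS
        hostname=socket.gethostname(),
        username=os.environ.get("USERNAME") or os.environ.get("USER") or "",
        vm_files=[p for p in VM_DRIVER_FILES if os.path.exists(p)],
        processes=_running_processes(),
    )


# Constructed snapshots for an offline demonstration (invented values).
SANDBOX_LIKE = EnvSnapshot(cpu_count=1, ram_gb=1.0, uptime_s=90.0,
                           hostname="CUCKOO-01", username="john",
                           vm_files=[VM_DRIVER_FILES[2]], processes={"vboxservice.exe"})
WORKSTATION_LIKE = EnvSnapshot(cpu_count=8, ram_gb=16.0, uptime_s=5 * 24 * 3600,
                               hostname="DESKTOP-A1B2C3", username="m.jensen")

if __name__ == "__main__":
    for label, env in (("sandbox-like", SANDBOX_LIKE),
                       ("workstation-like", WORKSTATION_LIKE),
                       ("this machine", collect_live())):
        print(label, evaluate(env))
```

Run it on an analysis VM and read the `hits` list as a to-do list: every indicator it prints is one a sample can check for free before it ever touches a file, and a VM that trips two of them will make evasive ransomware look clean.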
 

HarborFront
When we say sandbox-evading, it doesn't mean the malware will get out; it means the malware will shut itself down because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.

It all depends on the user's paranoia level; generally those installing a sandbox do it for a reason, not just to look at it.

The purpose of a sandbox is to isolate ANY files (not only malware) first, check them, and, if clean, commit them.

Yes, I installed a sandbox for some friends, told them how to use it and how to check the files they download via VirusTotal, and they stopped getting infected.
But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.

Correct. Like I mentioned, how many would do that, especially for legit software?

I'm not saying having a SB is no good. I'm questioning the practicality aspect of it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a SB, noting that each technology (SB, HIPS, BB) has its limitations.
 

bribon77
But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.

Correct. Like I mentioned, how many would do that, especially for legit software?

I'm not saying having a SB is no good. I'm questioning the practicality aspect of it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a SB, noting that each technology (SB, HIPS, BB) has its limitations.
It's easy if people take 2 minutes to scan on VirusTotal. You'll have an idea what it's all about.
 
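The "two minutes on VirusTotal" step above, as an added example that is not code from any poster, from Comodo or from VirusTotal: hash the download, look the hash up on the VirusTotal v3 file endpoint, and reduce the per-engine stats to a verdict. Assumptions: the `https://www.virustotal.com/api/v3/files/{sha256}` URL and `x-apikey` header as documented by VirusTotal, an API key in the `VT_API_KEY` environment variable, and verdict thresholds that are this example's own policy. The sample report and the offline transport are constructed so the block runs without network access; the `unknown` path is the caveat a practitioner needs, because a brand-new sample may not be on VirusTotal at all and "unknown" is not "clean".

```python
"""
Hash-first VirusTotal lookup.  Added example for this thread, not code from any
poster, Comodo or VirusTotal.  Assumed: VT API v3 file lookup at
/api/v3/files/{sha256} with an 'x-apikey' header; verdict thresholds are this
example's own policy.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so a large installer is not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_file_url(sha256: str) -> str:
    return VT_FILES_ENDPOINT + sha256.lower()


def fetch_report(sha256: str, api_key: str, urlopen=urllib.request.urlopen):
    """Return the parsed VT report, or None when VT has never seen the hash.

    'urlopen' is injectable so the lookup can be exercised offline.
    """
    req = urllib.request.Request(vt_file_url(sha256), headers={"x-apikey": api_key})
    try:
        resp = urlopen(req, timeout=30)
    except urllib.error.HTTPError as err:
        if err.code == 404:          # unknown hash: nobody has submitted this file yet
            return None
        raise
    try:
        return json.loads(resp.read().decode("utf-8"))
    finally:
        resp.close()


def summarize(report) -> dict:
    """Collapse last_analysis_stats into counts and a verdict (assumed thresholds)."""
    if report is None:
        # A zero-day dropper is exactly the file VT may not know about: 'unknown'
        # must never be read as 'clean'; this is where a sandbox or BB still matters.
        return {"known": False, "malicious": 0, "suspicious": 0, "engines": 0, "verdict": "unknown"}
    stats = report["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    if malicious >= 5:
        verdict = "malicious"
    elif malicious + suspicious >= 1:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"known": True, "malicious": malicious, "suspicious": suspicious,
            "engines": engines, "verdict": verdict}


# Constructed VT-style response for an offline run (v3 report shape; numbers invented).
SAMPLE_REPORT = {"data": {"type": "file", "attributes": {
    "last_analysis_stats": {"harmless": 0, "malicious": 48, "suspicious": 1,
                            "undetected": 19, "timeout": 0, "type-unsupported": 2}}}}


class _FakeResponse:
    """Stand-in for urllib's response object, used by the offline transport."""
    def __init__(self, body: bytes):
        self._body = body

    def read(self) -> bytes:
        return self._body

    def close(self) -> None:
        pass


def offline_transport(req, timeout=None):
    """Serve SAMPLE_REPORT for one constructed hash; 404 for everything else."""
    if req.full_url.endswith("a" * 64):
        return _FakeResponse(json.dumps(SAMPLE_REPORT).encode())
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vt_lookup.py <file>   (VT_API_KEY in the environment)")
    digest = sha256_file(sys.argv[1])
    print(digest, summarize(fetch_report(digest, os.environ["VT_API_KEY"])))
```

Looking up the hash rather than uploading the file keeps a possibly sensitive installer off a third-party service, and it is the lookup that takes seconds; an upload of an unknown file is what costs the minutes the post mentions, and its result still only reflects the engines VT runs at that moment.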

HarborFront
It's easy if people take 2 minutes to scan on VirusTotal. You'll have an idea what it's all about.
It's easier and faster for your HIPS and/or BB to kick in and warn you of malware when you run a piece of software. No need for 2 minutes.
 

ForgottenSeer 58943

Any sandbox is a good mechanism against ransomware.

FortiSandbox snagged this on day one, on download, when we tested it. (In recent industry certification, FSBX was hitting 99.5% on incoming zero-days.) The pre-screen flagged it for further evaluation; it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if sandboxes/APT evaluation appliances/services will be in consumer-grade gear in the future to stop trash like this.
 

HarborFront
FortiSandbox snagged this on day one, on download, when we tested it. (In recent industry certification, FSBX was hitting 99.5% on incoming zero-days.) The pre-screen flagged it for further evaluation; it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if sandboxes/APT evaluation appliances/services will be in consumer-grade gear in the future to stop trash like this.
That's provided the sandbox doesn't meet sandbox-evading ransomware.
 

Deleted member 178

But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.
The HIPS isn't really shut down; it can only be put to sleep, and it will react if the BB can't give a solution.

Correct. Like I mentioned, how many would do that, especially for legit software?
HIPS and BB would detect unusual behavior.

I'm not saying having a SB is no good. I'm questioning the practicality aspect of it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a SB, noting that each technology (SB, HIPS, BB) has its limitations.
Those are layers; it all depends on the user whether to use them or not.
 

HarborFront
The HIPS isn't really shut down; it can only be put to sleep, and it will react if the BB can't give a solution.

HIPS and BB would detect unusual behavior.

Those are layers; it all depends on the user whether to use them or not.
Comodo's BB is weak. Can it compare to the BB from EAM, BitDefender, Norton, etc.?
 

bribon77
It's easier and faster for your HIPS and/or BB to kick in and warn you of malware when you run a piece of software. No need for 2 minutes.
Let's see if the translator lets me express what I mean.
I have been testing malware today. The first thing I did was upload them to VirusTotal. On execution, Emsisoft was left without detecting 3 of the samples, even though they were malware; Comodo, however, put them in the sandbox. I then scanned with HitmanPro, and Kaspersky's database did indeed flag it as malware. In other words, for me the sandbox is stronger than a behavior detector.
 

HarborFront
Let's see if the translator lets me express what I mean.
I have been testing malware today. The first thing I did was upload them to VirusTotal. On execution, Emsisoft was left without detecting 3 of the samples, even though they were malware; Comodo, however, put them in the sandbox. I then scanned with HitmanPro, and Kaspersky's database did indeed flag it as malware. In other words, for me the sandbox is stronger than a behavior detector.
So you are saying EAM failed to detect your 3 malware samples? Did you re-code existing malware, or are they the latest zero-days?

Are you using Comodo FW? If yes, can you test by disabling your sandbox and using HIPS + BB? See whether HIPS + BB can detect it.

I think @Umbra would be interested in this :)
 