In2an3_PpG (post #2):
@cruelsister's settings would work better in this case than the default. What if, and this is a big what if, the user just so happens to believe the executable for Flash is legit and runs it unlimited, instead of choosing the default "Run inside the Container (Default)"?

With the settings from cruelsister I believe the user would not have a choice and the ransomware would run restricted, therefore saving the user from making a risky choice.

Good job nevertheless from Comodo on trapping BadRabbit.
 

cruelsister (post #3):
The first video is incorrect on one thing: after running the original malware vector (install Flash) it WILL encrypt stuff, but only certain things (God knows why). Although Doc and Text files will be unaffected, 7-Zip and jpg files will be corrupted within 30 seconds of running, and no reboot is needed for this.

With my settings (or with only Containment enabled) the sandbox alone will contain the malware. Please note that this will be done in spite of the original vector (the false Flash app) being doubly signed by Symantec, with Symantec being on the list of Trusted Vendors. Why? Because the certificates used could not be verified as legitimate by Comodo, so it was treated like any other trash ransomware out there and blown away.

And CF stopping this bugger is no small feat. The specific anti-ransomware applications that I like are having great difficulties with this variant of NotPetya, and obviously traditional AV stood no chance when this sucker was zero-day.

Comodo really should leave the Videos to me (and all I want is something that sparkles green...)
 
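The post above makes a point worth turning into a check: a signer name on a trusted-vendor list means nothing unless the signature chain actually verifies. The following PowerShell script is an added example, not code from the thread or from Comodo, and reproduces that decision on Windows with the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets. The `$TrustedVendors` list, the `$Path` parameter and the verdict strings are assumptions for the example; the VirusTotal URL format is the public per-hash lookup page.

```powershell
# Added example (not from the thread or from Comodo): triage a downloaded
# executable the way the post describes Comodo's decision. A "trusted vendor"
# name on the certificate is not enough; the signature must verify to a
# trusted root. Anything else is treated as unknown and should run contained.
# $Path and the $TrustedVendors list are assumptions for the example.

param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string[]]$TrustedVendors = @('Symantec Corporation', 'Adobe Inc.')
)

function Get-FileVerdict {
    param([string]$FilePath, [string[]]$Vendors)

    # Status is the result of full chain validation: root trust, revocation
    # (where reachable) and hash match. NotTrusted, HashMismatch and NotSigned
    # all land in the same bucket for our purposes: untrusted.
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = (Get-FileHash -Algorithm SHA256 -Path $FilePath).Hash

    $signerName = $null
    if ($sig.SignerCertificate) {
        # Pull the CN out of the subject so the allowlist compares a name, not a full DN.
        $signerName = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    $chainOk  = $sig.Status -eq 'Valid'
    $vendorOk = [bool]($signerName -and ($Vendors -contains $signerName))

    # The case from the post: VendorMatch = True but ChainValid = False falls
    # through to containment, exactly as the sandbox treated the fake installer.
    $verdict = if ($chainOk -and $vendorOk) { 'Trusted: run normally' }
               else { 'Unknown: run inside the container' }

    [pscustomobject]@{
        File        = $FilePath
        SHA256      = $hash
        Status      = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        StatusText  = $sig.StatusMessage
        Signer      = $signerName
        ChainValid  = $chainOk
        VendorMatch = $vendorOk
        Verdict     = $verdict
        # Second opinion by hash (as suggested later in the thread); nothing is uploaded.
        VirusTotal  = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
    }
}

Get-FileVerdict -FilePath $Path -Vendors $TrustedVendors | Format-List
```

Run it as `.\Get-FileVerdict.ps1 -Path .\flash_installer.exe`. One caveat a practitioner should keep in mind: `Get-AuthenticodeSignature` validates against the local root store, so a signature made with a stolen but not yet revoked certificate still returns `Valid`. The check is necessary to catch the case in the post (a signer name that cannot be chained to a trusted root), but it is not sufficient on its own, which is why the hash lookup is included alongside it.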

EASTER (post #6):
How about that Comodo. It's a menace to ransomware of all sorts.

And as for "BadRabbit": that's one bad rabbit alright, but no match for the Force of Comodo!
 

HarborFront (post #10):
My opinions.

So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are:

1) The malware being tested is the non-sandbox-evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.
2) In real life, how many people would actually download some software and run it in a sandbox before committing it to disk? Especially for legit software. Take the recent CCleaner infection for example: legit software that resulted in an APT that took a long time to discover. Would you run this in a sandbox before committing it to disk?
3) In such malware tests the test subjects are already known, i.e. they are malware. In real life how many people really know that the downloaded file is malware, since such a file may masquerade as a needed legit file?

So, is a sandbox REALLY useful in everyday use for a normal user?
 
Umbra (post #11):
> My opinions.
>
> So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are:
>
> 1) The malware being tested is the non-sandbox-evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.

When we say sandbox-evading, it doesn't mean the malware will get out; it means the malware will shut itself down because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.

> 2) In real life, how many people would actually download some software and run it in a sandbox before committing it to disk? Especially for legit software. Take the recent CCleaner infection for example: legit software that resulted in an APT that took a long time to discover. Would you run this in a sandbox before committing it to disk?

It all depends on the user's paranoia level; generally those who install a sandbox do it for a reason, not just to look at it.

> 3) In such malware tests the test subjects are already known, i.e. they are malware. In real life how many people really know that the downloaded file is malware, since such a file may masquerade as a needed legit file?

The purpose of a sandbox is to isolate ANY file (not only malware) first, check it, and if clean, commit it.

> So, is a sandbox REALLY useful in everyday use for a normal user?

Yes, I installed a sandbox for some friends, told them how to use it and how to check the files they download via VirusTotal, and they stopped getting infected.
 
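The exchange above (HarborFront's first objection and Umbra's reply) turns on what "sandbox-evading" means in practice: the sample fingerprints its environment and exits quietly, so a test video shows nothing happening and the verdict looks clean. The following PowerShell script is an added example, not code from the thread or from any product, that audits the machine you run suspect files on for the artifacts such samples commonly check (VM vendor strings, tiny CPU and RAM allocations, fresh boot, few processes, analysis tools running). The thresholds are assumptions for the example, not values taken from any specific malware family.

```powershell
# Added example (not from the thread): audit an analysis VM for the traits
# sandbox-aware malware commonly checks before deciding whether to run.
# If several of these trip, an evasive sample may simply exit inside your
# sandbox and look "clean". Thresholds below are assumptions.

function Test-SandboxFingerprint {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    $uptimeHours = ((Get-Date) - $os.LastBootUpTime).TotalHours
    $ramGB       = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $procCount   = (Get-Process).Count

    # Hypervisor vendor strings that show up in WMI/CIM hardware fields.
    $vmStrings = 'VMware', 'VirtualBox', 'innotek', 'QEMU', 'KVM', 'Xen', 'Virtual Machine', 'Parallels'
    $hwText    = "$($cs.Manufacturer) $($cs.Model) $($bios.Manufacturer) $($bios.SerialNumber)"
    $vmHit     = [bool]($vmStrings | Where-Object { $hwText -match [regex]::Escape($_) })

    # Common analysis tools a sample may look for by process name (assumed list).
    $toolNames = 'procmon', 'procexp', 'wireshark', 'x64dbg', 'x32dbg', 'ollydbg', 'idaq64'
    $tools     = Get-Process -Name $toolNames -ErrorAction SilentlyContinue

    @(
        [pscustomobject]@{ Check = 'VM vendor string in hardware info'; Value = $hwText.Trim();                 Suspicious = $vmHit }
        [pscustomobject]@{ Check = 'Logical CPUs < 2';                  Value = $cs.NumberOfLogicalProcessors;  Suspicious = ($cs.NumberOfLogicalProcessors -lt 2) }
        [pscustomobject]@{ Check = 'RAM < 4 GB';                        Value = "$ramGB GB";                    Suspicious = ($ramGB -lt 4) }
        [pscustomobject]@{ Check = 'Uptime < 10 min';                   Value = ('{0:N1} h' -f $uptimeHours);   Suspicious = ($uptimeHours -lt (10 / 60)) }
        [pscustomobject]@{ Check = 'Running processes < 40';            Value = $procCount;                     Suspicious = ($procCount -lt 40) }
        [pscustomobject]@{ Check = 'Analysis tools running';            Value = (($tools.Name | Sort-Object -Unique) -join ', '); Suspicious = [bool]$tools }
    )
}

$report = Test-SandboxFingerprint
$report | Format-Table -AutoSize
"Suspicious indicators: $(($report | Where-Object Suspicious).Count) of $($report.Count)"
```

If most rows come back `Suspicious = True`, a sample that exits on sandbox detection will never reach the file-encryption stage in your test, and the resulting video proves nothing about the sandbox. The usual fixes are to make the analysis VM look lived-in (more CPUs and RAM, real uptime, user documents, a browser history) or, as Umbra's reply notes, to rely on a layer that does not depend on the sample choosing to run.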

HarborFront (post #12):
> When we say sandbox-evading, it doesn't mean the malware will get out; it means the malware will shut itself down because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.

But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.

> It all depends on the user's paranoia level; generally those who install a sandbox do it for a reason, not just to look at it.

Correct. Like I mentioned, how many would do that, especially for legit software?

> The purpose of a sandbox is to isolate ANY file (not only malware) first, check it, and if clean, commit it.
>
> Yes, I installed a sandbox for some friends, told them how to use it and how to check the files they download via VirusTotal, and they stopped getting infected.

I'm not saying having a SB is no good. I'm questioning the practicality aspect of using it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a SB, noting that each technology (SB, HIPS, BB) has its limitations.
 
bribon77 (post #13):
> But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.
>
> Correct. Like I mentioned, how many would do that, especially for legit software?
>
> I'm not saying having a SB is no good. I'm questioning the practicality aspect of using it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a SB, noting that each technology (SB, HIPS, BB) has its limitations.

It's easy if people take 2 minutes to scan on VirusTotal; you'll have an idea what it's all about.
 
Slyguy (post #15):
Any sandbox is a good mechanism against ransomware.
FortiSandbox snagged this on day one on download when we tested it (in recent industry certification FSBX was hitting 99.5% on incoming zero-days). The pre-screen flagged it for further evaluation, it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if sandboxes/APT evaluation appliances/services will be in consumer-grade gear in the future to stop trash like this.
 

HarborFront (post #16):
> FortiSandbox snagged this on day one on download when we tested it (in recent industry certification FSBX was hitting 99.5% on incoming zero-days). The pre-screen flagged it for further evaluation, it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if sandboxes/APT evaluation appliances/services will be in consumer-grade gear in the future to stop trash like this.

That's provided the sandbox doesn't meet a sandbox-evading ransomware.
 
Umbra (post #17):
> But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.

The HIPS isn't really shut down; it can only be put to sleep, and it will react if the BB can't give a solution.

> Correct. Like I mentioned, how many would do that, especially for legit software?

HIPS and BB would detect unusual behavior.

> I'm not saying having a SB is no good. I'm questioning the practicality aspect of using it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a SB, noting that each technology (SB, HIPS, BB) has its limitations.

Those are layers; it all depends on the user whether to use them or not.
 

HarborFront (post #18):
> The HIPS isn't really shut down; it can only be put to sleep, and it will react if the BB can't give a solution.
>
> HIPS and BB would detect unusual behavior.
>
> Those are layers; it all depends on the user whether to use them or not.

Comodo's BB is weak. Can it compare to the BB from EAM, BitDefender, Norton, etc.?
 
bribon77 (post #19):
> It's easier and faster for your HIPS and/or BB to kick in and warn you of malware when you run a piece of software. No need for 2 minutes.

Let's see if the translator lets me express what I mean.
I have been testing malware today. The first thing I did was upload the samples to VirusTotal. On execution, Emsisoft was left without detecting 3 of the samples, even though they were malware; however, Comodo put them in the sandbox. Then I scanned with HitmanPro, and sure enough Kaspersky's database flagged them as malware. In other words, for me the sandbox is stronger than a behavior detector.
 

HarborFront (post #20):
> Let's see if the translator lets me express what I mean.
> I have been testing malware today. The first thing I did was upload the samples to VirusTotal. On execution, Emsisoft was left without detecting 3 of the samples, even though they were malware; however, Comodo put them in the sandbox. Then I scanned with HitmanPro, and sure enough Kaspersky's database flagged them as malware. In other words, for me the sandbox is stronger than a behavior detector.

So you are saying EAM failed to detect your 3 malware samples? Did you re-code existing malware, or are they the latest zero-days?

Are you using Comodo FW? If yes, can you test by disabling your sandbox and using HIPS + BB, to see whether HIPS + BB can detect them?

I think @Umbra would be interested in this :)
 