Comodo doing Bad things to Bad Rabbit!

Discussion in 'Comodo' started by Felipe Oliveira, Oct 25, 2017.

  1. Felipe Oliveira

    Felipe Oliveira Level 11

    Jan 17, 2014
    521
    3,146
    Medicine student
    Rio de Janeiro, Brazil
    Windows 10
    Comodo
  2. In2an3_PpG

    In2an3_PpG Level 10

    Nov 15, 2016
    498
    8,300
    IT Jr. Network Admin
    United States
    Windows 10
    Default-Deny
    @cruelsister's settings would work better in this case than the default. What if, and this is a big what if, the user just so happens to believe the executable for Flash is legit and runs it unlimited instead of choosing the default "Run inside the Container (Default)"?

    With the settings from cruelsister I believe the user would not have a choice and the ransomware would run restricted, therefore saving the user from making a risky choice.

    Good job nevertheless from Comodo on trapping BadRabbit.
     
    AtlBo, Rebsat, frogboy and 7 others like this.
  3. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,418
    NYC
    The first video is incorrect on one thing: after running the original malware vector (install Flash) it WILL encrypt stuff, but only certain things (God knows why). Although Doc and Text files will be unaffected, 7Zip and jpg files will be corrupted within 30 seconds of the run, and no reboot is needed for this.

    With my settings (or with only Containment enabled) the sandbox alone will contain the malware. Please note that this will be done in spite of the original vector (the false flash app) being doubly signed by Symantec and with Symantec being on the list of Trusted Vendors. Why? Because the certificates used could not be verified as legitimate by Comodo, so it was treated like any other trash ransomware out there and blown away.

    And CF stopping this bugger is no small feat. The specific anti-ransomware applications that I like are having great difficulties with this variant of Notpetya, and obviously the traditional AV when this sucker was zero-day stood no chance.

    Comodo really should leave the Videos to me (and all I want is something that sparkles green...)
     
    AtlBo, Der.Reisende, Rebsat and 23 others like this.
  4. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,162
    29,619
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    @cruelsister ask Melhi to pay you in return via emerald bracelets or a high-class pair of shoes to fit with it :p
     
    AtlBo, bribon77, erreale and 3 others like this.
  5. Sephiroth Source

    Jul 13, 2015
    46
    180
    In my opinion CF should come with CruelSister settings by default!
     
    AtlBo, Rebsat, bribon77 and 1 other person like this.
  6. EASTER

    EASTER Level 3

    May 9, 2017
    110
    352
    SouthWest Indiana (Evansville)
    Windows 10
    Microsoft
    How about that Comodo. It's a menace to ransomwares of all sorts.

    And as for "BadRabbit". That's one bad rabbit alright but no match for the Force of Comodo!
     
    AtlBo, bribon77 and simmerskool like this.
  7. Umbra

    Any sandbox is a good mechanism against ransomware.
     
    AtlBo, bribon77, ZeroDay and 4 others like this.
  8. klaken

    klaken Level 2

    Oct 11, 2014
    84
    164
    Student
    Chile
    Windows 7
    Comodo
    But not all security providers have a free sandbox that is activated by default for something unknown.
     
  9. bribon77

    bribon77 Level 10

    Jul 6, 2017
    491
    3,369
    spain
    Windows 7
    Emsisoft
    I totally agree with you.
     
  10. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,295
    5,748
    Far East
    #10 HarborFront, Oct 28, 2017
    Last edited: Oct 28, 2017
    My opinions.

    So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are:

    1) The malware being tested is of the non-sandbox-evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.
    2) In real life, how many people would actually download some software and run it in a sandbox before committing it to disk? Especially for legit software. Take the recent CCleaner infection for example: legit software resulting in an APT that took a long time before it was discovered. Would you run this in a sandbox before committing to disk?
    3) In such malware tests the test subjects are already known, i.e. they are malware. In real life, how many people really know that the downloaded file is malware, since such a file may masquerade as a needed legit file?

    So, is a sandbox REALLY useful in everyday use for a normal user?
     
    AtlBo, insanity and XhenEd like this.
  11. Umbra

    When we say sandbox-evading, it doesn't mean the malware will get out; it means the malware will shut itself down because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.

    It all depends on the user's paranoia level; generally those installing a sandbox do it for a reason, not just to look at it.

    The purpose of a sandbox is to isolate ANY files (not only malware) first, check them, and if clean, commit them.

    Yes, I installed a sandbox for some friends, told them how to use it and how to check the files they download via VirusTotal, and they stopped getting infected.
     
    AtlBo, XhenEd, Azure Phoenix and 2 others like this.
  12. HarborFront

    #12 HarborFront, Oct 28, 2017
    Last edited: Oct 28, 2017
    But there are users who would shut down Comodo's HIPS, and its BB is pretty weak. If I'm not wrong, CS's setup disabled the HIPS too.

    Correct. Like I mentioned, how many would do that, especially for legit software?

    I'm not saying having a sb is no good. I'm questioning the practicality of using it. IMO a HIPS (heuristics-based) + BB (behavior-based) is a better and more practical approach than using a sb, noting that each technology (sb, HIPS, BB) has its limitations.
     
    ZeroDay, AtlBo and bribon77 like this.
  13. bribon77

    bribon77 Level 10

    Jul 6, 2017
    491
    3,369
    spain
    Windows 7
    Emsisoft
    It's easy if people take 2 minutes to scan on VirusTotal. You'll have an idea what it's all about.
     
    AtlBo likes this.
  14. HarborFront

    It's easier and faster for your HIPS and/or BB to kick in and warn you of malware when you run software. No need for 2 minutes.
     
    AtlBo likes this.
  15. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,085
    4,350
    Fortinet Engineer
    USA
    Other OS
    FortiSandbox snagged this on day one on download when we tested it. (In recent industry certification FSBX was hitting 99.5% on incoming zero-days.) The pre-screen flagged it for further evaluation, it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if sandboxes/APT evaluation appliances/services will be in consumer-grade gear in the future to stop trash like this.
     
    ZeroDay and TerrakionSmash like this.
  16. HarborFront

    That's provided the sandbox doesn't meet a sandbox-evading ransomware.
     
    AtlBo likes this.
  17. Umbra

    The HIPS isn't really shut down; it can only be put to sleep, and it will react if the BB can't give a solution.

    HIPS and BB would detect unusual behavior.

    Those are layers; it all depends on the user whether to use them or not.
     
    ZeroDay and AtlBo like this.
  18. HarborFront

    Comodo's BB is weak. Can it compare to the BB from EAM, BitDefender, Norton, etc.?
     
    AtlBo likes this.
  19. bribon77

    Let's see if the translator lets me express what I mean.
    I have been testing malware today. The first thing I did was upload them to VirusTotal. "The execution": Emsisoft was left without detecting 3 malware samples, even though they were malware; however, Comodo put them in the sandbox. Then I scanned with HitmanPro and indeed Kaspersky's base flagged them as malware. In other words, the litter box is stronger for me than a behavior detector.
     
    AtlBo and TerrakionSmash like this.
  20. HarborFront

    #20 HarborFront, Oct 28, 2017
    Last edited: Oct 28, 2017
    So you are saying EAM failed to detect your 3 malware samples? Did you re-code existing malware, or are they the latest zero-days?

    Are you using Comodo FW? If yes, can you test by disabling your sandbox and using HIPS + BB, to see whether HIPS + BB can detect it?

    I think @Umbra would be interested in this :)
     
    frogboy and AtlBo like this.