Comodo doing Bad things to Bad Rabbit!

Status
Not open for further replies.

In2an3_PpG

Level 18
Verified
Top Poster
Content Creator
Well-known
Nov 15, 2016
867
@cruelsister settings would work better in this case then default. What if and this is a big What if that the user just so happens to believe the executable for flash is legit and runs it unlimited? Instead of choosing the default "Run inside the Container (Default)".

With the settings from cruelsister i believe the user would not have a choice and the ransomware would run restricted. Therefor saving the user from making a risky choice.

Good job nevertheless from Comodo on trapping BadRabbit.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
The first video is incorrect on one thing- after running the original Malware vector (install Flash) it WILL encrypt stuff, but only certain things (God knows why). Although Doc and Text files will be unaffected, 7Zip and jpg files will be corrupted within 30 seconds of run, and no reboot needed for this.

With my settings (or with only Containment enabled) the sandbox alone will contain the malware. Please note that this will be done in spite of the original vector (the false flash app) being doubly signed by Symantec and with Symantec being on the list of Trusted Vendors. Why? Because the certificates used could not be verified as legitimate by Comodo, so it was treated like any other trash ransomware out there and blown away.

And CF stopping this bugger is no small feat. The specific anti-ransomware applications that I like are having great difficulties with this variant of Notpetya, and obviously the traditional AV when this sucker was zero-day stood no chance.

Comodo really should leave the Videos to me (and all I want is something that sparkles green...)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
My opinions.

So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are

1) The malware being tested are non-sandbox evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.
2) In real life, how many people actually would download some software and run in a sandbox before committing to disk? And especially for those legit software. Take the recent CCleaner infection for example. A legit software resulting in an APT that took a long time before it was discovered. Would you run this in a sandbox before committing to disk?
3) In such malware tests the test subjects are already known i.e. they are malware. In real life how many people really know that the downloaded file is a malware because such file may masquerade as a needed legit file

So, is a sandbox REALLY useful in everyday use for a normal user?
 
Last edited:
D

Deleted member 178

My opinions.

So far I have been watching these malware test videos showing the malware defeated by the prowess of Comodo's sandbox. The problems here are

1) The malware being tested are non-sandbox evading type. Try testing Comodo's sandbox with some sandbox-evading malware and see whether it can stop the malware.
When we say sandbox-evading, it doesn't mean the malware will go out, it means the malware will shut down itself because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.

2) In real life, how many people actually would download some software and run in a sandbox before committing to disk? And especially for those legit software. Take the recent CCleaner infection for example. A legit software resulting in an APT that took a long time before it was discovered. Would you run this in a sandbox before committing to disk?
All depend of the user paranoia level, generally those installing a sandbox, do it for a reason, not just to look at it.

3) In such malware tests the test subjects are already known i.e. they are malware. In real life how many people really know that the downloaded file is a malware because such file may masquerade as a needed legit file
The purpose of a sandbox, is to isolate ANY files (not only malware) first, check them, and if clean, commit them.

So, is a sandbox REALLY useful in everyday use for a normal user?
Yes, i installed a sandbox for some friends, told them how to use it, and how to check files they download via Virus total, they stopped getting infected.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
When we say sandbox-evading, it doesn't mean the malware will go out, it means the malware will shut down itself because it recognizes being in a sandbox. And for Comodo, if the malware managed to get out, you still have the BB and HIPS.


All depend of the user paranoia level, generally those installing a sandbox, do it for a reason, not just to look at it.


The purpose of a sandbox, is to isolate ANY files (not only malware) first, check them, and if clean, commit them.


Yes, i installed a sandbox for some friends, told them how to use it, and how to check files they download via Virus total, they stopped getting infected.
But there are users who would shut down Comodo's HIPS and its BB is pretty weak. If I'm not wrong CS's setup disabled the HIPS too.

Correct. Like I mentioned how many would do that especially for legit software

I'm not saying having a sb is no good. I'm questioning the use practicality aspect of it. IMO a HIPS(heuristics-based) + BB(behavioral-based) is a better and more practical approach than using a sb noting that each technology (sb, HIPS, BB) has its limitations
 
Last edited:

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
But there are users who would shut down Comodo's HIPS and its BB is pretty weak. If I'm not wrong CS's setup disabled the HIPS too.

Correct. Like I mentioned how many would do that especially for legit software

I'm not saying having a sb is no good. I'm questioning the use practicality aspect of it. IMO a HIPS(heuristics-based) + BB(behavioral-based) is a better and more practical approach than using a sb noting that each technology (sb, HIPS, BB) has its limitations
it's easy if people take 2 minutes to scan on Virus Total. you'll have an idea what it's all about.
 
  • Like
Reactions: AtlBo

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
it's easy if people take 2 minutes to scan on Virus Total. you'll have an idea what it's all about.
It's easier and faster for your HIPS and/or BB to kick in and warn you of a malware when you run a software. No need 2 minutes.
 
  • Like
Reactions: AtlBo
F

ForgottenSeer 58943

Any sandbox is a good mechanism against ransomware.

FortiSandbox snagged this day one on download when we tested it. (recently industry certification FSBX was hitting 99.5% on incoming zero days) The pre-screen flagged it for further evaluation, it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if Sandboxes/APT evaluation appliances/services will be in consumer grade gear in the future to stop trash like this.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
FortiSandbox snagged this day one on download when we tested it. (recently industry certification FSBX was hitting 99.5% on incoming zero days) The pre-screen flagged it for further evaluation, it was bounced around the FortiSandbox and blocked as a potential new outbreak. I sometimes wonder if Sandboxes/APT evaluation appliances/services will be in consumer grade gear in the future to stop trash like this.
That's provided the sandbox don't meet a sandbox-evading ransomware
 
  • Like
Reactions: AtlBo
D

Deleted member 178

But there are users who would shut down Comodo's HIPS and its BB is pretty weak. If I'm not wrong CS's setup disabled the HIPS too.
The HIPS isn't really shut down, it can only be put a sleep and will react if the BB can't give a solution.

Correct. Like I mentioned how many would do that especially for legit software
HIPS and BB would detect unusual behavior.

I'm not saying having a sb is no good. I'm questioning the use practicality aspect of it. IMO a HIPS(heuristics-based) + BB(behavioral-based) is a better and more practical approach than using a sb noting that each technology (sb, HIPS, BB) has its limitations
Those are layers, all depend of the user to use them or not.
 
  • Like
Reactions: ZeroDay and AtlBo

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
The HIPS isn't really shut down, it can only be put a sleep and will react if the BB can't give a solution.


HIPS and BB would detect unusual behavior.


Those are layers, all depend of the user to use them or not.
Comodo's BB is weak. Can it compare to BB from EAM, BitDefender, Norton etc?
 
  • Like
Reactions: AtlBo

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
It's easier and faster for your HIPS and/or BB to kick in and warn you of a malware when you run a software. No need 2 minutes.
Let's see if the translator lets me express what I mean.
I have been testing malware today. The first thing I did was upload them to Virus Total. "The execution" Emsisoft were left without detecting 3 malwares, because they were malwares, however, Comodo put them in the Sandbox. then scan with Hitman pro and effectively Kaspersky's base gave it as malware. In other words, the litter box is stronger for me than a behavior detector.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Let's see if the translator lets me express what I mean.
I have been testing malware today. The first thing I did was upload them to Virus Total. "The execution" Emsisoft were left without detecting 3 malwares, because they were malwares, however, Comodo put them in the Sandbox. then scan with Hitman pro and effectively Kaspersky's base gave it as malware. In other words, the litter box is stronger for me than a behavior detector.
So you are saying EAM failed to detect your 3 malware? Did you re-code the existing malware or are they the latest zero-days?

Are you using Comodo FW? If yes, can you test by disabling your sandbox and use HIPS + BB. See whether HIPS + BB can detect it?

I think @Umbra would be interested in this :)
 
Last edited:
  • Like
Reactions: frogboy and AtlBo
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top