Advice Request Comodo Embedded Code Detection -- What to Add?


shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
1. You will never get any alert from COMODO because the interpreters and sponsors are trusted. It's ridiculous that all the AVs treat interpreters and sponsors as trusted, when Microsoft explicitly advises that they be disabled if not needed. Obviously they're running amateur night.

2. The COMODO documentation states the only difference is in the alert and what is attributed.

3. CS' advice to block outbound firewall only applies to sandboxed processes. That means exploit\malicious code can still be downloaded outside of the sandbox on the real system and run, for example in a memory buffer. It will more or less use trusted Windows processes and the system is hacked.

4. Bitsadmin connecting out on the network is attributed as SYSTEM. You have to block SYSTEM.

Bitsadmin is deprecated by Microsoft. It shouldn't even be enabled on anyone's system.

5. There is only one way to protect systems - and that is to follow Microsoft's own advice - which is to disable what is not needed. 99.999 % of home users across the world do not need the usual suspects. Microsoft is irresponsible and negligent in shipping Windows with them enabled, or even included at all in Windows for the masses.
1 If I remember correctly, CS says to set firewall not to show alerts, and to block automatically, and this works for all unrecognized processes -- in which sandboxed processes are by definition included. They were sandboxed because they are unrecognized.

2 Embedded code detection, when it works, will work even for interpreters that are "trusted" processes. So there will be an alert or a block, depending on settings.

3 So let's say I am using native Windows SRP, and it is configured to block bitsadmin. Will it work? (let's assume for the sake of the question that the malware is not running elevated)
 

509322

1 If I remember correctly, CS says to set firewall not to show alerts, and to block automatically, and this works for all unrecognized processes -- in which sandboxed processes are by definition included. They were sandboxed because they are unrecognized.

2 Embedded code detection, when it works, will work even for interpreters that are "trusted" processes. So there will be an alert or a block, depending on settings.

3 So let's say I am using native Windows SRP, and it is configured to block bitsadmin. Will it work?

No. Those settings are not going to work in the case of an exploit. An exploited trusted process just won't be blocked.

The COMODO documentation explicitly states that the only difference is in the alert and the attribution.

Blocking Bitsadmin from executing means it cannot connect out. Sorry if you don't understand.
 

shmu26

No. Those settings are not going to work in the case of an exploit. An exploited trusted process just won't be blocked.

The COMODO documentation explicitly states that the only difference is in the alert and the attribution.

Blocking Bitsadmin from executing means it cannot connect out. Sorry if you don't understand.
Are you sure that the Comodo documentation you read is discussing embedded code detection? It is a relatively new technology for Comodo, whereas a lot of their documentation is really old.
Have you seen the Comodo alerts generated by embedded code detection? I have seen lots of them, and even though powershell or cmd has trusted status, there is an alert.

Regarding bitsadmin, I think you answered my question, if I read between the lines. The execution will still be called bitsadmin.
 

509322

Are you sure that the Comodo documentation you read is discussing embedded code detection? It is a relatively new technology for Comodo, whereas a lot of their documentation is really old.
Have you seen the Comodo alerts generated by embedded code detection? I have seen lots of them, and even though powershell or cmd has trusted status, there is an alert.

Regarding bitsadmin, I think you answered my question, if I read between the lines. The execution will still be called bitsadmin.

The COMODO documentation on embedded code explicitly states the difference in the alerts is between the attributed process; in one the attribution is to the interpreter and in the other the attribution is to the script. Otherwise, there is absolutely no difference whatsoever.

It absolutely does not matter. The interpreter is trusted, and therefore is allowed to run. If it can run, then it can be used to smash the system - regardless of COMODO's embedded code protection, Microsoft's AMSI or ASR, or whatever other claims made by AV publishers.

This is why the first rule handed down by Microsoft is to disable what is not needed. It is called Fundamentals of Security 101. So simple that children and grandmas can understand, implement and adhere to it.
 

Deleted member 178

Comodo is like an exciting Christmas tree, but after you rush to it, you realize half of the gift boxes are empty.

The proof is that even an enthusiast user like CS doesn't even want to use all its stuff...

The only good thing Comodo ever made is its autosandbox
 

shmu26

The firewall's original purpose was to prevent inbound connections. Years ago security vendors implemented outbound monitoring, but that was when call-home malware was simple and easily recognizable.
Now they are so sophisticated that outbound monitoring can barely detect them, especially if they use some cryptic Windows processes.
@cruelsister has stated several times that Comodo firewall is smarter than Windows firewall in this respect; it can block sophisticated malware attempts to connect out. However, she did not explain or give any detail. I have always been curious to know what she meant by that. She used to say repeatedly that there is nothing special about Comodo's firewall module, contrary to street wisdom, but lately, she has been saying that it can do something. :unsure:
 

shmu26

Thanks for pointing me in the right direction (y)
I believe I'm more lucky than smart according to your definitions :D :
Edit: removed all the custom rules.
After a reboot I had to add Kaspersky (avp.exe) and OneDrive to my custom rules because they were blocked by the firewall.
Thanks again @shmu26 Will see how it goes from here...
I gave CFW 11.0.0.6728 a 3rd try on Saturday night, and so far, so good.
I did get a block from OneDrive, but it was for memory access, and that's normal for Comodo, because it has self-protection for when processes randomly access memory of protected Comodo processes. Making exceptions won't even help, if it is memory access. You just ignore it, and go on.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,593
I gave CFW 11.0.0.6728 a 3rd try, and so far, so good.
It's the most stable version of 11 for now :unsure:
Had to add 2 more firewall rules: dasHost.exe (Windows internal, should have been whitelisted) and EEventManager.exe (allows my all-in-one to scan documents over wifi). No more rules necessary on my system and nothing in containment. So thanks to you I cleaned all my rules (y)
 

shmu26

It's the most stable version of 11 for now :unsure:
Had to add 2 more firewall rules: dasHost.exe (Windows internal, should have been whitelisted) and EEventManager.exe (allows my all-in-one to scan documents over wifi). No more rules necessary on my system and nothing in containment. So thanks to you I cleaned all my rules (y)
DasHost = Device Association Framework Provider Host that connects and pairs both wired and wireless devices with Windows OS.
From the description of this process, I can understand why it might trigger an overly nervous network alert.
 

509322

@cruelsister has stated several times that Comodo firewall is smarter than Windows firewall in this respect; it can block sophisticated malware attempts to connect out. However, she did not explain or give any detail. I have always been curious to know what she meant by that. She used to say repeatedly that there is nothing special about Comodo's firewall module, contrary to street wisdom, but lately, she has been saying that it can do something. :unsure:

Yeah, I'll tell you how COMODO's firewall is "smarter" than Windows Firewall... it filters outbound.

However, it isn't going to know the difference between a non-malicious and malicious svchost connection - if the actual trusted process is being used. It isn't going to know to block a trusted process when that process is being used for malicious comms. I'll use the case that everyone seems to scream bloody murder about on the forums... 5.4. whatever CCleaner. COMODO would let CCleaner fly and never stop until the shenanigans were identified, probably by a 3rd party like, gee, Cisco Talos - one of the more technically inaccurate reporters (or downright disingenuous depending upon how you look at it).
 

Gandalf_The_Grey

DasHost = Device Association Framework Provider Host that connects and pairs both wired and wireless devices with Windows OS.
From the description of this process, I can understand why it might trigger an overly nervous network alert.
I found the same info. That's why I allowed it. But shouldn't it be whitelisted automatically?
 

Eddie Morra

Comodo is like an exciting Christmas tree, but after you rush to it, you realize half of the gift boxes are empty.
BBC Headlines from the future: "Naughty boys cry themselves to sleep as a COMODO-protected system was smashed during a Minecraft session after malicious download was used"

"Further investigation led to the discovery that all components apart from Rudolph the Sandbox are half-complete and are the digital equivalent of a sack of coal"
 

Gandalf_The_Grey

Yes, it should. I don't know enough about the internal firewall rules to figure out what is going wrong.
If it's the only one, no worries.
Could also be related to the fact that I'm already on Windows 10 October 2018 Update (version 1809). :unsure:
 

Andytay70

Level 15
Verified
Top Poster
Well-known
Jul 6, 2015
737
I have gone back to v10 as my RAM was sky high and Task Manager said it was Comodo! Every time I booted my laptop the screen went black for a few seconds whilst it loaded.
None of the above issues have happened since installing v10.
Another thing I found is that even with the "cloud look up" enabled I had well known processes flagged as unknown that v10 logged as trusted!
 

shmu26

I have gone back to v10 as my RAM was sky high and Task Manager said it was Comodo! Every time I booted my laptop the screen went black for a few seconds whilst it loaded.
None of the above issues have happened since installing v10.
Another thing I found is that even with the "cloud look up" enabled I had well known processes flagged as unknown that v10 logged as trusted!
Do you have Comodo Internet Essentials installed, as well? It sneaks in together with Comodo Firewall in some of the installers, and people say it can be a resource hog. Just uninstall it, and after a Comodo update, uninstall it again, if necessary.
 

Andytay70

@shmu26,
I didn't see it. All I did was look for the culprit that ate my RAM!
I'll give it a try later and see if that's the case.
 

shmu26

Another thing I found is that even with the "cloud look up" enabled I had well known processes flagged as unknown that v10 logged as trusted!
Are you on version 11.0.0.6728, which (as far as I know) is the latest version?
Because that problem you mentioned, with "known processes flagged as unknown", is a known issue, but should be fixed on 11.0.0.6728.
 