App Review Comodo Firewall 10 Setup

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Please note the caveat by Comodo about the HIPS- "in the absence of virtualization". With the settings used in this video all a HIPS will do is react to things running virtualized in the Box, so essentially would be of no value. Certainly there will be no popups!
 
  • Like
Reactions: reboot and BugCode
D

Deleted member 178

Last edited by a moderator:

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
You will also this video from cruelsister to fully configure Comodo (suppliers). So it was nice together .-)

 
  • Like
Reactions: BugCode

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
cruelsister

The question should be sandbox browser? To protect against the exploit? Because in this setting does not remove anything from the sandbox thanks.

Unless otherwise permitted some folders virtualize.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
About sandboxing browsers- Yes, Comodo does offer this, but its usefulness depends on how you have the rest of CF setup. With my settings, sandboxing the browsers does not really offer very much.

For example, let's consider a recently popular exploit- this one actually composed of two items, ransomware AND a Pony info stealer. What must be remembered (and all too often is not) is that any exploit, in order to infect your system, MUST act locally By this I mean that some payload(s) have to be transferred onto your system to have the desired malicious effect. In this case we would have two separate payloads, the ransomware and pony, both of which will be sandboxed no matter if the browser is virtualized or not. I've shown enough in the past that CF just laughs at ransomware, so tis will not be any issue; and the info stealer being in the box cannot transmit out. And as with any malware of the info stealing type, it can collect all the information it wants. but as long as it cannot transmit this information to me (I mean the Blackhat), who really cares?
 

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
About sandboxing browsers- Yes, Comodo does offer this, but its usefulness depends on how you have the rest of CF setup. With my settings, sandboxing the browsers does not really offer very much.

For example, let's consider a recently popular exploit- this one actually composed of two items, ransomware AND a Pony info stealer. What must be remembered (and all too often is not) is that any exploit, in order to infect your system, MUST act locally By this I mean that some payload(s) have to be transferred onto your system to have the desired malicious effect. In this case we would have two separate payloads, the ransomware and pony, both of which will be sandboxed no matter if the browser is virtualized or not. I've shown enough in the past that CF just laughs at ransomware, so tis will not be any issue; and the info stealer being in the box cannot transmit out. And as with any malware of the info stealing type, it can collect all the information it wants. but as long as it cannot transmit this information to me (I mean the Blackhat), who really cares?
And what about the exploit that runs only in memory can somehow stop Comodo in this case? Thank you for clarifying use your settings.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
And what about the exploit that runs only in memory
this is a valid concern.
a browser exploit utilizing a flash vulnerability, for instance, could potentially access and run a command line tool like powershell. It could then compromise the system in various ways. Here are a few that I know about:
1 disable COMODO and other defenses
2 load DLLs, which COMODO does not monitor
3 schedule a payload to run at the next reboot, as service, before COMODO protection kicks in.
 
  • Like
Reactions: Davidov

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
this is a valid concern.
a browser exploit utilizing a flash vulnerability, for instance, could potentially access and run a command line tool like powershell. It could then compromise the system in various ways. Here are a few that I know about:
1 disable COMODO and other defenses
2 load DLLs, which COMODO does not monitor
3 schedule a payload to run at the next reboot, as service, before COMODO protection kicks in.

Hi, as a defense against you suggest .-)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
this is a valid concern.
a browser exploit utilizing a flash vulnerability, for instance, could potentially access and run a command line tool like powershell. It could then compromise the system in various ways. Here are a few that I know about:
1 disable COMODO and other defenses
2 load DLLs, which COMODO does not monitor
3 schedule a payload to run at the next reboot, as service, before COMODO protection kicks in.

Hi, as a defense against you suggest .-)
if your software and OS are updated, you don't have a lot to worry about.
but in any case, HitmanPro.Alert is good defense against exploits.
You can also run your browser in sandbox, if you want, and also other exploitable apps.
If you want to really be paranoid about exploits, use ReHIPS instead of COMODO

NVT ERP offers a certain amount of exploit protection, and also Voodoo does.
COMODO HIPS will help in certain situations, too.
 
  • Like
Reactions: Davidov and BugCode

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Actually this is not a valid concern. Before malware can do any of those things a payload must be able to run. As things like Powershell are just triggers for the payload, they can run as much as they want as long as anything that follows is virtualized.

However I think that Shmu may be referring to a RAT that I coded and used in previous videos. This one did indeed drop a dll and stopped Comodo on reboot. But as this file was signed with a High liberated certificate it would have gotten past anything. This guy was the Nightmare Scenario and only existed for the purpose of my videos (and has long since been deleted from reality).
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Actually this is not a valid concern. Before malware can do any of those things a payload must be able to run. As things like Powershell are just triggers for the payload, they can run as much as they want as long as anything that follows is virtualized.

However I think that Shmu may be referring to a RAT that I coded and used in previous videos. This one did indeed drop a dll and stopped Comodo on reboot. But as this file was signed with a High liberated certificate it would have gotten past anything. This guy was the Nightmare Scenario and only existed for the purpose of my videos (and has long since been deleted from reality).
Yeah, I remember, but all credit due sis, if you can do it, others can too, there are no exclusive
rights on creativity in the world of the hats, no matter the color ;)
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Yes and no- The technique is no big deal at all. But the manner of the drop is just a wee bit easier to acquire than powdered Unicorn Horn. Trust me in this- if CF could be readily breached I would never use it myself.

But about dll's and just to alleviate any concerns- for a malicious dll to cause harm it just can't be dropped. I has to be registered and CF will sandbox the process doing so. Even my former fav CreateProcess API hook will be stopped.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Actually this is not a valid concern. Before malware can do any of those things a payload must be able to run. As things like Powershell are just triggers for the payload, they can run as much as they want as long as anything that follows is virtualized.

However I think that Shmu may be referring to a RAT that I coded and used in previous videos. This one did indeed drop a dll and stopped Comodo on reboot. But as this file was signed with a High liberated certificate it would have gotten past anything. This guy was the Nightmare Scenario and only existed for the purpose of my videos (and has long since been deleted from reality).
if I had better sense, I would not argue with people who know a lot more than I do, and CS is definitely one of those people.
but... my understanding of the following two articles, and of a lot of other material as well, leads me to believe that fileless attacks are indeed capable of compromising a system through memory, without executing a file on the hard drive in a way that COMODO autosandbox would be able to detect.
Understanding Fileless Malware Infections – The Full Guide - Heimdal Security Blog
Fileless Infections: An Overview - Malwarebytes Labs

EDIT: I think I will leave it to those who have the MT "Trusted" label next to their handle, to hash this one out.
I don't have a sufficient IT background to get into the nitty-gritty of it all.
 
Last edited:

Mercifulrelease

Level 1
Apr 17, 2016
6
Mercy- Trust me in that unticking these boxes (unless a person has a specific need to do so) is not a good thing. It will essentially sandbox anything that you want to use (not really, but close enough to be no nevermind).

Granted, if one comes across malware that uses a stolen signed certificate this would be a bad thing. But these are normally jumped on immediately by security vendors- even Comodo. There are some that would want to limit this method of attack by reducing the amount of Vendors that are trusted. With CF this list can be easily edited. If you have interested in doing this, please google "Comodo and Trusted Vendors List" - with the quotation marks! This will bring up a video I did last July that highlights the process.
Thanks for the info ,...ill leave them ticked :)
 
  • Like
Reactions: Deleted member 2913

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
Are there any specific videos/tutorials addressing the above issues?
I believe Custom's pure default-deny and Safe Mode has Comodo's whitelist but I never really tested it since I found it too annoying and I just stuck to minor deviations from defaults.
Specific videos you can find at cruelsister's settings. Just click load more.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Shmu- Sorry- I just saw your post today. CF has a number of layers of protection that will render things like Powerliks/PowerSniff (discussed in your references) harmless. Please understand that I'm not married to Comodo- if I was able to breach it as easily as this I wouldn't use in on my production system.

An when viewing discussions on malware at various other sites, authors tend to make out that whatever they are writing about is the Worst Thing Ever. In today's world, sensationalism is the key to publication.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top