- Jan 9, 2017
- 468
@Umbra. Sure! & Soon it block you power on your PC 
- Sorry Offtopic.
- Sorry Offtopic.
Comodo Firewall 10 Setup
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Apr 13, 2013
- 3,224
Please note the caveat by Comodo about the HIPS- "in the absence of virtualization". With the settings used in this video all a HIPS will do is react to things running virtualized in the Box, so essentially would be of no value. Certainly there will be no popups!
@cruelsister just for clarity sake , Comodo HIPS, from what i recall , doesn't monitor the sandbox, so no alerts obviously.
Why does Comodo HIPS not working or not show alerts when apps is sandboxed? - Defense+ / Sandbox Help - CIS
Impossible to stop blocking program in sandbox mode? - Defense+ / Sandbox Help - CIS
Why does Comodo HIPS not working or not show alerts when apps is sandboxed? - Defense+ / Sandbox Help - CIS
Impossible to stop blocking program in sandbox mode? - Defense+ / Sandbox Help - CIS
Last edited by a moderator:
- Apr 13, 2013
- 3,224
About sandboxing browsers- Yes, Comodo does offer this, but its usefulness depends on how you have the rest of CF setup. With my settings, sandboxing the browsers does not really offer very much.
For example, let's consider a recently popular exploit- this one actually composed of two items, ransomware AND a Pony info stealer. What must be remembered (and all too often is not) is that any exploit, in order to infect your system, MUST act locally By this I mean that some payload(s) have to be transferred onto your system to have the desired malicious effect. In this case we would have two separate payloads, the ransomware and pony, both of which will be sandboxed no matter if the browser is virtualized or not. I've shown enough in the past that CF just laughs at ransomware, so tis will not be any issue; and the info stealer being in the box cannot transmit out. And as with any malware of the info stealing type, it can collect all the information it wants. but as long as it cannot transmit this information to me (I mean the Blackhat), who really cares?
For example, let's consider a recently popular exploit- this one actually composed of two items, ransomware AND a Pony info stealer. What must be remembered (and all too often is not) is that any exploit, in order to infect your system, MUST act locally By this I mean that some payload(s) have to be transferred onto your system to have the desired malicious effect. In this case we would have two separate payloads, the ransomware and pony, both of which will be sandboxed no matter if the browser is virtualized or not. I've shown enough in the past that CF just laughs at ransomware, so tis will not be any issue; and the info stealer being in the box cannot transmit out. And as with any malware of the info stealing type, it can collect all the information it wants. but as long as it cannot transmit this information to me (I mean the Blackhat), who really cares?
- Sep 9, 2012
- 470
And what about the exploit that runs only in memory can somehow stop Comodo in this case? Thank you for clarifying use your settings.
- Jul 3, 2015
- 8,153
this is a valid concern.
a browser exploit utilizing a flash vulnerability, for instance, could potentially access and run a command line tool like powershell. It could then compromise the system in various ways. Here are a few that I know about:
1 disable COMODO and other defenses
2 load DLLs, which COMODO does not monitor
3 schedule a payload to run at the next reboot, as service, before COMODO protection kicks in.
- Sep 9, 2012
- 470
this is a valid concern.
a browser exploit utilizing a flash vulnerability, for instance, could potentially access and run a command line tool like powershell. It could then compromise the system in various ways. Here are a few that I know about:
1 disable COMODO and other defenses
2 load DLLs, which COMODO does not monitor
3 schedule a payload to run at the next reboot, as service, before COMODO protection kicks in.
Hi, as a defense against you suggest .-)
a browser exploit utilizing a flash vulnerability, for instance, could potentially access and run a command line tool like powershell. It could then compromise the system in various ways. Here are a few that I know about:
1 disable COMODO and other defenses
2 load DLLs, which COMODO does not monitor
3 schedule a payload to run at the next reboot, as service, before COMODO protection kicks in.
Hi, as a defense against you suggest .-)
- Jul 3, 2015
- 8,153
if your software and OS are updated, you don't have a lot to worry about.
but in any case, HitmanPro.Alert is good defense against exploits.
You can also run your browser in sandbox, if you want, and also other exploitable apps.
If you want to really be paranoid about exploits, use ReHIPS instead of COMODO
NVT ERP offers a certain amount of exploit protection, and also Voodoo does.
COMODO HIPS will help in certain situations, too.
- Apr 13, 2013
- 3,224
Actually this is not a valid concern. Before malware can do any of those things a payload must be able to run. As things like Powershell are just triggers for the payload, they can run as much as they want as long as anything that follows is virtualized.
However I think that Shmu may be referring to a RAT that I coded and used in previous videos. This one did indeed drop a dll and stopped Comodo on reboot. But as this file was signed with a High liberated certificate it would have gotten past anything. This guy was the Nightmare Scenario and only existed for the purpose of my videos (and has long since been deleted from reality).
However I think that Shmu may be referring to a RAT that I coded and used in previous videos. This one did indeed drop a dll and stopped Comodo on reboot. But as this file was signed with a High liberated certificate it would have gotten past anything. This guy was the Nightmare Scenario and only existed for the purpose of my videos (and has long since been deleted from reality).
- Aug 2, 2015
- 4,286
Yeah, I remember, but all credit due sis, if you can do it, others can too, there are no exclusive
rights on creativity in the world of the hats, no matter the color
- Apr 13, 2013
- 3,224
Yes and no- The technique is no big deal at all. But the manner of the drop is just a wee bit easier to acquire than powdered Unicorn Horn. Trust me in this- if CF could be readily breached I would never use it myself.
But about dll's and just to alleviate any concerns- for a malicious dll to cause harm it just can't be dropped. I has to be registered and CF will sandbox the process doing so. Even my former fav CreateProcess API hook will be stopped.
But about dll's and just to alleviate any concerns- for a malicious dll to cause harm it just can't be dropped. I has to be registered and CF will sandbox the process doing so. Even my former fav CreateProcess API hook will be stopped.
- Jul 3, 2015
- 8,153
if I had better sense, I would not argue with people who know a lot more than I do, and CS is definitely one of those people.
but... my understanding of the following two articles, and of a lot of other material as well, leads me to believe that fileless attacks are indeed capable of compromising a system through memory, without executing a file on the hard drive in a way that COMODO autosandbox would be able to detect.
Understanding Fileless Malware Infections – The Full Guide - Heimdal Security Blog
Fileless Infections: An Overview - Malwarebytes Labs
EDIT: I think I will leave it to those who have the MT "Trusted" label next to their handle, to hash this one out.
I don't have a sufficient IT background to get into the nitty-gritty of it all.
Last edited:
- May 11, 2011
- 444
Are there any specific videos/tutorials addressing the above issues?
Last edited:
- Nov 17, 2016
- 1,242
I believe Custom's pure default-deny and Safe Mode has Comodo's whitelist but I never really tested it since I found it too annoying and I just stuck to minor deviations from defaults.
Specific videos you can find at cruelsister's settings. Just click load more.
- May 11, 2011
- 444
- Apr 13, 2013
- 3,224
Shmu- Sorry- I just saw your post today. CF has a number of layers of protection that will render things like Powerliks/PowerSniff (discussed in your references) harmless. Please understand that I'm not married to Comodo- if I was able to breach it as easily as this I wouldn't use in on my production system.
An when viewing discussions on malware at various other sites, authors tend to make out that whatever they are writing about is the Worst Thing Ever. In today's world, sensationalism is the key to publication.
An when viewing discussions on malware at various other sites, authors tend to make out that whatever they are writing about is the Worst Thing Ever. In today's world, sensationalism is the key to publication.
Similar threads
