App Review Comodo Firewall 10 vs Ransomware


cruelsister

Part 4 of the Ransomware series. (and my last one for a while). Note that the ransom screens that popped up on occasion were the extent of what the ransomware could do (nothing at all encrypted); but if you didn't even want the ransom screens, just up the sandbox level to Untrusted.

Music: Lisa Gerrard- Elegy

 
My settings are different, but I'm quite confident the result would be similar:
- I don't auto-block firewall requests: anyway the downloaded file would be sandboxed
- I have HIPS enabled: in Safe Mode it doesn't generate many popups
- I don't suppress privilege elevation alerts by default: this could be the only problem, just in case I manually choose to run outside the sandbox

Thanks for the test @cruelsister
 
Hello,
as always a very informative test.

Today, with this video, I realized something: the notifications are mastered by Windows on Win 10. Not exactly the same menu in the general options.
Every time I saw your videos, I thought "she has a different version of CFW", but now I understand that your videos are on Win7 :oops:

(sorry for the noob remark)

Win10:
Capture.JPG


Win7:
Capture.JPG
 
Kaspersky properly set is excellent. The only main deficiency I had found was in Boot Time protection, soon fixed.

Lab- the reason I use Win7 in my videos is that it still has about a 50% market share. Personally I use W10 and love it (with StartIsBack++).
 
The good thing about CF is that it will blow off other forms of malware- Separately but Equally. Scriptors like Worms, keyloggers, etc would be handled with the same contempt as would a Cerber ransomware file.
 
@cruelsister I assume you set "Do not show privilege alerts: Run inside container" for demonstration purposes at 00:00:53 in the video? It can be interchangeable with the "Block" option I believe?
Either option will achieve the same result in the end.
If you had it set to Block, the ransomware's initial execution would be completely blocked, because it requests privilege elevation from the get-go and is unrecognised by Comodo. Even if it didn't initially request privilege elevation, it would be sandboxed until it requested said privilege elevation, and then subsequently terminated by Comodo.
With it set to run inside container you'd get a notification that the ransomware had been sandboxed and it would just sit inside the sandbox unable to do anything of note. The ransomware would eventually self-terminate or be terminated when you either clear the sandbox or restart your PC.

Edit: I reworded it so it was easier to understand.

Sorry for hijacking your question @cruelsister. :oops: You'll probably be able to explain it better than I have.
 
No issues! The only reason that I had that option checked is that it will suppress popups for unknown and unsigned applications from giving the user a choice to give that application privilege escalation. For those that have UAC enabled, this would just be duplication. For those with UAC disabled, a rule of thumb should be to NEVER EVER allow PE for an unknown. Checking this box just will remove that popup option, but otherwise will not really add anything to protection.
 
AV Gurus- Yeah, send me a link. I'm on the road now for quite a while but I'll check it when I can. By the way, would the file happen to be signed?
 