App Review Comodo Firewall and the E-File Data Stealer

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

ebocious

Level 5
Verified
Well-known
Oct 25, 2018
232
@cruelsister "How can Comodo cope with things like this?"
Comodo can, but users can't.

Comodo or cruel or any configuration:
Comodo is not for users who don't want to know how it works.
Comodo is not for "default-allow" security software users.
Comodo is not for the majority.
Just FYI, all you have to do is add silent mode to the CruelCF configuration, and the majority can indeed use it. I have installed it on an 84-year-old's computer and a 25-year-old's computer. Both are doing just fine. The 84yo called me two weeks ago to help him create a bitcoin wallet, so the ATM vendor could return the $3,200 worth of bitcoin that he almost sent to a scammer before he thought twice. I returned to his house on Thursday to sell the bitcoin for USD and wire it back to his bank account. The 25yo (now 27 or 28) hasn't needed my help since I set her up in the summer of 2020.

There have been talks about licensing people to use the Internet, just like we license people to drive. Meanwhile, a lot of jobs are being replaced by automation, and the time will come where most of the jobs left will be coding jobs. Even customer service jobs are being replaced by AI, when no one thought they would. Natural selection is about to take another leap forward. It's up to you which side of evolution you're on. CS is doing a service to society. If you don't appreciate it, give us something better. And make sure it's not "antivirus, updates, and stay off pr0n sites." That approach has failed, which is why this site exists, and as this very thread demonstrates.
 

ForgottenSeer 100397

@ebocious

I have been using Comodo since v1. I have tried custom configs with average users. None liked Comodo.

cruelconfig may work on a static system, but Comodo messes up the programs' updates. And setting the firewall to "Block Requests" sometimes blocks connections from trusted programs.
 

ForgottenSeer 97327

Sadly, those tools would have been inadequate, as this was a truly zero-day file and had a legitimate certificate as well (the latter is what could really cause detection issues for some).

This particular attack is troubling as it mimics in many ways how nation-state malicious attacks are created. Those responsible had to code the malware, acquire a certificate, code the popper, set up a server, and somehow gain admin control of the website to insert the popper. These things are not done either cheaply or without great organization.

Any person (or cat) can code a stealer, but not many can do this.
Re Hard_Configurator: When Hard_Configurator applies a deny execute in user folders with sponsors blocked for SUA, I fail to see how the executables you launched from your desktop would ever be executed.

Re Comodo FW: As you posted, CF also uses a whitelist based on signatures. Signatures are vetted by CF, but if this signature had already been vetted for a legitimate application carrying it, CF would have this signer in its cloud whitelist and would also have allowed the executable. So the "sleep well without fear, my dear" at the end of your video is not entirely correct.
 

ebocious

If you left the HIPS enabled, I wouldn't like it either. I'm not aware of any issues updating apps with auto containment enabled. In fact, I just now checked Firefox, installed update 112.0.1, closed the browser, emptied the container, and checked again. Firefox is up to date. Lastly, if you have apps that need firewall exceptions, and adding them manually isn't within your scope, you can disable the firewall permanently, and use Windows Firewall instead. This may reduce your security, but I imagine it would still be tougher than any default-allow apparatus you're installing on "average" users' systems now.

Edit: if you need to update an application that isn't whitelisted, then you can either temporarily disable auto containment, or designate an ignored folder (separate from the downloads folder), pin it to Quick access, drag installer files from Downloads to the ignored folder, and launch them from there (it's less convoluted than it sounds once you do it). That said, there aren't a lot of applications I'm aware of that aren't already whitelisted by Comodo, as they've been around since 1998, and added a lot of whitelist rules since then to fix false positives. IMO, it's easier to find a workaround for a few false positives, than to repair damage from one false negative. An ounce of prevention is worth a pound of cure.
 

ForgottenSeer 100397

I disable HIPS on my machine too. Comodo is for users who know how to work with it or who have help ready for any issue.

I never looked in depth at the Comodo settings.
Can you set your programs as "Ignore" or "Windows Updater Applications" to install their updates unhindered? (I understand the associated risks.)
 

ebocious

Windows Updates install fine. Comodo allows you to create rules for folders, files, processes, and even hashes. If an app has a dedicated file for updating, you can add an ignore rule in auto containment for that one file, while keeping the rest contained. But that's if you find an application that is actually hindered from doing so.

(attached screenshot: 2023-04-18 12_45_14-Greenshot.png)


When I worked for the South Carolina Department of Health and Environmental Control, a lot of seniors were having difficulty getting vaccinated against COVID-19, because providers didn't have dedicated call centers to handle appointment requests and wanted everyone to reserve appointments online. Because of HIPAA, I couldn't go to walgreens.com and enter Aunt Dorothy's Social Security number for her. I could only schedule appointments within the public system, which has limited capacity. If I couldn't find anything outside the private sector, I was asking people if they had kids, grandkids, niblings, or friends in the neighborhood who could help them navigate a website. But most of them wouldn't have called me if they had. Some had only a telephone, and no computer. Trying to compete for time slots with tech-savvy applicants was leaving seniors out in the cold. Note: it did get better when vaccines.gov was launched, which provided phone numbers as well as websites, and even let you filter by product.

Microsoft is doing everything they can to up the ante against malware. Windows 11 is tougher than 10 by enforcing VBS, Secure Boot, and other things. But that mostly protects the kernel from being modified and security apps from being terminated or crippled. It doesn't protect your browser or data files. Likewise, a password alone is not enough to secure an online account, when servers are getting breached every day. People who don't want to use 2FA are getting taken to the cleaners. Automation and AI will have more and more people competing for fewer and fewer jobs, which is why there are so many state-sponsored programs to teach people how to code and hunt bugs. In the next few decades, we won't have as many computer dummies as we do now. People will have to learn if they want to eat. We can't stop technological advancement because some folks aren't ready for it. Natural selection is unforgiving.
 

ForgottenSeer 100397

I use a program that is not on the Comodo local and cloud whitelists. I'll set the program to "Ignore" and update it once a new beta or stable is available and post the result.
 

ebocious

It's not an Internet-facing program, is it? Just something you use locally, until it "phones home" for an update? If it accesses the Internet for anything other than updates, I would leave it contained, until it tells you there's a new version. Then disable auto containment for 15 minutes (in case you forget to re-enable), and install the update.
 

ForgottenSeer 100397

I use a portable program that is on the Comodo whitelist. It creates a new (.bat) file when I start it, and Comodo auto-contains the file. Adding the program's executable to Auto-Containment and setting it to "Ignore" allowed the created (.bat) files to run outside containment.

I'll try the same with a program's updates and upgrades and post the result. If Comodo ignores the program's updates and upgrades, I'll then install Comodo on one of my family members' (average user) systems.

The idea is to allow the installed programs, or at least the most used and important programs, to work well, including their updates and upgrades, while blocking unknown programs and unknown program alerts.
 

ForgottenSeer 100397

cruelconfig recommends turning off HIPS.
If you are using a download manager that lets you open the downloaded file and you use the function, Comodo allows those files regardless of the rating. Enable HIPS in these kinds of cases to guard against malicious or unrecognized files.
 

ebocious

Auto Containment doesn't work as an anti-executable. It allows unknown programs to run from any location (unless you specify otherwise), but restricts them if they are unknown, so any payload should be prevented. Did you set Auto Containment to ignore your download manager? Because, if so, then any file opened by the download manager will be treated as a child process, and therefore allowed to run unrestricted outside the container as well.

I believe you mentioned earlier that Cruel CF prevents apps from running "well." Can you explain what you mean by that? If you're talking about utility apps that make changes to your system, you'll want to figure out how to accommodate them. If they're portable, you could designate an ignored folder to store them in. Otherwise, you might briefly disable Auto Containment from the tray icon, launch the app, and then turn Auto Containment back on; and that one app and any child processes will continue to run unrestricted until you close and attempt to run it again.

When you mention that you have a download manager, I assume you download new software frequently. If you're tinkering with your computer, then I would suggest not using it as your daily driver, and keeping all your data and accounts on a separate, productive machine. If you don't have another computer, then perhaps create a VM, and play around in there. If you have to constantly disable security, that tends to defeat the purpose.
 

ebocious

It may actually be possible to restrict child processes, while leaving a parent program unrestricted. But I don't know offhand if this would pose conflicts with a blanket allow rule or not. I know deny ACLs take precedence over allow ACLs, but not sure if Comodo behaves the same way. Anybody know? @cruelsister
(attached screenshot: 2023-05-16 01_49_06-Greenshot.png)
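A toy policy engine, written for this edit rather than taken from Comodo or from anyone in the thread, to make four points from the discussion above concrete in runnable form: an "ignore" rule on a parent (the download manager set to "Don't isolate it again") lets the files it launches run unrestricted; a hash-pinned ignore rule limits unrestricted execution to one updater file while the rest of the application stays contained; signer-based trust auto-allows a new binary that carries an already-vetted publisher's certificate (the signed zero-day case); and whether an explicit contain rule beats a blanket allow rule depends on the precedence model, which is the open question in the post above. The rule semantics, the process tree, the paths, the hashes and the publisher name are all assumptions made up for the example; they are not Comodo's documented behaviour.

```python
"""Toy allow/contain/block engine for process launches (added illustration,
not Comodo's engine). Rule semantics, paths, hashes and signer are assumptions."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    path: str
    sha256: str                 # made-up short stand-in for a file hash
    signer: Optional[str]       # code-signing publisher, None if unsigned
    ppid: Optional[int] = None  # parent pid, None for a root process


@dataclass
class Rule:
    action: str                    # "ignore" (run unrestricted), "contain" or "block"
    path: Optional[str] = None     # case-insensitive glob on the image path
    sha256: Optional[str] = None   # pin one file by hash
    signer: Optional[str] = None   # match by publisher

    def matches(self, p: Proc) -> bool:
        checks = []
        if self.path is not None:
            checks.append(fnmatch.fnmatch(p.path.lower(), self.path.lower()))
        if self.sha256 is not None:
            checks.append(self.sha256 == p.sha256)
        if self.signer is not None:
            checks.append(self.signer == p.signer)
        return bool(checks) and all(checks)


SEVERITY = {"ignore": 0, "contain": 1, "block": 2}


def decide(p: Proc, rules: List[Rule], procs: Dict[int, Proc],
           trusted_signers: frozenset, mode: str = "first-match") -> str:
    """Return "ignore", "contain" or "block" for process p.

    Explicit hits are resolved by list order ("first-match") or by taking the
    most restrictive hit ("deny-wins"). With no explicit hit the engine falls
    back to implicit trust: a trusted publisher, then an unrestricted parent
    (children inherit its status), then the default of containing the unknown.
    """
    hits = [r.action for r in rules if r.matches(p)]
    if hits:
        if mode == "first-match":
            return hits[0]
        if mode == "deny-wins":
            return max(hits, key=SEVERITY.__getitem__)
        raise ValueError(f"unknown mode {mode!r}")
    if p.signer in trusted_signers:
        return "ignore"
    parent = procs.get(p.ppid) if p.ppid is not None else None
    if parent is not None and decide(parent, rules, procs, trusted_signers, mode) == "ignore":
        return "ignore"
    return "contain"


# Constructed process tree (assumed): a download manager, a setup file it
# launched, a signed unknown binary, and an app updater with a child helper.
PROCS = {
    1: Proc(1, r"C:\Program Files\DLManager\dm.exe", "aa11", None),
    2: Proc(2, r"C:\Users\alice\Downloads\setup.exe", "bb22", None, ppid=1),
    3: Proc(3, r"C:\Users\alice\Downloads\efile_helper.exe", "cc33", "Example Software Ltd"),
    4: Proc(4, r"C:\Tools\updater\update.exe", "dd44", None),
    5: Proc(5, r"C:\Tools\updater\helper.exe", "ee55", None, ppid=4),
}


def scenario_download_manager(child_rule: bool) -> str:
    """Parent set to ignore; optionally an explicit contain rule on its children."""
    rules = [Rule("ignore", path=r"C:\Program Files\DLManager\dm.exe")]
    if child_rule:
        rules.append(Rule("contain", path=r"*\Downloads\*"))
    return decide(PROCS[2], rules, PROCS, frozenset())


def scenario_blanket_allow(mode: str) -> str:
    """Blanket allow listed before a narrower contain rule: outcome depends on mode."""
    rules = [Rule("ignore", path=r"C:\Tools\*"), Rule("contain", path=r"C:\Tools\updater\*")]
    return decide(PROCS[4], rules, PROCS, frozenset(), mode)


def scenario_signed_unknown(trust_publisher: bool) -> str:
    """A never-seen binary signed by an already-vetted publisher, no rules at all."""
    trusted = frozenset({"Example Software Ltd"}) if trust_publisher else frozenset()
    return decide(PROCS[3], [], PROCS, trusted)


def scenario_hash_pinned_updater() -> tuple:
    """Ignore exactly one updater file by hash; its child inherits the status."""
    rules = [Rule("ignore", sha256="dd44")]
    return (decide(PROCS[4], rules, PROCS, frozenset()),
            decide(PROCS[5], rules, PROCS, frozenset()))


if __name__ == "__main__":
    print("ignored parent, no child rule :", scenario_download_manager(False))
    print("ignored parent, child rule    :", scenario_download_manager(True))
    print("blanket allow, first-match    :", scenario_blanket_allow("first-match"))
    print("blanket allow, deny-wins      :", scenario_blanket_allow("deny-wins"))
    print("signed unknown, signer trusted:", scenario_signed_unknown(True))
    print("signed unknown, hash-only     :", scenario_signed_unknown(False))
    print("hash-pinned updater + child   :", scenario_hash_pinned_updater())
```

The first scenario reproduces the hazard behind the "Don't isolate it again" click: with no rule of its own, the setup file inherits the download manager's unrestricted status, and only an explicit contain rule on the child restores containment. The blanket-allow scenario is the precedence question itself: a first-match engine gives the answer "ignore" because the broad rule sits first, a deny-wins engine gives "contain" regardless of order, so the safe assumption until the product's behaviour is confirmed is to write narrow rules and put the restrictive one first. The signed-unknown scenario is the signed zero-day case: a publisher-keyed whitelist allows the new binary on the strength of its certificate, while a hash-keyed whitelist contains it.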
 

ForgottenSeer 100397

@ebocious

I completely forgot that the download manager wasn't on Comodo's whitelists, and I'd clicked "Don't isolate it again". Appreciate the reminder. I took care of the issue.

I'm very familiar with Comodo since I started using it on its first release.

Comodo, or CruelConfig, is not suitable for those who are unaware of its functionality. Most don't widely recommend Comodo for everyday users because of its usability problems, not its security. CruelConfig is focused on security and doesn't enhance the usability of Comodo.
 

ebocious

Everyday users are not as prolific as you are. There are three flavors in general:

Those who use computers and don't mess with them.
Those who tinker and know what they are doing.
Those who tinker and do not know what they are doing.

The third group might not do well with Cruel CF. The minority fall into the second group. The majority are in the first group, and will have less trouble than you do. If you have buddies who are intermediate, and like downloading tweak programs and download accelerators, best thing to do would be to teach them to right-click on the Comodo tray icon, hover over Auto Containment, click Disabled, go with the 15-minute option, and install that one-off app. You're not teaching ASL to a gorilla; they can learn it.

If they're average users, then it won't matter to them, because average users are not download junkies. They might download Napster and listen to some music, and that doesn't require toggling Auto Containment; it will work just fine with Cruel CF just as it is.
 

ForgottenSeer 100397

CruelCF and CF don't differ in terms of usability. The user has to handle the primary alerts with both configs. CruelCF comes into effect only after the user takes action on the primary alert.
For example, this E-File Data Stealer video: Users will see the alerts with CF and CruelCF; the protection depends on the user's action on the alerts.
CF, or CruelCF, is suitable for an average user's system only if there is someone to manage it or the user is ready to learn (at least the basics of its features); otherwise, he or she will disable or uninstall it.
You could install CF, or CruelCF, on a static system, but it’ll occasionally alert or isolate a program’s update and corrupt the installation.
CruelCF is extended security with default usability; it doesn’t improve the CF experience for users.

Also, proactive config with default (run virtual) containment is sufficient. CS's recommendation to set a "restriction level" appears "optional" to me. Is there a CS video where malware bypassed proactive config with default containment?

The purpose of Comodo Containment is to isolate and analyze unknowns. Users can see the application’s behavior in the containment and decide whether to run it outside. Many applications won’t run in the containment, as the optional restriction level (recommended by CS) allows very limited access rights.

I use proactive config with default (run virtual) containment, as most applications run well in the containment and I can test or see an application's behavior. If there's a video where malware bypassed proactive config with default containment, please let me know.
 

ebocious

Hello, for novice users, which one to choose: Comodo vs ZoneAlarm?

I'm aware that CruelSister does not silence CF. This works for more advanced users, and also serves for demonstration. Someone actually asked her in a previous post (possibly this same thread) what would happen if someone silenced Comodo or didn't respond to the alert. She said something to the effect that, either way, the malware would have sat there dormant and lonely, until the next time someone emptied the sandbox. This isn't verbatim, but basically the same message. Without user input, proactive CF errs on the side of caution.
 

oldschool

Someone actually asked her in a previous post (possibly this same thread) what would happen if someone silenced Comodo or didn't respond to the alert. She said something to the effect that, either way, the malware would have sat there dormant and lonely, until the next time someone emptied the sandbox. This isn't verbatim, but basically the same message. Without user input, proactive CF errs on the side of caution.
Post #7:
Also, for those that you feel will disregard alerts (know-it-all IT folk, oblivious Grandpas and nasty disgusting children), a simple setting will allow one to suppress alerts, so all unknowns would be Contained and any Outbound transmission from them blocked. Therefore, in this case Ignorance really can be Bliss.
 
