App Review Comodo Firewall Plays with RATs

Content created by
Ophelia

ForgottenSeer 98186

Various thingies most common being in install/uninstall routines.
If it is such a usability issue, then why does Microsoft block interpreters itself?

How often are cscript, wscript, or powershell needed during install or uninstall routines? Less than 1%? Less than 0.1%?

I guess Whack-A-Mole is fine (as long as one can squish all of those little varmints)
There is no whack-a-mole needed.



The list of core Windows processes abused by threat actors on unmanaged (home) desktop systems has not changed in a long time. The "new" OneNote "malware" would have been stopped before it got started by the Microsoft default blocklist.

but CF is sooo much easier.
The mechanism of auto-sandboxing is easier, but then the Comodo sandbox gives no feedback whatsoever to the user about what is running inside the virtual environment. There is the potential (likely a small one given the type of user who will actually use Comodo) for a user to whitelist a file because it "appears" to do nothing malicious inside the sandbox.

But I do agree with you, with CF configured with your recommended settings it is so easy for those that know Comodo. As far as "ease-of-use." Meh. Just look at the hundreds of users that come here to MT and have to ask questions about Comodo. Your configuration videos are easy enough for a user to follow, and yet still, it is not so easy for some users.

All that said, it is up to the user to decide which solution works best for them personally.
 

ForgottenSeer 69673

Various thingies most common being in install/uninstall routines.

I guess Whack-A-Mole is fine (as long as one can squish all of those little varmints), but CF is sooo much easier.
I agree with you as far as Comodo goes on protection but as you know, I just can't on account of what they did to Kevin.

The poster above showed a setting in exploit settings for PowerShell. The poster is whacking the mole by doing that because it is not included by default on Windows 11 Enterprise. It must be added manually. Just sayin.
 

ForgottenSeer 98186

The poster above showed a setting in exploit settings for PowerShell. The poster is whacking the mole by doing that because it is not included by default on Windows 11 Enterprise. It must be added manually. Just sayin.
Hmm. Calling system configuration "whacking the mole." That's just weird. And it's not Enterprise, it is Windows 11 Home. The point of the post was to show that a home user can easily replicate Windows 11 S Mode by adding a short list of processes to Exploit Protection with a specific setting and configuring installs to "Microsoft Store Only."

No SRP, no Applocker, no WDAC needed.
 

cruelsister

Calling system configuration "whacking the mole." That's just weird.
I in no way meant any disrespect. My point is that, aside from potential usability issues, one may have a false sense of security that all bases are now covered- and as there are far too many talented malware writers a new vulnerability can occur that would fall outside of such protection (a mole not whacked).
 

ForgottenSeer 97327

The point of the post was to show that a home user can easily replicate Windows 11 S Mode

No SRP, no Applocker, no WDAC needed.
Well it would have been strange when downgrading (from Windows Home to Windows S) one needed tools (SEP, AppLocker, WDAC) of an upgrade (Windows Pro and higher). :)
 

ForgottenSeer 98186

Well it would have been strange when downgrading (from Windows Home to Windows S) one needed tools (SEP, AppLocker, WDAC) of an upgrade (Windows Pro and higher). :)
From Windows Home to Windows S is a Microsoft upgrade.

The home user does not need to upgrade to Pro or higher to replicate 11 S mode. The same protection can be achieved entirely without SRP, AppLocker or WDAC.
 

simmerskool

Out of curiosity, how did you manage to get hold of Appguard? Is this the appguard website you used for it: Why AppGuard? - AppGuard
AppGuardSolo v6.7.65.4 is available. And tech support replied to my email question! I don't have the exact url at the moment as the price can be $89, or $69, or $39 depending on where you look. I paid $39. Running ok here, but I'm a novice with AG, @ticklemefeet knows it better than me.
 

ForgottenSeer 98186

I in no way meant any disrespect. My point is that, aside from potential usability issues, one may have a false sense of security that all bases are now covered- and as there are far too many talented malware writers a new vulnerability can occur that would fall outside of such protection (a mole not whacked).
lol, sorry. My comment was not directed at you but the person who initially said "I like to wacky my mole" and then "the poster is whacking the mole [by configuring something]."

It is just academic discussion about protection paradigms and strategies. There are pros and cons to whatever choices people make. Ultimately it is up to the Minions to decide what works best for them.
 

Bumblebee Uncle

AppGuardSolo v6.7.65.4 is available. And tech support replied to my email question! I don't have the exact url at the moment as the price can be $89, or $69, or $39 depending on where you look. I paid $39. Running ok here, but I'm a novice with AG, @ticklemefeet knows it better than me.
thank you for this @simmerskool ! the price model is amusing to say the least! Hope @ticklemefeet can chime in as well to the discussion.
 

simmerskool

thank you for this @simmerskool ! the price model is amusing to say the least! Hope @ticklemefeet can chime in as well to the discussion.
IIRC if the link goes to Japan, it's $89, I think there is a US link for Solo and it was $39 perhaps some distinction between enterprise version and Solo version. The $39 URL might be posted on one of the AppGuard threads here at MT...?
 

Zero Knowledge

Sorry off topic. Nice video test of Comodo. Nothing more to say.

In regards to AppGuard I wouldn't be surprised if they just pulled the pin on consumer/home users soon. I'm not sure why they even offer a home version.

COVID special prices are not valid anymore and price has gone up nearly 50%.
IIRC if the link goes to Japan, it's $89, I think there is a US link for Solo and it was $39 perhaps some distinction between enterprise version and Solo version. The $39 URL might be posted on one of the AppGuard threads here at MT...?
Endpoint Security Solutions and Cybersecurity Company that's the link. Price has gone up. $39.99 is not valid anymore.

AppGuard Solo CPIA PCQuick Landing Page - AppGuard offers 30 day free trial. Does not say what a full license cost or if it's enterprise or consumer/home.

I hope that helps.
 

ForgottenSeer 69673

IIRC if the link goes to Japan, it's $89, I think there is a US link for Solo and it was $39 perhaps some distinction between enterprise version and Solo version. The $39 URL might be posted on one of the AppGuard threads here at MT...?
They have now raised the price where you got it to $ 69.00. Which is very sad.

thank you for this @simmerskool ! the price model is amusing to say the least! Hope @ticklemefeet can chime in as well to the discussion.
Maybe start a new thread?
 

ForgottenSeer 69673

The USA price is now 89.99USD; more expensive in the EU at 103,95 €.

Sad thing is a CC is needed to initiate the 30 day trial.
Headquarters:
14120 Parke Long Court
Suite 103
Chantilly VA, 20151


Up until a few weeks ago they were selling it for $ 39.00. Now they are selling it for $ 69.00. simmerskool got in on it for 39 bucks.

Yes, it is pretty sad. There are quite a few MT users that have Lifetime Lics. Maybe one will let you have theirs.
 

Trident

The list of core Windows processes abused by threat actors on unmanaged (home) desktop systems has not changed in a long time. The "new" OneNote "malware" would have been stopped before it got started by the Microsoft default blocklist.
Very true!

You would expect vendors to be proactive and “predict” these attacks, but instead they are mostly playing catch-up and release behavioural protection profiles and various rules after the process has been well abused. At least from what I see by monitoring threat intelligence releases.

I may test Xcitium Open EDR in the upcoming days if I have the time to do so and release a video as well. Unlike Comodo, it is actively in maintenance. I created a configuration profile online already, I just have to deploy the agent on a Windows laptop.

I have few worries about this product - hopefully they don’t get confirmed.
 

ForgottenSeer 98186

Very true!

You would expect vendors to be proactive and “predict” these attacks, but instead they are mostly playing catch-up and release behavioural protection profiles and various rules after the process has been well abused. At least from what I see by monitoring threat intelligence releases.

I may test Xcitium Open EDR in the upcoming days if I have the time to do so and release a video as well. Unlike Comodo, it is actively in maintenance. I created a configuration profile online already, I just have to deploy the agent on a Windows laptop.

I have few worries about this product - hopefully they don’t get confirmed.
.one file > cmd, cscript, wscript, PoSh > download > execute downloaded file from user space
.one file > PoSh > execute Posh script in-memory

There are 10 easy-to-configure blocks that shut that killchain down immediately, and the best part is the user does not have to create all 10 block policies. They can select 1 or as many additional to fit their desired use-case, without affecting usability at all.

The Golden Rule of Digital Security: The highest security is provided by not allowing unverified code to execute in the first place.
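As an added example (not code from the thread or from any poster), here is how a home user can audit and apply an Exploit Protection mitigation on the interpreters named above with the built-in ProcessMitigations cmdlets. The thread does not show which setting the poster used, so DisallowChildProcessCreation is an assumption chosen because the described killchain needs the interpreter to spawn a downloader or a second stage.

```powershell
# Audit, and optionally apply, an Exploit Protection mitigation on the
# interpreters named in the thread. Run from an elevated PowerShell to apply.
# Assumption: DisallowChildProcessCreation is used as the "specific setting";
# the thread itself does not name the setting.
param(
    [switch]$Apply
)

# Interpreters named in the thread; extend the list to fit your own use-case.
$interpreters = @('cmd.exe', 'cscript.exe', 'wscript.exe', 'powershell.exe')

foreach ($exe in $interpreters) {
    # Get-ProcessMitigation reads the per-image settings Windows stores under
    # Image File Execution Options (ProcessMitigations module, Win10 1709+).
    $current = Get-ProcessMitigation -Name $exe
    Write-Host "== $exe =="
    # The ChildProcess section shows whether child process creation is blocked.
    $current.ChildProcess | Format-List | Out-String | Write-Host

    if ($Apply) {
        # Block the interpreter from creating child processes. A legitimate
        # installer that relies on cmd/cscript spawning children will fail
        # visibly, which is the usability trade-off discussed in the thread.
        Set-ProcessMitigation -Name $exe -Enable DisallowChildProcessCreation
        Write-Host "Applied DisallowChildProcessCreation to $exe"
    }
}
```

Run without -Apply first to see the current state; Set-ProcessMitigation -Disable reverts a mitigation if an install routine breaks.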
 
