App Review Comodo Firewall Plays with RATs

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Ophelia
F

ForgottenSeer 98186

Various thingies most common being in install/uninstall routines.
If it is such a usability issue, then why does Microsoft block interpreters itself?

How often are cscript, wscript, or powershell needed during install or uninstall routines? Less than 1%? Less than 0.1%?

I guess Whack-A-Mole is fine (as long as one can squish all of those little varmints)
There is no whack-a-mole needed.

1676298356542.png


The list of core Windows processes abused by threat actors on unmanaged (home) desktop systems has not changed in a long time. The "new" OneNote "malware" would have been stopped before it got started by the Microsoft default blocklist.

but CF is sooo much easier.
The mechanism of auto-sandboxing is easier, but then the Comodo sandbox gives no feeback whatsoever to the user about what is running inside the virtual environment. There is the potential (likely a small one given the type of user who will actually use Comodo) for a user to whitelist a file because it "appears" to do nothing malicious inside the sandbox.

But I do agree with you, with CF configured with your recommended settings it is so easy for those that know Comodo. As far as "ease-of-use." Meh. Just look at the hundreds of users that come here to MT and have to ask questions about Comodo. Your configuration videos are easy enough for a user to follow, and yet still, it is not so easy for some users.

All that said, it is up to the user to decide which solution works best for them personally.
 
  • Like
Reactions: Trident
F

ForgottenSeer 69673

Various thingies most common being in install/uninstall routines.

I guess Whack-A-Mole is fine (as long as one can squish all of those little varmints), but CF is sooo much easier.
I agree with you as far as Comodo goes on protection but as you know, I just can't on account of what they did to Kevin.

The poster above showed a setting in exploit settings for PowerShell. The poster is whacking the mole by doing that because it is not included by default on windows 11 enterprise. It must be added manually. Just sayin.
 
  • Like
Reactions: simmerskool
F

ForgottenSeer 98186

The poster above showed a setting in exploit settings for PowerShell. The poster is whacking the mole by doing that because it is not included by default on windows 11 enterprise. It must be added manually. Just sayin.
Hmm. Calling system configuration "whacking the mole." That's just weird. And it's not Enterprise, it is Windows 11 Home. The point of the post was to show that a home user can easily replicate Windows 11 S Mode by adding a short list of processes to Exploit Protection with a specific setting and configuring installs to "Microsoft Store Only."

No SRP, no Applocker, no WDAC needed.
 
Last edited by a moderator:

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Calling system configuration "whacking the mole." That's just weird.
I in no way meant any disrespect. My point is that, aside from potential usability issues, one may have a false sense of security that all bases are now covered- and as there are far too many talented malware writers a new vulnerability can occur that would fall outside of such protection (a mole not whacked).
 
F

ForgottenSeer 97327

The point of the post was to show that a home user can easily replicate Windows 11 S Mode

No SRP, no Applocker, no WDAC needed.
Well it would have neen strange when downgrading (from Windows Home to Windows S) one needed tools (SEP, AppLocker, WDAC) of an upgrade (Windows Pro and higher). :)
 
F

ForgottenSeer 98186

Well it would have neen strange when downgrading (from Windows Home to Windows S) one needed tools (SEP, AppLocker, WDAC) of an upgrade (Windows Pro and higher). :)
From Windows Home to Windows S is a Microsoft upgrade.

The home user does not need to upgrade to Pro or higher to replicate 11 S mode. The same protection can be achieved entirely without SRP, AppLocker or WDAC.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
Out of curiosity, how did you manage to get hold of Appguard? Is this the appguard website you used for it: Why AppGuard? - AppGuard
AppGuardSolo v6.7.65.4 is available. And tech support replied to my email question! I don't have the exact url at the moment as the price can be $89, or $69, or $39 depending on where you look. I paid $39. Running ok here, but I'm a novice with AG, @ticklemefeet knows it better than me.
 
  • Like
Reactions: Zero Knowledge
F

ForgottenSeer 98186

I in no way meant any disrespect. My point is that, aside from potential usability issues, one may have a false sense of security that all bases are now covered- and as there are far too many talented malware writers a new vulnerability can occur that would fall outside of such protection (a mole not whacked).
lol, sorry. My comment was not directed at you but the person who initially said "I like to wacky my mole" and then "the poster is whacking the mole [by configuring something]."

It is just academic discussion about protection paradigms and strategies. There are pros and cons to whatever choices people make. Ultimately it is up to the Minions to decide what works best for them.
 
  • Like
Reactions: Trident

Bumblebee Uncle

Level 3
Well-known
Mar 15, 2022
109
AppGuardSolo v6.7.65.4 is available. And tech support replied to my email question! I don't have the exact url at the moment as the price can be $89, or $69, or $39 depending on where you look. I paid $39. Running ok here, but I'm a novice with AG, @ticklemefeet knows it better than me.
thank you for this @simmerskool ! the price model is amusing to say the least! Hope @ticklemefeet can chime in as well to the discussion.
 
  • Like
Reactions: simmerskool

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
thank you for this @simmerskool ! the price model is amusing to say the least! Hope @ticklemefeet can chime in as well to the discussion.
IIRC if the link goes to Japan, it's $89, I think there is a US link for Solo and it was $39 perhaps some distinction between enterprise version and Solo version. The $39 URL might be posted on one of the AppGuard threads here at MT...?
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
869
Sorry off topic. Nice video test of Comodo. Nothing more to say.

In regards to AppGuard I wouldn't be surprised if they just pulled the pin on consumer/home users soon. I'm not sure why they even offer a home version.

COVID special prices are not valid anymore and price has gone up nearly 50%.
IIRC if the link goes to Japan, it's $89, I think there is a US link for Solo and it was $39 perhaps some distinction between enterprise version and Solo version. The $39 URL might be posted on one of the AppGuard threads here at MT...?
Endpoint Security Solutions and Cybersecurity Company that's the link. Price has gone up. $39.99 is not valid anymore.

AppGuard Solo CPIA PCQuick Landing Page - AppGuard offers 30 day free trial. Does not say what a full license cost or if it's enterprise or consumer/home.

I hope that helps.
 
  • Thanks
Reactions: simmerskool
F

ForgottenSeer 69673

IIRC if the link goes to Japan, it's $89, I think there is a US link for Solo and it was $39 perhaps some distinction between enterprise version and Solo version. The $39 URL might be posted on one of the AppGuard threads here at MT...?
They have now raised the price where you got it to $ 69.00. Which is very sad.

thank you for this @simmerskool ! the price model is amusing to say the least! Hope @ticklemefeet can chime in as well to the discussion.
Maybe start a new thread?
 
F

ForgottenSeer 69673

The USA price is now 89.99USD; more expensive in the EU at 103,95 €.

Sad thing is a CC is needed to initiate the 30 day trial.
Headquarters:
14120 Parke Long Court
Suite 103
Chantilly VA, 20151


Up until a few weeks ago they were selling it for $ 39.00. Now they are selling it for $ 69.00. Simmerkool got in on it for 39 bucks.

Yes, it is pretty sad. There is quite a few MT users that have Lifetime Lics. Maybe one will let you have theirs.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
The list of core Windows processes abused by threat actors on unmanaged (home) desktop systems has not changed in a long time. The "new" OneNote "malware" would have been stopped before it got started by the Microsoft default blocklist.
Very true!

You would expect vendors to be proactive and “predict” these attacks, but instead they are mostly playing catch-up and release behavioural protection profiles and various rules after the process has been well abused. At least from what I see by monitoring threat intelligence releases.

I may test Xcitium Open EDR in the upcoming days if I have the time to do so and release a video as well. Unlike Comodo, it is actively in maintenance. I created a configuration profile online already, I just have to deploy the agent on a Windows laptop.

I have few worries about this product - hopefully they don’t get confirmed.
 
F

ForgottenSeer 98186

Very true!

You would expect vendors to be proactive and “predict” these attacks, but instead they are mostly playing catch-up and release behavioural protection profiles and various rules after the process has been well abused. At least from what I see by monitoring threat intelligence releases.

I may test Xcitium Open EDR in the upcoming days if I have the time to do so and release a video as well. Unlike Comodo, it is actively in maintenance. I created a configuration profile online already, I just have to deploy the agent on a Windows laptop.

I have few worries about this product - hopefully they don’t get confirmed.
.one file > c m d, c s c r i p t, w s c r i p t, PoSh > download > execute downloaded file from user space
.one file > PoSh > execute Posh script in-memory

There are 10 easy-to-configure blocks that shut that killchain down immediately, and the best part is the user does not have to create all 10 block policies. They can select 1 or as many additional to fit their desired use-case, without affecting usability at all.

The Golden Rule of Digitial Security: The highest security is provided by not allowing unverified code to execute in the first place.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top