App Review Comodo Firewall vs a new Data Stealer

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister
F

ForgottenSeer 114834

I've shared other screenshots showing Avast, Norton, Microsoft Defender (with Machine Learning detection) and Bitdefender also blocking this malware :)

Comodo sandboxes anything unknown, that much we know. VirusScope's detection was, for me, logical, given that the malware launches various Powershell commands at runtime.

But I agree with you on one point: Comodo isn't the only one capable of blocking this type of malware :)
You should also agree that route of infection is important testing products full abilities. Pre-execution detection is a preferred method and or should be. Regardless you wouldn't just perform a context scan on a inert file and call it a test would you? Then why is testing that bypasses many modules of products considered the same?
 
  • Hundred Points
Reactions: Decopi and Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Other solutions might detect it but would they have dealt with it as well as CFW seeing that the alert was ignored ?

Regards Eck :)
There were no alerts, prompts, ifs and buts. Upon launch, Norton, Avast, Bitdefender and Check Point Harmony automatically remediated the malware, with Harmony going as far as identifying the malware type, and not some generic name. Some of its components were first seen 20 days ago.

Trend Micro would have issued a warning not to run the file. The user can’t ignore this warning unless they try to run it second time, which they shouldn’t.

Kaspersky with a properly set-up application control/IDS would have blocked execution.

Microsoft Defender also dealt with the malware and tools from Andy Ful could have stopped the execution of LOLBins which is essential for the malware logical flow.

In addition, many products can be configured to display these prompts whether or not something is allowed to connect to the internet, it is not something unique to Comodo.

So I do not agree that only Comodo dealt with the malware or the way of dealing was in any way superior.
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
Regardless you wouldn't just perform a context scan on a inert file and call it a test would you? Then why is testing that bypasses many modules of products considered the same?
1. No
2.
I don't know why these testers bother with contextual analysis.

Personally, on a sample pack (that I create myself), I do a 1st analysis to see if the engine can recognize several samples. You should know that signature recognition is totally OBSOLETE these days, given the millions of new malware being created every day.

Next, I run the unrecognized samples to see if the antivirus will be able to block malicious actions when confronted with the malware. This is what we call behavioral (or pro-active) protection, and it's an added bonus for antivirus programs to stop a potential infection.
Contextual click testing alone is clearly useless.
 

Behold Eck

Level 18
Verified
Top Poster
Well-known
Jun 22, 2014
878
So I do not agree that only Comodo dealt with the malware or the way of dealing was in any way superior.
Never said that Comodo was the only one that would detect itseeing that it was detected by viruscope making detection by others very likely.

Comodo`s more foolproof than superior which helps fools like me have a nice warm fuzzy feeling deep down inside.

Regards Eck :)
 

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
536
What triggers the detection here for most software is the abuse of the name svchost.exe. No useful software has any genuine reason to doppelgäng a native Windows executable.

Yes, the launch of high number of LOLBins is also highly suspicious. In Harmony, we saw that not only that the malware was blocked, but it was also correctly identified as Nova Stealer.

Many other products that we didn’t test would have also blocked the malware.
Harmony blocked a part of War thunder update yesterday and marked a file as malware with confidence of high. :). First time it started doing that. So whatever update they did recently upped their sensitivity.

It also blocked sniper elite 5 as malware with high confidence; that I understand do to Denuvo encryption/ copy protection which is basically a rootkit. Just fyi that whatever update it got. It became more zealous. Lots hope it doesn't go CrowdStrike on us.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Harmony blocked a part of War thunder update yesterday and marked a file as malware with confidence of high. :). First time it started doing that. So whatever update they did recently upped their sensitivity.

It also blocked sniper elite 5 as malware with high confidence; that I understand do to Denuvo encryption/ copy protection which is basically a rootkit. Just fyi that whatever update it got. It became more zealous. Lots hope it doesn't go CrowdStrike on us.
You’ll need to open a service request here and report your findings.

For business products it is normal not to cope too well with game updates, they haven’t got many customers updating games so these executables remain unknown for a prolonged period of time.

As to CrowdStrike, they update internal behavioural monitoring logics daily. Check Point does not do that. The EFR monitoring and capturing logics are updated as part of a product update. If you are worried about CrowdStrike situation, you can stay one version behind, or use the recommended client version.
 
F

ForgottenSeer 114834

1. No
2.
I don't know why these testers bother with contextual analysis.

Personally, on a sample pack (that I create myself), I do a 1st analysis to see if the engine can recognize several samples. You should know that signature recognition is totally OBSOLETE these days, given the millions of new malware being created every day.

Next, I run the unrecognized samples to see if the antivirus will be able to block malicious actions when confronted with the malware. This is what we call behavioral (or pro-active) protection, and it's an added bonus for antivirus programs to stop a potential infection.
Contextual click testing alone is clearly useless.
Signature based scanning, heuristic analysis, URL filtering/web filtering, IPS detection, packet inspection, reputation analysis, real time threat intelligence, collective intelligence. These are all examples of pre-execution methods.

These are typically bolstered in many products but rarely tested. It's fine to test separate modules to see how they perform but not fine to state a product is unable if you do not test it fully. I'm not sure why that can not be understood here but by a few.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
These are typically bolstered in many products but rarely tested. It's fine to test separate modules to see how they perform but not fine to state a product is unable if you do not test it fully. I'm not sure why that can not be understood here but by a few.
The malware distribution method must always be taken into account. Majority of malware does not just come like that, out of the blue. It needs to be downloaded or saved from an email. Very few malware families possess automatic spreading mechanisms (such as the Dinihou worm that used to replace files on flash drive with malicious shortcut to these files and installed NJRAT).

Whilst any other test may be interesting to geeks, you cannot state that a product is “oblivious to malware” when you did not test products using the realistic distribution method.
 

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
536
You’ll need to open a service request here and report your findings.

For business products it is normal not to cope too well with game updates, they haven’t got many customers updating games so these executables remain unknown for a prolonged period of time.

As to CrowdStrike, they update internal behavioural monitoring logics daily. Check Point does not do that. The EFR monitoring and capturing logics are updated as part of a product update. If you are worried about CrowdStrike situation, you can stay one version behind, or use the recommended client version.
Will do but honestly been gaming up with it for the past 1.5 years and this is basically the first time it detected two legit game files (I double checked them and they were all signed by respective companies). In the past it picked up a trainer or a memory value scanner which was totally understandable since neither one of those files were signed and the functions they performed (patch memory of another process) are part of the MiTRE attack framework.

And honestly they xan crowdstrike my system away. At least maybe I can act as a warning beacon (due to my unusual use case) for them to investigate before major infrastructure gets affected. So I do not worry about it going all bottoms up on me (daily backups).
 

tofargone

Level 6
Jun 24, 2024
264
I'm always confused by the fight that exists between good and evil.

One one side we have the evil intention of infecting a server or PC. This then is the bad person.

One the other side is the vendor / business, who creates a solution to protect the server or PC, while seeking a profit for his efforts. This is the good person.

Sadly with ALL the companies, who must be counted in the multitudes, we don't have even one, that all the great minds here at MWT's can proclaim to be a winner, the best at his craft.

You would think the winner would be the one with the most revenue, or customer base, maybe Norton, or Microsoft. But that isn't true.

Even AI has been able to make a virus that can't be detected, can they not make a solution that can win at every turn? Can't someone make a tool that can overcome.?

I'm sure we would all use it.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
You would think the winner would be the one with the most revenue, or customer base, maybe Norton, or Microsoft. But that isn't true.
They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.

Now, getting on to what’s hot on the market, users like convenience and automation and for that, they are ready to pay. This has been proven times and times again, this has been the business model historically of many companies and products and generates billions.

The “let me ask the user” approach is not preferred. Majority of users don’t care whether or not wuaclt.exe will inject a module into svchost.exe.
This approach works only for a very small audience and it is up to a vendor to decide whether they want to cater for a football game in a Dutch village or for the UEFA final game (Hopefully at Wembley Stadium one day).

Vendors have developed automated and layered solutions that provide sufficient security to real people, encountering real-life situations. This method has not been proven to not work.

I invite everyone who believes that asking the user is better than automation, to go and do their laundry at the river as well, with the laundry soap. This is more “effective” than using a washer. But does more effective always equal better? I’ll let you answer that for yourself.
 

Decopi

Level 8
Verified
Oct 29, 2017
361
So in the end, Comodo Firewall will block it, or it will be user dependent?

The Comodo antivirus module is garbage… useless.
And the Containment module, it's not a virus/malware detector, it's just a dumb binary blocker (full of dangerous unfixed bugs), it allows "known" files, and blocks "unknown" ones.
Viruscope also does not detect virus/malware, it only (sometimes) detects (some) behaviors.

Therefore, Comodo depends 100% on the user's final decision to allow or block a file. It's good to remember that Melih and the entire Comodo' staff have already said a thousand times that "they are not user babysitters" (users are the ones who make the final decisions).

The million dollar question is: If the security of a computer always depends on the user... then Comodo is unnecessary... elemental logic!
 
Last edited:

rashmi

Level 12
Jan 15, 2024
577
So in the end, Comodo Firewall will block it, or it will be user dependent?
Comodo Firewall will run it in containment. The firewall alert will depend on your settings. According to @cruelsister and some users in different discussions, her suggested "restricted" setting prevents network connections. However, I haven't tested it, and the help files don't mention it.
 

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
536
They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.

Now, getting on to what’s hot on the market, users like convenience and automation and for that, they are ready to pay. This has been proven times and times again, this has been the business model historically of many companies and products and generates billions.

The “let me ask the user” approach is not preferred. Majority of users don’t care whether or not wuaclt.exe will inject a module into svchost.exe.
This approach works only for a very small audience and it is up to a vendor to decide whether they want to cater for a football game in a Dutch village or for the UEFA final game (Hopefully at Wembley Stadium one day).

Vendors have developed automated and layered solutions that provide sufficient security to real people, encountering real-life situations. This method has not been proven to not work.

I invite everyone who believes that asking the user is better than automation, to go and do their laundry at the river as well, with the laundry soap. This is more “effective” than using a washer. But does more effective always equal better? I’ll let you answer that for yourself.
It's all well and good but what if svchost.exe doesn't want to be injected by wuaclt.exe? I mean fine you both live in the same environment but did wuaclt.exe buy svchost.exe dinner first?!!! You can't just willy nilly go around and injecting yourself into strange processes without their consent that just plain rude!
 
Last edited:

n8chavez

Level 20
Well-known
Feb 26, 2021
972
Sorry for the dense question. Today's not been a good day. That "stealer" CPF was tested against was correctly signed, was it not? If that was the case, then apps like Cyberlock, Spyshelter, etc., which rely on signing verification will be of little to no use here. Am I right? Maybe it's time to look elsewhere if they can be circumvented so easily.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top