App Review Comodo Firewall vs a new Data Stealer

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

ForgottenSeer 114834

I've shared other screenshots showing Avast, Norton, Microsoft Defender (with Machine Learning detection) and Bitdefender also blocking this malware :)

Comodo sandboxes anything unknown, that much we know. VirusScope's detection was, for me, logical, given that the malware launches various PowerShell commands at runtime.

But I agree with you on one point: Comodo isn't the only one capable of blocking this type of malware :)
You should also agree that the route of infection is important in testing products' full abilities. Pre-execution detection is a preferred method, and/or should be. Regardless, you wouldn't just perform a context scan on an inert file and call it a test, would you? Then why is testing that bypasses many modules of products considered the same?
 

Trident

Other solutions might detect it but would they have dealt with it as well as CFW seeing that the alert was ignored ?

Regards Eck :)
There were no alerts, prompts, ifs and buts. Upon launch, Norton, Avast, Bitdefender and Check Point Harmony automatically remediated the malware, with Harmony going as far as identifying the malware type, and not some generic name. Some of its components were first seen 20 days ago.

Trend Micro would have issued a warning not to run the file. The user can’t ignore this warning unless they try to run it a second time, which they shouldn’t.

Kaspersky with a properly set-up application control/IDS would have blocked execution.

Microsoft Defender also dealt with the malware and tools from Andy Ful could have stopped the execution of LOLBins which is essential for the malware logical flow.

In addition, many products can be configured to display these prompts whether or not something is allowed to connect to the internet, it is not something unique to Comodo.

So I do not agree that only Comodo dealt with the malware or the way of dealing was in any way superior.
 

Shadowra

Regardless, you wouldn't just perform a context scan on an inert file and call it a test, would you? Then why is testing that bypasses many modules of products considered the same?
1. No
2. I don't know why these testers bother with contextual analysis.

Personally, on a sample pack (that I create myself), I do a 1st analysis to see if the engine can recognize several samples. You should know that signature recognition is totally OBSOLETE these days, given the millions of new malware being created every day.

Next, I run the unrecognized samples to see if the antivirus will be able to block malicious actions when confronted with the malware. This is what we call behavioral (or pro-active) protection, and it's an added bonus for antivirus programs to stop a potential infection.
Contextual click testing alone is clearly useless.
 

Behold Eck

So I do not agree that only Comodo dealt with the malware or the way of dealing was in any way superior.
Never said that Comodo was the only one that would detect it, seeing that it was detected by VirusScope, making detection by others very likely.

Comodo`s more foolproof than superior which helps fools like me have a nice warm fuzzy feeling deep down inside.

Regards Eck :)
 

cartaphilus

What triggers the detection here for most software is the abuse of the name svchost.exe. No useful software has any genuine reason to doppelgäng a native Windows executable.

Yes, the launch of high number of LOLBins is also highly suspicious. In Harmony, we saw that not only that the malware was blocked, but it was also correctly identified as Nova Stealer.

Many other products that we didn’t test would have also blocked the malware.
Harmony blocked part of a War Thunder update yesterday and marked a file as malware with high confidence :) First time it has done that. So whatever update they did recently upped their sensitivity.

It also blocked Sniper Elite 5 as malware with high confidence; that I understand, due to Denuvo encryption/copy protection, which is basically a rootkit. Just FYI that whatever update it got, it became more zealous. Let's hope it doesn't go CrowdStrike on us.
 

Trident

Harmony blocked part of a War Thunder update yesterday and marked a file as malware with high confidence :) First time it has done that. So whatever update they did recently upped their sensitivity.

It also blocked Sniper Elite 5 as malware with high confidence; that I understand, due to Denuvo encryption/copy protection, which is basically a rootkit. Just FYI that whatever update it got, it became more zealous. Let's hope it doesn't go CrowdStrike on us.
You’ll need to open a service request here and report your findings.

For business products it is normal not to cope too well with game updates, they haven’t got many customers updating games so these executables remain unknown for a prolonged period of time.

As to CrowdStrike, they update internal behavioural monitoring logics daily. Check Point does not do that. The EFR monitoring and capturing logics are updated as part of a product update. If you are worried about CrowdStrike situation, you can stay one version behind, or use the recommended client version.
 

ForgottenSeer 114834

1. No
2. I don't know why these testers bother with contextual analysis.

Personally, on a sample pack (that I create myself), I do a 1st analysis to see if the engine can recognize several samples. You should know that signature recognition is totally OBSOLETE these days, given the millions of new malware being created every day.

Next, I run the unrecognized samples to see if the antivirus will be able to block malicious actions when confronted with the malware. This is what we call behavioral (or pro-active) protection, and it's an added bonus for antivirus programs to stop a potential infection.
Contextual click testing alone is clearly useless.
Signature-based scanning, heuristic analysis, URL filtering/web filtering, IPS detection, packet inspection, reputation analysis, real-time threat intelligence, collective intelligence. These are all examples of pre-execution methods.

These are typically bolstered in many products but rarely tested. It's fine to test separate modules to see how they perform, but not fine to state a product is unable if you do not test it fully. I'm not sure why that cannot be understood here but by a few.
 

Trident

These are typically bolstered in many products but rarely tested. It's fine to test separate modules to see how they perform, but not fine to state a product is unable if you do not test it fully. I'm not sure why that cannot be understood here but by a few.
The malware distribution method must always be taken into account. The majority of malware does not just come like that, out of the blue. It needs to be downloaded or saved from an email. Very few malware families possess automatic spreading mechanisms (such as the Dinihou worm that used to replace files on flash drives with malicious shortcuts to these files and installed njRAT).

Whilst any other test may be interesting to geeks, you cannot state that a product is “oblivious to malware” when you did not test products using the realistic distribution method.
 

cartaphilus

You’ll need to open a service request here and report your findings.

For business products it is normal not to cope too well with game updates, they haven’t got many customers updating games so these executables remain unknown for a prolonged period of time.

As to CrowdStrike, they update internal behavioural monitoring logics daily. Check Point does not do that. The EFR monitoring and capturing logics are updated as part of a product update. If you are worried about CrowdStrike situation, you can stay one version behind, or use the recommended client version.
Will do, but honestly I've been gaming with it for the past 1.5 years and this is basically the first time it detected two legit game files (I double-checked them and they were all signed by their respective companies). In the past it picked up a trainer or a memory value scanner, which was totally understandable since neither of those files was signed and the functions they performed (patching the memory of another process) are part of the MITRE ATT&CK framework.

And honestly they can CrowdStrike my system away. At least maybe I can act as a warning beacon (due to my unusual use case) for them to investigate before major infrastructure gets affected. So I do not worry about it going all bottoms up on me (daily backups).
 

tofargone

I'm always confused by the fight that exists between good and evil.

On one side we have the evil intention of infecting a server or PC. This, then, is the bad person.

On the other side is the vendor/business, who creates a solution to protect the server or PC while seeking a profit for his efforts. This is the good person.

Sadly, with ALL the companies, who must be counted in the multitudes, we don't have even one that all the great minds here at MWT can proclaim to be a winner, the best at his craft.

You would think the winner would be the one with the most revenue, or customer base, maybe Norton, or Microsoft. But that isn't true.

Even AI has been able to make a virus that can't be detected; can they not make a solution that can win at every turn? Can't someone make a tool that can overcome?

I'm sure we would all use it.
 

Trident

You would think the winner would be the one with the most revenue, or customer base, maybe Norton, or Microsoft. But that isn't true.
They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.

Now, getting on to what’s hot on the market, users like convenience and automation and for that, they are ready to pay. This has been proven time and time again, this has been the business model historically of many companies and products and generates billions.

The “let me ask the user” approach is not preferred. The majority of users don’t care whether or not wuauclt.exe will inject a module into svchost.exe.
This approach works only for a very small audience and it is up to a vendor to decide whether they want to cater for a football game in a Dutch village or for the UEFA final game (Hopefully at Wembley Stadium one day).

Vendors have developed automated and layered solutions that provide sufficient security to real people, encountering real-life situations. This method has not been proven to not work.

I invite everyone who believes that asking the user is better than automation, to go and do their laundry at the river as well, with the laundry soap. This is more “effective” than using a washer. But does more effective always equal better? I’ll let you answer that for yourself.
 

Decopi

So in the end, Comodo Firewall will block it, or it will be user dependent?

The Comodo antivirus module is garbage… useless.
And the Containment module, it's not a virus/malware detector, it's just a dumb binary blocker (full of dangerous unfixed bugs), it allows "known" files, and blocks "unknown" ones.
Viruscope also does not detect virus/malware, it only (sometimes) detects (some) behaviors.

Therefore, Comodo depends 100% on the user's final decision to allow or block a file. It's good to remember that Melih and the entire Comodo staff have already said a thousand times that "they are not user babysitters" (users are the ones who make the final decisions).

The million dollar question is: If the security of a computer always depends on the user... then Comodo is unnecessary... elemental logic!
 

rashmi

So in the end, Comodo Firewall will block it, or it will be user dependent?
Comodo Firewall will run it in containment. The firewall alert will depend on your settings. According to @cruelsister and some users in different discussions, her suggested "restricted" setting prevents network connections. However, I haven't tested it, and the help files don't mention it.
 

cartaphilus

They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.

Now, getting on to what’s hot on the market, users like convenience and automation and for that, they are ready to pay. This has been proven time and time again, this has been the business model historically of many companies and products and generates billions.

The “let me ask the user” approach is not preferred. The majority of users don’t care whether or not wuauclt.exe will inject a module into svchost.exe.
This approach works only for a very small audience and it is up to a vendor to decide whether they want to cater for a football game in a Dutch village or for the UEFA final game (Hopefully at Wembley Stadium one day).

Vendors have developed automated and layered solutions that provide sufficient security to real people, encountering real-life situations. This method has not been proven to not work.

I invite everyone who believes that asking the user is better than automation, to go and do their laundry at the river as well, with the laundry soap. This is more “effective” than using a washer. But does more effective always equal better? I’ll let you answer that for yourself.
It's all well and good, but what if svchost.exe doesn't want to be injected by wuauclt.exe? I mean, fine, you both live in the same environment, but did wuauclt.exe buy svchost.exe dinner first?!!! You can't just willy-nilly go around injecting yourself into strange processes without their consent; that's just plain rude!
 

n8chavez

Sorry for the dense question. Today's not been a good day. That "stealer" CPF was tested against was correctly signed, was it not? If that was the case, then apps like Cyberlock, Spyshelter, etc., which rely on signing verification will be of little to no use here. Am I right? Maybe it's time to look elsewhere if they can be circumvented so easily.
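
Two of the technical points in this thread can be made concrete in code: the svchost.exe name abuse quoted in cartaphilus's post (a legitimate svchost.exe lives in System32, is started by services.exe and is signed by Microsoft), and n8chavez's question about whether a correctly signed stealer gets past products that lean on signature verification. The script below is an added example written for this page; it is not code from the thread, from Comodo, or from any product named here. It runs three checks over a constructed, Sysmon-style process tree: a name-masquerade check, a check that treats a valid signature as identity rather than trust (the signer must be on an allowlist), and a simple behaviour check for an unknown process fanning out into LOLBins. The event fields, the publisher allowlist, the two-LOLBin threshold and the publisher name "Contoso Software Ltd" are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM32 = r"c:\windows\system32"
# Assumption: publishers whose signature we treat as trust, not just identity.
TRUSTED_PUBLISHERS = {"microsoft windows", "microsoft corporation"}
# Living-off-the-land binaries commonly chained by loaders and stealers.
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Windows system images and the parent that normally starts them.
SYSTEM_IMAGES = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                    # full path of the executable
    signed: bool                  # Authenticode signature present and valid
    signer: Optional[str] = None  # leaf certificate subject, if signed


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def publisher_trusted(e: ProcEvent, trusted=TRUSTED_PUBLISHERS) -> bool:
    return e.signed and (e.signer or "").lower() in trusted


def triage(events: List[ProcEvent]) -> Dict[int, dict]:
    by_pid = {e.pid: e for e in events}
    results: Dict[int, dict] = {}
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else None
        reasons: List[str] = []

        # 1. Name masquerade: a system image name must come from System32,
        #    from its usual parent, and be signed by the OS vendor.
        if name in SYSTEM_IMAGES:
            if not e.image.lower().startswith(SYSTEM32 + "\\"):
                reasons.append(f"masquerade: {name} loaded from {e.image}")
            if parent_name != SYSTEM_IMAGES[name]:
                reasons.append(f"masquerade: {name} started by {parent_name}, "
                               f"expected {SYSTEM_IMAGES[name]}")
            if not publisher_trusted(e):
                reasons.append(f"masquerade: {name} not signed by OS vendor")

        # 2. A signature is identity, not trust. A valid signature from a
        #    publisher we do not know still leaves the file "unknown".
        if not e.signed:
            reasons.append("unknown: unsigned")
        elif not publisher_trusted(e):
            reasons.append(f"unknown: signed by non-allowlisted '{e.signer}'")

        # 3. Behaviour: an unknown process spawning several LOLBins.
        lol = sorted(basename(c.image) for c in events
                     if c.ppid == e.pid and basename(c.image) in LOLBINS)
        if len(lol) >= 2 and not publisher_trusted(e):
            reasons.append(f"behaviour: spawned LOLBins {', '.join(lol)}")

        if any(r.startswith(("masquerade", "behaviour")) for r in reasons):
            verdict = "block"
        elif reasons:
            verdict = "contain"   # unknown: sandbox it or ask, rather than allow
        else:
            verdict = "allow"
        results[e.pid] = {"name": name, "verdict": verdict, "reasons": reasons}
    return results


# Constructed process tree (not real telemetry). ppid 0 means the parent is
# not in the snapshot. "Contoso Software Ltd" stands in for any freshly
# obtained code-signing certificate; it is an assumed, not a real, publisher.
SAMPLE_EVENTS = [
    ProcEvent(600, 0, r"C:\Windows\System32\services.exe", True, "Microsoft Windows"),
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", True, "Microsoft Windows"),
    ProcEvent(3000, 0, r"C:\Windows\explorer.exe", True, "Microsoft Windows"),
    # the "stealer": validly signed, but named svchost.exe, dropped in %APPDATA%,
    # started from Explorer, and spawning two LOLBins
    ProcEvent(4100, 3000, r"C:\Users\alice\AppData\Roaming\svchost.exe", True, "Contoso Software Ltd"),
    ProcEvent(4120, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True, "Microsoft Windows"),
    ProcEvent(4130, 4100, r"C:\Windows\System32\cmd.exe", True, "Microsoft Windows"),
    # a validly signed but unknown application: contain, do not auto-allow
    ProcEvent(5000, 3000, r"C:\Program Files\Contoso\ContosoApp.exe", True, "Contoso Software Ltd"),
    ProcEvent(5100, 3000, r"C:\Users\alice\Downloads\setup.exe", False),
]

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_EVENTS).items():
        print(f"{pid:5} {r['name']:16} {r['verdict']:7} {'; '.join(r['reasons'])}")
```

The point of rule 2 is the answer to the signing question: a tool that maps "valid signature" to "allow" will pass the signed stealer, while a tool that maps a valid signature to "this publisher" and then asks whether that publisher is known still lands it in the unknown bucket, where rules 1 and 3 do the rest.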
 
