- Jun 22, 2014
- 878
Other solutions might detect it but would they have dealt with it as well as CFW seeing that the alert was ignored ?
Regards Eck
Regards Eck
You should also agree that route of infection is important testing products full abilities. Pre-execution detection is a preferred method and or should be. Regardless you wouldn't just perform a context scan on a inert file and call it a test would you? Then why is testing that bypasses many modules of products considered the same?I've shared other screenshots showing Avast, Norton, Microsoft Defender (with Machine Learning detection) and Bitdefender also blocking this malware
Comodo sandboxes anything unknown, that much we know. VirusScope's detection was, for me, logical, given that the malware launches various Powershell commands at runtime.
But I agree with you on one point: Comodo isn't the only one capable of blocking this type of malware
There were no alerts, prompts, ifs and buts. Upon launch, Norton, Avast, Bitdefender and Check Point Harmony automatically remediated the malware, with Harmony going as far as identifying the malware type, and not some generic name. Some of its components were first seen 20 days ago.Other solutions might detect it but would they have dealt with it as well as CFW seeing that the alert was ignored ?
Regards Eck
1. NoRegardless you wouldn't just perform a context scan on a inert file and call it a test would you? Then why is testing that bypasses many modules of products considered the same?
Never said that Comodo was the only one that would detect itseeing that it was detected by viruscope making detection by others very likely.So I do not agree that only Comodo dealt with the malware or the way of dealing was in any way superior.
Harmony blocked a part of War thunder update yesterday and marked a file as malware with confidence of high. . First time it started doing that. So whatever update they did recently upped their sensitivity.What triggers the detection here for most software is the abuse of the name svchost.exe. No useful software has any genuine reason to doppelgäng a native Windows executable.
Yes, the launch of high number of LOLBins is also highly suspicious. In Harmony, we saw that not only that the malware was blocked, but it was also correctly identified as Nova Stealer.
Many other products that we didn’t test would have also blocked the malware.
You’ll need to open a service request here and report your findings.Harmony blocked a part of War thunder update yesterday and marked a file as malware with confidence of high. . First time it started doing that. So whatever update they did recently upped their sensitivity.
It also blocked sniper elite 5 as malware with high confidence; that I understand do to Denuvo encryption/ copy protection which is basically a rootkit. Just fyi that whatever update it got. It became more zealous. Lots hope it doesn't go CrowdStrike on us.
Signature based scanning, heuristic analysis, URL filtering/web filtering, IPS detection, packet inspection, reputation analysis, real time threat intelligence, collective intelligence. These are all examples of pre-execution methods.1. No
2.
I don't know why these testers bother with contextual analysis.
Personally, on a sample pack (that I create myself), I do a 1st analysis to see if the engine can recognize several samples. You should know that signature recognition is totally OBSOLETE these days, given the millions of new malware being created every day.
Next, I run the unrecognized samples to see if the antivirus will be able to block malicious actions when confronted with the malware. This is what we call behavioral (or pro-active) protection, and it's an added bonus for antivirus programs to stop a potential infection.
Contextual click testing alone is clearly useless.
The malware distribution method must always be taken into account. Majority of malware does not just come like that, out of the blue. It needs to be downloaded or saved from an email. Very few malware families possess automatic spreading mechanisms (such as the Dinihou worm that used to replace files on flash drive with malicious shortcut to these files and installed NJRAT).These are typically bolstered in many products but rarely tested. It's fine to test separate modules to see how they perform but not fine to state a product is unable if you do not test it fully. I'm not sure why that can not be understood here but by a few.
Will do but honestly been gaming up with it for the past 1.5 years and this is basically the first time it detected two legit game files (I double checked them and they were all signed by respective companies). In the past it picked up a trainer or a memory value scanner which was totally understandable since neither one of those files were signed and the functions they performed (patch memory of another process) are part of the MiTRE attack framework.You’ll need to open a service request here and report your findings.
For business products it is normal not to cope too well with game updates, they haven’t got many customers updating games so these executables remain unknown for a prolonged period of time.
As to CrowdStrike, they update internal behavioural monitoring logics daily. Check Point does not do that. The EFR monitoring and capturing logics are updated as part of a product update. If you are worried about CrowdStrike situation, you can stay one version behind, or use the recommended client version.
I've set an alarm, tied a string around my finger, and even hired my girlfriend, just to make sure I don't miss a single episode of this new Comodo season - it's pure gold! Thank you for the exclusive access, @Lynx!Personally I was only fulfilling a request by @rashmi who seemed to be bored with the lack of entertainment here now days.
I see a lot of tension and love here. Am I still on MalwareTips?I've set an alarm, tied a string around my finger, and even hired my girlfriend, just to make sure I don't miss a single episode of this new Comodo season - it's pure gold! Thank you for the exclusive access, @Lynx!
They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.You would think the winner would be the one with the most revenue, or customer base, maybe Norton, or Microsoft. But that isn't true.
They created it with their bare hands... "COMODO!" The birth of Comodo marked the beginning of an epic clash between the forces of good and evil - a clash as legendary as the creation itself!I'm always confused by the fight that exists between good and evil.
can they not make a solution that can win at every turn?
So in the end, Comodo Firewall will block it, or it will be user dependent?
Comodo Firewall will run it in containment. The firewall alert will depend on your settings. According to @cruelsister and some users in different discussions, her suggested "restricted" setting prevents network connections. However, I haven't tested it, and the help files don't mention it.So in the end, Comodo Firewall will block it, or it will be user dependent?
It's all well and good but what if svchost.exe doesn't want to be injected by wuaclt.exe? I mean fine you both live in the same environment but did wuaclt.exe buy svchost.exe dinner first?!!! You can't just willy nilly go around and injecting yourself into strange processes without their consent that just plain rude!They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.
Now, getting on to what’s hot on the market, users like convenience and automation and for that, they are ready to pay. This has been proven times and times again, this has been the business model historically of many companies and products and generates billions.
The “let me ask the user” approach is not preferred. Majority of users don’t care whether or not wuaclt.exe will inject a module into svchost.exe.
This approach works only for a very small audience and it is up to a vendor to decide whether they want to cater for a football game in a Dutch village or for the UEFA final game (Hopefully at Wembley Stadium one day).
Vendors have developed automated and layered solutions that provide sufficient security to real people, encountering real-life situations. This method has not been proven to not work.
I invite everyone who believes that asking the user is better than automation, to go and do their laundry at the river as well, with the laundry soap. This is more “effective” than using a washer. But does more effective always equal better? I’ll let you answer that for yourself.