App Review Comodo Firewall vs a test Keylogger


cruelsister (Thread author)
Sometime last week I made the mistake of viewing a number of videos regarding a Comodo "Breach" by a RAT; as usual, the settings of Comodo employed during these tests weren't specified. I wondered how a Show and Tell video could be created to point out the ways something like an unknown RAT could be stopped by Comodo at proper settings. But as RATs may be difficult to use as examples, I am using the excellent Python-coded test keylogger developed by Sam Bowne (both RATs and keyloggers must establish themselves locally, then connect out onto the network).

So although nothing really fancy here, it is another example of how using certain Comodo settings may be beneficial and why an inbound-only firewall is without value.
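The point that a keylogger or RAT has to connect out is exactly the part an inbound-only firewall never sees. As an added example (not cruelsister's video and not Comodo's configuration), here is the same outbound default-deny policy expressed for Windows Defender Firewall; the program paths are placeholders, and the commands assume an elevated PowerShell with the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the video or from Comodo: the "control what
# connects OUT" policy applied to Windows Defender Firewall.
# Assumptions: elevated PowerShell, NetSecurity module present; the
# program paths below are placeholders, adjust them for the host.

# 1. Default-deny in BOTH directions. Inbound is already Block by default;
#    outbound is the direction an inbound-only setup leaves wide open.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Log dropped packets, so an unknown program's first connect-out attempt
#    leaves a trace in the log instead of failing silently.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Core OS services that legitimately need out (DNS, DHCP, Windows Update),
#    scoped to the service name rather than to svchost.exe as a whole.
foreach ($svc in 'Dnscache','Dhcp','wuauserv') {
    New-NetFirewallRule -DisplayName "Out allow: $svc" -Direction Outbound `
        -Action Allow -Service $svc -Program '%SystemRoot%\System32\svchost.exe'
}

# 4. Explicit allow list of user programs (placeholder paths).
$allowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Program Files\Avira\Antivirus\avupdate.exe'   # placeholder updater path
)
foreach ($exe in $allowedPrograms) {
    New-NetFirewallRule -DisplayName "Out allow: $(Split-Path $exe -Leaf)" `
        -Direction Outbound -Action Allow -Program $exe
}

# 5. Check: every enabled outbound Allow rule and the program it applies to.
#    A program listed here that you do not recognise is a hole in the policy.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $prog }
    } | Sort-Object Program | Format-Table -AutoSize
```

Unlike Comodo's auto-sandbox, Windows Firewall has no file-rating step and no prompt: an unlisted program is simply blocked from connecting out and logged, so review the allow list (and the built-in "Core Networking" rules the check lists) before relying on it.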

 

hjlbx

+1

Best video yet @cruelsister.

Many thanks...

By the way, just an FYI, the settings for the RAT Comodo-bypass to which you refer were: default Internet Security configuration settings.

The only point the user was attempting to make is that CIS default config and settings provide only mediocre protection. You have to agree he succeeded in establishing a fact of which most of us dedicated CIS users are fully aware. Comodo is fully aware of it too... but that is an entirely different matter.

Anyhow...

to his credit, that user has submitted to Comodo, RATs that really mess with CIS and cause it to malfunction - even using hardened settings.

Malware that can boink CIS is not an unheard of thing... as I occasionally find one amongst samples posted on MT and, believe it or not, those ancient Virussign packs.
 

Kuttz

As usual, a good video from cruelsister which is simple and makes it easy to understand the working of keyloggers. These days CIS is a must-have security software on a PC. Antivirus alone has its own limits in dealing with unknown threats. To my ignorance I first viewed Comodo as below-average security software, but after going through the opinions of expert MT users and doing my own battery of tests to infect my VM OS, I found COMODO's strength in defending against infection or contamination of the system. Currently I am using Comodo Firewall Proactive mode + Avira Free combination which is smooth and safe :)
 

hjlbx

Currently I am using Comodo Firewall Proactive mode + Avira Free combination which is smooth and safe :)

@kuttan

+1

What is the CPU/RAM usage range on your specific system?

All you need with Avira is an initial system scan and, after that, just use real-time file detection day-to-day. I just scanned the system once in a great while... while bored. Avira real-time did the job - although once it detected a file for which there was no signature approximately a month earlier. The file was inactive on the system somewhere in a Temp file... so no big deal.

So this demonstrates, at least to me, that there is some value in performing an occasional full system scan...
 

kmr1684

hehehehehe.......... so you have come back with a video.

So here goes my ranting: Comodo detects that file (keylogger) as an unknown file, so I believe any good anti-exe will prevent it from executing in the first place, so Comodo will only stop its execution. If I say anything more it will be like accusing you. So anyway, whoever uses a classical HIPS like SpyShelter can block before the program starts, so (sorry, I will stop my "so" syndrome now) would you like to add any new thing to argue?

PS: thanks for the video and the new debate
 

kmr1684

@kuttan

+1

What is the CPU/RAM usage range on your specific system?

All you need with Avira is an initial system scan and, after that, just use real-time file detection day-to-day. I just scanned the system once in a great while... while bored. Avira real-time did the job - although once it detected a file for which there was no signature approximately a month earlier. The file was inactive on the system somewhere in a Temp file... so no big deal.

So this demonstrates, at least to me, that there is some value in performing an occasional full system scan...
Like always, I do it once a month with my resident scanner and with a second-opinion scanner; I'd rather scan it properly than be sorry.
 

Kuttz

@kuttan

+1

What is the CPU/RAM usage range on your specific system?

All you need with Avira is an initial system scan and, after that, just use real-time file detection day-to-day. I just scanned the system once in a great while... while bored. Avira real-time did the job - although once it detected a file for which there was no signature approximately a month earlier. The file was inactive on the system somewhere in a Temp file... so no big deal.

So this demonstrates, at least to me, that there is some value in performing an occasional full system scan...

My overall CPU/RAM usage with CFW + Avira Free is almost the same as that of using a standalone antivirus (Avast, AVG) + Windows Firewall combination. So to me, no performance hit anywhere. Actually I found my new combination of security software is faster than Avast Free alone, which is shocking to me, and it's much safer too.

If configured properly, COMODO Firewall can be extremely helpful in defending against some nasty drive-by download malware that unpacks a bucketload of malware onto the system all in a second; if the antivirus fails to detect it, that's it, your system is done. With Comodo you have the option of "yes or no", which is crucial for today's internet.
 

kmr1684

My overall CPU/RAM usage with CFW + Avira Free is almost the same as that of using a standalone antivirus (Avast, AVG) + Windows Firewall combination. So to me, no performance hit anywhere. Actually I found my new combination of security software is faster than Avast Free alone, which is shocking to me, and it's much safer too.

If configured properly, COMODO Firewall can be extremely helpful in defending against some nasty drive-by download malware that unpacks a bucketload of malware onto the system all in a second; if the antivirus fails to detect it, that's it, your system is done. With Comodo you have the option of "yes or no", which is crucial for today's internet.

Sorry to bother you, but generally not only Comodo does this; classical HIPS also do that if you know how to set it correctly and use it properly.
PS: I did not answer your post specifically, but I want to register my thoughts as a whole; I think you can understand what I mean :) :p
 

Kuttz

Sorry to bother you, but generally not only Comodo does this; classical HIPS also do that if you know how to set it correctly and use it properly.
PS: I did not answer your post specifically, but I want to register my thoughts as a whole; I think you can understand what I mean :) :p

No problem bro, you can express what you feel about my comment :). I was just enlightened about the benefits of having HIPS security; naturally the first option that came to my mind was Comodo.
 

hjlbx

I believe any good anti-exe will prevent it from executing in the first place

Set Comodo sandbox to "Block" any Unrecognized files. CIS engineering included that setting to create CIS anti-executable configuration.

Using that setting for the sandbox - any files rated as Unrecognized by CIS - will be blocked.

Here is a perfect example of how the user can configure CIS to behave how they so desire...
 

Deleted member 178

Comodo detects that file (keylogger) as an unknown file, so I believe any good anti-exe will prevent it from executing in the first place, so Comodo will only stop its execution.

It is what Comodo is supposed to do. Now, if you tweak it for max protection, the file isn't able to execute without your consent.
 

jamescv7

Default settings are pretty much as straightforward as possible so as to complement even novice users; that's why the custom tweaks of Comodo are way stronger, which can affect even legitimate files based on the available trusted-list signatures.
 

cruelsister (Thread author)
A couple of things:

1). I was using this particular keylogger as a surrogate for that type of malware that needs Internet access to do its particular damage (RATs, data stealers of diverse types, etc). So stating that Product A or B would stop a keylogger really isn't all that applicable (an anti-logger can stop a keylogger but ignores a RAT).

2). If possible, I have a lower regard for anti-exes than I do for AVs. I have to do a video to demonstrate why, and until then I'll refrain from commenting.

3). Moose- Forget about Kompass. As script based malware can be easily messed with to evade AV's (even very poor ones such as Kompass), definition based protection isn't of much use.

4). Deep down, the strength of the Comodo Sandbox is the extensive white list for which they get very little (if any) credit. The theory being that taking as much decision making out of the hands of the user is a good thing (I agree). While certainly not as robust or elegant as an enterprise sandbox with real-time forensics, it also doesn't cost 60,000 USD.

5). If I ever use/suggest Default settings, please kill me.
 

Deleted member 2913

For users who run free AVs like Avast, BD Free, etc... CIS defaults are a lot better & more effective than those free/paid AVs, with very good usability.
So IMHO, for the majority, CIS defaults are very strong... the only change I would suggest is to set the FW to ask for unknown, if you like.
 

kmr1684

If possible, I have a lower regard for anti-exes than I do for AVs. I have to do a video to demonstrate why, and until then I'll refrain from commenting.
haaaaaa............. Well, everybody has a different approach to the same thing, i.e. how the programs are executing in the system; when they understand the basics of it, then they can create a rule accordingly. Without the basic idea it will be like a blind person trying to find the elephant (I believe you already know the story, because in today's scenario most of the products work like this, because generally the world is like that: it doesn't want to know the basics of how things work, it wants everything in a ready-made package where they can open it, set it and forget it). I think there is nothing worthwhile to argue on this point 2 of yours.:oops::p

I was using this particular keylogger as a surrogate for that type of malware that needs Internet access to do its particular damage (RATs, data stealers of diverse types, etc). So stating that Product A or B would stop a keylogger really isn't all that applicable (an anti-logger can stop a keylogger but ignores a RAT).

If I understand the word surrogate well, you are running it as highly elevated as possible, i.e. in general it means you are running it as a high-privilege user, as the system (Windows) runs it. Even though you run it as such, a HIPS kind of program may interfere at some level, if I understand how M$ Windows works; I may be wrong though. Anyway, can you please shed some light on the working details of how? So I can update myself on what I am missing.:oops::rolleyes:

PS: I do not want to talk about AV behaviour and working methodology; it is a ghost story, nothing can be defined but it is there, it is there, it is there, I know, I know...............:oops:
 

hjlbx

Comodo engineers put block setting options (HIPS, sandbox and firewall) into CIS so that it will function as a "complete" anti-executable... the protection model is premised upon a complete system lock-down while at the same time providing the user with the option to run any Unrecognized files virtually or with user-defined restrictions contained within sandbox (right-click "Run in Comodo sandbox.")

So, in essence, the CIS sandbox is multi-functional in that different sandbox policies are applied to any Unrecognized file, dependent upon how the file is executed. In other words, a CIS user can define two sets of rules for the sandbox: the first for the auto-sandbox and the other for right-click "Run in Comodo sandbox". Executed from the desktop or from within a browser = Block by auto-sandbox, while right-click "Run in Comodo sandbox" = will run virtually or Limited, Untrusted, etc., dependent upon user settings for the sandbox.

This CIS feature isn't explained in the CIS manual... and most users wouldn't know that it exists unless they stumbled upon it...

On top of that, the modules are designed to block any Unrecognized files in cascade fashion should any single module fail: auto-sandbox > HIPS > firewall.

Comodo performed quite a feat of software engineering on that one... perfect trifecta = anti-executable + virtualization + outbound network notifications or Block... and it is the primary reason I use CIS; everything to lock down the system is included in one complete package.
 

Raul90

Very very nice video presentation there cruelsister! I have downloaded it for future reference. I will share this one at the office.
 