App Review Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

SHvFl

Click on "Human Expert Analysis" tab. :)

Human Expert Analysis Results
Analysis Start Date: 2016-10-22 22:32:14 ( 8 days ago )
Analysis End Date: 2016-10-22 22:46:34 ( 8 days ago )
File Upload Date: 2016-10-22 20:25:13 ( 8 days ago )
Update Date: 2016-10-30 17:50:55 ( 26 minutes ago )
Human Expert Analyst Feedback: malware
Verdict: Malware
I see. Their summary is flawed then. It should have shown last human expert analyst feedback date.
 
Wave

Sandboxie is the answer :) (+ Qihoo with all engines enabled)
Comodo sandbox is much more sophisticated than Sandboxie. If someone can bypass Comodo Sandbox (which most likely revolves around real virtualisation via utilisation of Intel VM-x/AMD SVM - like a real virtual machine does) then they can bypass Sandboxie.

Believe it or not, Sandboxie mostly revolves around user-mode API hooks via DLL injection (like HIPS normally works) and redirects the functions from its own callback, whilst running the program under a different user account - those sorts of things. I doubt it utilises any real virtualisation for its sandboxing.
 
Wave

I know how sandboxie works, that's why I said +Qihoo.
Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".

Maybe I just misunderstood what you really meant at first, but how I read your post is telling me that you said Sandboxie would be a better alternate to Comodo Sandbox in terms of security (since this is about a bypass).

Sorry if I misunderstood you. :)
 

Davidov

Thread author
Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".

Maybe I just misunderstood what you really meant at first, but how I read your post is telling me that you said Sandboxie would be a better alternate to Comodo Sandbox in terms of security (since this is about a bypass).

Sorry if I misunderstood you. :)
I tried a sample of Sandboxie and outside the video, everything was ok but if you delete trustworthy supplier in Comodo will take all OK. Comodo's whitelist leaky power suppliers and unfortunately had vetted.
 
yigido

@Wave should I remind you of some of my PMs ;)

I tried a sample of Sandboxie and outside the video, everything was ok but if you delete trustworthy supplier in Comodo will take all OK. Comodo's whitelist leaky power suppliers and unfortunately had vetted.
Comodo lets any file run if the file verdict is "safe". You can run the file in Comodo sandbox manually, just like you did with Sandboxie.
 

SHvFl

They had to react quickly to the public thing what if this technique nini exploits against corporations using Comodo .-)))
It should be automatic and showing the date of the last verdict. If it's not automatic then it should become automatic. Anyway, not really important. What I want to know is why the first guy marked it as safe, but I am sure no Comodo guy will appear here and tell me.
 

Davidov

Thread author
Currently it too me wonder why voodooshield dissembled also lock down hath not such a big whitelist or that it had any same location for collecting data ?? Possible given it out for us men to send him a sample.
 

shmu26

You can keep HIPS and Viruscope enabled.
Deselect the option on "Viruscope Settings" #Analyze only sandboxed process
So Viruscope will be checking its actions, and good news, Viruscope in CIS 10 is more powerful than CIS 8
I can only hope that Viruscope would catch it, because if it has trusted status, then HIPS will stay pretty quiet.
 
Ramona

Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".

Maybe I just misunderstood what you really meant at first, but how I read your post is telling me that you said Sandboxie would be a better alternate to Comodo Sandbox in terms of security (since this is about a bypass).

Sorry if I misunderstood you. :)

It is, if you download and install Sandboxie and then download the sample and test it you will see mod edit. I also said Qihoo because it has amazing HIPS/BB so if anything will bypass Qihoo will get it.
 
Wave

It is, if you download and install Sandboxie and then download the sample and test it you will see . I also said Qihoo because it has amazing HIPS/BB so if anything will bypass Qihoo will get it.
I can't believe you just said this... You clearly don't understand how Sandboxie works like you said you did or you wouldn't have said this.

Hmm... I will explain a bit about how Sandboxie works for you:
When Sandboxie runs a program "isolated" it will be executed under a different user account (NT AUTHORITY\ANONYMOUS LOGON). There will be a DLL injected into the address space of this process called SbieDll.dll: [screenshot]

[screenshot] (program being isolated will be under this account also)

Within this DLL (SbieDll.dll) there is an exported function called SbieDll_Hook: [screenshot] - this function is used to hook many functions, even MessageBoxA and MessageBoxW (to my surprise).

This SbieDll_Hook function takes in 3 parameters (char*, __int64 and __int64) - __int64 are real data types but I'd have to check the plugin definitions in IDA Pro for more information.

It hooks so many functions it would take me a long time to make you a list. It hooks not only NTAPI functions but many Win32 functions also.

As well as this, Sandboxie has a device driver which it talks to.

Have you read the information in the above spoiler? If not read it, then continue reading. Now you have read the spoiler, I will re-explain myself:
Comodo sandbox is much more sophisticated than Sandboxie. If someone can bypass Comodo Sandbox (which most likely revolves around real virtualisation via utilisation of Intel VM-x/AMD SVM - like a real virtual machine does) then they can bypass Sandboxie.

Let's go through this together in case you didn't read the above properly:
1. Comodo Sandbox should work via real virtualisation methods (real virtualisation - utilisation of VT-X technology for example).
2. Sandboxie revolves around user-mode hooking like a BB/HIPS system.

Therefore, if someone knows how to bypass the Comodo Sandbox, they will also know how to bypass Sandboxie. At NO point did I say the sample will also bypass Sandboxie (the one used in this video). I just stated that Comodo Sandbox is much more sophisticated than Sandboxie due to how the technology works, and that if someone is experienced enough to write code to bypass Comodo Sandbox, they'll know how to bypass Sandboxie also.

Nor did I even say that the sample in this video did bypass Comodo sandbox. I just replied to your post which implies you are claiming Sandboxie is better in terms of protection:
Sandboxie is the answer :) (+ Qihoo with all engines enabled)

Regardless of what you meant in your post:
Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".


Also, if you can bypass Sandboxie hooks you can bypass Qihoo the EXACT same way...

Are we on the same page now? ;)
I hope we are, because if we aren't it's too bad, I'm done with this thread... If you don't want to believe me or think I am stupid then that's fine, but it's your loss.

If you think you are the expert and know how things work then please feel free to explain to me how both products work so you can help my knowledge instead, because if I am wrong, it'd be nice for you to correct me and explain why I am wrong instead of just saying I know nothing and assuming you are right.
 
Wave

mod edit

This discussion was about Comodo, I quoted you about what you said to explain how Comodo was more advanced than Sandboxie based on how the internals work and how a cat fight has started up which isn't needed because you didn't believe me.

I've just tried to correct you and explain why Comodo is better in terms of how it works but you don't care. You are just interested in causing trouble and you've done this elsewhere in past few weeks... Little posts directed at me, your friends stalking me..


Let's end this now before the thread gets closed.
 
