Comodo Internet Security 11 Review | Test vs Malware

Absolutely. If you are installing something that you are CONVINCED is legitimate you WILL install it no matter what a HIPS or a BB says. Never deceive yourself otherwise!!

This is the TERROR of highly signed malware.
 
clean the cert list
add some trusted vendors
disable cloud lookup
use sandbox CS settings and allow manual decision (disable autoblock)
set the HIPS to paranoid if you are paranoid like me :D (turn on training mode beforehand to build a trusted list, only if you are sure that your system is clean)
don't install unknown files from unknown sources
use basic security extensions in web browsers and launch the browser in sandbox mode
tweak the OS to have advanced security

and finally use a virtual machine if you are crazy paranoid
Absolutely. If you are installing something that you are CONVINCED is legitimate you WILL install it no matter what a HIPS or a BB says. Never deceive yourself otherwise!!

This is the TERROR of highly signed malware.
Who would waste a highly signed malware on me though is the real question. Such files will be used for targeted attacks, because the moment you start spreading it randomly your certificate will get axed faster than you think.
 
Who would waste a highly signed malware on me though is the real question. Such files will be used for targeted attacks, because the moment you start spreading it randomly your certificate will get axed faster than you think.
What about the CCleaner fiasco? That malware was meant to target a broad audience...
 
What about the CCleaner fiasco? That malware was meant to target a broad audience...
The malware got distributed to a broad audience as a way to get to its optimal targets, but anyway I don't consider Piriform a highly trusted signer and I don't add those to my trusted vendors.
For me those are Adobe, MS, Mozilla, Google, Skype, your antivirus vendor, popular game vendors, Intel. You get the idea, I guess.
 
Absolutely. If you are installing something that you are CONVINCED is legitimate you WILL install it no matter what a HIPS or a BB says. Never deceive yourself otherwise!!

This is the TERROR of highly signed malware.

They install it without ever checking a single thing in the first place.

Click, download, run.

Make it so people cannot do any of that, and that would be one gigantic leap towards solving the malware/data theft problem. No one can deny that fact.

It's a solution that is so stupidly simple that it's brilliant. Positively brilliant.
 
Not really, the writer stupidly let the malware keep calling home, hence it was detected before infecting people.
If he had postponed the calling, no one would have noticed it was weaponized before thousands of machines had been infected.
LOL, have we gotten smarter or have devs become more stupid?
By postponing the call do you mean like a logic bomb? Call back home after x time or x action, and not immediately after launch?
 
Call back home after x time or x action, and not immediately after launch?

Yes- I personally just love this approach. The two main ways such a delay can be implemented are either a simple delay in execution (SleepEx [whatever time you want]) or an API call (GetLocalTime)- commonly called a Time Trigger- where the malware will activate at some time in the future that the Blackhat determines. It's a bit complicated, but in essence it results in a permanent loop until the specified time is reached.

An undocumented variant on this theme is one that Ophelia coded (I never would have thought of it, being Kind and Gentle) that was used in my Boot Time Protection series a few years back. The malware would sleep until a certain action was taken (like a reboot), and only then would the payload be dropped and set to restart on system start. The drop would occur at a point too late for an AV to respond, and it would start before any AV without boot time protection could prevent it. Sharing this method with my nemesis Kaspersky (I'm firm but fair) led to their inclusion of boot time protection for K products released after 2017.
 
COMODO HIPS is a good learning tool. SpyShelter HIPS is even better. Kaspersky, ESET, other HIPS... too many problems. However, almost no one bothers to learn to use a HIPS. Shame. It is one of the best learning tools/methods.

Do you mean Spyshelter is a better learning tool, or would provide better protection?
 