App Review Comodo Internet Security vs ChineseRarypt ransomware

[[correlate]]

Content source

https://www.youtube.com/watch?v=hF2TeN5Ha6A&feature=em-uploademail

Comodo Internet Security 12.0.0.6882 (latest version)
ChineseRarypt does not encrypt the files as the typical ransomware does, instead, it places them in password-protected files, which users cannot access unless they pay the ransom fee demanded by the attackers, (the test was performed with the default setting of Comodo), I really thought that the Comodo sandbox would protect the files, I'm not sure what could have happened, maybe it could be due to a defect in the Comodo sandbox, one thing I could see was that only the files on the desktop were affected, (the same location where the ransomware was run), other locations such as the images / videos / documents folder, were not affected by the ransomware.

 

[imuade]

That's why I suggest to block unknown files instead of sandboxing them.
And switching to Proactive Security Configuration is another must

 

[bribon77]

This with the default values. No wonder it fails.

 

[Elpibe]

That's why I suggest to block unknown files instead of sandboxing them.
And switching to Proactive Security Configuration is another must

Theres an answer in his video:

Yes, I tried to reset the sandbox but the files were not recovered, I also changed the configuration to proactive mode and only got a notification from the HIPS module, maybe making other changes in the configuration could have protected the files, I do not know, equally I think the sandbox has some defect, I did a test with Sandboxie with this ransomware and was able to protect all files.

 

[imuade]

Theres an answer in his video:

This is what's written on Comodo Forums:

The video description says the test was done using the latest CIS version of 12.0.0.6882 but in the video, you can see the virusscope recognizer is 12.0.0.6780, so it is kinda misleading. I have the sample used and I tested againts 12.0.0.6882, and I didn't see any files get deleted like in the video and the how to decrypt your files txt document was not saved to the real desktop. So maybe the issue did affect 6870 but is now fixed in 6882, which might mean the sample used the vulnerabilities that were disclosed that affected 6870 to bypass the sandbox

Comodo Forum

Comodo community forum to discuss and help people using security products

forums.comodo.com

 

[Brahman]

Settings>containment>containment settings> un check " do not virtualize access to" option. if that option is checked The folders in that settings will not be virtualized.

 

[[correlate]]

Comodo Internet Security is a free comprehensive security solution. Includes antivirus, anti-spyware, firewall with content filter, proactive HIPS protection, protection box and safe shopping.
**Overall, it is a good solution compared to other free solutions**
Key components of Comodo Internet Security Premium
• Antivirus and antispyware • Personal firewall
• Behavioral Analysis • HIPS
• Viruscope System • Content Filter
• Automatic sandbox • Virtual desktop
• Comodo Secure DNS • Rescue Disk
• Comodo Cleaning Essentials • Process Manager
• Comodo Dragon Web Browser • Safe Shopping
• Internet Security Essentials

 

[Syafiq]

Comodo Internet Security is a free comprehensive security solution. Includes antivirus, anti-spyware, firewall with content filter, proactive HIPS protection, protection box and safe shopping.
**Overall, it is a good solution compared to other free solutions**
Key components of Comodo Internet Security Premium
• Antivirus and antispyware • Personal firewall
• Behavioral Analysis • HIPS
• Viruscope System • Content Filter
• Automatic sandbox • Virtual desktop
• Comodo Secure DNS • Rescue Disk
• Comodo Cleaning Essentials • Process Manager
• Comodo Dragon Web Browser • Safe Shopping
• Internet Security Essentials

Their av engine is useless, however. Another free av has much better detection rate than comodo. But, comodo does have its unbeatable sandbox, if configured with @cruelsister's config

 

[ZeroDay]

CS settings or similar would have stopped this in it's tracks. It's a well known fact that CIS/CF has to be tweaked properly and once that is donne it's rock solid. I would like to have seen this tested at CS settings and with block all unknown files checked. I personally use similar settings to CS with the firewall also set to safe mode>block unknown connections, Sandbox set to untrusted, the relevant boxes to not virtualize access to certain areas, Command line analise tweaks and a few other tweaks. Comodo has never really been much good at default settings.
To get the full benefits offered by Comodo it needs to be tweaked and once tweaked it's as solid as protection as you're going to get free of paid. I know I'm only pointing out what we all know here but some testers just aren't aware of how strong a tweaked CIS/CF is.

CS settings - Problem solved.

 

[Decopi]

Command line analise tweaks and a few other tweaks.

Hi @ZeroDay !

I have CF+CS' settings.
Please, if possible, can you explain (step by step) what different "tweaks" you added to your CF?

Also please, I would like to know if CF/CS has any protection against SPECTRE/MELTDOWN.

Thank you

 

[bribon77]

This is the configuration that I use.



And this is a variation to virtualize browsers, which I also use
In the minute 3:46

 

[ZeroDay]

Hi @ZeroDay !

I have CF+CS' settings.
Please, if possible, can you explain (step by step) what different "tweaks" you added to your CF?

Also please, I would like to know if CF/CS has any protection against SPECTRE/MELTDOWN.

Thank you

I pretty much use the same settings @bribon77 posted above with a few extra tweaks I've added myself. Some of the tweaks I've added are in Command line analysis , some are in the firewall settings. I haven't got CF installed on this machine but I have it on a laptop so I will post a few screenshots of the extra settings I've added on top of what CS uses and @bribon77 posted above./ Be careful when changing setting in command line analysis because some of those settings can interfere with certain software that you may use and I may not. They want cause any major problems if any at all just minor announces. I'll boot my laptop up after I've had my lunch and post those screenshots for you.

 

[bribon77]

I have also made some additional changes, which I don't publish because it would be full of captures and explaining it costs me because my English is from Google Translate, but basically anyone who wants to use this setting will be protected.

 

[Decopi]

@ZeroDay and @bribon77 ... thank you both.
I'm interested only in CS' tweaks (that not change CS' settings, preserve CS' settings, complement CS' settings etc).
There's no need to post videos, details, screenshots etc about CS' settings... please, just your tweaks (variations of CS' settings).
Please, post your CS' tweaks only if you want/can, and only when you want/can.
Thank you

 

[mike6688]

Comodo Forum

Comodo community forum to discuss and help people using security products

forums.comodo.com

This is also being discussed on Comodo forum. Tests suggest latest versions of Comodo at default settings aren't vulnerable to this.

 

[mike6688]

Comodo against ChineseRarypt

Correct link for my above comment to the topic.

 

[darko999]

Comodo HIPS "Training mode" broken on Windows 10 1903 build 18632. It won't generate any rule for any program or software you use, it's literally dead, you have to ues Safe Mode with "create rules for safe applications" instead in order to generate allowed rules for apps for the HIPS.

 

[oldschool]

Comodo HIPS "Training mode" broken on Windows 10 1903 build 18632. It won't generate any rule for any program or software you use, it's literally dead, you have to ues Safe Mode with "create rules for safe applications" instead in order to generate allowed rules for apps for the HIPS.

Comodo down the comode?

 

[Burrito]

Comodo down the comode?

This referencing of the fine product Comodo as the Commode is shocking.