- Aug 19, 2019
> Please change "Last updated" in your config.

Thanks, well spotted. Fixed now. Still trying to make sense of this Thunderbird slow download of messages thing.
Proactive configuration
Containment - Do Not Virtualize Access to - Unchecked
Auto Containment - Run Virtually - Set Restriction Level - Restricted
---------------------------
I have HIPS enabled for some reason, doesn't cause much issue.
I have IPv6 filtering enabled. I don't need to add ICMP global rules as Proactive Config Stealth Default is "Alert Incoming" but if you want to add rules it's Allow In ICMP - IPv6 ICMP, Packet too big, Time Exceeded, Custom Type 134,0 - 135,0 - 136,0
Regarding Firewall Application rules I have the below set:
explorer.exe - Allow TCP Out - Port 443 (HTTPS)
    Allow OUT ICMP IPv6 135,0 (IPv6 Neighbour Solicitation)
searchHost.exe - Allow TCP Out - Port 443 (HTTP)
StartMenuExperienceHost.exe - Allow TCP Out - Port 443 (HTTPS)
AsusSoftwareManager.exe - Allow TCP Out - Port 443 (HTTPS)
svchost.exe - Allow UDP Out - Dest. Port 546 (Router DHCP)
Edge.exe - Web Browser Preset plus:
    Allow TCP/UDP Out - Port 443 - Amended HTTPS Rule for TCP and UDP
    Allow OUT ICMP IPv6 135,0 (IPv6 Neighbour Solicitation)
    Allow UDP Out - Dest. Port 1900 (SSDP)
    Allow UDP Out - Dest. Port 5353 (MDNS)

> @ErzCrz Do you test with malware?

No, I used to have a spare machine but not these days. MD is good, but I won an Emsisoft licence in January and, while I've bounced between products, I've gone back to it for now. The Comodo beta should be out in a couple of months and Hard_Configurator is on Beta 3 just now.

> Comodo beta should be out in a couple of months and Hard_Configurator on Beta 3 just now.

I understood. I asked why CIS failed to detect and block a RedLine Stealer: it only blocked it when HIPS was active, but after deactivating HIPS, CIS was not able to protect against it, nor did it go to the sandbox, but the firewall blocked it. No AV is perfect, plus I never saw CIS fail with me until this day; I guess I did something wrong in my testing, it just might be.

> I understood, I asked why CIS failed to detect and block a RedLine Stealer, it only blocked it when the HIPS were active, but after deactivating the HIPS, CIS was not able to protect against it, nor did it go to the sandbox, but the firewall blocked it. No AV is perfect, plus I never saw CIS fail with me until this day, I guess I did something wrong in my testing, it just might be.

Which RedLine Stealer? It would only not block one if it was whitelisted in the File Ratings, or you haven't unchecked the "Do not virtualize the following..." option which, if left checked, would ignore files in Download or Recycle Bin. You should have @cruelsister test it.

> Which RedLine Stealer? It would only not block one if it was whitelisted in the File Ratings, or you haven't unchecked the "Do not virtualize the following..." option which, if left checked, would ignore files in Download or Recycle Bin.

It was a supposedly fake "Game" that is actually stealer malware; @Kongo posted it here and my credit goes to him too. I downloaded the sample here. On VT, out of 67 AVs only 11 detect it; follow the VirusTotal URL.

> It was a supposedly fake "Game" that is actually stealer malware; @Kongo posted it here and my credit goes to him too. I downloaded the sample here. On VT, out of 67 AVs only 11 detect it; follow the VirusTotal URL.

Do you have a video of Comodo not sandboxing the malware? The VT result is just the on-demand scanners of each AV, and Comodo's scanner isn't the best. What settings did you use with CIS? The default has its flaws, but @cruelsister's setup is better, as Proactive Configuration is complete protection. Wishing I had a testing machine.

So CIS was not able to protect against it; MS Defender did detect it as soon as the compressed file was extracted, as Trojan:Win32/Wacatac.B!ml.

> Do you have a video of Comodo not sandboxing the malware?

I don't have a video; I just didn't record one because I did it on the real machine. And then I had to restore a backup image after the test lol. Remember that I do not test malware, that is more @Shadowra; it was a curiosity of mine when @Kongo posted it, and also because of a giveaway of ZoneAlarm Extreme Security NextGen that @BigWrench posted, that I decided to test whether ZA would really detect and block it, but no. According to @Trident, ZA was not able to detect this type of threat because it exceeds the file size limit set by ZA of 20MB, and the malware is 63MB.

> The VT result is just the on-demand scanners of each AV, and Comodo's scanner isn't the best.

Yes, I posted the VT URL to show that most AVs will not detect it, only when executed. Only Kaspersky and MD could detect it.

> What settings did you use with CIS?

Proactive configuration activated; even so, the stealer malware was not contained by CIS.

> The default has its flaws, but @cruelsister's setup is better, as Proactive Configuration is complete protection. Wishing I had a testing machine.

Yes, I know Comodo's default configuration is not good, but adjusted it is much better. Yes, it was with the Proactive configuration activated. I found it strange that the malware has a Microsoft signature, but false and invalid; I think that was grounds for CIS to block the stealer malware or put it in containment.

> According to @Trident, ZA was not able to detect this type of threat because it exceeds the file size limit set by ZA of 20MB, and the malware is 63MB.

It detected it when I ran the malware and it established a dozen connections. I provided the forensic reports there on the ZA thread. The attack was then remediated. Seems like the C&C has been used in a plethora of other malware.

> It detected it when I ran the malware and it established a dozen connections. I provided the forensic reports there on the ZA thread. The attack was then remediated. Seems like the C&C has been used in a plethora of other malware.

Let me get this straight: if the hash is the same and this malware is already known, why haven't AVs added it to their signatures yet? Yes, it is a specific malware but...

> Let me get this straight: if the hash is the same and this malware is already known, why haven't AVs added it to their signatures yet? Yes, it is a specific malware but...

It is known to some, including ZoneAlarm. The problem is it exceeds the scan size, so before you launch it, this file is not checked at all. Once you run it, many of them will detect it by behaviour, including Webroot as you mentioned. There are additional detections for the dropped files. But that's about it. Some of them still don't know this stealer exists. I am guessing new versions of it are released all the time. My question is why the hosting provider is not terminating the C&C server? It was registered almost a year ago. It has just gone under the radar like many others.

> Some of them still don't know this stealer exists. I am guessing new versions of it are released all the time. My question is why the hosting provider is not terminating the C&C server? It was registered almost a year ago. It has just gone under the radar like many others.

So you were right: if I had used another AV it also would not have detected it; only a minority would block it. I thought it was only ZA that was failing. Good, let's stop here, because this is ErzCrz's own topic. I apologize @ErzCrz for having invaded your topic, and I am not criticizing CIS or Comodo; I like this CF/CIS product. I am always open to new possibilities. The good news is that I did not use the @cruelsister configuration, so I even breathe a sigh of relief: for those who use the @cruelsister configuration, you are safe.

> Can you give reason(s) why you need BitLocker for home use?

Quite simply, it was enabled by default on this new laptop I bought in January this year. Plus, it being a laptop, encryption is a good idea if it gets stolen. No issue with it enabled as far as I can tell, so if it's providing extra security I'm all for it.