App Review Grandmother sent me an Email


erreale

Level 9
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
Wow, great video. So configured, CIS is even "deny by default, allow by exception" without many user requests.

P.S. You have to tell your grandmother to be careful about what she sends by mail ... ;)
 

Deleted member 2913

You say CCAV is inferior compared to CIS... Even if it is (though I don't agree, as both are different-level products & shouldn't be compared IMO ;)), it is the grandfather of all these AVs you test :D so please test CCAV too :)

And in one of your tests, you showed a CIS sandbox default bypass with your own sample; please test CCAV with that sample too... CCAV's sandbox default is better/stricter compared to CIS's sandbox default... would like to see how CCAV does :) or whether CCAV protected & beat CIS in your private test :P
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Hi Guys! I'm glad you liked the video as I was uncertain how it would be received. Too many security videos are too damned serious!

To answer some of the questions-

1). Aside from the protection aspect, the elegance of the coding is important to me. For although my computer(s) are quite fast, the same is not true for everyone else. So if I have to decide on two identical products, I would choose (and highlight in my videos) the one that will run on the biggest POS machine imaginable. CF will do this, CCAV will not. Also, why would I want to use a product that highlights an AV which is inferior to most others; compounding this with the fact that CCAV does not have an outbound firewall is the reason that I don't even want to speak of it anymore. It just does not compare overall with the protection afforded by Comodo Firewall.

2). As to the default protection- I will only use CF at the settings that I demonstrated in my Setup video. I personally would never ever use Comodo at default. And as the setup will take about 30 seconds, it really isn't a great burden on anyone to do.

3). Yash- Notice I NEVER use CIS. CIS has the local AV scanner which is essentially worthless. And the bypass I coded really had nothing to do with the sandbox. It took advantage of the lower security level to fool the system into thinking that the file did not need to be sandboxed. I will not get into any specifics but the method is kinda-sorta similar to the way UAC at Max can be bypassed. But with CF at the proactive level I can't use that or any other trick- if I could I personally would Never use Comodo at all.

4). Morphius- God, you are good! So far, although I understand and appreciate what Comodo is trying to do about detecting future fileless malware of currently unknown mechanisms, right now it is just leading to misunderstanding by the regular user ("what are all these damn bat files!!!"). The methodology currently is still immature and eventually (hopefully) will become more specific, but right now CF will cover any fileless threats currently extant without it. As to other products doing the same job- traditional based security solutions wouldn't have a chance against these if they are true zero-days. It would be like a knife through soft butter.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Mwaahh, don't want to spoil this party organized by such a fine and respectable lady as @cruelsister

Why not take a shortcut and use Trust Center to harden Office?

- Disable all trusted locations
- Disable all add-ons
- Disable all ActiveX
- Disable all macros

Add Avast in grandma mode (Avast hardened aggressive) and you are fine


N.B. I don't understand why so many AVs (including Avast in hardened mode) fail against poisoned rich content in documents, so keep publishing those videos (an admirer of the above-mentioned lady ;) )
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Mwaahh, don't want to spoil this party organized by such a fine and respectable lady as @cruelsister

Why not take a shortcut and use Trust Center to harden Office?

- Disable all trusted locations
- Disable all add-ons
- Disable all ActiveX
- Disable all macros

Add Avast in grandma mode (Avast hardened aggressive) and you are fine


N.B. I don't understand why so many AVs (including Avast in hardened mode) fail against poisoned rich content in documents, so keep publishing those videos (an admirer of the above-mentioned lady ;) )
You're right, this is the solution, but the average user is not going to know this,
much less how to implement it. ;)
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
but right now CF will cover any fileless threats currently extant without it.

I think you are talking about pseudo-fileless threats which are actually not fileless at all. A true fileless infection is fileless from beginning to end, whereas pseudo-fileless threats always rely on at least one file-based component, a dropper for example, which then establishes the actual fileless persistent infection. The file-based dropper can be stopped by all kinds of tools, like signatures, anti-executables, behavior blockers and of course Comodo's auto-sandbox.

When there is in fact no file-based component involved I sincerely doubt that CF, which sandboxes based on file-rating mechanisms, can protect you.

For example, imagine you become the victim of an exploit attack. In this scenario the dropper can exist purely in memory, as shellcode or injected code originating from the initially exploited application. The fileless dropper then creates a fileless persistent infection. In this whole infection chain there is not a single file-based component involved and naturally there will be nothing for a file-rating-based auto-sandbox to sandbox.

Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)

Luckily this mechanism is mainly vulnerability dependent and thus exploit based. The chance of running into a true 0-day exploit which can smash through Edge's or Chrome's excellent own sandboxing mechanisms is almost nonexistent for home-users. The non-0-days can easily be averted by patching. This is why we don't see this more often.

Yet the possible future of Microsoft Office based macro malware shows another interesting non-exploit-based attack vector. See this presentation for further details:

OfficeMalware/Laughing_Mantis-NextGen-Office-Malware-Hushcon-2016.pptx at master · glinares/OfficeMalware · GitHub

The pseudo-fileless stuff that comes in form of an e-mail attachment, which makes up probably almost 100% of all fileless threats we encounter, is taken care of easily by the aforementioned protection mechanisms. The true fileless threats should be covered by (list not complete):

  • Sandboxie, which already sandboxes the initially exploited application, hence all memory-based dropper activities are contained as well.

  • AppGuard's guarded app and inheritance principle. AppGuard may not stop the shellcode from running or parent-to-child code injection attacks, but if the initially exploited application is running guarded, the application itself and all its child processes will run guarded and thus cannot establish a fileless persistent infection.

  • HitmanPro.Alert's excellent exploit and hollow process detection mechanisms.

  • Possibly Excubits MemProtect, but that depends on the configuration and attack mechanism. If the initially exploited application has to be allowed access to itself in order to function, it can spawn another instance of itself, inject the dropper into that and then the dropper can establish the fileless persistent infection.

  • HIPS rules can be created to restrict the initially exploited application from creating autoruns or injecting code into other applications.

Of course you could argue that you could run the initially exploited application also inside Comodo's auto-sandbox, but with all the restrictions in place, that would probably lead to a malfunction of that app sooner rather than later.

All that being said, the chances of becoming the victim of a true fileless infection are very slim at the moment, but I assume this will change in the future, though primarily for corporations. For home users, there is currently no immediate need to protect against this.
 
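The difference the post above draws between a file-rating auto-sandbox and HIPS-style rules with inheritance, as an added example that is not part of this thread or of any product's code. The two rule functions are simplified models written for this illustration, and every process name, registry key and event in it is constructed.

```python
# Added illustration, not code from the thread: a file-rating auto-sandbox and
# HIPS-style behaviour rules see different parts of an infection chain.
# All process names, registry keys and events are constructed for the example.
from dataclasses import dataclass

@dataclass
class Event:
    kind: str    # "exec", "inject" or "reg_set"
    actor: str   # process performing the action
    target: str  # image executed, process injected into, or registry key written

RATED_TRUSTED = {"winword.exe", "chrome.exe", "powershell.exe", "explorer.exe"}
EXPOSED_APPS = {"winword.exe", "chrome.exe"}  # apps that open untrusted content
AUTORUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",)

def file_rating_sandbox(events):
    """Auto-sandbox keyed on file reputation: it reacts only when an unrated image
    on disk is executed. Shellcode or injected code produces no file to rate."""
    return [e for e in events if e.kind == "exec" and e.target not in RATED_TRUSTED]

def behaviour_rules(events):
    """HIPS-style rules with inheritance: an exposed app, and every process it
    starts or injects into, may neither inject into others nor create autoruns."""
    tainted, hits = set(EXPOSED_APPS), []
    for e in events:
        if e.actor not in tainted:
            continue
        if e.kind == "exec":
            tainted.add(e.target)       # child inherits the restriction
        elif e.kind == "inject":
            tainted.add(e.target)       # so does the injected-into process
            hits.append(e)
        elif e.kind == "reg_set" and e.target.startswith(AUTORUN_KEYS):
            hits.append(e)
    return hits

# Pseudo-fileless: a macro drops a script, which then adds an autorun entry.
MACRO_CHAIN = [
    Event("exec", "winword.exe", "recipe.bat"),
    Event("reg_set", "recipe.bat", AUTORUN_KEYS[0] + r"\Recipe"),
]
# True fileless: shellcode inside the exploited browser starts a trusted (rated)
# interpreter and injects into explorer.exe; no new file is ever written to disk.
EXPLOIT_CHAIN = [
    Event("exec", "chrome.exe", "powershell.exe"),
    Event("inject", "chrome.exe", "explorer.exe"),
    Event("reg_set", "powershell.exe", AUTORUN_KEYS[0] + r"\Updater"),
]

def compare(events):
    return {"file_rating": len(file_rating_sandbox(events)),
            "behaviour": len(behaviour_rules(events))}
```

Running `compare` over both chains shows the file-rating model catching only the macro dropper, while the inheritance-based rules flag the injection and the autorun write in both chains.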

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
F TV- Any malware, no matter what type, has to act locally on your system to do whatever damage it is intended to do. I personally like to avoid the use of the term "fileless" as one can easily (and rightfully) infer that no payload will ever exist that will act locally, which is not the case at all. The Angler infection routine should be more properly termed quasi-fileless malware as it will run the payload within whatever exploitable legitimate process (like Flash, Java, Chrome, etc.) it can find (or more properly, as it is coded to find).

But in no case is a "fileless malware" truly fileless. The malware has to act somehow- and these actions will cause changes that can be detected by superior protection routines.

You bring up some fine products in your post, each excellent. But the issue that I have with them would be:
1). SBIE- absolutely excellent sandbox, no question. The problem here is that it is on-demand. I'm sure I'm not the only person that gets distracted and clicks without thought. An auto-sandbox will catch you here; on demand, not so much.
2). AG- when used properly the user is safe (unless highly signed malware is encountered). But outside of Lockdown Mode and stuff coded by trusted vendors I have my doubts that absolute protection can be afforded. Old hands will have no issue, but rookies may make mistakes (like opening a recipe from Granny).
3). HMPA is a fine application and the Loman boys take it seriously. But it is fairly specific in its protection routines and can be bypassed even then.

Finally, true zero-days are what are being pumped out hour after hour. They can come as web exploits, email attachments, infected downloads. True protection will cover all of the eventualities and obviously the traditional definition method would be without value.
 
