App Review Grandmother sent me an Email


FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
But in no case is a "fileless malware" truly fileless. The malware has to act somehow- and these actions will cause changes that can be detected by superior protection routines.

File-rating based auto-sandboxing is no superior protection routine.

Of course the malware has to act somehow on the disk, like writing to the registry, but it can do so without writing a script or executable to the disk and launching it from there, which then does the writing to the registry. Writing to a file like the registry is fileless in a narrower sense because the file already existed and no additional files have to be dropped and launched from the disk. Abused legitimate processes like Powershell, rundll32 and the likes will only be sandboxed by CF if they execute a script or dll from the disk because those filetypes are covered by the file-rating system.

If Microsoft Word launches another instance of Microsoft Word, this instance will not be auto-sandboxed. This new instance of Word could act as a backdoor, trojan or encrypt all your documents while CF just sits there and does nothing because Word is a trusted process.

Regarding your critique of the aforementioned security programs like Sandboxie, I of course agree. I did not encourage anyone to use them, I just tried to explain how they offer protections which cover (at least to some extent) the abuse of trusted processes independently from file-rating.
 

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
This part I'm interested in how to set up CF prevent that from happening ??

"If Microsoft Word launches another instance of Microsoft Word, this instance will not be auto-sandboxed. This new instance of Word could act as a backdoor, trojan or encrypt all your documents while CF just sits there and does nothing because Word is a trusted process."
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
This part I'm interested in how to set up CF prevent that from happening ??

First things first. CF with cruelsister's recommended settings is excellent protection. I am afraid this might get lost once a discussion becomes too theoretical and paranoia fueled. I also think this is one of the best setups out there, just not a panacea. As a home user, I think this is more than enough at the moment.

In case of Word the best defense still is not to enable macros for documents from untrustworthy sources. If you are a home user and not inside a big corporation where your job entails opening countless Office documents each day received by e-mail, if possible, don't open those documents at all.

In regards to setting up CF for this kind of threat I can only speculate. Does Office still function properly if the document is run manually inside Comodo's sandbox with tightened settings? I don't know, probably not. HIPS rules constraining Word itself further might help to some extent. But then again this is currently so far off the rails that agonizing over it is not necessary.
 

reboot

Level 3
Verified
Well-known
Jan 27, 2017
139
First things first. CF with cruelsister's recommended settings is excellent protection. I am afraid this might get lost once a discussion becomes too theoretical and paranoia fueled. I also think this is one of the best setups out there, just not a panacea. As a home user, I think this is more than enough at the moment.

In case of Word the best defense still is not to enable macros for documents from untrustworthy sources. If you are a home user and not inside a big corporation where your job entails opening countless Office documents each day received by e-mail, if possible, don't open those documents at all.

In regards to setting up CF for this kind of threat I can only speculate. Does Office still function properly if the document is run manually inside Comodo's sandbox with tightened settings? I don't know, probably not. HIPS rules constraining Word itself further might help to some extent. But then again this is currently so far off the rails that agonizing over it is not necessary.

I think it should be 'voluntarily mandatory' that everyone in this thread reads your post at least twice. ;-) Thank you for pulling things back into perspective.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
Sometimes, especially in Corporate Environments, denying macros in Office applications across the board is not an option. The beauty of CF at my settings is that anything macro-spawned (by whatever) will be detected and isolated, and this procedure will be independent of the use of Office to open and modify legitimate stuff.

Trust me that if there were any specific preclusions I would have noted them (and if it was not the case I wouldn't use CF).
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Sometimes, especially in Corporate Environments, denying macros in Office applications across the board is not an option. The beauty of CF at my settings is that anything macro-spawned (by whatever) will be detected and isolated, and this procedure will be independent of the use of Office to open and modify legitimate stuff.

Trust me that if there were any specific preclusions I would have noted them (and if it was not the case I wouldn't use CF).

What about fileless keyloggers?
What program could help to detect these?
 

reboot

Level 3
Verified
Well-known
Jan 27, 2017
139
Sometimes, especially in Corporate Environments, denying macros in Office applications across the board is not an option. The beauty of CF at my settings is that anything macro-spawned (by whatever) will be detected and isolated, and this procedure will be independent of the use of Office to open and modify legitimate stuff.

Trust me that if there were any specific preclusions I would have noted them (and if it was not the case I wouldn't use CF).

Thank you for helping make my computer secure and still allowing me to actually use it for other things! :)
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
My pleasure, reboot!

Solar- In order for a keylogger to work, no matter what the vector, it MUST do two things- it must have a presence on your system to log information, and it also must have some mechanism to send this logged info out to the Blackhats where it can be exploited. The latter part is where the Firewall component of Comodo comes into play (and also one reason why I'm not fond of CCAV).

So CF actually can stop keyloggers by a number of mechanisms- possibly by detection by the cloud AV, by preventing the action of some by plopping them in the Sandbox, or finally by preventing the transmission of data by denying access to the network. And for those that just HAVE to have a HIPS enabled, that would be another roadblock for the keylogger.

But even for those that don't want to use Comodo, they should at the least have an Outbound alerting firewall in order to have a chance against zero day forms of this malware. Windows Firewall IS NOT good enough- and DON'T let anyone tell you it is!
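As an added example (not from this thread, and not Comodo's code), the following Python script applies two of the points made above to constructed events: FleischmannTV's point that a trusted process such as Word spawning PowerShell, rundll32 or another Word instance is invisible to file-rating, and cruelsister's point that a keylogger must both be present and transmit, so outbound connections are the second place to catch it. The event format, file paths, PIDs, addresses and the outbound allow list are all constructed assumptions; nothing here reads real Sysmon or Comodo logs.

```python
"""
Added example, not from the MalwareTips thread or from Comodo.

Two checks over constructed process-creation and network-connection events:
1. Trusted-process abuse: an Office application spawning a script host
   (powershell.exe, rundll32.exe, ...) or another Office application is
   flagged even though every binary involved is a "trusted" file.
2. Transmission: a process already flagged by check 1 that later connects
   outbound is escalated; any other process not on an explicit allow list
   that connects outbound is alerted on, as an outbound-alerting firewall
   would. Both conditions of the keylogger argument are covered this way.

Event lines are JSON objects with field names loosely modelled on Sysmon
Event ID 1 / 3, but the format and all sample values are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Assumed allow list of images permitted to talk outbound (constructed).
OUTBOUND_ALLOWED = {"chrome.exe", "firefox.exe", "svchost.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def parse_event(line: str) -> dict:
    """One JSON event per line (constructed format)."""
    return json.loads(line)


def check_process_create(ev: dict) -> list[Alert]:
    """Flag Office -> script host and Office -> Office parent/child pairs."""
    child = _basename(ev["image"])
    parent = _basename(ev["parent_image"])
    alerts = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        alerts.append(Alert("office_spawns_script_host", ev["pid"], f"{parent} -> {child}"))
    if parent in OFFICE_APPS and child in OFFICE_APPS:
        alerts.append(Alert("office_spawns_office", ev["pid"], f"{parent} -> {child}"))
    return alerts


def check_network_connect(ev: dict, suspects: frozenset[int] | set[int] = frozenset()) -> list[Alert]:
    """Escalate outbound traffic from an already-suspect PID; alert on unlisted images."""
    image = _basename(ev["image"])
    if ev["pid"] in suspects:
        return [Alert("suspect_process_outbound", ev["pid"], f"{image} -> {ev['dest']}")]
    if image not in OUTBOUND_ALLOWED:
        return [Alert("unlisted_outbound", ev["pid"], f"{image} -> {ev['dest']}")]
    return []


def analyse(lines: Iterable[str]) -> list[Alert]:
    """Run both checks in event order, remembering PIDs flagged at creation."""
    alerts: list[Alert] = []
    suspects: set[int] = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["type"] == "process_create":
            new = check_process_create(ev)
            if new:
                suspects.add(ev["pid"])
            alerts.extend(new)
        elif ev["type"] == "network_connect":
            alerts.extend(check_network_connect(ev, suspects))
    return alerts


# Constructed sample events: paths, PIDs and addresses are made up.
SAMPLE_EVENTS = r"""
{"type": "process_create", "pid": 2210, "image": "C:\\Office\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "process_create", "pid": 2340, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Office\\WINWORD.EXE"}
{"type": "process_create", "pid": 2355, "image": "C:\\Office\\WINWORD.EXE", "parent_image": "C:\\Office\\WINWORD.EXE"}
{"type": "process_create", "pid": 2400, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "network_connect", "pid": 2355, "image": "C:\\Office\\WINWORD.EXE", "dest": "203.0.113.10:443"}
{"type": "network_connect", "pid": 3100, "image": "C:\\Program Files\\Browser\\chrome.exe", "dest": "198.51.100.7:443"}
{"type": "network_connect", "pid": 4100, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "dest": "192.0.2.44:8080"}
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Note that rundll32.exe launched by explorer.exe (pid 2400) raises nothing: the rule keys on who spawned the trusted binary, not on the binary itself, which is exactly the gap file-rating alone leaves. The allow list is deliberately small; a real outbound policy would be tuned per machine, and the value of the alerting model is that an unexpected sender is surfaced rather than silently allowed.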
 

reboot

Level 3
Verified
Well-known
Jan 27, 2017
139
Forgive me in advance if this is off topic and if it has been covered elsewhere, but would you bother to use an adblocker with your settings? Just curious about your thoughts.
 

Deleted member 2913

CS,

I don't agree, your mention of CCAV as an AV, highlighted as an AV, no firewall...

I mean you test quite a few software with no firewall, software that are antivirus with signs/bb, etc...

It doesn't matter however a product is highlighted (though I don't agree CCAV is highlighted as an AV) especially for a reviewer like you, what should matter for you is what all the product has & how effective is the product...

I agree CCAV is not up to the level of CFW BUT certainly it is by no means "inferior" product/compared to CFW...I strongly disagree here. Both products are from same developers but with different target audience & little different logic & internal workings of the modules/mechanism/methodology. And comparison is not good here...

And if I remember correctly, in one of the recent tests by a testing organization, CCAV protected the system better than CIS 10.

You say CCAV doesn't have a firewall. CFW settings you show/mention to customize for firewall, if I am correct, "dont show popup messages" check the option & set to block & autosandbox restricted settings...so with your settings...unknown programs connections will be blocked & many programs will not run/function properly/correctly in the sandbox.
The same can be achieved with CCAV simply by setting the sandbox option to "run only safe programs"...unknown programs connection & unknown programs blocked
So no firewall in CCAV is not a prob here...

Rest CFW....sandbox + cloud part
CCAV....sandbox + [true cloud av & not like CFW cloud part (effective or not)]

I understand you find CFW a lot better compared to CCAV but that doesn't make CCAV "inferior", as a product or compared to CFW...& its simply not.

You shouldn't compare CCAV to just CFW...as a reviewer you should compare it to other products too...it may not be good as CFW but it may be a lot better than other products (like you find CFW compared to CCAV) in the market & for free.

You are a respected & looked up to reviewer/person/member here And your review/mention on products many people here follow/apply/take seriously...your continue mention of CCAV "inferior"...many users may not even give it a try...and a good product (a lot better product compared to other products especially for users who understand CFW/CCAV kinda products) may not get a fair chance by the users.

Thank You
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
My pleasure, reboot!

Solar- In order for a keylogger to work, no matter what the vector, it MUST do two things- it must have a presence on your system to log information, and it also must have some mechanism to send this logged info out to the Blackhats where it can be exploited. The latter part is where the Firewall component of Comodo comes into play (and also one reason why I'm not fond of CCAV).

So CF actually can stop keyloggers by a number of mechanisms- possibly by detection by the cloud AV, by preventing the action of some by plopping them in the Sandbox, or finally by preventing the transmission of data by denying access to the network. And for those that just HAVE to have a HIPS enabled, that would be another roadblock for the keylogger.

But even for those that don't want to use Comodo, they should at the least have an Outbound alerting firewall in order to have a chance against zero day forms of this malware. Windows Firewall IS NOT good enough- and DON'T let anyone tell you it is!
Thank you!:)
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
Yash- Excellent post. But just to clarify my stance on CF vs CCAV, please note that I don't consider CCAV as inferior but as not as elegant.

1). The difference here is that although I could run either product on my system without issue, many people do not have computers that are as quick as mine (needless to say, I built my own). So when I evaluate a product, I take into consideration running the product on a sub-optimal hardware setup that many of our Brothers and Sisters may have. Here CF without any doubt will run more efficiently than CCAV.

2). CCAV is really still a work in progress as there will be a greater tie-in with Valkyrie which is also not yet mature. Perhaps once everything is in place CCAV will be the ultimate Cats Meow, but as we exist in the present and not the future I will reserve my accolades until then.

3). CF is a good deal more customizable. Whenever I get a chance (hopefully soon) I will be pushing out a CF video that can be used by a 6 year old that will provide superb protection without any choices to be made.

So to sum up (and keeping in mind that I am the Number 1 Comodo Fangirl), I prefer CF.

Woodrow- Yes, it is a big deal that these are being detected by Comodo. This should NEVER happen. What I want you to do is to open up task manager and get back to me with the number of Explorer.exe listings you see there (it would be easier in Win 7). You should only see one. Also, the svchost.exe that is being isolated- right click on it where it shows up in the Comodo GUI and look at Properties. Where is the svchost located?
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
Hi CS, they are both legit.
They are also not alone, just two examples that I had to "whitelist".
I think I had to allow 8 files by now.
This would be a major problem, if this will cause Windows not to work properly while they are silently blocked.

/W
 

reboot

Level 3
Verified
Well-known
Jan 27, 2017
139
I just had my first run with CS setting using CFW 10, the problem I am seeing is that windows system files get blocked by the FW. (Outgoing)
Is this a big deal if explorer.exe and svchost.exe for example can't connect out?

/W

I am having a similar experience. Did you resolve the issue?
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
It's not the problem to allow something through firewall.
Check the pictures:

[Attached screenshots: Clipboard01.jpg, Clipboard03.jpg]
 
