Nestor

Level 8
I, instead, never expect them to perform well because, according to my experience, they never give a clean result, especially for Sophos.
Their signatures are so bad that it is a reason for infection. If their signatures were better, they would have had better results.
Also, I was disappointed with WD VPN bandwidth consumption. It consumed 150MB yesterday, while Bitdefender Free only consumed 15MB and Sophos 18MB.
During the test, WD uploaded everything to the cloud => privacy concern???

I think there are some ways to get a clean result in this test:
- avast hardened mode + syshardener/H_C blocking all scripts
- Block all scripts + Run everything .exe with smartscreen
- any anti-exe, comodo firewall (not preferred as they always work)
- Kaspersky's trusted application mode
Evjl's Rain, when you were testing CF in the Hub, did you ever notice system infection from malicious files running in containment? I am asking because of a discussion about how safe "partially limited" mode in CF containment is. Thanks

Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
Evjl's Rain, when you were testing CF in the Hub, did you ever notice system infection from malicious files running in containment? I am asking because of a discussion about how safe "partially limited" mode in CF containment is. Thanks
I don't really understand what you mean!? In my test, everything was sandboxed/contained and there was no malware escaping the sandbox, so the VM was totally protected.
I was using the default sandbox settings (no limit).
I never use any restriction for the containment because if I want to monitor the behavior of a sandboxed process to determine whether it's safe or unsafe, I must let it run unrestricted. Any restriction will cause a program to malfunction.

Nestor

Level 8
I don't really understand what you mean!? In my test, everything was sandboxed/contained and there was no malware escaping the sandbox, so the VM was totally protected.
I was using the default sandbox settings (no limit).
I never use any restriction for the containment because if I want to monitor the behavior of a sandboxed process to determine whether it's safe or unsafe, I must let it run unrestricted. Any restriction will cause a program to malfunction.
OK, thanks, that's really what I wanted to understand, because there was a fear that running a malicious app in containment may sometimes infect the system, although it was contained. Since that was not the case, even with (no limit) in containment, that's really nice.

Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
OK, thanks, that's really what I wanted to understand, because there was a fear that running a malicious app in containment may sometimes infect the system, although it was contained. Since that was not the case, even with (no limit) in containment, that's really nice.
There was no problem running the sandbox unrestricted because if there is any sandbox escape, people would report it to Comodo and they will fix it quickly (because it's their priority).

Partially Limited is fine IMO if you block the internet connection of the sandboxed processes.

You can read the description here:
  • Set Restriction Level - When 'Run Restricted' is selected as 'Action' in Step 1, then this option is automatically selected and cannot be unchecked. If 'Run Virtually' action is selected, then this option can be checked or unchecked.
  • You can select the 'Restriction Level' from the following options:
      • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
      • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
      • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
      • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

shmu26

Level 83
Verified
Trusted
Content Creator
There was no problem running the sandbox unrestricted because if there is any sandbox escape, people would report it to Comodo and they will fix it quickly (because it's their priority).

Partially Limited is fine IMO if you block the internet connection of the sandboxed processes.

You can read the description here:
Please remind me: how do you block the internet connection of the sandboxed processes?

Andy Ful

Level 48
Verified
Trusted
Content Creator
I noticed that SRP is incompatible with Microsoft Child Account. When I added the child account via the 'Add a family member' option on Windows 10 (ver. 1803) and applied the restrictions to applications (child age limit) + the restrictions to the content of web pages, then SRP stopped working on all accounts. :devil:

Andy Ful

Level 48
Verified
Trusted
Content Creator
...
VoodooShield in AutoPilot mode will allow all true 0-day malware.
...
Because of the false positives, most non-advanced users will probably use one or two on-demand scanners for checking the 0-day malware and infect the computer anyway. Nothing is perfect.
Dan (VS developer) mailed me that my first sentence above may be misleading. I agree with him.
Bypassing VS with true 0-day malware (never seen before) will in many cases require user interaction. The average user will mostly be fooled by the very low or 0 detection on VirusTotal, so the VS detection by non-VT modules (AI, anti-script, etc.) will be treated as a false positive. That is why I prefer the Forced SmartScreen solution for application installers in Hard_Configurator (much fewer false positives).
Anyway, the chance of silently bypassing VS is very low. Here is Dan's explanation:
"In order for a zero day to slip through AutoPilot… It would have to…
  1. Be an executable (scripts and the like are auto blocked unless they are spawned from certain parents)
  2. Not be an unknown on VT
  3. Trick all VT engines that do not have a high FP rate on VT (and are not part of VS's FP detection)… there are around 40 of them
  4. Trick VoodooAi (which is slightly more aggressive than the other ML/Ai engines). Most ML/Ai engines will have roughly the same result since we all use very similar algos and models (trust me, this is no exaggeration… they are very, very, very similar). But VS was designed to be slightly more aggressive. Some of the other ML/Ai engines have a better false positive rate with a roughly 90-95% detection ratio (Cylance, CrowdStrike, etc.), whereas VS was designed to have a roughly 99.5% detection ratio, with higher false positives.
  5. There are other checks as well… but these checks alone would block almost all zero days."

oldschool

Level 35
Verified
That will also be the case for many home user computers. :)
Using Hard_Configurator with recommended settings is not complicated, but the user needs some learning when using more advanced settings (like <Block Sponsors>). (y)
@Andy Ful, can you please expand/explain in more detail as it relates to Blocked Sponsors? I see in the manual it suggests using this setting when on an unsecured network. :notworthy::)

Edit: OK, I see the discussion continues in Post #433 and on, re: MS Office 2007, which explains more. I can see well enough that I need not enable a feature like Blocked Sponsors unless in an unsecure environment.

Sunshine-boy

Level 27
Verified
The average user will be mostly fooled by the very low or 0 detection on Virus Total,
Even sysadmins will be fooled!
Not be an unknown on VT
whereas VS was designed to have a roughly 99.5% detection ratio, with higher false positives.
I remember when Opcode bypassed VoodooAi with his malware :notworthy: The file had no detection in VT (all green) and VoodooAi also showed the file as safe (again green)! How can I decide? If the AI and VT tell me the file is safe, I will allow it! Even the most paranoid users will allow it.
There are other checks as well… but these checks alone would block almost all zero days.
Only marketing words without evidence. What are these checks? Ask him, ty.
I'm not saying VS is bad. It's good in Always-On mode, and that Cuckoo Sandbox is enough for my needs, but it's far from great. Also, the free version has a lot of limitations! Even the paid version lacks some useful features.
There are better free alternatives:
Hard_Configurator
Avast Hardened Mode
SmartScreen
ERP Beta
ReHIPS.

shmu26

Level 83
Verified
Trusted
Content Creator
@Andy Ful, can you please expand/explain in more detail as it relates to Blocked Sponsors? I see in the manual it suggests using this setting when on an unsecured network. :notworthy::)

Edit: OK, I see the discussion continues in Post #433 and on, re: MS Office 2007, which explains more. I can see well enough that I need not enable a feature like Blocked Sponsors unless in an unsecure environment.
"Sponsors" is roughly the same as "vulnerable processes", a concept you might be familiar with from other security software.
It's things like powershell, wscript, mshta, cmd, etc.
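The "sponsors" idea above (script hosts and command interpreters that malware rides on) also works as a detection rule rather than only a block list. The following is an added example, not code from this thread or from Hard_Configurator: it runs a small classifier over constructed process-creation events and flags sponsor launches whose parent, command line or input path looks wrong. The sponsor list starts from the four processes named in the post; cscript and regsvr32, the parent-application set and the path hints are assumptions made for the example, and the encoded command and URL in the sample data are constructed placeholders.

```python
"""Flag suspicious launches of 'sponsor' processes in process-creation events.

Added example (not from the thread or Hard_Configurator). Sponsors named in
the post: powershell, wscript, mshta, cmd. Everything else below is assumed.
"""
import csv
import io
from typing import Dict, List, Tuple

# Sponsors named in the post, extended by assumption with cscript and regsvr32.
SPONSORS = {
    "powershell.exe", "wscript.exe", "mshta.exe", "cmd.exe",
    "cscript.exe", "regsvr32.exe",
}

# Parents that rarely need to spawn a sponsor on a home PC (assumption).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "chrome.exe"}

# Path fragments that mark user-writable locations (assumption, lower-case).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\", "\\temp\\")

# Constructed sample events: timestamp, parent image, child image, command line.
# The encoded argument and the URL are placeholders, not real payloads.
SAMPLE_EVENTS = """\
ts,parent,image,cmdline
2024-01-01T10:00:00,explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c dir
2024-01-01T10:01:00,winword.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -enc QQBCAEMA
2024-01-01T10:02:00,explorer.exe,C:\\Windows\\System32\\wscript.exe,wscript.exe C:\\Users\\bob\\Downloads\\invoice.js
2024-01-01T10:03:00,explorer.exe,C:\\Program Files\\App\\app.exe,app.exe
2024-01-01T10:04:00,outlook.exe,C:\\Windows\\System32\\mshta.exe,mshta.exe https://example.invalid/x.hta
"""


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a sponsor launch looks suspicious (empty if benign or not a sponsor)."""
    reasons: List[str] = []
    image = basename(event["image"])
    if image not in SPONSORS:
        return reasons
    parent = basename(event["parent"])
    cmd = event["cmdline"].lower()
    if parent in DOCUMENT_PARENTS:
        reasons.append(f"sponsor {image} spawned by document/browser app {parent}")
    if any(hint in cmd for hint in USER_WRITABLE_HINTS):
        reasons.append(f"sponsor {image} given content from a user-writable path")
    if image == "powershell.exe" and ("-enc" in cmd or "-encodedcommand" in cmd):
        reasons.append("encoded PowerShell command line")
    if image == "mshta.exe" and "http" in cmd:
        reasons.append("mshta fetching a remote HTA")
    return reasons


def flag_events(csv_text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse CSV process events and return (timestamp, image, reasons) for flagged ones."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row)
        if reasons:
            flagged.append((row["ts"], basename(row["image"]), reasons))
    return flagged


if __name__ == "__main__":
    for ts, image, reasons in flag_events(SAMPLE_EVENTS):
        print(ts, image, "; ".join(reasons))
```

Run as a script it prints three hits: the Word-spawned encoded PowerShell, the wscript launch of a script from Downloads, and the Outlook-spawned mshta fetching an HTA; the plain `cmd.exe /c dir` from Explorer is a sponsor but carries no suspicious signal, which is the distinction a "block sponsors" setting cannot make on its own.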