Advice Request How is Your Experience with Comodo CIS/FW v10 so far?

Please provide comments and solutions that are helpful to the author of this topic.

How is Your Experience with Comodo CIS/FW v10 so far?

  • Excellent

    Votes: 34 44.7%
  • Good but I was hoping for better

    Votes: 15 19.7%
  • Average. Program has strengths and weaknesses

    Votes: 10 13.2%
  • Poor. Program is buggy or too resource intensive or is poorly designed and hard to use

    Votes: 9 11.8%
  • Awful. Nothing good about this program

    Votes: 2 2.6%
  • Haven't tried the program in v10 (post comment may contain why)

    Votes: 4 5.3%
  • Tried the program briefly or tested but gained no impression (post to add any comments)

    Votes: 1 1.3%
  • Other (please comment)

    Votes: 1 1.3%

  • Total voters
    76
Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
But what about attacks that use powershell in memory, and what about attacks that use cmd.exe? (By default, Comodo 10 disables embedded code detection for cmd.exe, because it cripples too many apps.)

Do you have a recollection of which apps are affected by this? Is it mostly browser extensions?

I enabled embedded code detections, and I only get one alert for Qihu webshield.exe for Chrome, which I routinely allow. Then I periodically clean out the tempscrpt folder and then purge the file list. I think this is a place where I would say Comodo needs some creativity. The protections are worth the investment, and I hope they push into this challenge.
 
Last edited:
  • Like
Reactions: Andy Ful

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Do you have a recollection of which apps are affected by this? Is it mostly browser extensions?

I enabled embedded code detections, and I only get one alert for Qihu webshield.exe for Chrome, which I routinely allow. Then I periodically clean out the tempscrpt folder and then purge the file list. I think this is a place where I would say Comodo needs some creativity. The protections are worth the investment, and I hope they push into this challenge.
I have a problem with a Chrome extension, and also with the desktop tray icon for my Intel integrated graphics. They both run a temp bat file with a random name.
 
  • Like
Reactions: AtlBo

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,144
Terra- A FireEye appliance is superior. But for the Home user, as long as you aren't in Federal Service or have a Security Clearance, Kaspersky would be a good alternative.

Shmu- Remember that Comodo does NOT have an issue with powershell or cmd themselves, but does with what actually calls them up. A legitimate app that needs cmd.exe to do stuff like restart the system will have no issues, but a malicious app that uses cmd to delete or change files will (if you have time, see the 3:50 mark of my Comodo Firewall 10 vs Ransomware video published 4/22 and watch the Task Manager as the Revenge ransomware is run).

Too often people will make things much more complicated than they are.
 
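The distinction cruelsister draws above (the script host itself is not the problem, the caller is) and the false positive shmu26 describes earlier (a Chrome extension and a graphics tray icon both running a randomly named temp .bat) can be expressed as a small triage rule over process-creation telemetry. The following is an added example written for this thread; it is not Comodo code and does not model how Comodo's embedded code detection works internally. The event records are constructed, loosely shaped like the parent/child/command-line fields of a Windows 4688 or Sysmon event-1 record, and the trusted, Office, browser and allowlisted parent sets (including igfxtray.exe as a stand-in for the Intel tray icon) are assumptions a defender would tune locally.

```python
import re
from collections import namedtuple

# Constructed sample events (parent image, child image, child command line).
# Not real telemetry; shaped loosely like Windows 4688 / Sysmon event-1 fields.
ProcEvent = namedtuple("ProcEvent", "parent image cmdline")

SAMPLE_EVENTS = [
    # Legitimate use: a shell launched from Explorer to reboot the machine.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c shutdown /r /t 0"),
    # Macro-style launch: Word spawning a hidden, encoded PowerShell (payload is a placeholder).
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"),
    # The Chrome-extension case from the thread: browser runs a random-named temp batch file.
    ProcEvent(r"C:\Program Files\Google\Chrome\chrome.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\u\AppData\Local\Temp\a8f3k2q9.bat"),
    # The tray-icon case: an allowlisted vendor launcher (constructed name) doing the same thing.
    ProcEvent(r"C:\Program Files\Intel\igfxtray.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\u\AppData\Local\Temp\x7z1p0mq.bat"),
    # Unrecognized download using cmd.exe to delete a user document.
    ProcEvent(r"C:\Users\u\Downloads\invoice.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del /q C:\Users\u\Documents\report.docx"),
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSER_PARENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}
TRUSTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}
# Assumption: a locally maintained allowlist of benign launchers known to run temp batch
# files (the noise the thread mentions). igfxtray.exe is a constructed entry.
ALLOWLISTED_PARENTS = {"igfxtray.exe"}

TEMP_SCRIPT_RE = re.compile(r"\\Temp\\[A-Za-z0-9]{6,}\.(?:bat|cmd)\b", re.IGNORECASE)
PS_EVASION_RE = re.compile(
    r"-(?:enc|encodedcommand|nop|noprofile|w hidden|windowstyle hidden)\b", re.IGNORECASE)
DELETE_RE = re.compile(r"\b(?:del|erase|rd|rmdir)\b", re.IGNORECASE)

HIGH, MEDIUM = "high", "medium"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reasons_for(ev):
    """(severity, description) pairs explaining why a script-host launch looks suspicious.
    Returns [] for non-script-host children, so ordinary process events cost nothing."""
    child, parent = basename(ev.image), basename(ev.parent)
    if child not in SCRIPT_HOSTS:
        return []
    out = []
    # The caller decides most of the risk, mirroring the point made in the thread.
    if parent in OFFICE_PARENTS:
        out.append((HIGH, "script host spawned by an Office application"))
    elif parent in BROWSER_PARENTS:
        out.append((MEDIUM, "script host spawned by a browser"))
    elif parent not in TRUSTED_PARENTS and parent not in ALLOWLISTED_PARENTS:
        out.append((HIGH, "script host spawned by an unrecognized parent"))
    # Command-line heuristics add weight but never exonerate an untrusted caller.
    if child == "powershell.exe" and PS_EVASION_RE.search(ev.cmdline):
        out.append((HIGH, "powershell launched with hidden/encoded/no-profile switches"))
    if TEMP_SCRIPT_RE.search(ev.cmdline):
        out.append((MEDIUM, "runs a randomly named batch file from a Temp folder"))
    if child == "cmd.exe" and DELETE_RE.search(ev.cmdline):
        out.append((MEDIUM, "command line deletes files"))
    return out


def verdict(ev):
    """'alert' on any high-severity reason, 'review' on medium-only findings from a
    non-allowlisted parent, otherwise 'allow'. An allowlist silences noise, not alerts."""
    rs = reasons_for(ev)
    if any(sev == HIGH for sev, _ in rs):
        return "alert"
    if rs and basename(ev.parent) not in ALLOWLISTED_PARENTS:
        return "review"
    return "allow"


def triage(events):
    """Verdict plus reasons for every event, for a console report or a test."""
    return [(verdict(ev), reasons_for(ev)) for ev in events]


if __name__ == "__main__":
    for ev, (v, rs) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{v:6}  {basename(ev.parent)} -> {basename(ev.image)}")
        for sev, why in rs:
            print(f"        [{sev}] {why}")
```

The allowlist only suppresses medium-severity findings; a launcher on it still raises an alert if it spawns a hidden encoded PowerShell, which keeps the "routinely allow" decision from turning into a blanket exemption.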

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Terra- A FireEye appliance is superior. But for the Home user, as long as you aren't in Federal Service or have a Security Clearance, Kaspersky would be a good alternative.

Shmu- Remember that Comodo does NOT have an issue with powershell or cmd themselves, but does with what actually calls them up. A legitimate app that needs cmd.exe to do stuff like restart the system will have no issues, but a malicious app that uses cmd to delete or change files will (if you have time, see the 3:50 mark of my Comodo Firewall 10 vs Ransomware video published 4/22 and watch the Task Manager as the Revenge ransomware is run).

Too often people will make things much more complicated than they are.
Well, they say on the Comodo forum that until embedded code detection came around, Comodo did not have an answer for fileless exploits of the Poweliks genre (unless you ran your browser in the sandbox). So I surmise that exploits of this type, when not covered by embedded code detection, remain problematic.

I will readily admit that such attacks are rare, especially for security geeks, who keep their OS and software updated.

Not only that, but it is virtually impossible to test, because who can find exploits like this in the wild? Your videos are surely not catching this kind of an animal.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
+1
But remember, my point is about fileless exploits that abuse legit apps, not about the actions of malicious apps.
ReHIPs, for instance, has a clear and conclusive answer to this problem: isolation.
Voodooshield tries to handle it, too, with a sort of software restriction.
But Comodo's solution is not so clear and comprehensive, at least as far as I can understand.
 
D

Deleted member 178

Fileless malware has to come from somewhere; it doesn't pop up out of the blue in the system's memory.

Like in this video, a macro is embedded in the doc file, the happy clicker runs it, then PowerShell is abused and the assailant takes over.

Experienced Comodo users will find the slight "arrangement" to the settings that made the attack possible, which wouldn't be there under normal conditions.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,144
Shmu- I love your post if only for the reason that you should not listen to all that you read on the Comodo Forums. Let me explain:

1). SO many people, including those with "authority" on the Comodo Forums feel that fileless malware and web exploits are somewhat magical (like after going to a compromised website the Malware Fairy will touch your computer with her wand and immediately infect it). This is far from the truth (although some have called me the Malware Fairy). Things such as these still MUST somehow have an initial local effect on your computer and Comodo will detect and contain these effects.

2). I'll let you in on a secret here (secret because I don't want people to know that I am a total Geek)- before I ever make sweeping posts I make it a point to verify what I am posting is true. So prior to my post above about Powershell and cmd.exe, I actually ran Revenge (for cmd.exe effects) and both Poweliks as well as PowerSniff (for the PowerShell effects). All are totally contained and held powerless without respect to the initial source. No system changes are evident.

So next time you read from someone on those Forums that "the browser needs to be sandboxed" please slap them for me because they do not have a (add curse word here)ing clue.


Umbra- You have no idea the glee I have when you agree with me.


(ps- excuse this post. I just dashed the hopes of a Startup and am washing away the Guilt with wine)
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,144
Umbra, Umbra- after I said something nice! I just watched that video. Notice how the author blew off both the Firewall and Sandbox settings that I recommend (remember- NEVER EVER use CF at default!)? Let him try it with my settings and see what will happen. PowerSniff is also an embedded Office malware and is handled quite well by Comodo.

I also really am getting annoyed with the BlackCipher nonsense. They use dual screens and impressive command screens to deceive the unwary. Ask Dan at VS about this...
 
D

Deleted member 178

Umbra, Umbra- after I said something nice! I just watched that video. Notice how the author blew off both the Firewall and Sandbox settings that I recommend (remember- NEVER EVER use CF at default!)? Let him try it with my settings and see what will happen. PowerSniff is also an embedded Office malware and is handled quite well by Comodo.
He even pushes the vice by setting paranoid mode but ticking 2 options to make the HIPS auto-allow requests and create rules for safe applications... options which, if my memory is good, are unticked in paranoid mode.

I also really am getting annoyed with the BlackCipher nonsense. They use dual screens and impressive command screens to deceive the unwary. Ask Dan at VS about this...
They did the same for NVT ERP: a small "adjustment" to the settings, claiming that in a corporate environment admins would do that... :rolleyes:

Btw, "we are hard when it comes to people we appreciate", but I like to sometimes give cookies :p
 
Last edited by a moderator:

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
CS... but how to get rid of the cat? I have to constantly vacuum hair from the keyboard and USB ports.

Apparently it escaped Comodo's sandbox and now I fear it will mistake my lappy for its litter box.

...now where is my mouse?
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
cs...what is the better Sandbox setting for unrecognized, run virtual or run restricted? I can see you set All Applications to run restricted, but I have seen some use run virtual.

After installing CFW I saw 3 All Applications rules. One of them was something about newer than 3 days old and then another had to do with browser and e-mail client and then another with locations. Was I correct to delete those rules and replace them with the simple All Applications->Unrecognized->run restricted (virtual is what I am using for now)?...

I had to reinstall CFW last night because some of the dialogs weren't working (internet connections and sandbox). They're working again now, but I was going from memory to set everything up by your settings.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I see that there are differences of opinion on how Comodo's exploit protection works.
And probably there will continue to be...
Bottom line is Comodo Firewall 10 is a great product, whichever way you look at it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
After installing CFW I saw 3 All Applications rules. One of them was something about newer than 3 days old
Sorry for jumping in, but it sounds like you didn't switch to proactive mode. What you are describing is firewall mode.
 
  • Like
Reactions: Andy Ful and AtlBo

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
shmu26...

It installed in FW mode and then I changed it to Proactive. Those rules were still there, so I don't know, but I got rid of them and replaced them with the one. Tried an unrecognized file, and it seemed to work.

Am I correct that "run virtual" is actually more restrictive than "run restricted"? Not exactly clear on the difference...
 
Last edited:
  • Like
Reactions: Andy Ful

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
shmu26...

It installed in FW mode and then I changed it to Proactive. Those rules were still there, so I don't know, but I got rid of them and replaced them with the one. Tried an unrecognized file, and it seemed to work.

Am I correct that "run virtual" is actually more restrictive than "run restricted"? Not exactly clear on the difference...
Run virtual, which is the default setting, is less strict. It allows a certain amount of desktop access, so malware could, for instance, display a ransom message on your desktop. But it is only cosmetic. After rebooting or emptying the sandbox, you can change your desktop picture back to something more boring.

Run restricted is stricter; it will hardly let malware do anything. The downside is that this setting decreases the chances that an app will run properly in the sandbox.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Run restricted is stricter; it will hardly let malware do anything. The downside is that this setting decreases the chances that an app will run properly in the sandbox.

OK. Great information and thanks. I will take your advice and leave the setting, although I believed Virtual was more restrictive. When I tested a little while ago with the new sparse file list, I ran FullEventLogView. I noticed it did not import any events while in the sandbox. If that happens a lot maybe I'll go back to restricted to avoid any chance of a mistake on my part. Don't think it would be a problem anyway. I have the CFW settings pdf, so I will look at that again too...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
OK. Great information and thanks. I will take your advice and leave the setting, although I believed Virtual was more restrictive. When I tested a little while ago with the new sparse file list, I ran FullEventLogView. I noticed it did not import any events while in the sandbox. If that happens a lot maybe I'll go back to restricted to avoid any chance of a mistake on my part. Don't think it would be a problem anyway. I have the CFW settings pdf, so I will look at that again too...
Glad I could help. My main source of info in this matter is CS. I am not much of a tester myself.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
OK thanks again. Here is a quote from Comodo on the restriction levels. This had me believing that Virtual was more restrictive than Restricted, since virtual is mentioned last after restricted:

Auto-containment rules allow you to determine whether programs should be allowed to run with full privileges, ignored, run restricted or run in a fully-virtual environment

Down further, this shows that obviously either of the settings is adequate for protection:

  • Run Virtually - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.
  • Run Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
  • Block - The application is not allowed to run at all.
  • Ignore - The application will not be contained and allowed to run with all privileges.

Anyway I don't think it is going to matter much. I am fine with the setting either way. Here is a link to the Comodo help on containment for anyone who would like to look at the options:

Auto-Containment Rules, Containment Security Software | Internet Security | COMODO
 
Last edited:
  • Like
Reactions: Andy Ful
