Advice Request: Is CCAV enough against 99% of ransomware?

Status
Not open for further replies.

Evjl's Rain (thread author)
Hi everyone,

I would like to ask about CCAV with default sandbox settings.
I'm not a fan of highly restricted/untrusted rules; I prefer partially limited (CF & CIS) or a bit higher than partial but less than highly restricted (CCAV).

In the case of CCAV, can it protect against most ransomware which is not able to bypass CCAV's sandbox?

Thank you
 
Wave

If the sample is executed within the sandbox and the sample does not manage to circumvent the sandboxing mechanisms, then yes, you will stay protected from it (since it'd be isolated)... It may depend on your configuration though.

It will depend on the rules for the sandbox and how the sample works. That being said, you should always have a backup to use, and then you wouldn't need to worry about this too much.

One of the best remediation techniques when it comes to ransomware would be using a backup, since you won't need to pay for any decryption key or hope a vendor analyses the sample and can reverse the encryption for a custom tool...
 

Evjl's Rain
@cruelsister has some information about using CCAV.
Yes, I read most of her comments about CCAV and it turns out she doesn't like it because CCAV is less customizable, and she prefers to set the auto-sandbox rule to untrusted, which CCAV cannot do.

I'm thinking about replacing tweaked Avast with CCAV for my family, but the problem is they don't understand English and are completely inexperienced, cannot perform many easy tasks, and they are happy clickers, default-allow.
Everything I tell them, they will forget within 5 minutes :D
 
MalwareBlockerYT

It should be enough, but I would always use other software as well. This is how my config works:

KIS 2017: Detection via Real Time Protection, Firewall, etc.
ZAL: Demand Scanner & Real Time Protection
VoodooShield: Whitelisting & prevention - great against Ransomware & Malicious applications
MBAM Premium: URL, Real time, Ransomware, Exploit protection
Avira Browser Safety: URL Blocking

So for me to get infected:

1) If it was a malicious URL then it would have to get past Avira Browser Safety - unlikely for most URLs but possible.
2) Then the URL would have to get past KIS 2017 & MBAM as well...
3) If it managed to do that then it's likely that either MBAM, KIS 2017 or ZAL will pick it up with Real Time Protection.
4) If it wasn't detected by any of those applications, then when it came time to execute it I would have to allow the file through with VoodooShield.
5) VoodooShield automatically quarantines any file which has a detection ratio of over 3/57 on VirusTotal.

I have actually tested my config in a VM & will be uploading a video on it soon!

This is how I think when I put together a security config:

1) Will URLs get past?
2) Will downloads get past?
3) Will the file manage to execute?

And if the answer is yes & you are a paranoid user/over-the-top user (like me), then you may want to update your config. There is no need to be paranoid if you know what you're doing, but since I took up malware testing & since I do it regularly I decided to be extra safe - better safe than sorry :)

CCAV should prevent any harm coming to your PC, but I personally wouldn't use it on its own. If you want to be paranoid then you use a bunch of security applications in combination. That way nothing should manage to get past your security - especially if you are asked to confirm that you want to allow the application to execute.
 

Evjl's Rain
The PC I have only has 1 GB of RAM.
I already installed Bitdefender TrafficLight or Avira Browser Safety (I forgot which one) with Avast on good settings. The PC never got infected before.

Because the PC is so weak, and because of how my family members use the PC, many security products are out of the list :(

I'm ~9000 km away from the PC so I cannot do much about it.
 

FleischmannTV
KIS 2017: Detection via Real Time Protection, Firewall, etc
ZAL: Demand Scanner & Real Time Protection
VoodooShield: Whitelisting & prevention - great against Ransomware & Malicious applications
MBAM Premium: URL, Real time, Ransomware, Exploit protection
Avira Browser Safety: URL Blocking

There is still room for Excubits MemProtect and FIDES + Shadow Defender. On top of that, you could run that setup inside a VM and install the same setup on the host as well, and you would be impenetrable.

 

SHvFl
The PC I have only has 1 GB of RAM.
I already installed Bitdefender TrafficLight or Avira Browser Safety (I forgot which one) with Avast on good settings. The PC never got infected before.

Because the PC is so weak, and because of how my family members use the PC, many security products are out of the list :(

I'm ~9000 km away from the PC so I cannot do much about it.
I tried CCAV recently. Go for it, but disable everything other than the sandbox and you will be safe without the crap they have that does nothing other than load.
Also make sure the setting is to sandbox everything unknown, and you surpass the protection of most software. The issue is that you will still have to educate them if they install software, or do it alone with TeamViewer, because some software will run sandboxed because they have lazy devs that don't sign their stuff.
 

SHvFl
CCAV should prevent any harm coming to your PC, but I personally wouldn't use it on its own. If you want to be paranoid then you use a bunch of security applications in combination. That way nothing should manage to get past your security - especially if you are asked to confirm that you want to allow the application to execute.
Or one of those many pieces of software you use has a bug/bypass, and the malware escalates using its permissions and bypasses every other piece of software you have.
 

shmu26
The sandbox of CCAV does not protect the system as well as the regular COMODO sandbox.
But look, the AV of any COMODO product is next to useless. So if you are limited in RAM, why not just install CFW and leave it at that? Or add HitmanPro.Alert. Both use very little RAM.
 

Evjl's Rain
The sandbox of CCAV does not protect the system as well as the regular COMODO sandbox.
But look, the AV of any COMODO product is next to useless. So if you are limited in RAM, why not just install CFW and leave it at that? Or add HitmanPro.Alert. Both use very little RAM.
I knew COMODO AV is close to useless. I want CCAV because the sandbox rule is > partially restricted but < highly restricted, which will block some of the software in my language used to manage the business.

Thank you for mentioning HMPA. I think I will keep Avast with high settings + HMPA or something else then.
 

SHvFl
The sandbox of CCAV does not protect the system as well as the regular COMODO sandbox.
But look, the AV of any COMODO product is next to useless. So if you are limited in RAM, why not just install CFW and leave it at that? Or add HitmanPro.Alert. Both use very little RAM.
Assuming you are asking me :S
The protection is similar; it will still sandbox and just change a few things, but no lost files. You can remote connect and fix those in 2 minutes. Comodo Firewall is way heavier, at least for me, and it really doesn't offer anything groundbreaking over CCAV for the average user.
I think for the average user on a low-end machine CCAV is the better option.
 
MalwareBlockerYT

There is still room for Excubits MemProtect and FIDES + Shadow Defender. On top of that, you could run that setup inside a VM and install the same setup on the host as well, and you would be impenetrable.


Thanks for the really amazing video -_- lol

Yes, there is still room for all of that, but from what I've seen in tests & in my personal tests my setup is pretty darn good. I'd like to see your security setup tested in comparison & we will see who has the better setup in terms of protection.
 
MalwareBlockerYT

Or one of those many pieces of software you use has a bug/bypass, and the malware escalates using its permissions and bypasses every other piece of software you have.
I don't understand what you've written. Could you please rephrase your reply?
 
SHvFl
I don't understand what you've written. Could you please rephrase your reply?
Sure, I will try. So one of the arguments many in the industry make is that security software not only can't protect you but will create security problems. The reason for that is that all of them run as system applications and have full control to do anything. Let's say someone manages to take control of Kaspersky. Immediately he has access to everything and can force other security applications to die, because it has permissions at the same level as the other security applications, due to the escalation gained by taking over Kaspersky.

So the more programs you stick together doesn't necessarily mean you are better protected.
 

shmu26
Avast hardened mode/aggressive
HMP.A
Set UAC to high
SmartScreen enabled
Put the user on a standard user account
Use Process Lasso to block wscript, PowerShell, etc.
This is very light on system resources, and it's very, very hard to infect the system this way.
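The list above is a set of settings rather than a procedure, so a read-only audit is the natural check for it. The script below is an added example for this thread, not something the poster supplied. It assumes Windows 7 to 10 era registry locations, takes "UAC at high" to mean EnableLUA=1, ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1, and, because Process Lasso keeps its rules in its own configuration rather than the registry, checks the built-in Windows Script Host "Enabled" switch instead as a different, registry-based way of blocking wscript/cscript. Those mappings are assumptions, noted in the code.

```powershell
# Added example (not from the thread): read-only audit of the low-resource hardening list.
# Assumptions are marked inline; nothing here changes settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HardeningBaseline {
    $findings = @()

    # 1. Standard user account: is the current token a member of local Administrators?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $findings += [pscustomobject]@{
        Control = 'Standard user account'
        Pass    = (-not $isAdmin)
        Detail  = "CurrentUser=$($identity.Name) IsAdmin=$isAdmin"
    }

    # 2. UAC "always notify" (assumption: slider at the top == these three values).
    $uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua     = Get-RegValue $uacPath 'EnableLUA'
    $consent = Get-RegValue $uacPath 'ConsentPromptBehaviorAdmin'
    $secure  = Get-RegValue $uacPath 'PromptOnSecureDesktop'
    $uacHigh = ($lua -eq 1) -and ($consent -eq 2) -and ($secure -eq 1)
    $findings += [pscustomobject]@{
        Control = 'UAC at high'
        Pass    = $uacHigh
        Detail  = "EnableLUA=$lua ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secure"
    }

    # 3. SmartScreen for downloaded executables (Explorer value: RequireAdmin / Warn / Off).
    $ss = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    $findings += [pscustomobject]@{
        Control = 'SmartScreen enabled'
        Pass    = ($ss -in @('RequireAdmin', 'Warn'))
        Detail  = "SmartScreenEnabled=$ss"
    }

    # 4. Script hosts. Process Lasso rules are not readable here, so this checks the
    #    Windows Script Host switch instead: Enabled=0 blocks wscript.exe/cscript.exe
    #    machine-wide. An absent value means WSH is enabled.
    $wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $findings += [pscustomobject]@{
        Control = 'Windows Script Host disabled'
        Pass    = ($wsh -eq 0)
        Detail  = "Enabled=$wsh (absent means enabled)"
    }

    return $findings
}

Test-HardeningBaseline | Format-Table -AutoSize
```

Run it from the family member's own (non-elevated) session so the first check reflects the account they actually use; a PowerShell execution policy that blocks scripts is itself part of the point of the list, so expect to run it with `-ExecutionPolicy Bypass` or paste the functions interactively.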
 
Wave

@SHvFl: could you give better info about the Kaspersky "supposed" vulnerability and source info about it?
He's not saying that there is a new vulnerability within Kaspersky, but he is trying to make the point that all software will have vulnerabilities somewhere along the line which will be usable by an attacker as an advantage to do things that the attacker may not have been able to do if the specific software was not installed on the system at all.

In other words, he is saying that having more security software does not necessarily mean you are "better" protected, but can also cause more problems than good deep down... And he speaks the truth, actually.

An example is given below:
In terms of security software, there are services/processes (executed by another service so it is running under SYSTEM) running under the NT AUTHORITY account (SYSTEM). This causes more privileges to be given, which results in more control over the system.

In some scenarios, an attacker can take advantage of this functionality to compromise the system by exploiting the security software to leverage its own privileges higher, so it too can be run under SYSTEM without needing to obtain the correct consent to do this (since if UAC is enabled then you'll need to have been provided consent to create/start the service, etc.).
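The two posts above argue that every SYSTEM service a security product installs is extra privileged attack surface. The cheapest way to see how much of that surface a machine carries is to enumerate the services running as LocalSystem and flag the two textbook ways a standard user turns one into SYSTEM: an image file or its directory that non-administrators can write to, and an unquoted image path containing spaces. The script below is an added example for this thread, not code from any poster or vendor; it is a general check over all LocalSystem services, not a test of any particular product, and it only inspects image paths, so a clean result says nothing about bugs in the service's own IPC or driver interface. The write-permission test is a heuristic over a few ACL bits, which is an assumption noted in the code.

```powershell
# Added example (not from the thread): list LocalSystem services whose image path a
# standard user could hijack. Read-only; assumptions are marked inline.

function Get-ServiceImagePath {
    param([string]$PathName)
    # Quoted form:   "C:\Program Files\Vendor\svc.exe" -service  -> C:\Program Files\Vendor\svc.exe
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Program Files\Vendor\svc.exe -service    -> up to the first .exe
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WritableByNonAdmin {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }

    # Assumption: these principals stand in for "any standard user".
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

    # Assumption: being able to write/append data or delete (and replace) the object is
    # enough to hijack it. GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) show
    # up as raw bits on some ACEs, so they are included in the mask.
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete) -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) { return $true }
    }
    return $false
}

function Find-WeakSystemServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $image    = Get-ServiceImagePath $_.PathName
            # Unquoted path with spaces: SCM tries C:\Program.exe, C:\Program Files\Vendor.exe, ...
            $unquoted = ($_.PathName -notmatch '^"') -and ($image -match ' ')
            $writable = (Test-WritableByNonAdmin $image) -or
                        (Test-WritableByNonAdmin (Split-Path -Parent $image))
            if ($unquoted -or $writable) {
                [pscustomobject]@{
                    Name                   = $_.Name
                    State                  = $_.State
                    Image                  = $image
                    UnquotedPathWithSpaces = $unquoted
                    WritableByNonAdmin     = $writable
                }
            }
        }
}

Find-WeakSystemServices | Format-Table -AutoSize
```

Run it as the standard user, not as an administrator, since the point is what that account can reach; an empty table means none of the LocalSystem services on the box exposes these two particular mistakes, which is the most a path-level check can tell you. Every extra product on the list still adds services to the enumeration, which is the concrete form of the "more software, more surface" argument.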
 
