Basic Security Rengar's Security Config

How are you finding it? It's extremely light and I really like its GUI, but I don't know if I prefer it over CFW.
If you get the chance I wouldn't mind seeing a test of it. I'm not sure how it handles scripts, so I'm curious if it suffers the same problem as Avast's hardened mode and if there's any way to bypass its protection. I've also heard its universal AV suffers from some major engine update delays.
It's very light and so far I like it.
It's not annoying like other anti-exes but still effective.
It's not easy for me to test it because I have to collect a sufficient number of samples which have low detection rates according to VT, so SAP won't block them easily via its universal AVs. I will try to test it behind the scenes to pick good samples and then use these for a video.

I notice some differences between the engines used by the universal AVs and the real engines. For example, WD couldn't detect many of the malware samples I scanned, but the Microsoft engine detected them as malware. Avira and BD have delayed signatures which should have detected some samples that were already detected by these engines according to VT.
 
It's not annoying like other anti-exes but still effective.
Yeah, it's nice to not have to keep unblocking legitimate processes that have had their network access blocked by CFW.

It's not easy for me to test it because I have to collect a sufficient number of samples which have low detection rates according to VT, so SAP won't block them easily via its universal AVs. I will try to test it behind the scenes to pick good samples and then use these for a video.
Ah right. Didn't think about it being a lot harder to find samples for something that uses multiple engines, even if their sigs are delayed.

I notice some differences between the engines used by the universal AVs and the real engines. For example, WD couldn't detect many of the malware samples I scanned, but the Microsoft engine detected them as malware. Avira and BD have delayed signatures which should have detected some samples that were already detected by these engines according to VT.
I think VDS is a step up in this regard by having a direct link to VT. No out-of-date sigs to worry about in determining if samples are malicious or not.

I'll keep SAP around for now, but I'm not all that familiar with it. With CFW I know where I stand and know the protection it affords after using it for a long time, but I've never given SAP much of a fair shake, and I've only seen one or two tests featuring it, so I can't determine how strong its protection is, especially against signed malware or scripts.

Since SAP was forced to drop VT, this is the kind of malware I'd be concerned about when running it:
[attached screenshot]

Signed, and the universal AV says clean, but VT gives a 35/56. What would happen if someone ran into this kind of sample nowadays, when VT isn't there to give you a heads-up that it's malicious? As far as I'm aware it doesn't have any kind of behavioural detection, so if you unblock it (based on it being signed and the UAV giving it a clean rating) the malware could run indefinitely, in theory.

Edit: Sorry for taking over your configuration thread to discuss SAP, @LanDude! :oops: Hope you don't mind.
 
Good configuration. Honestly, the Comodo components are strong enough, but you need to tweak them carefully for accuracy and precision.

@Arequire: Well, in those instances a user should always look carefully at the alerts. SAP provides multiple criteria to avoid any bypass on the file, so any red marks will halt execution.

At a close look it may not be user-friendly, but with time and use it can be a very good supplement for a setup.
 
[attached screenshot]

Signed, and the universal AV says clean, but VT gives a 35/56. What would happen if someone ran into this kind of sample nowadays, when VT isn't there to give you a heads-up that it's malicious? As far as I'm aware it doesn't have any kind of behavioural detection, so if you unblock it (based on it being signed and the UAV giving it a clean rating) the malware could run indefinitely, in theory.
Yes, there is no behavioural detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untrusted file" by SAP. We should upload them to Jotti or VT, or upload them to the Cuckoo sandbox and wait for the final verdict.
Honestly, I prefer Jotti because it's 5x faster and more responsive than VT :)
My ISP limits the connection to VT. If I want to upload files to VT I must use a VPN, and sometimes I cannot access it :(
I can only check the detection rate for <10 files at a time.
 
Yes, there is no behavioural detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untested file" by SAP. We should upload them to Jotti or VT, or upload them to the Cuckoo sandbox and wait for the final verdict.
Honestly, I prefer Jotti because it's 5x faster and more responsive than VT :)
My ISP limits the connection to VT. If I want to upload files to VT I must use a VPN, and sometimes I cannot access it :(
I can only check the detection rate for <10 files at a time.
What are you gonna do then if the 1-year trial expires? If ever it reaches that point...
@Arequire: Well, in those instances a user should always look carefully at the alerts. SAP provides multiple criteria to avoid any bypass on the file, so any red marks will halt execution.

At a close look it may not be user-friendly, but with time and use it can be a very good supplement for a setup.
Yes, there is no behavioural detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untrusted file" by SAP.
I keep it in lockdown mode, so this wouldn't affect me unless I downloaded and ran it myself. All I'd get shown is the file name that had been blocked. It's just a little worrying for those that run interactive mode that the UAV's sigs are so out of date that none of the AVs included detected it as malware, even when almost all did on VT. I guess you could argue it's still better than the traditional approach of having the file run on your system and hoping behavioural detection or HIPS catches it before it does any damage.
 
REMOVED
NetCraft
ADDED
TheGreatSuspender, Norton DNS

I think I'm protected with this config.
I had problems upgrading to W10. When I decide to format my PC I will do a clean install of W10 :)


Chrome extensions added: Don't Track Me Google, Disable HTML5 Autoplay, Stealth Mode.
 
Yes, there is no behavioural detection. At least SAP is an anti-exe/whitelister, so we can block these files if they are marked as "Untrusted file" by SAP. We should upload them to Jotti or VT, or upload them to the Cuckoo sandbox and wait for the final verdict.
Honestly, I prefer Jotti because it's 5x faster and more responsive than VT :)
My ISP limits the connection to VT. If I want to upload files to VT I must use a VPN, and sometimes I cannot access it :(
I can only check the detection rate for <10 files at a time.
From my experience, SAP literally made me go crazy with the way it handled the "initial scan".
I haven't seen such a buggy POS for a while.
 
It's possible to enable Malwarebytes, as I have a lifetime licence, but it's a little overkill... We will see... :unsure:
 
Hum... WD + ZAL -> and now MBAM Pro (resident); you will probably get some slowdowns in the system, and some issues with the other resident applications...

Try and let us know :)