App Review Malware bypass Comodo Firewall @ CS settings

[Av Gurus]

Comodo firewall is set to Cruelsister settings.
I think that this malware is bypased that settings (maybe I'm wrong).
What do you think?

Video summary:
1. check Comodo firewall settings
2. delete all trusted vendors
3. add some malware to see if Comodo is working OK
4. check that one malware at VT
5. run malware and watch:
- C:\Users\Av-Gurus\AppData\Local
- Task manager startup
- network connection

 

[Deleted member 178]

from what i see, the sandbox wasn't able to catch it.
Anyway , CS settings isn't the tightest one, it is a mix between usability and security focusing on the sandbox as main defense by disabling (silencing) the HIPS; with my settings i would be alerted by a prompt from the HIPS.

Edit: For those that doesn't want to read the whole thread, Comodo rated the malware as "Trusted" so it wasn't sandboxed or blocked by the HIPS.

 

[shmu26]

@Av Gurus , Just for the record, could you please enable HIPS, and run the test again? It's important to know if HIPS helps or not. I am sure that @Umbra's super-max settings will catch anything, but I still want to know if HIPS at default settings is any good.

 

[Av Gurus]

from what i see, the sandbox wasn't able to catch it.
Anyway , CS settings isn't the tightest one, it is a mix between usability and security focusing on the sandbox as main defense by disabling the HIPS; with my settings i would be alerted by a prompt from the HIPS.

@Av Gurus , Just for the record, could you please enable HIPS, and run the test again? It's important to know if HIPS helps or not. I am sure that @Umbra's super-max settings will catch anything, but I still want to know if HIPS at default settings is any good.

I just put HIPS to Safe Mode and results are the same.
Check pictures:

 

[Deleted member 178]

@Av Gurus can you run the malware under file rating, because if the file is flagged as trusted , it will bypass all protection (except the HIPS and in paranoid mode only ).

you can use Killswitch to do a second verification.

I saw it undetected in VT by Comodo , may be a reason.

 

[Av Gurus]

How to do that? I don't understand...

 

[erreale]

...with my settings i would be alerted by a prompt from the HIPS.

What are different kinds of stuff to those used by CS? Can I find them in some post so I can replicate them?

 

[Deleted member 178]

1- run the malware , launch file rating as you did at beginning
2- open killswitch , go to view , show only untrusted processes.

 

[Deleted member 178]

What are different kinds of stuff to those used by CS? Can I find them in some post so I can replicate them?

Comodo Internet Security Setup/configuration thread (Setting Only)

 

[Av Gurus]

1- run the malware , launch file rating as you did at beginning
2- open killswitch , go to view , show only untrusted processes.

In File Rating what tab to select?...trusted vendors or...?

 

[Deleted member 178]

In File Rating what tab to select?

View attachment 148089

Via Rating scan , the widget or use Killswitch as i described.
The malware must be launched first.

(i dont have CIS installed so i can't give you detailed procedure ^^ )

 

[Evjl's Rain]

hi, did you enable Cloud lookup (file rating settings)?

if you did, I doubt that that malware is marked as safe on valkyrie by someone that's why it can bypass the sandbox. I had 1 malware which bypassed CCAV by the same reason

if you disable cloud lookup, perhaps it won't be able to bypass

 

[Deleted member 178]

@Evjl's Rain yes it is why i ask him to do a rating scan of the malware.

 

[Av Gurus]

Via Rating scan , the widget or use Killswitch as i described.
The malware must be launched first.

(i dont have CIS installed so i can't give you detailed procedure ^^ )

Aha, so first run malware and then check "Rating Scan" to see if the file is there?

hi, did you enable Cloud lookup (file rating settings)?

if you did, I doubt that that malware is marked as safe on valkyrie by someone that's why it can bypass the sandbox. I had 1 malware which bypassed CCAV by the same reason

if you disable cloud lookup, perhaps it won't be able to bypass

Cloud is enable by default.

 

[Deleted member 178]

Aha, so first run malware and then check "Rating Scan" to see if the file is there?

View attachment 148090



Cloud is enable by default.

View attachment 148091

Did you launched the malware before the scan?

Then can you do the killswitch procedure with the malware launched?

 

[Av Gurus]

Looks like that malware is Trusted, but why?

 

[Deleted member 178]

Looks like that malware is Trusted, but why?

View attachment 148092

Because surely an idiot whitelisted it. So now you know why it bypass all protection. Only my settings would protected you .

Comodo's Myths & Facts

Umbra is the best (for those who didn't know yet)

 

[Evjl's Rain]

Looks like that malware is Trusted, but why?

View attachment 148092

because an analyst marked it as safe
human error. @vivid explained to me

can you try again with cloud lookup disable?

 

[erreale]

@Umbra Many thanks

 

[shmu26]

because an analyst marked it as safe
human error. @vivid explained to me

can you try again with cloud lookup disable?

If it already got onto the trusted list, disabling cloud lookup afterwards might not change its status.