Video Malware bypass Comodo Firewall @ CS settings

Av Gurus

#1
Comodo firewall is set to Cruelsister settings.
I think that this malware bypassed those settings (maybe I'm wrong).
What do you think?

Video summary:
1. check Comodo firewall settings
2. delete all trusted vendors
3. add some malware to see if Comodo is working OK
4. check that one malware at VT
5. run malware and watch:
- C:\Users\Av-Gurus\AppData\Local
- Task manager startup
- network connection


Umbra

#2
From what I see, the sandbox wasn't able to catch it.
Anyway, CS settings aren't the tightest; they are a mix between usability and security, focusing on the sandbox as the main defense by disabling (silencing) the HIPS. With my settings I would be alerted by a prompt from the HIPS.

Edit: For those who don't want to read the whole thread, Comodo rated the malware as "Trusted", so it wasn't sandboxed or blocked by the HIPS.

Av Gurus

#4
From what I see, the sandbox wasn't able to catch it.
Anyway, CS settings aren't the tightest; they are a mix between usability and security, focusing on the sandbox as the main defense by disabling the HIPS. With my settings I would be alerted by a prompt from the HIPS.
@Av Gurus, just for the record, could you please enable HIPS and run the test again? It's important to know if HIPS helps or not. I am sure that @Umbra's super-max settings will catch anything, but I still want to know if HIPS at default settings is any good.
I just set HIPS to Safe Mode and the results are the same.
Check pictures:


Umbra

#5
@Av Gurus, can you run the malware under file rating? Because if the file is flagged as trusted, it will bypass all protection (except the HIPS, and in Paranoid Mode only).

You can use KillSwitch to do a second verification.

I saw it was undetected by Comodo in VT; that may be a reason.

Evjl's Rain

#12
Hi, did you enable Cloud Lookup (File Rating settings)?

If you did, I suspect that malware is marked as safe on Valkyrie by someone; that's why it can bypass the sandbox. I had one malware that bypassed CCAV for the same reason.

If you disable Cloud Lookup, perhaps it won't be able to bypass it.

Av Gurus

#14
Via Rating Scan, the widget, or use KillSwitch as I described.
The malware must be launched first.

(I don't have CIS installed so I can't give you a detailed procedure ^^)
Aha, so first run the malware and then check "Rating Scan" to see if the file is there?

Hi, did you enable Cloud Lookup (File Rating settings)?

If you did, I suspect that malware is marked as safe on Valkyrie by someone; that's why it can bypass the sandbox. I had one malware that bypassed CCAV for the same reason.

If you disable Cloud Lookup, perhaps it won't be able to bypass it.
Cloud is enabled by default.


Umbra

#17