Video Review Malware bypass Comodo Firewall @ CS settings

Discussion in 'Video Reviews' started by Av Gurus, Apr 28, 2017.

  1. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    #1 Av Gurus, Apr 28, 2017
    Last edited: Apr 28, 2017
    Video Uploaded by:
    Av-Gurus
    Disclaimer:
    Due to the small number of samples used in this tests, you should take results with a grain of salt. I encourage you to compare these results with others and take informed decisions on what security products to use.
    Hub Thread:
    https://malwaretips.com/threads/24-4-2017-19.70847/
    Comodo firewall is set to Cruelsister settings.
    I think that this malware has bypassed those settings (maybe I'm wrong).
    What do you think?

    Video summary:
    1. check Comodo firewall settings
    2. delete all trusted vendors
    3. add some malware to see if Comodo is working OK
    4. check that one malware at VT
    5. run malware and watch:
    - C:\Users\Av-Gurus\AppData\Local
    - Task manager startup
    - network connection

  2. Umbra

    Umbra From Emsisoft
    Developer

    #2 Umbra, Apr 28, 2017
    Last edited: May 1, 2017
    From what I see, the sandbox wasn't able to catch it.
    Anyway, the CS settings aren't the tightest; they are a mix of usability and security, focusing on the sandbox as the main defense by disabling (silencing) the HIPS. With my settings I would be alerted by a prompt from the HIPS.

    Edit: For those who don't want to read the whole thread, Comodo rated the malware as "Trusted", so it wasn't sandboxed or blocked by the HIPS.
  3. shmu26

    shmu26 Level 53

    @Av Gurus, just for the record, could you please enable HIPS and run the test again? It's important to know if HIPS helps or not. I am sure that @Umbra's super-max settings will catch anything, but I still want to know if HIPS at default settings is any good.
  4. Av Gurus

    I just put HIPS to Safe Mode and results are the same.
    Check pictures:

    1.png 2.png 3.png 4.png
  5. Umbra

    @Av Gurus can you run the malware under File Rating? Because if the file is flagged as trusted, it will bypass all protection (except the HIPS, and in Paranoid Mode only).

    You can use KillSwitch to do a second verification.

    I saw it undetected in VT by Comodo; that may be a reason.
  6. Av Gurus

    How to do that? I don't understand...
  7. erreale

    erreale Level 4


    Which settings are different from those used by CS? Can I find them in some post so I can replicate them?
  8. Umbra

    1- Run the malware, then launch File Rating as you did at the beginning.
    2- Open KillSwitch, go to View, and show only untrusted processes.
  9. Umbra

  10. Av Gurus

    In File Rating, which tab should I select? Trusted Vendors or...?

    1.png
  11. Umbra

    Via Rating Scan, the widget, or use KillSwitch as I described.
    The malware must be launched first.

    (I don't have CIS installed, so I can't give you a detailed procedure ^^)
  12. Evjl's Rain

    Evjl's Rain Level 28
    Trusted AV Tester

    Hi, did you enable Cloud Lookup (File Rating settings)?

    If you did, I suspect that malware is marked as safe on Valkyrie by someone; that's why it can bypass the sandbox. I had one malware which bypassed CCAV for the same reason.

    If you disable Cloud Lookup, perhaps it won't be able to bypass.
  13. Umbra

    @Evjl's Rain yes, that is why I asked him to do a Rating Scan of the malware.
  14. Av Gurus

    Aha, so first run malware and then check "Rating Scan" to see if the file is there?

    1.png

    Cloud is enabled by default.

    2.png
  15. Umbra

    Did you launch the malware before the scan?

    Then can you do the KillSwitch procedure with the malware launched?
  16. Av Gurus

    Looks like that malware is Trusted, but why?

    1.png 2.png
  17. Umbra

    Because surely an idiot whitelisted it. So now you know why it bypasses all protection. Only my settings would have protected you.

    Comodo's Myths & Facts

    Umbra is the best (for those who didn't know yet) :p
  18. Evjl's Rain

    Because an analyst marked it as safe :D
    Human error. @vivid explained it to me.

    Can you try again with Cloud Lookup disabled?
  19. erreale

  20. shmu26

    If it already got onto the trusted list, disabling cloud lookup afterwards might not change its status.
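The decision logic the thread arrives at (post 5: a "Trusted" rating skips the sandbox and HIPS unless HIPS is in Paranoid Mode; post 20: a rating already on the trusted list survives turning Cloud Lookup off), as an added Python model that is not Comodo's code or anything posted in the thread. The sample hash is a constructed placeholder, and the local caching of a cloud verdict is an assumption made to illustrate shmu26's point.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed placeholder; not the hash of the sample tested in the video.
SAMPLE_SHA1 = "0000000000000000000000000000000000000001"


class Hips(Enum):
    DISABLED = "disabled"   # CS settings: HIPS silenced, auto-sandbox is the main defense
    SAFE = "safe"           # HIPS Safe Mode: trusted files run without a prompt
    PARANOID = "paranoid"   # HIPS Paranoid Mode: prompts even for trusted files


@dataclass
class FileRating:
    """Simplified model of Comodo's File Rating as the thread describes it."""
    local_trusted: set          # hashes already on the local trusted list
    cloud_safe: set             # hashes the cloud lookup (Valkyrie) reports as safe
    cloud_lookup: bool = True   # the Cloud Lookup toggle in File Rating settings

    def rate(self, sha1: str) -> str:
        if sha1 in self.local_trusted:
            return "Trusted"
        if self.cloud_lookup and sha1 in self.cloud_safe:
            # Assumption: the cloud verdict is cached locally, so it persists
            # after Cloud Lookup is disabled (the point made in post 20).
            self.local_trusted.add(sha1)
            return "Trusted"
        return "Unrecognized"


def decide(rating: str, hips: Hips) -> str:
    """Action taken for a launched file: trusted files bypass sandbox and HIPS,
    except when HIPS is in Paranoid Mode (the point made in post 5)."""
    if rating == "Trusted":
        return "prompt" if hips is Hips.PARANOID else "run"
    return "sandbox"   # unrecognized files go to the auto-sandbox


def replay_thread(sha1: str = SAMPLE_SHA1) -> dict:
    fr = FileRating(local_trusted=set(), cloud_safe={sha1})
    first = fr.rate(sha1)                   # whitelisted in the cloud -> Trusted
    fr.cloud_lookup = False
    later = fr.rate(sha1)                   # already cached -> still Trusted
    fresh = FileRating(set(), {sha1}, cloud_lookup=False)   # cloud off before first run
    return {
        "first_rating": first,
        "cs_action": decide(first, Hips.DISABLED),
        "safe_mode_action": decide(first, Hips.SAFE),
        "paranoid_action": decide(first, Hips.PARANOID),
        "rating_after_disable": later,
        "fresh_rating": fresh.rate(sha1),
    }
```

Running `replay_thread()` shows the file running unsandboxed under both CS settings and HIPS Safe Mode, prompting only in Paranoid Mode, and staying Trusted after Cloud Lookup is switched off; only a machine that never looked it up rates it Unrecognized and sandboxes it.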