Video Malware bypass Comodo Firewall @ CS settings

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,150
OS
Windows 10
#41
Look, if a file is well enough known that it was manually whitelisted by a Comodo employee, then most AVs will already have its sigs. Comodo is usually the last to find out about new malware.
Your AV, if you are using one, will block it. So this kind of thing is low risk, I would think.
 
Joined
Feb 10, 2017
Messages
1,021
OS
Windows 10
Antivirus
Comodo
#42
Shouldn't be of concern to anyone. Every commercial application that uses whitelisting ends up accidentally allowing a very small number of malware samples through, and the chance of running into one in the wild is ridiculously slim. You could also mitigate the risk by using a supplementary AV that would allow it to be caught by signatures before it executed or by behavioural blocking after execution.
 

Rodney74

Guest
#46
aka my config, because you can't trust anyone, especially cloud stuff :D
So Umbra... Give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.
 

Rengar

Level 16
Joined
Jan 6, 2017
Messages
793
OS
Windows 8.1
Antivirus
ESET
#47
So Umbra... Give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.
CF with CS settings or CIS with Umbra's settings, and ZAM running together. You can also turn off cloud search.
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,969
OS
Windows 10
Antivirus
Default-Deny
#48
So Umbra... Give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.
I don't know your skills and preferences, so:

Windows Defender (if on Win8/10) + an Anti-exe (ERP or VS) or/and a Sandbox (Sandboxie, Shade, etc...) or/and a "virtualizer" (Shadow Defender, Timefreeze, etc...), far more effective than any AV if used correctly, almost malware-free and low on resource usage.

CIS with my settings is only for advanced users having experience with Comodo.
 

jamescv7

Level 61
Trusted
Joined
Mar 15, 2011
Messages
12,638
OS
Windows 10
Antivirus
Microsoft
#51
Double-edged sword concept for Comodo.

Clearly, when the cloud lookup is abused through the whitelist process, all protection will be bypassed unless HIPS is ON.

Actually, Comodo should be much more careful about the connection of components; for example, even if the program is trusted, a pop-up should be shown about a missing digital signature or other information.

------------------------------------

Cloud Lookup is not a bad feature for Comodo, since it helps to reduce numerous alerts; however, a recommended option is to turn on HIPS at maximum level to determine the behavior of a program.
 

Rodney74

Guest
#55
I don't know your skills and preferences, so:

Windows Defender (if on Windows 8/10) + an Anti-exe (ERP or VS) or/and a Sandbox (Sandboxie, Shade, etc...) or/and a "virtualizer" (Shadow Defender, Timefreeze, etc...), far more effective than any AV if used correctly, almost malware-free and low on resource usage.

CIS with my settings is only for advanced users having experience with Comodo.

OK Umbra, how about I add VS and Shade to my current setup, which is Comodo FW (CS settings) and Kaspersky AV (most good AVs seem to take a load off my PC; when running Windows Defender, apps open slower, weird I know).

So what do you think, any conflicts?
 

cruelsister

Level 34
Trusted
Joined
Apr 13, 2013
Messages
2,383
#57
Sorry I wasn't around for this discussion! I had a little time to play around with this file and, as AV Gurus most excellently demonstrated, this file was able to drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant, although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that, as this is an info-stealer, the actual malicious potential was negated by the Firewall (at my settings), which blocked the initial connection out to the first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression: stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes of which one may be otherwise unaware.)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
These yielded the result that the latter two were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!


Oh yeah, forgot to mention this: after running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP, and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,969
OS
Windows 10
Antivirus
Default-Deny
#58
OK Umbra, how about I add VS and Shade to my current setup, which is Comodo FW (CS settings) and Kaspersky AV (most good AVs seem to take a load off my PC; when running Windows Defender, apps open slower, weird I know). So what do you think, any conflicts?
I remember Umbra once saying that if you use CF then you don't need VS.
If you keep Comodo, and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.
 

Rodney74

Guest
#59
If you keep Comodo, and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.
Uhhh wait... Now I'm confused... Why this video then, and why your setup, which no longer includes Comodo?

I thought I was tracking with you, but I must have missed the turn and driven over the edge of the cliff?
 

Rodney74

Guest
#60
Sorry I wasn't around for this discussion! I had a little time to play around with this file and, as AV Gurus most excellently demonstrated, this file was able to drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant, although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that, as this is an info-stealer, the actual malicious potential was negated by the Firewall (at my settings), which blocked the initial connection out to the first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression: stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes of which one may be otherwise unaware.)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
These yielded the result that the latter two were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!


Oh yeah, forgot to mention this: after running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP, and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?

OK, I'm just a simple guy, and you and Umbra have been very helpful and very knowledgeable, but I must say that you kind of made me feel that Comodo FW with your settings couldn't be compromised by a file like this...

So what do I need to change in the CS Comodo FW settings to stop this or other files from surprising me...
 