Video Review Malware bypass Comodo Firewall @ CS settings

Discussion in 'Video Reviews' started by Av Gurus, Apr 28, 2017.

  1. shmu26

    shmu26 Level 53

    Jul 3, 2015
    Look, if a file is well enough known that it was manually whitelisted by a Comodo employee, then most AVs will already have its sigs. Comodo is usually the last to find out about new malware.
    Your AV, if you are using one, will block it. So this kind of a thing is low risk, I would think.
  2. Arequire

    Arequire Level 18

    Feb 10, 2017
    United Kingdom
    Windows 7
    Shouldn't be of concern to anyone. Every commercial application that uses whitelisting ends up accidentally allowing a very small number of malware samples through, and the chance of running into one in the wild is ridiculously slim. You could also mitigate the risk by using a supplementary AV that would allow it to be caught by signatures before it executed or by behavioural blocking after execution.
  3. woodrowbone

    woodrowbone Level 8

    Dec 24, 2011
    Did anyone inform Comodo, so they can kick the wannabe analyst in the butt?

  4. ctrlz

    ctrlz Level 2

    Mar 20, 2017
    Thank you @Av Gurus , great test.
    I suggest informing Comodo about this defect; it's funny that a default-deny policy created trusted malware :rolleyes:
  5. Rodney74

    Rodney74 Guest

    Wow, wait till CS hears about this. And I've been running CFW and Kaspersky AV.

    Guess I'll have to turn to PC Matic, for my security needs.
  6. Rodney74

    Rodney74 Guest

    So Umbra... give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

    Just something simple but effective... Thanks.
  7. Rengar

    Rengar Level 14

    Jan 6, 2017
    Windows 8.1
    CF with CS settings or CIS with Umbra's settings, and ZAM running together. You can also turn off cloud search.
  8. Umbra

    Umbra From Emsisoft

    May 16, 2011
    Community manager
    Vietnam & France
    Windows 10
    #48 Umbra, Apr 29, 2017
    Last edited: Apr 29, 2017
    I don't know your skills and preferences, so:

    Windows Defender (if on Win8/10) + an anti-exe (ERP or VS) and/or a sandbox (Sandboxie, Shade, etc.) and/or a "virtualizer" (Shadow Defender, Timefreeze, etc.). Far more effective than any AV if used correctly, almost malware-free and low on resource usage.

    CIS with my settings is only for advanced users with experience of Comodo.
  9. Windows Defender Shill

    Apr 28, 2017
    Windows 10
    Trouble in paradise, Comodo?....... JK

    I'm curious to see if they will patch this.
  10. 212eta

    212eta Level 7

    May 11, 2011
    Windows Desktop
    Windows 10
    -Trouble? Yes. ;)
    -Paradise? :confused: Not at all...:D
  11. jamescv7

    jamescv7 Level 61

    Mar 15, 2011
    Web and FileMaker Developer
    Windows 10
    A double-edged sword concept for Comodo.

    Clearly, when the cloud lookup is abused through the whitelist process, it turns into a bypass of all protection unless HIPS is ON.

    Actually, Comodo should be much more careful about the connection of components; for example, even if the program is trusted, a pop-up should be shown about a missing digital signature or other information.

    Cloud Lookup is not a bad feature for Comodo, since it helps reduce numerous alerts; however, a recommended option is to turn on HIPS at maximum level to determine the behaviour of a program.
  12. Rodney74

    Rodney74 Guest

    Calling Doctor CS... We have an emergency on the 4th floor....
  13. Trickster

    Trickster Level 14

    Jul 28, 2016
    Loving / caring Husband :)
    Windows 10
    Has anyone pointed this out on the Comodo forums yet or not? If not, I will post this at the forums, if that is OK? cruelsister is on the road for some time, so I do not know when she is able to reply back to this thread.
  14. shmu26

    shmu26 Level 53

    Jul 3, 2015
    Just run a good AV along with Comodo, and you are okay.
    If you want to be really paranoid, combo it with VoodooShield and disable VS parent/child permissions.
  15. Rodney74

    Rodney74 Guest

    OK Umbra, how about I include VS and Shade in my current setup, which is Comodo FW (CS settings) and Kaspersky AV (most good AVs seem to take a load off my PC; when running Windows Defender, apps open slower, weird I know).

    So what do you think, any conflicts?
  16. inuyasha

    inuyasha Level 4

    Apr 9, 2017
    Windows 10
    I remember Umbra once saying that if you use CF then you don't need VS.
  17. cruelsister

    cruelsister Level 32

    Apr 13, 2013
    #57 cruelsister, Apr 29, 2017
    Last edited: Apr 29, 2017
    Sorry I wasn't around for this discussion! I had a little time to play around with this file and, as AV Gurus most excellently demonstrated, this file was able to drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant, although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that as this is an info-stealer, the actual malicious potential was negated by the Firewall (at my settings), which blocked the initial connection out to its first Command server in Paris (the temp files created in the Temp directory were not able to be transmitted).

    (Digression: stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes of which one may otherwise be unaware.)

    As I was curious whether this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time), I did some minor playing with the file.

    The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
    Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

    Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
    These yielded the result that the latter 2 were indeed sandboxed, thus showing (at least to me) that this was not a general bypass, and that someone at Comodo should not get a bonus this year.

    But my compliments to AV Gurus for bringing this to everyone's attention!

    Oh yeah, forgot to mention this: after running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP, and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?
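    An added example, not from this thread, from Comodo or from cruelsister: her sample dropped into AppData and registered itself to autostart, and her WinPatrol aside is about noticing exactly that change. The PowerShell below is a one-off audit of the Run/RunOnce keys in HKCU and HKLM. It resolves each entry to its executable, flags anything that lives under AppData, LocalAppData or Temp or whose Authenticode signature is not Valid, and prints the SHA-256 so the file can be looked up on VirusTotal the way the three hashes above were. The key list, the REVIEW flag and the folder choices are my own assumptions; nothing here is Comodo's or WinPatrol's logic.

```powershell
# Added example, not from the thread: one-off audit of the Run/RunOnce autostart
# keys. Flags entries that point into user-writable folders (where the dropped
# info-stealer landed) or whose Authenticode signature is not valid, and prints
# the SHA-256 so the file can be checked on VirusTotal.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a normal user can write to; anything autostarting from here deserves a look.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-ExePath([string]$command) {
    # Recover the executable path from a Run value: a quoted path, or the first token.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+', 2)[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
        if ($prop.Name -like 'PS*') { continue }
        $exe    = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$prop.Value)))
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $lower  = $exe.ToLowerInvariant()
        $fromUserDir = [bool]($userWritable | Where-Object { $lower.StartsWith($_) })
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'FileMissing' }
        $sha256    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
        [PSCustomObject]@{
            Key    = $key
            Name   = $prop.Name
            Path   = $exe
            Signed = "$sigStatus"
            SHA256 = $sha256
            # Unsigned or running from a user-writable folder: worth a manual look.
            Flag   = if ($fromUserDir -or "$sigStatus" -ne 'Valid') { 'REVIEW' } else { '' }
        }
    }
}

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable. It only covers the four Run keys, not the Startup folder, scheduled tasks or services, and an entry that launches a signed host such as rundll32 with a malicious DLL argument will show as Valid, so the Path column still needs reading by eye. The SHA-256 column also makes cruelsister's point concrete: the trust decision was keyed to the exact file, which is why her two modified copies no longer matched and were sandboxed.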
  18. Umbra

    Umbra From Emsisoft

    May 16, 2011
    Community manager
    Vietnam & France
    Windows 10
    If you keep Comodo , and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.
  19. Rodney74

    Rodney74 Guest

    Uhhh wait... Now I'm confused.... Why this video then, and why your setup which no longer includes Comodo?

    I thought I was tracking with you, but I must have missed the turn and drove over the edge of the cliff?
  20. Rodney74

    Rodney74 Guest

    OK, I'm just a simple guy, and you and Umbra have been very helpful and very knowledgeable, but I must say that you kind of made me feel that Comodo FW with your settings couldn't be compromised by a file like this...

    So what do I need to change in the CS Comodo FW settings to avoid this or other files from surprising me...