App Review Malware bypass Comodo Firewall @ CS settings

[shmu26]

Look, if a file is well enough known that it was manually whitelisted by a Comodo employee, then most AVs will already have its sigs. Comodo is usually the last to find out about new malware.
Your AV, if you are using one, will block it. So this kind of a thing is low risk, I would think.

 

[Arequire]

Shouldn't be of concern to anyone. Every commercial application that uses whitelisting ends up accidentally allowing a very small number malware through and the chance of running into one in the wild is ridiculously slim. You could also mitigate the risk by using a supplementary AV that would allow it to be caught by signatures before it executed or behavioural blocking after execution.

 

[woodrowbone]

Did anyone inform Comodo, so they can kick the wannabe analyst in the but?

/W

 

[ctrlz]

Thank you @Av Gurus , great test.
I suggest to inform Comodo about this defect, it's funny that a default deny policy created trusted malwares

 

[Rodney74]

Wow, wait til CS hears about this. and I've been running CFW and Kaspersky AV.

Guess I'll have to turn to PC Matic, for my security needs.

 

[Rodney74]

aka my config, because you can't trust anyone especially cloud stuff

So Umbra... Give me your opinion, A simple guy (ME) wants to run one or two real time security software's, with my choice of on demand scanners. The real time security would be something, hopefully that doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.

 

[Rengar]

So Umbra... Give me your opinion, A simple guy (ME) wants to run one or two real time security software's, with my choice of on demand scanners. The real time security would be something, hopefully that doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.

CF with cs settings or CIS with Umbra settings. And ZAM running together. You can also turn off cloud search.

 

[Deleted member 178]

So Umbra... Give me your opinion, A simple guy (ME) wants to run one or two real time security software's, with my choice of on demand scanners. The real time security would be something, hopefully that doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.

i dont know , your skills and preference so:

Windows Defender (if on Win8/10) + an Anti-exe (ERP or VS) or/and a Sandbox (Sandboxie, Shade, etc... ) or/and a "virtualizer " (Shadow Defender, Timefreeze, etc...) , far more effective than any AV if used correctly, almost malware-free and low on resource usage.

CIS with my settings are only for advanced users having experience with Comodo.

 

[Windows Defender Shill]

Trouble in paradise Comodo?.......JK

I'm curious to see if they will patch this.

 

[212eta]

Trouble in paradise Comodo?

-Trouble? Yes.
-Paradise? Not at all...

 

[jamescv7]

Double edge sword concept for Comodo.

Clearly the cloud lookup when abuse through whitelist process will turn all protection bypass unless HIPS is ON.

Actually Comodo should provide much careful on the connection of components; for example even the program is trusted however a pop-up should shown about missing digital signature or other information.

------------------------------------

Cloud Lookup is not a bad feature for Comodo since it helps to reduce numerous alerts however a recommend option to turn on HIPS at maximum level to determine the behavior of a program.

 

[Rodney74]

Calling Doctor CS... We have an emergency on the 4th floor....

 

[FrFc1908]

Has anyone pointed this out on the comodo forums yet or not? if not , I will post this at the forums if that is ok? cruesister is on the road for sometime , so I do not know when she is able to reply back to this thread.

 

[shmu26]

Just run a good AV along with Comodo, and you are okay.
If you want to be really paranoid, combo it with Voodoshield and disable VS parent/child permissions

 

[Rodney74]

i dont know , your skills and preference so:

Windows Defender (if on Windows 8/10) + an Anti-exe (ERP or VS) or/and a Sandbox (Sandboxie, Shade, etc... ) or/and a "virtualizer " (Shadow Defender, Timefreeze, etc...) , far more effective than any AV if used correctly, almost malware-free and low on resource usage.

CIS with my settings are only for advanced users having experience with Comodo.

OK Umbra how about I include VS and Shade to my current setup, which is Comodo FW (CS settings) and Kaspersky AV (Most good AV's seem to take a load off my PC, when running Windows Defender Apps open slower, weird I know).

So what do you think, any conflicts?

 

[inuyasha]

i remember umbra once saying that if you use CF then you dont need VS

 

[cruelsister]

Sorry I wasn't around for this discussion! I had a little time to play around with this file and as AV Gurus most excellently demonstrated this file was able drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that as this is an info-stealer the actual malicious potential was negated by the Firewall (at my settings) which blocked the initial connection out to first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression- stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes for which one may be otherwise unaware)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
These yielded the results that the latter 2 were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!


Oh yeah- forgot to mention this- After running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP,and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?

 

[Deleted member 178]

OK Umbra how about I include VS and Shade to my current setup, which is Comodo FW (CS settings) and Kaspersky AV (Most good AV's seem to take a load off my PC, when running Windows Defender Apps open slower, weird I know).So what do you think, any conflicts?

i remember umbra once saying that if you use CF then you dont need VS

If you keep Comodo , and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.

 

[Rodney74]

If you keep Comodo , and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.

Uhhh wait... Now I'm confused.... Why this video then, and why your setup which no longer includes Comodo?

I thought I was tracking with you, but I must have missed the turn and drove over the edge of the cliff?

 

[Rodney74]

Sorry I wasn't around for this discussion! I had a little time to play around with this file and as AV Gurus most excellently demonstrated this file was able drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that as this is an info-stealer the actual malicious potential was negated by the Firewall (at my settings) which blocked the initial connection out to first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression- stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes for which one may be otherwise unaware)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
These yielded the results that the latter 2 were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!


Oh yeah- forgot to mention this- After running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP,and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?

OK I'm just a simple guy, and you and Umbra have been very helpful, and very knowledgeable, but I must say that, you kind of made me feel that Comodo FW with your settings couldn't be compromised by a file like this...

SO what do I need to change in the CS Comodo FW settings to avoid this or another files from surprising me...