App Review Malware bypass Comodo Firewall @ CS settings

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Comodo firewall is set to Cruelsister settings.
I think that this malware is bypased that settings (maybe I'm wrong).
What do you think?

Video summary:
1. check Comodo firewall settings
2. delete all trusted vendors
3. add some malware to see if Comodo is working OK
4. check that one malware at VT
5. run malware and watch:
- C:\Users\Av-Gurus\AppData\Local
- Task manager startup
- network connection

 
Last edited:
D

Deleted member 178

from what i see, the sandbox wasn't able to catch it.
Anyway , CS settings isn't the tightest one, it is a mix between usability and security focusing on the sandbox as main defense by disabling (silencing) the HIPS; with my settings i would be alerted by a prompt from the HIPS.

Edit: For those that doesn't want to read the whole thread, Comodo rated the malware as "Trusted" so it wasn't sandboxed or blocked by the HIPS.
 
Last edited by a moderator:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@Av Gurus , Just for the record, could you please enable HIPS, and run the test again? It's important to know if HIPS helps or not. I am sure that @Umbra's super-max settings will catch anything, but I still want to know if HIPS at default settings is any good.
 

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
from what i see, the sandbox wasn't able to catch it.
Anyway , CS settings isn't the tightest one, it is a mix between usability and security focusing on the sandbox as main defense by disabling the HIPS; with my settings i would be alerted by a prompt from the HIPS.

@Av Gurus , Just for the record, could you please enable HIPS, and run the test again? It's important to know if HIPS helps or not. I am sure that @Umbra's super-max settings will catch anything, but I still want to know if HIPS at default settings is any good.

I just put HIPS to Safe Mode and results are the same.
Check pictures:

1.png 2.png3.png4.png
 
D

Deleted member 178

@Av Gurus can you run the malware under file rating, because if the file is flagged as trusted , it will bypass all protection (except the HIPS and in paranoid mode only ).

you can use Killswitch to do a second verification.

I saw it undetected in VT by Comodo , may be a reason.
 

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
How to do that? I don't understand...
 
  • Like
Reactions: AtlBo

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
hi, did you enable Cloud lookup (file rating settings)?

if you did, I doubt that that malware is marked as safe on valkyrie by someone that's why it can bypass the sandbox. I had 1 malware which bypassed CCAV by the same reason

if you disable cloud lookup, perhaps it won't be able to bypass
 

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Via Rating scan , the widget or use Killswitch as i described.
The malware must be launched first.

(i dont have CIS installed so i can't give you detailed procedure ^^ )

Aha, so first run malware and then check "Rating Scan" to see if the file is there?

1.png

hi, did you enable Cloud lookup (file rating settings)?

if you did, I doubt that that malware is marked as safe on valkyrie by someone that's why it can bypass the sandbox. I had 1 malware which bypassed CCAV by the same reason

if you disable cloud lookup, perhaps it won't be able to bypass

Cloud is enable by default.

2.png
 
  • Like
Reactions: AtlBo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top