App Review Malware bypass Comodo Firewall @ CS settings


shmu26

Look, if a file is well enough known that it was manually whitelisted by a Comodo employee, then most AVs will already have its sigs. Comodo is usually the last to find out about new malware.
Your AV, if you are using one, will block it. So this kind of a thing is low risk, I would think.
 

Arequire

Shouldn't be of concern to anyone. Every commercial application that uses whitelisting ends up accidentally allowing a very small number of malware through, and the chance of running into one in the wild is ridiculously slim. You could also mitigate the risk by using a supplementary AV that would allow it to be caught by signatures before it executed or by behavioural blocking after execution.
 

Rodney74

aka my config, because you can't trust anyone especially cloud stuff :D

So Umbra... Give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.
 

Rengar

So Umbra... Give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.
CF with CS settings or CIS with Umbra settings, and ZAM running together. You can also turn off cloud search.
 

Deleted member 178

So Umbra... Give me your opinion. A simple guy (ME) wants to run one or two real-time security programs, with my choice of on-demand scanners. The real-time security would be something that hopefully doesn't bog down my PC, nor interrupt me when working.

Just something simple but effective... Thanks.
I don't know your skills and preferences, so:

Windows Defender (if on Win8/10) + an Anti-exe (ERP or VS) and/or a Sandbox (Sandboxie, Shade, etc...) and/or a "virtualizer" (Shadow Defender, Timefreeze, etc...), far more effective than any AV if used correctly, almost malware-free and low on resource usage.

CIS with my settings is only for advanced users having experience with Comodo.
 

jamescv7

Double-edged sword concept for Comodo.

Clearly, when the cloud lookup is abused through the whitelist process, all protection will be bypassed unless HIPS is ON.

Actually, Comodo should be much more careful about the connection of components; for example, even if the program is trusted, a pop-up should be shown about a missing digital signature or other information.

------------------------------------

Cloud Lookup is not a bad feature for Comodo, since it helps to reduce numerous alerts; however, a recommended option is to turn on HIPS at maximum level to determine the behavior of a program.
 

shmu26

Just run a good AV along with Comodo, and you are okay.
If you want to be really paranoid, combo it with Voodoshield and disable VS parent/child permissions.
 

Rodney74

I don't know your skills and preferences, so:

Windows Defender (if on Windows 8/10) + an Anti-exe (ERP or VS) and/or a Sandbox (Sandboxie, Shade, etc...) and/or a "virtualizer" (Shadow Defender, Timefreeze, etc...), far more effective than any AV if used correctly, almost malware-free and low on resource usage.

CIS with my settings is only for advanced users having experience with Comodo.


OK Umbra, how about I include VS and Shade in my current setup, which is Comodo FW (CS settings) and Kaspersky AV (most good AVs seem to take a load off my PC; when running Windows Defender, apps open slower, weird I know).

So what do you think, any conflicts?
 

cruelsister

Sorry I wasn't around for this discussion! I had a little time to play around with this file and, as AV Gurus most excellently demonstrated, this file was able to drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant, although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that as this is an info-stealer, the actual malicious potential was negated by the Firewall (at my settings), which blocked the initial connection out to first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression- stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes for which one may be otherwise unaware)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
These yielded the results that the latter 2 were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!


Oh yeah- forgot to mention this- After running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP, and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?
 
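A defender-side script for the autostart point in the post above: the sample set itself up for AutoStart from AppData, and the post credits WinPatrol with alerting on such changes. This is an added example, not code from the thread, from Comodo or from WinPatrol; it assumes Windows PowerShell 5.1 or later and uses a hypothetical baseline file path. It snapshots the common Run keys and Startup folders, and on later runs reports every new entry together with where its target lives (flagging AppData), its SHA-256, and its Authenticode status.

```powershell
# Added example (not from the thread or any vendor it mentions): baseline-and-compare
# of common Windows autostart locations. Run once with -UpdateBaseline on a known-clean
# system, then run it again to list entries that appeared or disappeared.
# Assumption: Windows PowerShell 5.1+; the default baseline path is hypothetical.
[CmdletBinding()]
param(
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'autostart-baseline.json'),
    [switch]$UpdateBaseline
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutostartEntries {
    # One object per Run-key value or Startup-folder file.
    $entries = New-Object System.Collections.Generic.List[object]
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $entries.Add([pscustomobject]@{
                Source = $key; Name = $name; Command = [string]$item.GetValue($name)
            })
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File) {
            $entries.Add([pscustomobject]@{
                Source = $folder; Name = $file.Name; Command = $file.FullName
            })
        }
    }
    return $entries
}

function Get-TargetPath([string]$Command) {
    # Best-effort: a quoted path, else the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Get-TargetDetails($Entry) {
    # Location, hash and signature of the executable behind an autostart entry.
    $target = Get-TargetPath $Entry.Command
    $exists = [bool]($target -and (Test-Path -LiteralPath $target))
    $d = [ordered]@{
        Target    = $target
        Exists    = $exists
        InAppData = [bool]($target -and ($target -like "$env:APPDATA\*" -or $target -like "$env:LOCALAPPDATA\*"))
        Sha256    = $null
        Signature = 'n/a'
    }
    if ($exists) {
        $d.Sha256    = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        $d.Signature = (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
    }
    return $d
}

function ConvertTo-EntryKey($Entry) { '{0}|{1}|{2}' -f $Entry.Source, $Entry.Name, $Entry.Command }

$current     = Get-AutostartEntries
$currentKeys = @($current | ForEach-Object { ConvertTo-EntryKey $_ })

if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    ConvertTo-Json -InputObject $currentKeys -Compress | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath ($($currentKeys.Count) entries)."
    return
}

$baselineKeys = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
$added   = @($currentKeys  | Where-Object { $_ -notin $baselineKeys })
$removed = @($baselineKeys | Where-Object { $_ -notin $currentKeys })

if ($added.Count -eq 0 -and $removed.Count -eq 0) { Write-Host 'No autostart changes since baseline.'; return }

foreach ($key in $added) {
    $entry = $current | Where-Object { (ConvertTo-EntryKey $_) -eq $key } | Select-Object -First 1
    $d = Get-TargetDetails $entry
    Write-Host "NEW   [$($entry.Source)] $($entry.Name) -> $($entry.Command)"
    Write-Host ('      target={0} exists={1} inAppData={2} sig={3} sha256={4}' -f $d.Target, $d.Exists, $d.InAppData, $d.Signature, $d.Sha256)
}
foreach ($key in $removed) { Write-Host "GONE  $key" }
```

A new entry whose target sits under AppData and carries no valid signature is exactly the pattern the post describes, and the SHA-256 lets you look the file up (for example on VirusTotal, as the post does) before deciding whether to remove it. The script only reads and reports; it never deletes an entry.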

Deleted member 178

OK Umbra, how about I include VS and Shade in my current setup, which is Comodo FW (CS settings) and Kaspersky AV (most good AVs seem to take a load off my PC; when running Windows Defender, apps open slower, weird I know). So what do you think, any conflicts?
I remember Umbra once saying that if you use CF then you don't need VS.
If you keep Comodo, and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.
 

Rodney74

If you keep Comodo, and learn to use it properly, you won't need anything else. Comodo IS or FW is good enough alone. Just keep some OD scanners.

Uhhh wait... Now I'm confused... Why this video then, and why your setup, which no longer includes Comodo?

I thought I was tracking with you, but I must have missed the turn and drove over the edge of the cliff?
 

Rodney74

Sorry I wasn't around for this discussion! I had a little time to play around with this file and, as AV Gurus most excellently demonstrated, this file was able to drop into AppData and set itself up for AutoStart. That's the downside (and pretty significant, although as mentioned by Umbra it's because some Schmuck at Comodo set it as Trusted). The upside is that as this is an info-stealer, the actual malicious potential was negated by the Firewall (at my settings), which blocked the initial connection out to first Command in Paris (the temp files created in the Temp directory were not able to be transmitted).

(Digression- stuff like this always makes me glad to have Scotty alive and alert on my system. WinPatrol will alert to autostart changes for which one may be otherwise unaware)

As I was curious if this issue was intrinsic to this particular file or if it was a general reaction to this class of Banker (that would suck Big Time) I did some minor playing with the file.

The original: Antivirus scan for 190d5c8de27115b98484d653dff246fc05ce02ac69fedd009e469d7535f3faeb at 2017-04-29 21:32:59 UTC - VirusTotal
Messing with it slightly: Antivirus scan for f1ca8d86bd7e4a29c543bbd6b286f3098aeb02e996ee3b4105c9cd355ca931ac at 2017-04-29 21:19:31 UTC - VirusTotal

Or more extremely: Antivirus scan for d4283f3a737f5abcfa9d4d7d1f162f4ea3653df193ed3ae8cc2b2add6179985e at 2017-04-29 21:10:02 UTC - VirusTotal
These yielded the results that the latter 2 were indeed sandboxed, thus showing (at least to me) that this was not a general bypass and that someone at Comodo should not get a bonus this year.

But my compliments to AV Gurus for bringing this to everyone's attention!


Oh yeah- forgot to mention this- After running the initial malware sample, rebooting and making sure the drop autostarted, I did scans with MB, HMP, and Zemana portable. ZAM and HMP detected the thingy in memory; MB did not. Just what is going on at Malwarebytes lately?


OK, I'm just a simple guy, and you and Umbra have been very helpful and very knowledgeable, but I must say that you kind of made me feel that Comodo FW with your settings couldn't be compromised by a file like this...

So what do I need to change in the CS Comodo FW settings to avoid this or other files from surprising me...
 