App Review NotPetya vs Comodo Firewall

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
serveimage.jpg
 
  • Like
Reactions: novocaine, cruelsister, enaph and 2 others
I actually had no intention of doing another CF video; I was just preparing for next week's notPetya thingy which explores something really nasty about this malware (which was a real PITA to prepare). But since I had everything already in place I figured Why Not?

Yes indeed, I was crazy to do another VF video...
 
  • Like
Reactions: Solarlynx, secureguy109g, BugCode and 9 others
Has anybody seen the test of any Comodo product, when fighting NotPetya (Wannacry, EternalPot, etc.) infecting the local network? The firewall used in Comodo products should be very useful when the laptop is temporarily connected to the public network or Enterprise network. But, I did not see the test showing how Comodo's firewall, HIPS and Sandbox can fight the malware attacking computers connected to the infected network.
From the other tests, we know that SRP and Anti-exe products cannot stop the kernel backdoor infecting the local network. Some security products can stop the infection via network filtering or memory scan.
 
Last edited:
  • Like
Reactions: Sunshine-boy, Der.Reisende, ravi prakash saini and 3 others
Andy Ful said:
Has anybody seen the test of any Comodo product, when fighting NotPetya (Wannacry, EternalPot, etc.) infecting the local network? The firewall used in Comodo products should be very useful when the laptop is temporarily connected to the public network or Enterprise network. But, I did not see the test showing how Comodo's firewall, HIPS and Sandbox can fight the malware attacking computers connected to the infected network.
From the other tests, we know that SRP and Anti-exe products cannot stop the kernel backdoor infecting the local network. Some security products can stop the infection via network filtering or memory scan.
Click to expand...
yeah good point almost all test are related to click to run we need to see more about hacking a computer with metasploit kali and other stuff any hacker can make a raspberry like device connected in public wifi to automatically hack connected computers
 
  • Like
Reactions: Sunshine-boy, Andy Ful and ravi prakash saini
Andy- whether on a single computer or a computer connected to a Network (either through LAN or hard wired), an infection has to start at a given point. So one can extrapolate the effects- say on a thousand computer Network a single Endpoint is infected- can the malware gain Network access (like an info-stealer on a Home machine), can it successfully set up connections to the TOR network (like EternalRocks), or can it infect connected drives (like a common Worm)? If these have in the past have been shown to be blocked, one can be rather comfortable about things,

But what about some new and yet undisclosed exploit, like FSB stuff that God Forbid WikiLeaks would EVER acknowledge. What about these?

Note that exploits such as these are not the malware vectors themselves- they essentially just open a path for the actual malware to spread. Even if such stuff is undetected and allowed to establish itself, will it necessarily allow a Network to be trashed? Consider a prison analogy- what good would it be if an exploit opens the Cell door when the prisoner (malware) is chained to the wall? So it is with virtualization- if the actual malware is contained and can't get out of containment (not even able to infect an Endpoint), does it matter that a Network connection is open for it when it can never actually utilize it?
 
  • Like
Reactions: AtlBo, Sunshine-boy, simmerskool and 11 others
cruelsister said:
...
Note that exploits such as these are not the malware vectors themselves- they essentially just open a path for the actual malware to spread.
...
Click to expand...
I rather think of the possibility, when the attacker wants to steal passwords from people connected to the public network, using Metasploit or FuzzBunch. One can make a payload in the form of DLL and use the kernel backdoor (like DoublePulsar) to execute it on the target computer. The payload can steal passwords like in Zoltan video (ETERNALBLUE / DOUBLEPULSAR / PEDDLECHEAP):

I did not see (so far) Comodo product's response against executing a DLL payload by DoublePulsar.

Edit1.
I admit that such scenario is unlikely, when the user frequently updates the system. But, it would be probable in Enterprise networks. So, I am curious if Comodo for Enterprises can detect/stop such infection (like some other products).

Edit2.
If so, then Comodo would be truly recommended for Enterprises.
 
Last edited:
  • Like
Reactions: AtlBo, Sunshine-boy, Der.Reisende and 1 other person
Andy- I can't speak for Comodo, but this video is MY response to a malware dll being dropped. I know that the Metasploit console videos are impressive to watch, but understand that they never look at what is actually occurring on the potentially infected endpoint. For a malware dll to activate, something HAS to act on it for the dll to be activated (like by rundll32) otherwise it will just sit on the machine looking stupid. You really have to differentiate between the exploit and the malware payload. If the payload cannot run nor can it connect out, what harm (and this is on the assumption that the exploit can magically be established)?

Also, for this video I did tweak Comodo- but in the opposite way of what might be expected. I made it weaker. I shut the Cloud AV off (this would have detected and deleted the dll on run), and as usual disabled the HIPS. Furthermore (as is stated in the video) I set the Sandbox to the default Partially Limited setting (as if I would EVER do that on my system!). With Cruel Comodo the exe would have just been outright stopped (and that would have been a bore) without the ability to call up either schtasks or rundll32. The only thing really of interest with NotPetya is something one one is mentioning (but I will).

Finally, I know that the EternalWhatever exploits are currently in vogue for discussion. But really, how do these exploits differ from a simple Worm which will propagate on the Network and have (and are) causing massive data breaches and untold billions of dollars of harm? For me, as long as you have the proper security protection in place these exploits are, in the words of the immortal Bard, "full of Sound and fury, Signifying Nothing."
 
  • Like
Reactions: AtlBo, Sunshine-boy, ZeroDay and 8 others
cruelsister said:
...
I know that the Metasploit console videos are impressive to watch, but understand that they never look at what is actually occurring on the potentially infected endpoint. For a malware dll to activate, something HAS to act on it for the dll to be activated (like by rundll32) ...
Click to expand...
This is not so simple. In the case I mentioned, DoublePulsar is activating the malware DLL without using the standard methods (like rundll32.exe, or calling LoadLibrary API). In my example, DoublePulsar is simply nonstandard reflective DLL loader, that is already running in the kernel. If the payload DLL is self sufficient and does not spawn new processes, then Comodo will have a problem. It would be not wise to believe that Comodo should block/contain the malware DLL, without testing it.

Edit1.
Such scenario is similar to NotPetya only at the exploit stage. It is very different at the payload stage.
I am also not saying, that in the Zoltan video (from my previous post), FuzzBunch module for stealing passwords was using such scenario. It could spawn some processes, that were ignored by the security program installed on the target computer.

Edit2.
It is also possible, that malware DLL executed by DoublePulsar, could run system executables whitelisted by Comodo. That possibility depends on HIPS, "Heuristic Command Line Analysis" and "Embedded Code Detection" features. This also should be tested, because DoublePulsar does not use the standard method to execute the malware DLL.
 
Last edited:
  • Like
Reactions: AtlBo, erreale, Sunshine-boy and 1 other person

You may also like...