App Review Olympic Destroyer vs Comodo Firewall


Evjl's Rain

after watching several videos CS has posted, I know CF is one of the best, if not the best security tool to lockdown the system. I'm no longer impressed anymore because CF does what it can do

however, I think it should be used in a different way other than executing malware inside the sandbox, as Sunshine-boy said, we don't notice any malicious activity inside the sandbox, unless the malware are cryptominers, crash or spawn so many processes that it can be noticed. Because of CS's settings, even safe apps with a UI can crash and show nothing

I think CF should be used as follows:
1/ exploit shield, when malware tries to download its payloads, CF will block them => something is clearly malicious and deserves the user's intervention
2/ When a user executes a random file
- if CF allows the file to run because it is whitelisted by cloud or TVL => let the file run
- if the file is sandboxed and crashes due to CS's configuration (untrusted or highly restricted), the file can either be safe or malicious. The user has to do several steps to determine the safety of that file (VM, VT, hybrid-analysis, Sandboxie without any restriction, ...) or pray and run the file outside the sandbox

for now, I'm using CF's sandbox as an exploit shield to block malware payloads
CF is extremely prone to FPs, especially for non-English, French or Spanish applications (less commonly spoken languages). In fact, I had to whitelist at least 10 times per day when I was installing or updating my applications

the 2/ is clearly not for average users and it's not security, it's troublemaker
 

AtlBo

Comodo buries almost all the crack files (process) into the sandbox..right after execution..Their default deny is some right..but is heavy for a normal user..
It works on two ways :- File Digital Sign and Reputation(in cloud)...and their Virus scope works in 2-3/100 samples..Firewall too much active..
I highly doubt most of their detections especially (Unclassified malware)..and most of the times simply adding to DB due to VT detections..Fp's prone
Too user dependency..no automated decisions..0 BB..takes a toll from gng to Comodo..

I agree with you about most of this, but let's face it...it sandboxes malware. Shouldn't forget about command-line monitoring that is in Comodo these days. And the firewall is there, also, and the HIPS if you care to use that protection...
 

Mahesh Sudula

I agree with you about most of this, but let's face it...it sandboxes malware. Shouldn't forget about command-line monitoring that is in Comodo these days. And the firewall is there, also, and the HIPS if you care to use that protection...
Forgot to mention..I had issues with Windows updates too..mostly showing as Failed after installing..I highly suspect Comodo in this regard
Don't know how it actually checks and blocks the above issues..but rectified immediately after uninstalling
Their HIPS flagging with diff colours..(Red and Yellow) mostly for trusted Windows processes too..
From their website..even their Bank guard completely locks the browser virtually ..Sandbox Sandbox Sandbox
They may be innovative but completely LOCKED UP in that Old age technology
 

AtlBo

however, I think it should be used in a different way other than executing malware inside the sandbox, as Sunshine-boy said, we don't notice any malicious activity inside the sandbox, unless the malware are cryptominers, crash or spawn so many processes that it can be noticed. Because of CS's settings, even safe apps with a UI can crash and show nothing

I posted about this issue on the Comodo forum:

Set up Auto-Contain to Run Unrecognized without Restriction-Changes in Container - Defense+ / Sandbox Help - CIS

Ended up a discussion about a testing mode for unrecognized programs. I admit I was a little bit astonished when I realized how difficult setting up a testing function would be :). The last statement of the responder was nice though.

I think CF should be used as follows:
1/ exploit shield, when malware tries to download its payloads, CF will block them => something is clearly malicious and deserves the user's intervention
2/ When a user executes a random file
- if CF allows the file to run because it is whitelisted by cloud or TVL => let the file run
- if the file is sandboxed and crashes due to CS's configuration (untrusted or highly restricted), the file can either be safe or malicious. The user has to do several steps to determine the safety of that file (VM, VT, hybrid-analysis, Sandboxie without any restriction, ...) or pray and run the file outside the sandbox

Yes, if the user will 100% believe Comodo TVL and cloud, at which I am improving myself, then it's up to the user to do the other work mentioned by @Evjl's Rain. Very good point. I do think Comodo should do a better job of letting people know when their action could be extremely risky and damaging. Maybe Comodo could keep up with what has been previously auto-boxed and throw a special alert if someone tries to run it outside...
 

AtlBo

Their HIPS flagging with diff colours ..(Red and Yellow) mostly for trusted windows processes tooo..

It does, but some of this is a parent/child thing. Like you will get an alert for Explorer.exe or whatever for each unrecognized program run from start menu or task bar, etc. Comodo uses your choice to add an exclusion in the rule. You can see them there where it says modify in an individual HIPS rule, in the example case for Explorer.exe...

I trimmed the TVL, so I get a lot of alerts, but it is a good way to see how Comodo works. Don't get them all that much anymore, but I used to get a lot of HIPS alerts that led to a modify/exclusion. Think I have 17 apps Explorer is allowed to execute...

Not to get away from the magic of Comodo. That's about being able to trust cloud lookup and the TVL. Once you can buy into that, the rest is fun and games with Auto-sandboxing enabled...as long as the user doesn't run unrecognized outside the box. The HIPS is really interesting and cool, but only useful I think where someone wants super tailored/sculpted security...
 

Arequire

The idea is to use CF on a system where you don't plan on installing anything new; only updating your existing programs. If you're constantly installing new software that's being sandboxed and you're pulling them out the sandbox without thought then there's no point in using CF because you're just going to end up pulling malware out the sandbox too. You'd be far better off just installing a traditional AV and letting it decide what's malicious and what isn't.
 

Morphius

Guys...haven't you noticed the file was blocked from the execution? So it didn't even run in the sandbox. So, what you see is not a normal "app running in the sandbox" behavior, hence legitimate applications running in the sandbox won't crash/won't start that often (as in the video).
@cruelsister1 why is that? What is your sandbox config?
Maybe it was classified as malicious in the cloud, and according to the first rule of automatic containment it was blocked?
BTW Comodo's Viruscope is getting better and better, I wouldn't say it has a detection of 2-3%.

You'd be far better off just installing a traditional AV and letting it decide what's malicious and what isn't.
Comodo does that too. It coexists with the sandbox. The funny part is, when a traditional AV will fail to recognize malware you will end up with encrypted files or your data stolen.
 


Arequire

Guys...haven't you noticed the file was blocked from the execution? So it didn't even run in the sandbox. So, what you see is not a normal "app running in the sandbox" behavior, hence legitimate applications running in the sandbox won't crash/won't start that often (as in the video).
@cruelsister1 why is that? What is your sandbox config?
Maybe it was classified as malicious in the cloud, and according to the first rule of automatic containment it was blocked?
BTW Comodo's Viruscope is getting better and better, I wouldn't say it has a detection of 2-3%.
There's a setting in "Containment Settings" that blocks the execution of unknown files if they request privilege elevation:
Untitled.png

If an unknown file doesn't request privilege elevation then it'll run in the sandbox without being blocked.
 

Evjl's Rain

The idea is to use CF on a system where you don't plan on installing anything new; only updating your existing programs. If you're constantly installing new software that's being sandboxed and you're pulling them out the sandbox without thought then there's no point in using CF because you're just going to end up pulling malware out the sandbox too. You'd be far better off just installing a traditional AV and letting it decide what's malicious and what isn't.
yes, that's the point. CF should be used if users want to completely lock down the system and rarely install new apps, or it's possible if users use well-known apps in commonly spoken languages
 

Mahesh Sudula

Comodo will definitely do better if :-
Say an unknown indeed (harmful) file is run..sandbox immediately contains and analyzes it and throws an alert flagging it as malicious due to harmful behaviour..and blocks (no option to allow)
Secondly...it runs a file (sandbox misses due to digital sign)** tampered ..and it's virusScope catches it (with cloud or w/o)...due to harmful characteristics...
Fp's are accepted upto certain extent
~~( F- Secure)#
 

Arequire

Comodo does that too. It coexists with the sandbox. The funny part is, when a traditional AV will fail to recognize malware you will end up with encrypted files or your data stolen.
The exact reason why I refuse to use a singular security application. Proactive defences such as behaviour blockers are too hit-or-miss and I simply don't feel protected when using one by itself.
 

Mahesh Sudula

An additional feature would be:
If the file, indeed a malware, manages to bypass both the SB and VirusScope...then their aggressive heuristics should come into play with the help of (Real Time + Cloud) flagging it as suspicious and requiring the user to submit it for Valkyrie analysis..
Most of all..BOOT TIME protection should be engaged...this would definitely give an edge.
 

Arequire

Most of all..BOOT TIME protection should be engaged...this would definitely give an edge.
Not as much as you'd think. Malware would have to execute and run on the system first before it can start interfering with stuff during boot.
If CF is being installed on an entirely clean system then boot time protection really wouldn't add much value.
 

cruelsister

Thread author
Rebsat- That is exactly what I have planned. It will be released the weekend of March 2-3. For the past year a number of people wanted to see this and essentially wrote "Just shut up and show the settings", which is what will be done- a malware free video!

1) Regarding Windows Update issues- I've been using CF for years as have many of my friends and some enlightened Enterprise companies (utilizing Comodo endpoint). None have had an issue with Windows Update with respect to Comodo. I frequently see posts like "I installed Comodo and my Parakeet died". No, Comodo did not kill your Parakeet, nor did it (insert word here that rhymes with Duck)-up your Windows Update.

2). About why the Olympic Destroyer was not seen running in the sandbox- Please note that my settings have the Containment level at Restricted. If I had left it at the default "Partially Limited" you would have seen a number of things running in the Box (In the middle- or End- of March or so I'll be probably putting out a Comodo vs malware video and I'll remember to show the differences).

Please note that the Containment level of Restricted did not operate this way in the past. Comodo has upped the efficiency of the sandbox at ALL levels- although they would rather die than admit it, I'm pretty sure this is due to the RAT video I released last year and something I've been harassing them about. Formerly the sandbox let a dll drop; currently it stops it cold.

M
 

ForgottenSeer 69673

Rebsat- That is exactly what I have planned. It will be released the weekend of March 2-3. For the past year a number of people wanted to see this and essentially wrote "Just shut up and show the settings", which is what will be done- a malware free video!

1) Regarding Windows Update issues- I've been using CF for years as have many of my friends and some enlightened Enterprise companies (utilizing Comodo endpoint). None have had an issue with Windows Update with respect to Comodo. I frequently see posts like "I installed Comodo and my Parakeet died". No, Comodo did not kill your Parakeet, nor did it (insert word here that rhymes with Duck)-up your Windows Update.

2). About why the Olympic Destroyer was not seen running in the sandbox- Please note that my settings have the Containment level at Restricted. If I had left it at the default "Partially Limited" you would have seen a number of things running in the Box (In the middle- or End- of March or so I'll be probably putting out a Comodo vs malware video and I'll remember to show the differences).

Please note that the Containment level of Restricted did not operate this way in the past. Comodo has upped the efficiency of the sandbox at ALL levels- although they would rather die than admit it, I'm pretty sure this is due to the RAT video I released last year and something I've been harassing them about. Formerly the sandbox let a dll drop; currently it stops it cold.

M

Thank you so much for the explanation. I am looking forward to your setting vid. now feed the kitty some chow.
 

show-Zi

The idea is to use CF on a system where you don't plan on installing anything new; only updating your existing programs. If you're constantly installing new software that's being sandboxed and you're pulling them out the sandbox without thought then there's no point in using CF because you're just going to end up pulling malware out the sandbox too. You'd be far better off just installing a traditional AV and letting it decide what's malicious and what isn't.

As a person without a testing environment, I agree with the opinion of @Arequire. The thing that I ask for is suppression of damage from zero-days. Is it wrong to consider the automatic sandbox as an alarm for a malicious program?
 
