Andy Ful

Level 48
Verified
Trusted
Content Creator
Different strokes for different folks. I'll take my chances. Best Buy has better customer service than Fry's Electronics, but it doesn't change the fact that Fry's has better stuff. AG has given me no issues so far. A couple of post-factory entries and I'm good to go. Less effort than H_C to set up, and less effort to lock/unlock. It's a mature and polished product, which I appreciate. I like working with my computers, rather than working on them. I get more than my share of that as is.
AG is a very good commercial product (paid). Both AG and H_C can be locked/unlocked with one click. H_C can be configured with 2 clicks (Recommended settings). H_C is more restrictive for the user actions than AG, and less restrictive for the system processes than AG. Both have some unique features. I think that AG can be more usable for many people, but there are some people who think otherwise.(y)
 

LDogg

Level 29
Verified
All these scripts and programs people have listed here are just scams. They don't work and they don't improve your security. Instead they will make your security worse.
Sorry to put my discourse in this manner, but I don't think you have any prior experience, knowledge, evidence or expertise for suggesting the software is a "scam". Hard_Configurator, AppGuard et al. increase the security of a computer massively, depending on one's own implementation of the computer setup.

If you do have any evidence to put forward as an argument to back up your quoted claims, I would very much like to see it put in motion. Also, you're bordering on defamation, as this could deter people from using such software if they believe your statement, thus losing potential revenue and clientele.

Please be careful with future statements unless you have evidence to put forward.

~LDogg
 

ebocious

Level 4
AG is a very good commercial product (paid). Both AG and H_C can be locked/unlocked with one click. H_C can be configured with 2 clicks (Recommended settings). H_C is more restrictive for the user actions than AG, and less restrictive for the system processes than AG. Both have some unique features. I think that AG can be more usable for many people, but there are some people who think otherwise.(y)
Yah, I'm more concerned about system processes than user actions. Nobody knows my admin password but my wife and me, I research before I install/run, and my wife doesn't install anything; so I don't need protection from myself. Fileless malware is my biggest concern.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Yah, I'm more concerned about system processes than user actions. Nobody knows my admin password but my wife and me, I research before I install/run, and my wife doesn't install anything; so I don't need protection from myself. Fileless malware is my biggest concern.
In the home environment (almost) all malware is started by user actions, so initially it can run only with standard privileges. So, it is far better and safer to restrict user actions, because this does not disturb Windows system processes, Windows Updates and administrative scheduled tasks. The malware/exploit cannot run because of those restrictions, so it cannot get higher privileges either.
If you want to apply restrictions with high privileges, then you cannot restrict user actions as much as with standard privileges, because this could break something in the system. But such restrictions are necessary for enterprise users, because the computers in a large local network can be attacked with high privileges (remotely).
 

ebocious

Level 4
In the home environment (almost) all malware is started by user actions, so initially it can run only with standard privileges. So, it is far better and safer to restrict user actions, because this does not disturb Windows system processes, Windows Updates and administrative scheduled tasks. The malware/exploit cannot run because of those restrictions, so it cannot get higher privileges either.
If you want to apply restrictions with high privileges, then you cannot restrict user actions as much as with standard privileges, because this could break something in the system. But such restrictions are necessary for enterprise users, because the computers in a large local network can be attacked with high privileges (remotely).
True. And if I ran an admin account, shared my admin password, or had UAC turned down, then I would have greater cause for concern. But I don't. Now, since I run Chrome with its sandbox and site isolation, along with Malwarebytes Browser Extension, Bitdefender TrafficLight, WoT, and Quad9 DNS, I realize my chances of landing on a malicious page are slim from the get-go. And if I do land on a malicious page, or a legitimate page infected by a third party, the malware on that page has to be able to defeat MBBE and BDTL, escape the sandbox, and execute.

It's a tall order, but not impossible. And since my processor is vulnerable to Meltdown and Spectre, not to mention how much harder it is to detect fileless malware, I don't feel like waiting until a working drive-by download kit enters the wild. There's something I can do about it now. And I'm doing it. Blue Ridge acknowledges that, once Spectre executes, nothing can stop it. But because certain events have to take place before Spectre can take hold, a proactive program like AG has as good a chance as any of stopping it before it's too late. And since the OP specifically asked about default-deny alternatives to Cruel Comodo, this is material information. Cheers!
 

Klappis

Level 1
True. And if I ran an admin account, shared my admin password, or had UAC turned down, then I would have greater cause for concern. But I don't. Now, since I run Chrome with its sandbox and site isolation, along with Malwarebytes Browser Extension, Bitdefender TrafficLight, WoT, and Quad9 DNS, I realize my chances of landing on a malicious page are slim from the get-go. And if I do land on a malicious page, or a legitimate page infected by a third party, the malware on that page has to be able to defeat MBBE and BDTL, escape the sandbox, and execute.

It's a tall order, but not impossible. And since my processor is vulnerable to Meltdown and Spectre, not to mention how much harder it is to detect fileless malware, I don't feel like waiting until a working drive-by download kit enters the wild. There's something I can do about it now. And I'm doing it. Blue Ridge acknowledges that, once Spectre executes, nothing can stop it. But because certain events have to take place before Spectre can take hold, a proactive program like AG has as good a chance as any of stopping it before it's too late. And since the OP specifically asked about default-deny alternatives to Cruel Comodo, this is material information. Cheers!
How do you run Chrome in sandbox mode and site isolation?
 

Slyguy

Level 42
Verified
There are some baddies going around that exploit Chrome's extension system and can cause some serious issues. A symptom of it is a message saying your Chrome browser is managed by your organization.

It seems to also get beyond default-deny systems but I guess we would need to test it more. I ran into a system that was impacted by such a beast. Also it can impact Android, iOS, Windows and Chromebooks.


Honestly, I am unsure anything can stop these other than perhaps a Group Policy to block all Chrome extensions and/or not even using Chrome?

Administrative Templates > Google > Google Chrome > Extensions
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
There are some baddies going around that exploit Chrome's extension system and can cause some serious issues. A symptom of it is a message saying your Chrome browser is managed by your organization.

It seems to also get beyond default-deny systems but I guess we would need to test it more. I ran into a system that was impacted by such a beast. Also it can impact Android, iOS, Windows and Chromebooks.
...
Modifying policies requires malware that could access admin rights. In most cases, it is malware that has already infected the system outside the web browser and wants to infect the web browser by installing the malicious extension. It can also be done without modifying policies, but doing it via policies can probably be harder for AVs to detect.
The default-deny system will easily prevent modifying policies because it will block the initial malware in the first place.(y)

Edit.
I do not use Chrome, but maybe there is a Chrome security flag that disables the policy feature? If not, then it should be implemented, because home users do not use the policy feature, and they are vulnerable for no reason.
 
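The Group Policy path Slyguy gives and the policy-modification scenario Andy Ful describes, as an added PowerShell example that is not code from the thread, from Google or from AppGuard: it audits the registry locations Chrome reads policy from and can apply the block-all-extensions policy. It assumes Windows, that Chrome reads policy from both HKLM and HKCU under Software\Policies\Google\Chrome (HKLM wins on conflict, and the HKCU key is writable by a standard user, so an audit has to check both hives), and that the value names are Chrome's documented policy names; the list of "suspect" policies is the example author's choice, not an official indicator list.

```powershell
# Added example (not from the thread): audit the Chrome policy keys that adware and
# hijackers abuse to force-install extensions, and optionally apply the extension
# blocklist set through "Administrative Templates > Google > Google Chrome > Extensions".
# Assumptions: Windows; Chrome reads policy from both hives below (HKLM takes precedence);
# value names are Chrome's documented policy names; the suspect list is our own choice.

$policyRoots = @(
    'HKLM:\Software\Policies\Google\Chrome',   # needs admin rights to write
    'HKCU:\Software\Policies\Google\Chrome'    # writable by a standard user
)

# Policies that turn the browser into a persistence foothold when set by something other than IT.
$suspectPolicies = @(
    'ExtensionInstallForcelist',   # list: silently installs and pins extensions ("id;update_url")
    'ExtensionInstallSources',     # list: widens where extensions may be installed from
    'ExtensionInstallAllowlist',   # list: re-allows extensions a blocklist would stop
    'DeveloperToolsAvailability'   # DWORD: 2 disables DevTools, hiding the extension from inspection
)

function Get-ChromePolicyFindings {
    $findings = @()
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        # Chrome shows "Managed by your organization" as soon as any policy is set here,
        # so report the key itself, then the specific policies we care about.
        $findings += [pscustomobject]@{ Hive = $root; Policy = '(policy key present)'; Value = '' }
        foreach ($name in $suspectPolicies) {
            $listKey = Join-Path $root $name
            if (Test-Path $listKey) {
                # List policies are stored as a subkey with numbered string values: 1, 2, ...
                $items = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } |
                    ForEach-Object { $_.Value }
                $findings += [pscustomobject]@{ Hive = $root; Policy = $name; Value = ($items -join '; ') }
            } else {
                # Scalar policies are plain values directly under the Chrome key.
                $prop = Get-ItemProperty -Path $root -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $prop) {
                    $findings += [pscustomobject]@{ Hive = $root; Policy = $name; Value = $prop.$name }
                }
            }
        }
    }
    return $findings
}

# Enforce "block all extensions" in the machine hive. Run from an elevated prompt.
function Set-ChromeExtensionBlockAll {
    $blockKey = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist'
    New-Item -Path $blockKey -Force | Out-Null
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null
}

Get-ChromePolicyFindings | Format-Table -AutoSize
# Set-ChromeExtensionBlockAll   # uncomment in an elevated shell to apply the blocklist
```

On a home machine where nobody has deliberately configured Chrome, any finding at all is worth explaining, and an ExtensionInstallForcelist entry in HKCU is the case the thread is describing: it can be written without admin rights, so a default-deny tool that only guards elevation would not have been in the path of that write. Pair the blocklist with ExtensionInstallAllowlist entries for the extensions you actually use, or Chrome will refuse them too.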

ticklemefeet

Level 22
Verified
Modifying policies requires malware that could access admin rights. In most cases, it is malware that has already infected the system outside the web browser and wants to infect the web browser by installing the malicious extension. It can also be done without modifying policies, but doing it via policies can probably be harder for AVs to detect.
The default-deny system will easily prevent modifying policies because it will block the initial malware in the first place.(y)

Edit.
I do not use Chrome, but maybe there is a Chrome security flag that disables the policy feature? If not, then it should be implemented, because home users do not use the policy feature, and they are vulnerable for no reason.
Did you try it against Appguard with tweaked settings?
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Did you try it against Appguard with tweaked settings?
I did not test AppGuard for over a year. I could bypass AppGuard's default protection by using scriptlets and LOLBins, but this can be easily prevented by adding some LOLBins to guarded applications and some to the User Space. It is hard to bypass a properly configured AppGuard, but like any security, it can be bypassed in a targeted attack. Anyway, most attackers will find another target which will be easier to bypass.

Exploiting Chrome via the policy feature has nothing to do with AppGuard protection, because Chrome processes are not protected by AppGuard directly. So, if the malware could bypass AppGuard and gain access to admin rights, then next it could change the policies to infect Chrome. The same is true for most default-deny solutions. The hard task for the malware will be bypassing default-deny protection and getting admin rights (very improbable for widespread malware).
 

ticklemefeet

Level 22
Verified
I did not test AppGuard for over a year. I could bypass AppGuard's default protection by using scriptlets and LOLBins, but this can be easily prevented by adding some LOLBins to guarded applications and some to the User Space. It is hard to bypass a properly configured AppGuard, but like any security, it can be bypassed in a targeted attack. Anyway, most attackers will find another target which will be easier to bypass.

Exploiting Chrome via the policy feature has nothing to do with AppGuard protection, because Chrome processes are not protected by AppGuard directly. So, if the malware could bypass AppGuard and gain access to admin rights, then next it could change the policies to infect Chrome. The same is true for most default-deny solutions.
OK so this config would not stop it?

c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
OK so this config would not stop it?

c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
These blocked LOLBins are the most common ones, so most attacks will be stopped.
 

ebocious

Level 4
How do you run Chrome in sandbox mode and site isolation?
They should be enabled by default. You can double-check on site isolation by going to "chrome://process-internals" (without quotes); it should say "Site Isolation mode: Site Per Process."

If it says "Site Isolation mode: Disabled," then you need to fix that. Go to "chrome://flags/#site-isolation-trial-opt-out" and select "Default."
 

Wraith

Level 13
Verified
Malware Tester
I love VS,

the reason I'm currently preferring Comodo Cloud over VS is for 1 simple reason.

Unknown files are run sandboxed 'automatically', whereas on VS, if you allow the wrong unknown file, you're toast. (I'm hoping such a feature will pop into v.5.0, but for now I'm giving CCAV a try, and I really like it lol.)

I like what Dan is doing with VS - let's see if he does go that route too (maybe a more user-friendly modern UI too).
If you're not sure whether a file is malicious or not, when VS blocks a file you can first allow it to run in Cuckoo Sandbox. If the verdict returns clean, you can use the file; if the verdict returns malicious, you shouldn't run it.