App Review Qihoo Total Security- An initial test

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
thanks for the great explanations.
Now I must admit that I am confused. Why are people so big on sandboxing/isolating/limiting their browsers and PDF apps (think of ReHIPS for instance), if the anti-exe will anyways stop the payload from running?
Because a user will not always take the correct decision plus it minimizes/stops the risk of exploits not yet patched. Sure if you always click block on all alerts you are 99% safe but do you do that?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Because a user will not always take the correct decision plus it minimizes/stops the risk of exploits not yet patched. Sure if you always click block on all alerts you are 99% safe but do you do that?
In addition, if an exploit can get into your file system and run powershell, couldn't it then modify the registry and change your settings and remove your security softs from startup? Then it can run the payload next time you reboot.
But if you have HIPS enabled in COMODO, you will get pretty suspicious when a process all of a sudden wants to run Powershell...
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
Interesting discussion, my problem with sandboxes and legit apps is not when I (the user) run the legal app, then it is easy to move out of the sandbox.
When a legal app wants to update itself, and the sandbox steps in, the installation goes thru, and all is run in the sandbox and fully working.
What happens after reboot, with CFW for example, is the sandbox not emptied then?

/W
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Interesting discussion, my problem with sandboxes and legit apps is not when I (the user) run the legal app, then it is easy to move out of the sandbox.
When a legal app wants to update itself, and the sandbox steps in, the installation goes thru, and all is run in the sandbox and fully working.
What happens after reboot, with CFW for example, is the sandbox not emptied then?

/W
comodo sandbox does not get emptied unless you go and empty it yourself.
but usually, the updater is a separate process, and you will get a prompt for a new process that wants to run, and you can run it out of sandbox.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
and this payload will have to be run locally (on your system) to infect, and this is anything but fileless! Point being that when the payload is downloaded and run it will also be detected and sandboxed no matter if the browser is isolated or not.

"Angler EK is now able to infect an host without writing the malware on the drive (it's injected directly in the process running the exploited plugin)"

Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Actually the sandbox will empty itself on reboot. It is important that it does as at the default (partially Limited) sandbox level something like lockscreen malware will be allowed to execute to the extent that you will have a Desktop Overlay; but on reboot things like this vanish as they won't be allowed to be permanent.

Woodrow- if the legit application is not sandboxed than the updater also will not be so contained. For those that want to keep a specific legit application sandboxed all the time but want to update it the best procedure is to disable the sandbox, update the application and close it, then enable the sandbox once again.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Actually the sandbox will empty itself on reboot. It is important that it does as at the default (partially Limited) sandbox level something like lockscreen malware will be allowed to execute to the extent that you will have a Desktop Overlay; but on reboot things like this vanish as they won't be allowed to be permanent.
very interesting! I assume that is one of the reasons you recommended to set autosandbox at block, rather than sandbox.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
"Angler EK is now able to infect an host without writing the malware on the drive (it's injected directly in the process running the exploited plugin)"

Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)
but COMODO HIPS should alert you about this.
I mean, if you are visiting a website, and out of nowhere, Powershell or a script interpreter wants to run, that is going to be your sign that an exploit is attempting to infect you...
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Shmu- I've actually done just some minor work with the HIPS module as I never have it active (the terminate and reverse functionality is admittedly pretty nifty). Although I'll include this in a Qihoo +CF video that I hope I have time to do, I hope you will please accept a text report of CF's protection (no HIPS):

I just ran a Locky wsf file- something the maladvertisers love- on execution (and this is at Partially Limited sandbox level) wscrpt.exe is immediately sandboxed. When this process tries to connect to command to get the payload you will get a firewall warning (unless to have checked the Block access when using Firewall safe mode- then it will just die there). But if you will allow network access and and let the payload to be downloaded and run, the payload as well as any malware dll's and bat files to maintain persistence will also be sandboxed. Yes, at Partially Limited you will see the ransom messages- but who cares? Clean the box (or reboot) and they also die. The only residual system change would be the desktop background changed to solid black. Easy enough to change back to what it was, though.

Using the Untrusted setting will kill the entire process at inception, by the way.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Still we should admit that Qihoo's suspicious ability is indeed a successful component out there; not so aggressive but fine tune.

Although still a big question where possible bypass may occur, however it can be very minimal considering of strong engines combined. ;)

-------------------

Meanwhile for Comodo, something that there is no fixed formula solution against majority of threats thus it needs heavy tweaks.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Shmu- I've actually done just some minor work with the HIPS module as I never have it active (the terminate and reverse functionality is admittedly pretty nifty). Although I'll include this in a Qihoo +CF video that I hope I have time to do, I hope you will please accept a text report of CF's protection (no HIPS):

I just ran a Locky wsf file- something the maladvertisers love- on execution (and this is at Partially Limited sandbox level) wscrpt.exe is immediately sandboxed. When this process tries to connect to command to get the payload you will get a firewall warning (unless to have checked the Block access when using Firewall safe mode- then it will just die there). But if you will allow network access and and let the payload to be downloaded and run, the payload as well as any malware dll's and bat files to maintain persistence will also be sandboxed. Yes, at Partially Limited you will see the ransom messages- but who cares? Clean the box (or reboot) and they also die. The only residual system change would be the desktop background changed to solid black. Easy enough to change back to what it was, though.

Using the Untrusted setting will kill the entire process at inception, by the way.
this is great. I will have to read this carefully and digest it.
 
D

Deleted member 2913

Woodrow- if the legit application is not sandboxed than the updater also will not be so contained. For those that want to keep a specific legit application sandboxed all the time but want to update it the best procedure is to disable the sandbox, update the application and close it, then enable the sandbox once again.
But many a times, couple files related to the updating programs are sandboxed And messes programs. I have experienced this with Free Download Manager, Java, VLC, etc... And thats the prob for average users.
 
Last edited by a moderator:

woodrowbone

Level 10
Verified
Dec 24, 2011
480
[QUOTE="cruelsister, post: 555258, member: 7463"

Woodrow- if the legit application is not sandboxed than the updater also will not be so contained. For those that want to keep a specific legit application sandboxed all the time but want to update it the best procedure is to disable the sandbox, update the application and close it, then enable the sandbox once again.
But many a times, couple files related to the updating programs are sandboxed And messes programs. I have experienced this with Free Download Manager, Java, VLC, etc... And thats the prob for average users.[/QUOTE]

That! :)

/W
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Let's talk Java. The other day there was a Java update (to version 8 build 111). I have Java installed on my system and proceeded to the update routine. All went fine and it was updated BUT one file, deploy.jar was sandboxed and not allowed to proceed. First off, this is not an issue for a home user as deploy.jar is for installing Java over multiple endpoints; secondly why was it sandboxed (and it is ALWAYS sandboxed)? Simply because Oracle decided not to sign it!

Now whose fault is that? Comodo's because it isolated an unsigned script, or Oracle's because they are too lazy to sign the file?

The ONLY issues that one will have in updated applications while using Comodo is if the developer does not sign the updating routine. I'll be making a video with a tentative release date of November where it will be shown how to deal with stuff like this.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Now whose fault is that? Comodo's because it isolated an unsigned script, or Oracle's because they are too lazy to sign the file?
all hate and blame aside, there are a lot of lazy/stingy devs out there...
 
  • Like
Reactions: Logethica

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top