App Review Qihoo Total Security- An initial test

SHvFl

Nov 19, 2014
Thanks for the great explanations.
Now I must admit that I am confused. Why are people so big on sandboxing/isolating/limiting their browsers and PDF apps (think of ReHIPS for instance), if the anti-exe will anyways stop the payload from running?
Because a user will not always take the correct decision, plus it minimizes/stops the risk of exploits not yet patched. Sure, if you always click block on all alerts you are 99% safe, but do you do that?
 

shmu26

Jul 3, 2015
Because a user will not always take the correct decision, plus it minimizes/stops the risk of exploits not yet patched. Sure, if you always click block on all alerts you are 99% safe, but do you do that?
In addition, if an exploit can get into your file system and run PowerShell, couldn't it then modify the registry and change your settings and remove your security softs from startup? Then it can run the payload next time you reboot.
But if you have HIPS enabled in COMODO, you will get pretty suspicious when a process all of a sudden wants to run PowerShell...
 

woodrowbone

Dec 24, 2011
Interesting discussion, my problem with sandboxes and legit apps is not when I (the user) run the legal app, then it is easy to move out of the sandbox.
When a legal app wants to update itself, and the sandbox steps in, the installation goes through, and all is run in the sandbox and fully working.
What happens after reboot, with CFW for example, is the sandbox not emptied then?

/W
 

shmu26

Jul 3, 2015
Interesting discussion, my problem with sandboxes and legit apps is not when I (the user) run the legal app, then it is easy to move out of the sandbox.
When a legal app wants to update itself, and the sandbox steps in, the installation goes through, and all is run in the sandbox and fully working.
What happens after reboot, with CFW for example, is the sandbox not emptied then?

/W
Comodo sandbox does not get emptied unless you go and empty it yourself.
But usually, the updater is a separate process, and you will get a prompt for a new process that wants to run, and you can run it out of the sandbox.
 

FleischmannTV

Jun 12, 2014
and this payload will have to be run locally (on your system) to infect, and this is anything but fileless! Point being that when the payload is downloaded and run it will also be detected and sandboxed no matter if the browser is isolated or not.

"Angler EK is now able to infect an host without writing the malware on the drive (it's injected directly in the process running the exploited plugin)"

Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)
 

cruelsister

Thread author
Apr 13, 2013
Actually the sandbox will empty itself on reboot. It is important that it does, as at the default (Partially Limited) sandbox level something like lockscreen malware will be allowed to execute to the extent that you will have a Desktop Overlay; but on reboot things like this vanish as they won't be allowed to be permanent.

Woodrow- if the legit application is not sandboxed then the updater also will not be so contained. For those that want to keep a specific legit application sandboxed all the time but want to update it, the best procedure is to disable the sandbox, update the application and close it, then enable the sandbox once again.
 

shmu26

Jul 3, 2015
Actually the sandbox will empty itself on reboot. It is important that it does, as at the default (Partially Limited) sandbox level something like lockscreen malware will be allowed to execute to the extent that you will have a Desktop Overlay; but on reboot things like this vanish as they won't be allowed to be permanent.
Very interesting! I assume that is one of the reasons you recommended setting the auto-sandbox to Block, rather than Sandbox.
 

shmu26

Jul 3, 2015
"Angler EK is now able to infect an host without writing the malware on the drive (it's injected directly in the process running the exploited plugin)"

Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)
But COMODO HIPS should alert you about this.
I mean, if you are visiting a website and, out of nowhere, PowerShell or a script interpreter wants to run, that is going to be your sign that an exploit is attempting to infect you...
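The parent-child pattern described in this post (a browser or document reader suddenly spawning a script host) is also what a log-based detection would key on. The following is an added example written for this page, not code from COMODO or from anyone in the thread: it runs a parent/child rule over a few constructed, simplified Sysmon-style process-creation events. The field layout, process names and paths are assumptions chosen for illustration.

```python
import re
from typing import Dict, Iterable, List

# Script and shell hosts whose launch "out of nowhere" from a content
# renderer is the event the post describes HIPS alerting on.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
}
# Parents that render untrusted content: browsers, PDF readers, Office, mail.
CONTENT_RENDERERS = {
    "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
    "acrord32.exe", "winword.exe", "excel.exe", "outlook.exe",
}

# Assumed, simplified Sysmon-style event: ParentImage, Image, CommandLine.
EVENT_RE = re.compile(
    r"ParentImage=(?P<parent>.+?)\s+Image=(?P<image>.+?)\s+CommandLine=(?P<cmd>.*)$"
)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_spawns(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return events where a content renderer spawned a script/shell host."""
    hits = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash the collector
        parent, child = basename(m["parent"]), basename(m["image"])
        if parent in CONTENT_RENDERERS and child in INTERPRETERS:
            hits.append({"parent": parent, "child": child, "cmd": m["cmd"].strip()})
    return hits


# Constructed sample events (not real telemetry). The explorer.exe line is a
# user double-clicking a downloaded .wsf, the Locky case from this thread: a
# parent-child rule does not flag it, which is the gap the auto-sandbox covers.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -w hidden -File C:\Users\u\AppData\Local\Temp\update.ps1",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe C:\Users\u\Downloads\invoice.wsf",
    r"ParentImage=C:\Program Files\Adobe\Reader\AcroRd32.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c start",
    r"ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -File C:\scripts\maint.ps1",
]

if __name__ == "__main__":
    for hit in suspicious_spawns(SAMPLE_EVENTS):
        print(f"ALERT {hit['parent']} -> {hit['child']}: {hit['cmd']}")
```

The svchost.exe-spawned PowerShell is left alone on purpose: scheduled maintenance scripts look exactly like that, and a rule keyed on the parent process is what keeps the alert rate manageable.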
 

cruelsister

Apr 13, 2013
Shmu- I've actually done just some minor work with the HIPS module as I never have it active (the terminate and reverse functionality is admittedly pretty nifty). Although I'll include this in a Qihoo + CF video that I hope I have time to do, I hope you will please accept a text report of CF's protection (no HIPS):

I just ran a Locky wsf file- something the maladvertisers love- on execution (and this is at Partially Limited sandbox level) wscript.exe is immediately sandboxed. When this process tries to connect to command to get the payload you will get a firewall warning (unless you have checked the Block access when using Firewall safe mode- then it will just die there). But if you allow network access and let the payload be downloaded and run, the payload as well as any malware DLLs and bat files to maintain persistence will also be sandboxed. Yes, at Partially Limited you will see the ransom messages- but who cares? Clean the box (or reboot) and they also die. The only residual system change would be the desktop background changed to solid black. Easy enough to change back to what it was, though.

Using the Untrusted setting will kill the entire process at inception, by the way.
 

jamescv7

Mar 15, 2011
Still we should admit that Qihoo's suspicious ability is indeed a successful component out there; not so aggressive but fine-tuned.

It is still a big question where a possible bypass may occur; however, it can be very minimal considering the strong engines combined. ;)

-------------------

Meanwhile for Comodo, there is no fixed-formula solution against the majority of threats, thus it needs heavy tweaks.
 

shmu26

Jul 3, 2015
Shmu- I've actually done just some minor work with the HIPS module as I never have it active (the terminate and reverse functionality is admittedly pretty nifty). Although I'll include this in a Qihoo + CF video that I hope I have time to do, I hope you will please accept a text report of CF's protection (no HIPS):

I just ran a Locky wsf file- something the maladvertisers love- on execution (and this is at Partially Limited sandbox level) wscript.exe is immediately sandboxed. When this process tries to connect to command to get the payload you will get a firewall warning (unless you have checked the Block access when using Firewall safe mode- then it will just die there). But if you allow network access and let the payload be downloaded and run, the payload as well as any malware DLLs and bat files to maintain persistence will also be sandboxed. Yes, at Partially Limited you will see the ransom messages- but who cares? Clean the box (or reboot) and they also die. The only residual system change would be the desktop background changed to solid black. Easy enough to change back to what it was, though.

Using the Untrusted setting will kill the entire process at inception, by the way.
This is great. I will have to read this carefully and digest it.
 

Deleted member 2913

Woodrow- if the legit application is not sandboxed then the updater also will not be so contained. For those that want to keep a specific legit application sandboxed all the time but want to update it, the best procedure is to disable the sandbox, update the application and close it, then enable the sandbox once again.
But many a time, a couple of files related to the updating programs are sandboxed and mess up programs. I have experienced this with Free Download Manager, Java, VLC, etc... And that's the problem for average users.
 

woodrowbone

Dec 24, 2011
Woodrow- if the legit application is not sandboxed then the updater also will not be so contained. For those that want to keep a specific legit application sandboxed all the time but want to update it, the best procedure is to disable the sandbox, update the application and close it, then enable the sandbox once again.
But many a time, a couple of files related to the updating programs are sandboxed and mess up programs. I have experienced this with Free Download Manager, Java, VLC, etc... And that's the problem for average users.

That! :)

/W
 

cruelsister

Apr 13, 2013
Let's talk Java. The other day there was a Java update (to version 8 build 111). I have Java installed on my system and proceeded to the update routine. All went fine and it was updated BUT one file, deploy.jar, was sandboxed and not allowed to proceed. First off, this is not an issue for a home user as deploy.jar is for installing Java over multiple endpoints; secondly, why was it sandboxed (and it is ALWAYS sandboxed)? Simply because Oracle decided not to sign it!

Now whose fault is that? Comodo's because it isolated an unsigned script, or Oracle's because they are too lazy to sign the file?

The ONLY issue that one will have in updating applications while using Comodo is if the developer does not sign the updating routine. I'll be making a video with a tentative release date of November where it will be shown how to deal with stuff like this.
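The sandboxing decision this post describes hinges on whether a file carries a publisher signature at all. As an added example for this page (not Comodo's code and not the poster's), the function below reads a Windows PE header and reports whether an Authenticode signature blob is even present, the minimal "is it signed?" triage check for an updater's .exe/.dll components; it does not validate the signature (signtool or Get-AuthenticodeSignature do that), and it does not apply to JAR files such as deploy.jar, which use their own signing scheme. build_stub is a constructed, header-only image used only to exercise the parser.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory table


def has_authenticode_directory(pe: bytes) -> bool:
    """True if the security data directory is non-empty, i.e. the file
    embeds an Authenticode blob. Presence is not validity: a signature that
    is present can still be expired, untrusted or broken."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:       # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:     # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", pe, nrva_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX:
        return False  # table too short to even hold a security entry
    offset, size = struct.unpack_from("<II", pe, dirs_off + SECURITY_DIR_INDEX * 8)
    return offset != 0 and size != 0


def build_stub(security_size: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal header-only image (not loadable) for testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_len = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_len + 16 * 8, 0x22)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(opt_len - 4, b"\0")
    opt += struct.pack("<I", 16)  # NumberOfRvaAndSizes: full 16-entry table
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, SECURITY_DIR_INDEX * 8,
                     0x1000 if security_size else 0, security_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    for label, blob in (("signed-stub", build_stub(0x2000)), ("unsigned-stub", build_stub(0))):
        print(label, "carries a signature blob:", has_authenticode_directory(blob))
```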
 

shmu26

Jul 3, 2015
Now whose fault is that? Comodo's because it isolated an unsigned script, or Oracle's because they are too lazy to sign the file?
All hate and blame aside, there are a lot of lazy/stingy devs out there...
 