Basic Security Rengar's Security Config

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
How you finding it? It's extremely light and I really like it's GUI but I don't know if I prefer it over CFW.
If you get the chance I wouldn't mind seeing a test of it. I'm not sure how it handles scripts so I'm curious if it suffers the same problem as Avast's hardened mode and if there's any way to bypass it's protection. I've also heard it's universal AV suffers from some major engine update delays.
It's very light and so far I like it
it's not annoying like other anti-exes but still effective
It's not easy for me to test it because I have to collect a sufficient number of samples which have low detection rates according to VT so SAP won't block them easily by Universal AVs. I will try to test it behind the screen to pick good samples and then you these for a video

I notice some differences between engines used by universal AVs and the real engines. For example, WD couldn't detect many malwares I scanned but the Microsoft engine detected them as malwares. Avira and BD have delayed signatures which should have detected some samples that were already detected by these engines according to VT
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,815
it's not annoying like other anti-exes but still effective
Yeah, it's nice to not have to keep unblocking legitimate processes having their network access blocked by CFW.

It's not easy for me to test it because I have to collect a sufficient number of samples which have low detection rates according to VT so SAP won't block them easily by Universal AVs. I will try to test it behind the screen to pick good samples and then you these for a video
Ah right. Didn't think about it being a lot harder to find samples for something that uses multiple engines, even if their sigs are delayed.

I notice some differences between engines used by universal AVs and the real engines. For example, WD couldn't detect many malwares I scanned but the Microsoft engine detected them as malwares. Avira and BD have delayed signatures which should have detected some samples that were already detected by these engines according to VT
I think VDS is a step up in this regard by having a direct link to VT. No out-of-date sigs to worry about in determining if samples are malicious or not.

I'll keep SAP around for now but I'm not all that familiar with it. With CFW I know where I stand and know the protection it affords after using it for a long time but I've never given SAP much of a fair shake and I've only seen one or two tests featuring it so I can't determine how strong its protection is. Especially against signed malware or scripts.

Since SAP were forced to drop VT this is the kind of malware I'd be concerned about when running it:
cppJClV.png

Signed and the universal AV says clean but VT gives a 35/56. What'd happen if someone ran into this kind of sample nowadays when VT isn't there to give you a heads up that it's malicious? As far as I'm aware it doesn't have any kind of behavioural detection so if you unblock it (based on it being signed and the UAV giving it a clean rating) the malware could run indefinitely in theory.

Edit: Sorry for taking over your configuration thread to discuss SAP, @LanDude! :oops: Hope you don't mind.
 
Last edited:

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Good configuration, honestly Comodo components are strong enough which you need to carefully tweak for accuracy and precision.

@Arequire: Well in that instances, a user should always close carefully on the alerts. SAP provides multiple criteria to avoid any bypass on the file so any red marks will halt for execution.

In a close look it may not be user friendly, but as the time you use; it can be a very good supplement for setup.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
cppJClV.png

Signed and the universal AV says clean but VT gives a 35/56. What'd happen if someone ran into this kind of sample nowadays when VT isn't there to give you a heads up that it's malicious? As far as I'm aware it doesn't have any kind of behavioural detection so if you unblock it (based on it being signed and the UAV giving it a clean rating) the malware could run indefinitely in theory.
yes, there is no behavioral detection. at least SAP is an anti-exe/whitelister so we can block these file if they are marked as "Untrusted file" by SAP. We should upload them to Jotti or VT or upload to cuckoo sandbox and wait for the final verdict
honestly I prefer Jotti because it x5 faster and more responsive than VT :)
my ISP limits the connection to VT. if I want to upload files to VT, I must use a VPN, sometimes cannot access :(
I can only check the detection rate for <10 files at the time
 
Last edited:

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
yes, there is no behavioral detection. at least SAP is an anti-exe/whitelister so we can block these file if they are marked as "Untested file" by SAP. We should upload them to Jotti or VT or upload to cuckoo sandbox and wait for the final verdict
honestly I prefer Jotti because it x5 faster and more responsive than VT :)
my ISP limits the connection to VT. if I want to upload files to VT, I must use a VPN, sometimes cannot access :(
I can only check the detection rate for <10 files at the time
What are you gonna do then if the 1-year trial expires? If ever it reaches that point...
 
  • Like
Reactions: Sunshine-boy

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,815
@Arequire: Well in that instances, a user should always close carefully on the alerts. SAP provides multiple criteria to avoid any bypass on the file so any red marks will halt for execution.

In a close look it may not be user friendly, but as the time you use; it can be a very good supplement for setup.
yes, there is no behavioral detection. at least SAP is an anti-exe/whitelister so we can block these file if they are marked as "Untrusted file" by SAP.
I keep it in lockdown mode so this wouldn't affect me unless I downloaded and ran it myself. All I'd get shown was the file name that had been blocked. Just a little worrying for those that run interactive mode that the UAV's sigs are so out-of-date that none of the AVs included detected it as malware even when almost all did on VT. I guess you could argue it's still better than the traditional approach of having the file run on your system and hoping behavioural detection or HIPS catches it before it does any damage.
 

Rengar

Level 17
Thread author
Verified
Top Poster
Well-known
Jan 6, 2017
835
REMOVED
NetCraft
ADDED
TheGreatSuspender, Norton DNS

I think im protected with this config.
I had problems upgrading to W10. When i decide to format my pc i will do a clean install of W10 :)


Chrome Extensions added: Dont Track Me Google ,Disable HTML5 Autoplay, Stealth Mode.
 
Last edited by a moderator:

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
yes, there is no behavioral detection. at least SAP is an anti-exe/whitelister so we can block these file if they are marked as "Untrusted file" by SAP. We should upload them to Jotti or VT or upload to cuckoo sandbox and wait for the final verdict
honestly I prefer Jotti because it x5 faster and more responsive than VT :)
my ISP limits the connection to VT. if I want to upload files to VT, I must use a VPN, sometimes cannot access :(
I can only check the detection rate for <10 files at the time
from my experience, SAP literally made me go crazy with the way it handled the "initial scan".
i haven't seen such a buggy POS for a while.
 

inuyasha

Level 4
Verified
Well-known
Apr 9, 2017
186
REMOVED
NetCraft
ADDED
TheGreatSuspender, Norton DNS

I think im protected with this config.
I had problems upgrading to W10. When i decide to format my pc i will do a clean install of W10 :)

why remove netcraft?
 

Rengar

Level 17
Thread author
Verified
Top Poster
Well-known
Jan 6, 2017
835
Its possible to enable Malwarebytes as i have a lifetime licence but its a little overkill...We will see...:unsure:
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Hum... WD + ZAL -> and now MBAM Pro (resident), probably will get some slowdowns in the system, and some issues with the others resident applications...

Try and let us know :)
 
  • Like
Reactions: frogboy and Rengar

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top