Should Comodo users stop using Comodo?

Status
Not open for further replies.
Seriously, why another thread for Comodo after the other one was closed yesterday (at the request of the OP)? 😯
You guys really don't know how difficult it is to moderate all the topics in the Comodo forum section 🤢
 
Seriously, why another thread for Comodo after the other one was closed yesterday (at the request of the OP)? 😯
You guys really don't know how difficult it is to moderate all the topics in the Comodo forum section 🤢

This one will be much easier due to the rules in the OP. :)
 
Hello @Trident, VirusScope applies Machine Learning analysis both outside the container and inside the container.

Best Regards
Nikola
@Nikola Milanovic,

Are you really an Xcitium staff member, or are you faking / pretending to be one???
On the Comodo forum there was an incident where a user was pretending to be a staff member too and got banned for doing so, but maybe it wasn't you...

MT admins / staff, please check authenticity.
 
Comodo likely will contain them and then anti-debug/anti-sandboxing algorithms (which usually in PE malware are not a deficiency) will lead to process termination.
Comodo can have a problem with some fully fileless malware that can bypass Viruscope and Script Analysis. However, most such attacks can be prevented by configuring Script Analysis settings. The most dangerous are pure DLL hijacking attacks (like Zip archive with a benign known EXE + malicious DLL).
 
Comodo can have a problem with some fully fileless malware that can bypass Viruscope and Script Analysis. However, most such attacks can be prevented by configuring Script Analysis settings. The most dangerous are pure DLL hijacking attacks (like Zip archive with a benign known EXE + malicious DLL).
Yep, which is exactly what I will test soon. These could be handled if Valkyrie were integrated and submitted the archive for emulation. But the archive would usually be password protected.
 
@Nikola Milanovic,

Are you really an Xcitium staff member, or are you faking / pretending to be one???
On the Comodo forum there was an incident where a user was pretending to be a staff member too and got banned for doing so, but maybe it wasn't you...

MT admins / staff, please check authenticity.

I will leave this post up for one day so that MT staff can see your request. After that, the post will be deleted.
 
Please make sure MT staff have read it, because this is bad if it's true...

I completely agree and echo your doubts. I don't see any evidence that machine learning is applied inside or outside of the container. Upon containing, there are no connections from Comodo to suggest that cloud machine learning is used. The size of the recognisers, even for a quantized machine learning model, is too small.
 
I completely agree and echo your doubts. I don't see any evidence that machine learning is applied inside or outside of the container. Upon containing, there are no connections from Comodo to suggest that cloud machine learning is used. The size of the recognisers, even for a quantized machine learning model, is too small.

The file dates suggest that they are not behavior-based cloud detections, but rather local basic modules. It is possible that the local responders could be trained by Machine Learning. However, this would require some additional evidence.

@Nikola Milanovic,
Do you have access to resources that could provide us with more information about responders?
 
The file dates suggest that they are not behavior-based cloud detections, but rather local basic modules. It is possible that the local responders could be trained by Machine Learning. However, this would require some additional evidence.

@Nikola Milanovic,
Do you have access to resources that could provide us with more information about responders?
They could be, but given the unpredictability and variability in executable malware (and potentially others that may be added), a <500 kb machine learning module (with necessary wrappers and so on)… highly unlikely.

It’s more like generic heuristics and rules.
 
Besides DLL hijacking, another possible Comodo bypass (without knowing AV) can be performed via trusted executables that use Node.js.
Such attacks are not covered by Script Analysis. However, they can be somewhat mitigated by Viruscope responders.
 
The file dates suggest that they are not behavior-based cloud detections, but rather local basic modules. It is possible that the local responders could be trained by Machine Learning. However, this would require some additional evidence.

@Nikola Milanovic,
Do you have access to resources that could provide us with more information about responders?
Hello @Andy Ful, VirusScope does apply Machine Learning, see below.
Best Regards
Nikola
 
Hello @Andy Ful, VirusScope does apply Machine Learning, see below.
Best Regards
Nikola

The responders can be different in Xcitium. Also, Xcitium can allow a cloud backend for Viruscope.
A similar problem is the lack of Comodo's full integration with Valkyrie.
 
The responders can be different in Xcitium. Also, Xcitium can allow a cloud backend for Viruscope.
A similar problem is the lack of Comodo's full integration with Valkyrie.
Both Xcitium and CIS apply Machine Learning on the local PC, but machine learning in the cloud is done by our verdicting engine called Xcitium Verdict Cloud, also known as Valkyrie.

Best Regards
Nikola
 
The responders can be different in Xcitium. Also, Xcitium can allow a cloud backend for Viruscope.
A similar problem is the lack of Comodo's full integration with Valkyrie.
They are different. In one admin guide, the recogniser (which can be seen on the screenshots) is 13.something, whilst Comodo's is 12.3.
 
Besides DLL hijacking, another possible Comodo bypass (without knowing AV) can be performed via trusted executables that use Node.js.
Such attacks are not covered by Script Analysis. However, they can be somewhat mitigated by Viruscope responders.
Sounds fairly easy to bypass. Please provide a file hash (even if detected by VirusScope) that would confirm any of these statements (if you are busy, just one will do).
 
@Nikola Milanovic,

Are you really an Xcitium staff member, or are you faking / pretending to be one???
On the Comodo forum there was an incident where a user was pretending to be a staff member too and got banned for doing so, but maybe it wasn't you...

MT admins / staff, please check authenticity.
Hello @Pico, yes, I am an employee at Xcitium; I work as a Malware Analyst at Xcitium.

Best Regards
Nikola
 
Hello @Pico, yes, I am an employee at Xcitium; I work as a Malware Analyst at Xcitium.

Best Regards
Nikola
I have a script here that is very small, 21 kb, yet it injects a full-blown RAT server written in .NET, distributed with the .NET environment. Can you please outline the technical process: how this script works, how it injects?
 