Signed Malware & Antivirus Detection

Arequire · Dec 26, 2018

imuade said:
1. I don't think so, everything in the TVL or trusted by the user can run freely
2. If the file is on TVL or trusted by the user, it won't be checked on cloud
3. Only if you set Viruscope to check files outside the sandbox too

Edit: Trusted Vendors, PC Firewall, Internet Protection | Internet Security Help

If the vendor is on the 'Trusted Software Vendor List 'AND the user has enabled 'Trust Applications signed by Trusted Vendors' in the 'File Rating Settings' panel, THEN the application will be trusted and allowed to run.

I'm confident the first two points I made are correct but I've emailed Comodo about them for confirmation purposes. I'll post the response when they get back to me.

As for Viruscope, it depends what product you use. Both Comodo Internet Security and Comodo Firewall have Viruscope monitoring applications outside the sandbox by default. If you use Comodo Cloud Antivirus then you have to change a setting to allow it to monitor outside the sandbox.

Edit: Looked around and found one of Cruelsister's previous posts that states revoked certificates don't bypass the TVL:
Compare Protection - Trusted Application Module vs Application Control vs CIS
I'll wait for Comodo's response for definitive confirmation though.

Sunshine-boy · Dec 26, 2018

imuade said:
The digital signature belongs to Skype technologies

Do you know which av first detected it in the VT?

JM Safe · Dec 26, 2018

SRP or Comodo Firewall as already said.

imuade · Dec 26, 2018

Sunshine-boy said:
Do you know which av first detected it in the VT?

No, i've just checked vt when the link was available here at mt

Arequire · Dec 26, 2018

@imuade Comodo's response in regards to revoked certificates and cloud lookup of files with trusted vendor certificates:

imuade · Dec 27, 2018

Arequire said:
@imuade Comodo's response in regards to revoked certificates and cloud lookup of files with trusted vendor certificates:
View attachment 204402

Ok, thanks for the clarification

So, there is a chance to get infected, but it's really negligible

notabot · Dec 27, 2018

JM Security said:
SRP or Comodo Firewall as already said.

SRP won’t do anything for a ccleaner type of incident though

notabot · Dec 27, 2018

Thanks all for looking into this.

How did Comodo fare during the ccleaner incident? Did it detect it ? If so how soon after the malicious update ?

shukla44 · Dec 27, 2018

I don't use TAM in Kaspersky cause of too much blocks of dll's. But i make do by disabling 'Trust digitally signed applications'.

Arequire · Dec 27, 2018

notabot said:
How did Comodo fare during the ccleaner incident? Did it detect it ? If so how soon after the malicious update ?

I'm not sure how Comodo fared honestly. Remember that CCleaner itself wasn't technically the actual malware; it just connected to a server hosting the malware and downloaded it from there. So assuming the malware that was downloaded was unsigned or using a certificate by an untrusted vendor then it should've been sandboxed by Comodo. If it was signed using a certificate from a trusted vendor then I believe it would've been allowed to run without hindrance.

notabot · Dec 27, 2018

Arequire said:
I'm not sure how Comodo fared honestly. Remember that CCleaner itself wasn't technically the actual malware; it just connected to a server hosting the malware and downloaded it from there. So assuming the malware that was downloaded was unsigned or using a certificate by an untrusted vendor then it should've been sandboxed by Comodo. If it was signed using a certificate from a trusted vendor then I believe it would've been allowed to run without hindrance.

Thanks for this - what I had read was that the update itself had malware which connected to c&c but this could well had been a journalist not-so-accurately reporting the incident , I didn’t have first hand experience with the ccleaner incident .

Overall , what’s the performance hit ( if any ) for Commodo sandboxing everything not whitelisted? Also where can I find out more about how well it plays with 3rd party security suites ( Sophos, ESET ) or even WD

Arequire · Dec 27, 2018

notabot said:
Overall , what’s the performance hit ( if any ) for Commodo sandboxing everything not whitelisted?

It'll only sandbox files that don't have a digital signature from a trusted vendor and have an unknown file rating on their cloud database.
Comodo Firewall has the least performance impact of all Comodo's products and there's very little performance hit when something's being sandboxed. Obviously if a cryptominer gets thrown in the sandbox and it's designed to max out your CPU then it'll be a different story.

notabot said:
Also where can I find out more about how well it plays with 3rd party security suites ( Sophos, ESET ) or even WD

Generally you'll want to pair it with a standard antivirus, not a full-blown suite. Most suites have their own firewall component which may cause conflict with Comodo Firewall. I can't tell you which third-party solutions it doesn't play well with but it should be perfectly fine with the majority of them; WD being the obvious candidate for compatibility with it being integrated into the OS.

kylprq · Dec 27, 2018

Overall , what’s the performance hit ( if any ) for Commodo sandboxing everything not whitelisted? Also where can I find out more about how well it plays with 3rd party security suites ( Sophos, ESET ) or even WD

you can use with kaspersky free or sc without problem

Overall , what’s the performance hit ( if any ) for Commodo sandboxing everything not whitelisted?

auto containment settings > select unrecognized files > block > no performance hit

notabot · Dec 28, 2018

In comodo, can I select specific signed apps to always be sandboxed ? This would be a good solution to sandboxing apps whose vendors & supply chain one does not fully trust

Arequire · Dec 28, 2018

notabot said:
In comodo, can I select specific signed apps to always be sandboxed ? This would be a good solution to sandboxing apps whose vendors & supply chain one does not fully trust

You can.

notabot · Dec 28, 2018

Arequire said:
You can.

Fantastic! - am I right to assume that Comodo’s sandboxing can only works when HIPS is switched off from internet security suites ?

imuade · Dec 28, 2018

notabot said:
Fantastic! - am I right to assume that Comodo’s sandboxing can only works when HIPS is switched off from internet security suites ?

You can run both, but sandbox will kick in first, so hips will give you nothing more.
The biggest problem with Comodo is that it can cause issues with Windows 10, especially after a patch Tuesday update

Moonhorse · Dec 28, 2018

imuade said:
You can run both, but sandbox will kick in first, so hips will give you nothing more.
The biggest problem with Comodo is that it can cause issues with Windows 10, especially after a patch Tuesday update

Not with the comodo cloud

Comodo has top notch trusted vendors list, doubt anyone will waste possible trusted malware on home users as its been talked before

imuade said:
sandbox will kick in first

Pretty much this

notabot · Dec 28, 2018

Does it auto sandbox even things not initiated by explorer/shell so suppose someone exploits my browser to run something remote - will it be sandboxed ?

notabot · Dec 28, 2018

Signed malware on home users has happened, with ccleaner

Signed Malware & Antivirus Detection

Level 29

Level 28

Level 39

Level 12

Level 29

Level 12

Level 15

Level 15

Level 13

Attachments

Level 29

Level 15

Level 29

Level 4

Level 15

Level 29

Level 15

Level 12

Level 38

Level 15

Level 15

Similar threads