Signed Malware & Antivirus Detection

Arequire
Feb 10, 2017
1. I don't think so, everything in the TVL or trusted by the user can run freely
2. If the file is on TVL or trusted by the user, it won't be checked on cloud
3. Only if you set Viruscope to check files outside the sandbox too

Edit: Trusted Vendors, PC Firewall, Internet Protection | Internet Security Help

If the vendor is on the 'Trusted Software Vendor List' AND the user has enabled 'Trust Applications signed by Trusted Vendors' in the 'File Rating Settings' panel, THEN the application will be trusted and allowed to run.
I'm confident the first two points I made are correct but I've emailed Comodo about them for confirmation purposes. I'll post the response when they get back to me.

As for Viruscope, it depends what product you use. Both Comodo Internet Security and Comodo Firewall have Viruscope monitoring applications outside the sandbox by default. If you use Comodo Cloud Antivirus then you have to change a setting to allow it to monitor outside the sandbox.

Edit: Looked around and found one of Cruelsister's previous posts that states revoked certificates don't bypass the TVL:
Compare Protection - Trusted Application Module vs Application Control vs CIS
I'll wait for Comodo's response for definitive confirmation though.
 

Arequire
Feb 10, 2017
@imuade Comodo's response in regards to revoked certificates and cloud lookup of files with trusted vendor certificates:
[Attachment: Untitled.png]
 

notabot (thread author)
Oct 31, 2018
Thanks all for looking into this.

How did Comodo fare during the ccleaner incident? Did it detect it ? If so how soon after the malicious update ?
 

shukla44
Jan 14, 2016
I don't use TAM in Kaspersky because of too many blocks of DLLs. But I make do by disabling 'Trust digitally signed applications'.
 

[Attachment: ScreenShot00622.jpg]

Arequire
Feb 10, 2017
How did Comodo fare during the ccleaner incident? Did it detect it ? If so how soon after the malicious update ?
I'm not sure how Comodo fared honestly. Remember that CCleaner itself wasn't technically the actual malware; it just connected to a server hosting the malware and downloaded it from there. So assuming the malware that was downloaded was unsigned or using a certificate by an untrusted vendor then it should've been sandboxed by Comodo. If it was signed using a certificate from a trusted vendor then I believe it would've been allowed to run without hindrance.
 

notabot (thread author)
Oct 31, 2018
I'm not sure how Comodo fared honestly. Remember that CCleaner itself wasn't technically the actual malware; it just connected to a server hosting the malware and downloaded it from there. So assuming the malware that was downloaded was unsigned or using a certificate by an untrusted vendor then it should've been sandboxed by Comodo. If it was signed using a certificate from a trusted vendor then I believe it would've been allowed to run without hindrance.

Thanks for this. What I had read was that the update itself had malware which connected to C&C, but this could well have been a journalist not-so-accurately reporting the incident; I didn't have first-hand experience with the CCleaner incident.

Overall, what's the performance hit (if any) for Comodo sandboxing everything not whitelisted? Also, where can I find out more about how well it plays with 3rd-party security suites (Sophos, ESET) or even WD?
 

Arequire
Feb 10, 2017
Overall, what's the performance hit (if any) for Comodo sandboxing everything not whitelisted?
It'll only sandbox files that don't have a digital signature from a trusted vendor and have an unknown file rating on their cloud database.
Comodo Firewall has the least performance impact of all Comodo's products and there's very little performance hit when something's being sandboxed. Obviously if a cryptominer gets thrown in the sandbox and it's designed to max out your CPU then it'll be a different story.

Also, where can I find out more about how well it plays with 3rd-party security suites (Sophos, ESET) or even WD?
Generally you'll want to pair it with a standard antivirus, not a full-blown suite. Most suites have their own firewall component which may cause conflict with Comodo Firewall. I can't tell you which third-party solutions it doesn't play well with but it should be perfectly fine with the majority of them; WD being the obvious candidate for compatibility with it being integrated into the OS.
 
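As an added illustration of the decision logic described in the posts above (the Trusted Vendor List rule quoted from Comodo's help page, the "no cloud lookup for TVL-signed files" point, the revoked-certificate question, and the "sandbox only unsigned-by-trusted-vendor and cloud-unknown files" summary), here is a PowerShell function that models that decision for a single file. It is not code from this thread, from Comodo, or from any other vendor. The vendor list is keyed on the signer certificate's common name, and both the `$TrustedVendors` list and the `$CloudRating` parameter are constructed stand-ins for data a real product would hold itself.

```powershell
# Added example; not code from this thread, from Comodo, or from any other vendor.
# Models the trust decision the posts describe for one file:
#   1. the Authenticode signature must verify,
#   2. the signer chain must still validate with online revocation checking
#      (a signature made before revocation still verifies cryptographically),
#   3. if the signer is on the trusted-vendor list AND "trust applications signed by
#      trusted vendors" is on, the file runs and the cloud lookup is skipped,
#   4. otherwise the cloud file rating decides: trusted runs, malicious is blocked,
#      unrecognized is contained (the auto-containment case).
# $TrustedVendors and $CloudRating are constructed stand-ins for a product's own data.
# The vendor key used here (certificate common name) is an assumption of this example.

using namespace System.Security.Cryptography.X509Certificates

function Get-TrustVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedVendors = @(),
        [bool] $TrustSignedByTrustedVendors = $true,
        [ValidateSet('Trusted', 'Unrecognized', 'Malicious')] [string] $CloudRating = 'Unrecognized'
    )

    $result = [ordered]@{ Path = $Path; Signer = $null; Verdict = 'Contain'; Reason = '' }

    # 1. Signature check (embedded or catalog signature, as WinVerifyTrust reports it).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.GetNameInfo([X509NameType]::SimpleName, $false)

    # 2. Revocation: rebuild the chain with online CRL/OCSP checks and fail closed on any
    #    revoked or unverifiable status (an offline machine therefore also lands in Contain).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $chainOk) {
        $result.Reason = "certificate chain failed: $chainStatus"
        return [pscustomobject]$result
    }

    # 3. Trusted vendor list: a hit here means the file runs without a cloud lookup.
    if ($TrustSignedByTrustedVendors -and ($TrustedVendors -contains $result.Signer)) {
        $result.Verdict = 'Run'
        $result.Reason = 'signer is on the trusted vendor list'
        return [pscustomobject]$result
    }

    # 4. Otherwise the cloud rating decides.
    switch ($CloudRating) {
        'Trusted'   { $result.Verdict = 'Run';     $result.Reason = 'cloud rating: trusted' }
        'Malicious' { $result.Verdict = 'Block';   $result.Reason = 'cloud rating: malicious' }
        default     { $result.Verdict = 'Contain'; $result.Reason = 'signed, but vendor not trusted and cloud rating unknown' }
    }
    return [pscustomobject]$result
}

# Example input: a Windows binary whose signer common name is 'Microsoft Windows'.
Get-TrustVerdict -Path "$env:SystemRoot\System32\notepad.exe" -TrustedVendors 'Microsoft Windows' |
    Format-List
```

Running the same call with `-TrustSignedByTrustedVendors $false` shows the other branch: the file is then judged purely on `-CloudRating`, which is what the "disable trust for digitally signed applications" approach mentioned later in the thread amounts to. Step 2 is the part that answers the revoked-certificate question: `Get-AuthenticodeSignature` alone can report `Valid` for a signature made before revocation, so the explicit chain build with `Online` revocation is what turns a revoked signer into a `Contain` verdict.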

kylprq
Jul 26, 2018
Overall, what's the performance hit (if any) for Comodo sandboxing everything not whitelisted? Also, where can I find out more about how well it plays with 3rd-party security suites (Sophos, ESET) or even WD?

You can use it with Kaspersky Free or SC without problems.

Overall, what's the performance hit (if any) for Comodo sandboxing everything not whitelisted?

auto containment settings > select unrecognized files > block > no performance hit
 

notabot (thread author)
Oct 31, 2018
In Comodo, can I select specific signed apps to always be sandboxed? This would be a good solution to sandboxing apps whose vendors and supply chain one does not fully trust.
 

imuade
Jul 29, 2018
Fantastic! Am I right to assume that Comodo's sandboxing can only work when HIPS is switched off in internet security suites?
You can run both, but sandbox will kick in first, so hips will give you nothing more.
The biggest problem with Comodo is that it can cause issues with Windows 10, especially after a patch Tuesday update
 

Moonhorse
May 29, 2018
You can run both, but sandbox will kick in first, so hips will give you nothing more.
The biggest problem with Comodo is that it can cause issues with Windows 10, especially after a patch Tuesday update
Not with the Comodo cloud. Comodo has a top-notch trusted vendors list; I doubt anyone will waste possible trusted malware on home users, as it's been talked about before.

sandbox will kick in first
Pretty much this
 

notabot (thread author)
Oct 31, 2018
Does it auto-sandbox even things not initiated by Explorer/shell? So suppose someone exploits my browser to run something remote: will it be sandboxed?
 
