App Review TeslaCrypt 2.0 vs Comodo Firewall

[cruelsister]

As I'm taking a few days off from my assignment (as to avoid a Psychotic Episode), I had time to do a few videos.

This one is how Comodo Firewall handles the new version of Tesla which was written about here:

https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall

This test will vary the CF sandbox settings to illustrate the differences. Also note the outbound connections that the malware requested (and being a nice person I allowed)- this is to an Amazon server farm in Northern Virginia that is really getting annoying as it's a haven for malware/adware sites.





To Jack & Co- I noticed that my status has been elevated while I was away. Thank You! You honor me.

 

[yigido]

Thank you for the test! about the title? Well deserved

 

[Moose]

Salutations,

Enjoyed the TeslaCrypt 2.0 vs Comodo Firewall video. Will Comodo Firewall be ready for Windows 10?
Maybe it time to remove sandboxie and install Comodo Firewall!

Also, I very disappointed with CrtyptoMointor at this point!

Kind regards,

 

[yigido]

Will Comodo Firewall be ready for Windows 10?
Maybe it time to remove sandboxie and install Comodo Firewall!

Wait for the next release of Comodo products. They will be ready for Windows10 as mentioned in Comodo forum.

 

[Deleted member 178]

Maybe it time to remove sandboxie and install Comodo Firewall!

no way i remove sandboxie lol

two sandboxes set properly is not a bad thing

 

[cruelsister]

Moose- It seems that the issue of CF for Windows 10 is more of an unpacking problem, but as I have no desire to use a pre-release OS I can't personally verify; but a hotfix is in the works with the release this week (friend Yigido would know more).

Regarding CryptoMonitor, the only cryptic thing about it is why someone would use it. I'd love to go on a rant, but being sweet, kind, and gentle I'll defer to the Video I'm posting when I finish this message.

Now about Sandboxie- an excellent product, especially when they added the network block option for sandboxed processes; however last time (a few months ago) I checked, it was still weak on certain APT calls that could be exploited.

 

[Tony Cole]

May I ask, when you change the level to untrusted, how comes the malware is fully virtualized, am kinda lost? Great review, Sandboxie seems weak compared with Comodo. How would you block APT calls with either Sandboxie or Kaspersky?

 

[cruelsister]

Hi Tony!- Superb questions. Although Comodo has changed the basic Sandbox setting to Fully Virtualized, there are still degrees of what any sandboxed file can do- At the Untrusted level, it can do very little. See 1:35 of the Video and you'll note that the only perceived intrusion was the malware file itself. However when I changed the setting to the default (which would be Full V/Partially Limited) the malware was able to start things like Notepad, Photo Viewer and Seamonkey (my default browser) as well as at least querying other processes (like vssadmin). See the 3:43 point of the Video for all the other things that the malware attempted to intrude upon.

When considering these (attempted) intrusions, there are things that the malware was able to call up and start (Notepad, Photo Viewer and Seamonkey), but even so these things were sandboxed in turn and would be flushed when the sandbox was reset. Other attempts to intrude on system files (like vssadmin) were outright blocked.

But although in neither of the first two sandbox settings in the Video did this particular malware make any changes to the actual system, this isn't always the case. The Full V/Partially Limited default setting CAN let malware make some minor modifications; a case in point is the CTB locker class ransomware which attempts to change the Windows wallpaper to the ransom message. Although sandbox reset will get rid of the message, your original wallpaper will be changed to solid Black. A minor system change to be sure, but still totally unacceptable to me.

Finally on this topic, note that unlike in the following Video on CryptoMonitor, the malware file was unable to self-delete (suicide).

About Sandboxie- it is a really fine application. It does have for some reason the APT call flaw (I actually demonstrated this in one of my first Comodo videos- I will have to look back later to find out exactly where). Personally I have never seen an malware to exploit it to trash a system protected by SB, but on the other hand it was able to make definite system changes which I find troubling. So although I much prefer the Comodo sandbox properly set, I certainly would use Sandboxie over any pure AV/HIPS combo out there.

Please forgive me in advance if I confused you further with the above explanation.

M

 

[Deleted member 178]

in the latest CIS version , they lessen the choice of options for the auto-sandbox. only 4 choices.

 

[Tony Cole]

Ah, now I understand. Thank you for that. Yes, CryptoMonitor seems like a scam, seems odd he has vanished off the radar. I cancelled my payment.

Very good review, congratulations on the new title, very well deserved!

 

[cruelsister]

Umbra- Actually the choices are only regarding the restriction level for things that are already in the sandbox running in Full V. This is currently the case with both CF and CIS.

In past versions they gave the user the choice of the actual Sandbox level- Partially Limited. Limited, etc. where going into Full V was only one of the options. I personally despised that as at the levels below that of Full V it was a piece of cake to infect the machine. Now the choices in the Optional setting of Restriction level just stops riff-raffy type things.

 

[Moose]

Salutations, Friends!

Just in install on 1 of 3 PC's with-out cruelsister settings so far so good! Before when I install Comodo Firewall about 3/4 months ago, it would not let me connect to the internet and/or use the sandboxie. That is why, I uninstall, so far so good! I will try cruelsister settings in a little while, that is where I run into a headaches and/or problems with the above. Hopefully it will work right this time.

 

[Tony Cole]

So I have it all set up as suggested, would it offer more protection to uncheck or check do not virtualize access to?

 

[Moose]

Salutations, Friends!

Wow! After using Start-up and shutdown and start-up took forever! So, I remove Kerish Doctor,NoThanksVirus, and Malwarebtyes Anti-Malware. Much better now! Start-up just a little bit long!

I will use Emsisoft Emergency Kit in place of Malwarebtyes Anti-Malware. Question, please! Will Comodo Firewall upgrade itself just
before Windows 10 is downloaded? Or do I need to uninstall completely and then install Comodo Firewall?

Going to work on the 2nd PC's now!

 

[kmr1684]

Salutations, Friends!

Wow! After using Start-up and shutdown and start-uptook forever! So, I remove Kerish Doctor,NoThanksVirus, and Malwarebtyes Anti-Malware. Much better now! Start-up just a little bit long!

I will use Emsisoft Emergency Kit in place of Malwarebtyes Anti-Malware. Question, please! Will Comodo Firewall upgrade itself just
before Windows 10 is downloaded? Or do I need to uninstall completely and then install Comodo Firewall?

Going to work on the other PC's now!

i think better uninstall comodo after you have taken backup of setting of comodo and reinstall it after the upgrade to win 10, it will be fine and it will give you less headache, and please better install the win 10 ready comodo than sorry.

ps: sorry i am not using comodo right now. so i can't give you on hand experience in this matter. happy using of comodo.

 

[Moose]

Salutations, Friends!

Remember to off Windows Firewall, just over look! It's the simple things in life that get
you anymore!

Kind regards,

 

[Tony Cole]

RE: the APT calls, would changing Comodo firewall to do not show popup alerts - block requests prevent this?

 

[cruelsister]

CF is totally fine with the APT calls, blocking them with ease. It's Sandboxie that's lacking here.

 

[Tony Cole]

Thanks, so I do not need to change that setting, just leave it unchecked?

 

[Moose]

Salutations, Friends,

Being fair, let give the benefit of this updated youtube review.





Maybe a re-test on CryptoMonitor. Look like he trying!