App Review The Comodo's challenge.

Content created by
Andy Ful

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
645
I use Xcitium OpenEDR. Plus I use WDAC. The WDAC layer is for banning the things I never use, like certain LOLBins. And I block cmd and PowerShell until I need to use those two. And I turned on HIPS. Security common sense: you turn off, disable, block things you don't use.
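The setup described in the post above (WDAC deny rules for cmd, PowerShell and a few other LOLBins, layered on an allow-Microsoft base) can be expressed with the ConfigCI module. This is an added example, not the poster's own configuration; the working directory, file names and the list of extra binaries are assumptions, and deny rules should be verified in audit mode before enforcing.

```powershell
# Added example (not from the thread): WDAC deny rules for LOLBins the user never runs,
# merged into Microsoft's shipped AllowMicrosoft.xml base policy.
# Requires the ConfigCI module (Windows 10/11 Pro/Enterprise) in an elevated shell.
# C:\WDAC and the output file names are assumptions for illustration.

$Base = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
$Out  = "C:\WDAC\DenyLolbins.xml"
New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null

# Binaries to deny. cmd.exe and powershell.exe mirror the poster's setup; the
# others are common LOLBin examples (assumed). Remove any you actually need.
$Lolbins = @(
    "$env:windir\System32\cmd.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\System32\mshta.exe",
    "$env:windir\System32\wscript.exe",
    "$env:windir\System32\cscript.exe"
)

# In WDAC a deny rule always wins over an allow rule, so these block even
# though the base policy trusts Microsoft-signed code. File path rules are
# only safe for paths standard users cannot write to (System32 qualifies).
$Rules = foreach ($p in $Lolbins) {
    New-CIPolicyRule -FilePathRule $p -Deny
}

# Merge the deny rules into a copy of the base policy.
Merge-CIPolicy -PolicyPaths $Base -Rules $Rules -OutputFilePath $Out | Out-Null

# Start in Audit Mode (rule option 3): blocked launches are only logged to
# Microsoft-Windows-CodeIntegrity/Operational (event 3076/3077) until you are
# sure nothing needed is hit. Remove the option to enforce:
#   Set-RuleOption -FilePath $Out -Option 3 -Delete
Set-RuleOption -FilePath $Out -Option 3

# Compile to the binary format. Multiple-policy-format binaries must be named
# after their PolicyID GUID when deployed (Group Policy, Intune or CiTool).
$PolicyId = ([xml](Get-Content $Out)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $Out -BinaryFilePath "C:\WDAC\$PolicyId.cip"
```

When cmd or PowerShell is needed again, remove the corresponding rule from the XML, recompile and redeploy; the audit log shows which blocked paths were actually exercised in the meantime.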

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
628
Now it was Melih who responded. I hope they get in touch to analyze the POC and, if possible, correct this weakness.

Nothing is 100%, there is always a fine line of burdening users. Usability vs Security is a constant battle. We have always been trying to make sure we provide the best security for the usability. We can add many theoretical scenarios that are not a current threat in the wild that might negatively affect usability. However we are always looking for new ways to improve the security without affecting the user experience. We very much appreciate the good work Andy has done and we welcome and encourage more of these kinds of POCs so that we can all improve as a community!

ForgottenSeer 109138

Guys, your critique of Comodo does not help in this thread.
Any AV can be criticized, but people who use Comodo do not complain much. :)
Andy, I think what everyone here is failing to say, is Thank you.

At some point maybe the users in the forum will get past the peeing matches over products and realize that users like yourself who submit things such as this are not meaning to condemn products but to help them find issues they did not realize existed, whether or not these are in the wild now or could be at some later time when discovered by those who would use such knowledge in a malicious way. These types of tests, your openness and your lack of damning products clearly state that you are only doing this to help others, and as such it should be greatly appreciated by all, as it benefits all.

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
628
In the Comodo forum, I suggested that someone on the team contact @Andy Ful. However, Melih responded redundantly; I didn't understand very well.
Maybe someone has already contacted Andy, or they are waiting for him to get in touch, or, as he highlighted that the chance of seeing it in the wild is close to 0, he doesn't see the need for a correction.
I tried to help where I could.

I thank Andy and all colleagues on this forum for always bringing content that enriches our knowledge.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Guys, I'm really sorry to be lost here, but I was reading the entire post and I need to ask: is this something to really worry about as a user?

I do not think so.
There are many other possibilities that can be more dangerous to you. There is no need to worry when you read something on MT. It is just the information to think over.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hello Andy, can you repeat the test with the option checked: Detect embedded code at cmd?

Heuristic analysis of the code alone may not yield anything

It's been a long time since I've been here :)

Hi. :)

Welcome back.
I can do it without making video. Which concrete setup should be tested?

tachion

New Member
Jan 19, 2012
8
I'm talking about the same test with HIPS checked as it was in the second video, and the embedded code option checked.

I wonder how it would turn out :)


Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I'm talking about the same test with HIPS checked as it was in the second video, and the embedded code option checked.

I wonder how it would turn out :)

These settings for cmd[.]exe, plus the settings used in the first video, can block the particular variant of the attack that utilizes cmd[.]exe.
They will not block other variants that do not use CMD.

Pico

Level 6
Feb 6, 2023
266
Could this attack be blocked effectively by adding certain HIPS rules, like denying (user) apps access to certain files or system resources? I'm wondering if one or more HIPS rules could defend against this attack and, if so, which rules to add.