Which Elements of Comodo do You Use?

[Deleted member 65228]

Comodo asked me about that driver(.sys) and I allowed it!But it's not important because I asked hips to protect these files -.- IDC because Comodo didn't tell me if you allow this driver then I cant protect your files from change even if you have block rules:notworthy:.btw thanks.

There is not so much you can do about it because Comodo will be limited to what they can restrict for kernel-mode attacks. To cut it short, there's nothing you can really do because code executing in kernel-mode can override protection mechanisms already in-place. As an example, Microsoft implemented PatchGuard, yet rogue device drivers already executing under ntoskrnl.exe have managed to bypass this protection mechanism in the past simply due to the privileges which were already present. Another example would be self-protection in security software... They are only designed to prevent attacks from user-mode; once a kernel-mode attack comes along, there's no guarantee on whether it will be prevented or successful.

No problem though, I'm glad I managed to answer sufficiently so you now understand why what happened was able to happen.

 

[Deleted member 65228]

before you show AI is useless and now its time for hips lol! can bb blocks this!?

Artificial Intelligence isn't useless in my opinion, I think it can be great and is promising. I am just waiting for it to improve more, the same way that we went from simple Anti-Virus products to what we have nowadays with behavioural protection components usually included within them. The test I previously did could have been applied to a few traditional Anti-Virus products which focus more on static over dynamic, too. At the end of the day, Proof-Of-Concept attacks/scenarios aren't always the "real world". We can sit and discuss how to do this and that all day long but at the end of the day, vendors will focus on what is being done in the wild (by prevalent attacks) and will adapt to them, to protect against real attacks, as opposed to just "what could happen" in a hypothetical situation.

I don't like vendors like Cylance though, hands down I am certain about my thoughts of them... In fact, the only default-deny solution which has any sort of Artificial Intelligence scanning mechanism I think it is fine would be VoodooShield. All the others like Cylance or CrowdStrike I don't really like at all - that doesn't mean they are bad though because all of these products will still be able to protect the user by blocking threats. At the end of the day, every product has good/bad days, limitations and/or bugs. It has always been this way and it will always be this way because we humans aren't perfect and thus anything we make won't be either.

About your question with Behavior Blocking, I think it is basically the same as HIPS but with less alerts and more focused on narrowing down behavior to that of actual malware, as opposed to just specific actions. HIPS can be applied to prevent genuine software from doing this too, whereas a Behavior Blocker is more focused on actual malicious software instead of overall IMO. All these HIPS and BB features in various security products are likely to use the same or similar combination of techniques, who knows... Each vendor have different management directions, engineers with different personal views of the best approaches and experience.

What works for you might not work for me and vice-versa.

 

[AtlBo]

AI is useless and now its time for hips lol! can bb blocks this!?

I started thinking last night about why I have Qihoo 360 with Comodo and thought maybe I should go to Bitdefender free a-v or KFAV. Well I wonder how sophisticated Qihoo's monitoring techniques are with regards to these bb issues. It does report when something wants to change a driver or many other types of system files. I like this, but of course it won't block deleting a file or renaming a file. However, Qihoo 360 is more sophisicated than many realize underneath imo. Thx @Sunshine-boy, I think I should keep Qihoo for now. I also have 64 bit so I feel better about that at least. Qihoo's bb is doing what Comodo HIPS does too in many cases, but I will keep for now for sigs too.

BTW, with Comodo, the key for a file/process to do anything it wants is trust. If the file becomes trusted then for example HIPS when it creates its rule will only perform one check...when the file/process wants to start something. To avoid establishing trust, don't allow from "Unblock Application" or from a Containment alert. The containment alert will create an ignore rule for the container but then also trust in the 'Files list". Unblocking via "Unblock Application" creates an allow rule in every area and the file/process is trusted too. Because the file is trusted, then in Paranoid mode you would probably only see one HIPS alert ever...process/file wants to run something. That's because all the rest of the rules will be set to "allow" in the HIPS rule.

So, I have been trying to determine what is the best way to create a HIPS rule that uses "ask" for all the HIPS rules just from answering the alerts correctly. I am in Safe mode which is different, but I think the best way is to carefully think when you answer each alert. If you don't allow from a containment alert or from "Unblock Applications", in Paranoid, you should see all the HIPS alerts. Maybe you can find something to test this with idk. Do an installation and install using the option "Treat As" and "Installer". Then run the program and see what happens. You have to find something from an non-trusted vendor though. That might make it a little bit hard to test.

I use a trimmed Trusted Vendor List, so I can find things to test more easily. To make this work, I had to also turn off Cloud Lookup so it wouldn't change the TVL and add vendors when I install something from one Comodo normally trusts. I like the system, and I feel it gives me a better chance of creating good HIPS rules with all the "ask" options in place instead of only one and then all "allows". One thing you can do is check your rules to see what they look like. At least you can make sure you are getting "ask" rules in the first place. Hopefully, Paranoid makes you respond even if the vendor is trusted in the TVL.

Hope this helps some although it's very complicated.

 

[shmu26]

I started thinking last night about why I have Qihoo 360 with Comodo and thought maybe I should go to Bitdefender free a-v or KFAV. Well I wonder how sophisticated Qihoo's monitoring techniques are with regards to these bb issues. It does report when something wants to change a driver or many other types of system files. I like this, but of course it won't block deleting a file or renaming a file. However, Qihoo 360 is more sophisicated than many realize underneath imo. Thx @Sunshine-boy, I think I should keep Qihoo for now. I also have 64 bit so I feel better about that at least. Qihoo's bb is doing what Comodo HIPS does too in many cases, but I will keep for now for sigs too.

BTW, with Comodo, the key for a file/process to do anything it wants is trust. If the file becomes trusted then for example HIPS when it creates its rule will only perform one check...when the file/process wants to start something. To avoid establishing trust, don't allow from "Unblock Application" or from a Containment alert. The containment alert will create an ignore rule but then also trust in the 'Files list". Unblocking via "Unblock Application" creates an allow rule in every area and the file/process is trusted too. Because the file is trusted, then in Paranoid mode you would probably only see one HIPS alert ever...process/file wants to run something. That's because all the rest of the rules will be set to "allow" in the HIPS rule.

So, I have been trying to determine what is the best way to create a HIPS rule that uses "ask" for all the HIPS rules just from answering the alerts correctly. I am in Safe mode which is different, but I think the best way is to carefully think when you answer each alert. If you don't allow from a containment alert or from "Unblock Applications", in Paranoid, you should see all the HIPS alerts. Maybe you can find something to test this with idk. Do an installation and install using the option "Treat As" and "Installer". Then run the program and see what happens. You have to find something from an non-trusted vendor though. That might make it a little bit hard to test.

I use a trimmed Trusted Vendor List, so I can find things to test more easily. To make this work, I had to also turn off Cloud Lookup so it wouldn't change the TVL and add vendors when I install something from one Comodo normally trusts. I like the system, and I feel it gives me a better chance of creating good HIPS rules with all the "ask" options in place instead of only one and then all "allows". One thing you can do is check your rules to see what they look like. At least you can make sure you are getting "ask" rules in the first place. Hopefully, Paranoid makes you respond even if the vendor is trusted in the TVL.

Hope this helps some although it's very complicated.

That point you made about trusted files is probably the key to the whole thing.

 

[Deleted member 65228]

Qihoo 360 is more sophisicated than many realize underneath imo

Hands-down I can completely agree with you. I've tested a lot with them in the past and the results were very interesting (positive way), but I don't like how they are commonly installed through software bundling (or at-least used to) and I don't really trust them which is a shame. Their engineer teams/owners are very intelligent though, I remember when Qihoo team exploited Guest -> Host and got a huge bounty reward. That was really impressive, their work on things like that is outstanding IMO without a doubt.

I do think they have a lot to offer though, they even have their own sandbox.

 

[Sunshine-boy]

I disabled auto sandbox! some ppl don't want to use it because it blocks everything blindly! so my protection was hips and proactive settings!
There is 2 option in pchunter first is normal removal and since I had a block rule for pchunter to access the protected folders and files hips blocked it from removing my files but the second option is force removal and this one removed my files without any alert from HIPS
btw this tool made by Chinese! they are hacker

 

[AtlBo]

I do think they have a lot to offer though, they even have their own sandbox.

Yes, the sandbox seems to have potential to me for use with Microsoft Office especially. I hope as Qihoo moves more to commercial grade office security, they will be able to deliver with the best elements of what the program has already.

The monitoring going on underneath does as you mention seem to be from a very bright source. I have had the same impression as you about the engineers there. The program is very pointed but also nicely comprehensive and even the alerts are nice in comparison to others around.

For sure, there is a problem with the ads and the overall sketchy side of the program. I agree it is a shame all that. Really hoping that Qihoo finds a way to monetize the program for businesses so they can do away with the relentless ads in their free version. The installer bundling thing should go away too o/c...

 

[shmu26]

Yes, the sandbox seems to have potential to me for use with Microsoft Office especially. I hope as Qihoo moves more to commercial grade office security, they will be able to deliver with the best elements of what the program has already.

The monitoring going on underneath does as you mention seem to be from a very bright source. I have had the same impression as you about the engineers there. The program is very pointed but also nicely comprehensive and even the alerts are nice in comparison to others around.

For sure, there is a problem with the ads and the overall sketchy side of the program. I agree it is a shame all that. Really hoping that Qihoo finds a way to monetize the program for businesses so they can do away with the relentless ads in their free version. The installer bundling thing should go away too o/c...

If you run MS Office apps in Qihoo sandbox, do you get a MS license error message after 10 minutes of use, forcing the app to shut down?

 

[AtlBo]

I don't currently run them but I will test. I don't recall seeing such an error before. This is Office 2007. I don't know what version you have, and maybe that could have something to do with the error? I'll try it now.

 

[shmu26]

I don't currently run them but I will test. I don't recall seeing such an error before. This is Office 2007. I don't know what version you have, and maybe that could have something to do with the error? I'll try it now.

I don't think you will see that error with Office 2007. But the newer versions of Office throw that error unless the sandbox is specially tailored for them. Comodo sandbox throws the error. Sandboxie used to, until the new edition, which is now out of beta. ReHIPS doesn't have the problem, because it is not virtualization.

 

[Sunshine-boy]

I tested FileLocker

pls, test this vs pchunter(don't forget to choose the force remove option)

 

[AtlBo]

Getting in a good day of testing lol. Indeed not seeing the problem yet in 2007.

pls, test this vs pchunter(don't forget to choose the force remove option)

OK @Sunshine-boy. You want me to test it against File Locker? Where can I get pchunter safely?

 

[klaken]

I disabled auto sandbox! some ppl don't want to use it because it blocks everything blindly! so my protection was hips and proactive settings!
There is 2 option in pchunter first is normal removal and since I had a block rule for pchunter to access the protected folders and files hips blocked it from removing my files but the second option is force removal and this one removed my files without any alert from HIPS
btw this tool made by Chinese! they are hacker

And with viruscope activated sends you some warning? (Fuer adel sandbx) .. Viruscope is the BB of comfortable.

PS: surely that tool is not on the white list of comfortable XD ... remember that this is based on the cloud ..

I like the sandbox and I do not send many things to this (except games) .. eg: in cloud comodo I almost never have sandbox warning something ...

 

[Sunshine-boy]

PC Hunter Download
Virus scope didn't say anything I even disable the cloud!but the same results.

sandbox

Pls, how comodo sandbox can help you on this?or other malware!? let's think its malware, not Pchunter ok?! will it tell me, oh sunshineboy if you run this tool then our hips cant protect your system?xd
I mean the sandbox not gonna tell you anything!it's not Cuckoo Sandbox or forti sandbox to analyze the file for you!

 

[Deleted member 65228]

@AtlBo ^^ Also Download PC Hunter - MajorGeeks

 

[AtlBo]

Thanks I'll test it in a little while. Still checking out MSO 2007 for another few minutes...

 

[AtlBo]

And with viruscope activated sends you some warning? (Fuer adel sandbx) .. Viruscope is the BB of comfortable.

Never get these here unfortunately. I think I may have seen one, but I can't recall what the alert was about. For awhile it was disabled or so Comodo said. With an update there was a notice that the recognizer update for Viruscope would not cause alerts only send data to Comodo. Don't know if this is still true, but I think probably so...

 

[Sunshine-boy]

Pls go to the file section then find your file from the right panel right click on it and press force delete!

 

[AtlBo]

OK yes. Just tested using force remove. File Locker failed the test.

Very sad about this one. I used to use a program called GIPO move on boot that could supposedly move or delete anything during a boot. This one doesn't even need a reboot...

 

[Sunshine-boy]

This tool can bypass every next-generation protection xd from hips to... I like it xd i met it 9 months ago! and since then I use it to force secure remove my files.
It doesn't care what protection or security you have! it just removes everything!with 1 click