Which Elements of Comodo do You Use?

Discussion in 'Comodo' started by AtlBo, Nov 6, 2017.

Elements of Comodo that You Use

Poll closed Dec 6, 2017.
  1. Firewall: 43 vote(s), 86.0%
  2. HIPS: 16 vote(s), 32.0%
  3. Auto-Contain: 37 vote(s), 74.0%
  4. Heuristic Command-line Monitoring: 24 vote(s), 48.0%
  5. Cloud Lookup: 27 vote(s), 54.0%
  6. Viruscope: 29 vote(s), 58.0%
  7. Shortened (Edited) Trusted Vendors List: 11 vote(s), 22.0%
  8. Detect PUP Software (setting in File Rating Settings): 20 vote(s), 40.0%
  9. Desktop Widget: 10 vote(s), 20.0%
  10. Killstart: 12 vote(s), 24.0%
Multiple votes are allowed.
  1. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,311
    Caille
    Windows 10
    There is not so much you can do about it because Comodo will be limited to what they can restrict for kernel-mode attacks. To cut it short, there's nothing you can really do because code executing in kernel-mode can override protection mechanisms already in-place. As an example, Microsoft implemented PatchGuard, yet rogue device drivers already executing under ntoskrnl.exe have managed to bypass this protection mechanism in the past simply due to the privileges which were already present. Another example would be self-protection in security software... They are only designed to prevent attacks from user-mode; once a kernel-mode attack comes along, there's no guarantee on whether it will be prevented or successful.

    No problem though, I'm glad I managed to answer sufficiently so you now understand why what happened was able to happen. :)
     
    Weebarra, AtlBo and Sunshine-boy like this.
  2. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,311
    Caille
    Windows 10
    Artificial Intelligence isn't useless in my opinion, I think it can be great and is promising. I am just waiting for it to improve more, the same way that we went from simple Anti-Virus products to what we have nowadays with behavioural protection components usually included within them. The test I previously did could have been applied to a few traditional Anti-Virus products which focus more on static over dynamic, too. At the end of the day, Proof-Of-Concept attacks/scenarios aren't always the "real world". We can sit and discuss how to do this and that all day long but at the end of the day, vendors will focus on what is being done in the wild (by prevalent attacks) and will adapt to them, to protect against real attacks, as opposed to just "what could happen" in a hypothetical situation.

    I don't like vendors like Cylance though, hands down I am certain about my thoughts of them... In fact, the only default-deny solution which has any sort of Artificial Intelligence scanning mechanism I think it is fine would be VoodooShield. All the others like Cylance or CrowdStrike I don't really like at all - that doesn't mean they are bad though because all of these products will still be able to protect the user by blocking threats. At the end of the day, every product has good/bad days, limitations and/or bugs. It has always been this way and it will always be this way because we humans aren't perfect and thus anything we make won't be either.

    About your question with Behavior Blocking, I think it is basically the same as HIPS but with fewer alerts and more focused on narrowing down behavior to that of actual malware, as opposed to just specific actions. HIPS can be applied to prevent genuine software from doing this too, whereas a Behavior Blocker is more focused on actual malicious software instead of overall IMO. All these HIPS and BB features in various security products are likely to use the same or similar combination of techniques, who knows... Each vendor has different management directions, engineers with different personal views of the best approaches and experience.

    What works for you might not work for me and vice-versa. :)
     
    Weebarra, AtlBo and Sunshine-boy like this.
  3. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    #123 AtlBo, Nov 27, 2017
    Last edited: Nov 27, 2017
    I started thinking last night about why I have Qihoo 360 with Comodo and thought maybe I should go to Bitdefender free a-v or KFAV. Well I wonder how sophisticated Qihoo's monitoring techniques are with regards to these bb issues. It does report when something wants to change a driver or many other types of system files. I like this, but of course it won't block deleting a file or renaming a file. However, Qihoo 360 is more sophisticated than many realize underneath imo. Thx @Sunshine-boy, I think I should keep Qihoo for now. I also have 64 bit so I feel better about that at least. Qihoo's bb is doing what Comodo HIPS does too in many cases, but I will keep for now for sigs too.

    BTW, with Comodo, the key for a file/process to do anything it wants is trust. If the file becomes trusted then for example HIPS, when it creates its rule, will only perform one check...when the file/process wants to start something. To avoid establishing trust, don't allow from "Unblock Application" or from a Containment alert. The containment alert will create an ignore rule for the container but then also trust in the "Files list". Unblocking via "Unblock Application" creates an allow rule in every area and the file/process is trusted too. Because the file is trusted, then in Paranoid mode you would probably only see one HIPS alert ever...process/file wants to run something. That's because all the rest of the rules will be set to "allow" in the HIPS rule.

    So, I have been trying to determine what is the best way to create a HIPS rule that uses "ask" for all the HIPS rules just from answering the alerts correctly. I am in Safe mode which is different, but I think the best way is to carefully think when you answer each alert. If you don't allow from a containment alert or from "Unblock Applications", in Paranoid, you should see all the HIPS alerts. Maybe you can find something to test this with idk. Do an installation and install using the option "Treat As" and "Installer". Then run the program and see what happens. You have to find something from a non-trusted vendor though. That might make it a little bit hard to test.

    I use a trimmed Trusted Vendor List, so I can find things to test more easily. To make this work, I had to also turn off Cloud Lookup so it wouldn't change the TVL and add vendors when I install something from one Comodo normally trusts. I like the system, and I feel it gives me a better chance of creating good HIPS rules with all the "ask" options in place instead of only one and then all "allows". One thing you can do is check your rules to see what they look like. At least you can make sure you are getting "ask" rules in the first place. Hopefully, Paranoid makes you respond even if the vendor is trusted in the TVL.

    Hope this helps some although it's very complicated.
     
    Sunshine-boy, Opcode and shmu26 like this.
  4. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,263
    13,560
    Utopia
    That point you made about trusted files is probably the key to the whole thing.
     
  5. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,311
    Caille
    Windows 10
    Hands-down I can completely agree with you. I've tested a lot with them in the past and the results were very interesting (positive way), but I don't like how they are commonly installed through software bundling (or at least used to be) and I don't really trust them which is a shame. Their engineer teams/owners are very intelligent though, I remember when Qihoo team exploited Guest -> Host and got a huge bounty reward. That was really impressive, their work on things like that is outstanding IMO without a doubt.

    I do think they have a lot to offer though, they even have their own sandbox.
     
  6. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    I disabled auto sandbox! some ppl don't want to use it because it blocks everything blindly! so my protection was hips and proactive settings!
    There are 2 options in pchunter: first is normal removal, and since I had a block rule for pchunter to access the protected folders and files, hips blocked it from removing my files, but the second option is force removal and this one removed my files without any alert from HIPS:p
    btw this tool was made by Chinese! they are hackers:D
     
    Weebarra, AtlBo and Opcode like this.
  7. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    Yes, the sandbox seems to have potential to me for use with Microsoft Office especially. I hope as Qihoo moves more to commercial grade office security, they will be able to deliver with the best elements of what the program has already.

    The monitoring going on underneath does as you mention seem to be from a very bright source. I have had the same impression as you about the engineers there. The program is very pointed but also nicely comprehensive and even the alerts are nice in comparison to others around.

    For sure, there is a problem with the ads and the overall sketchy side of the program. I agree it is a shame all that. Really hoping that Qihoo finds a way to monetize the program for businesses so they can do away with the relentless ads in their free version. The installer bundling thing should go away too o/c...
     
    Weebarra, Opcode and Sunshine-boy like this.
  8. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,263
    13,560
    Utopia
    If you run MS Office apps in Qihoo sandbox, do you get a MS license error message after 10 minutes of use, forcing the app to shut down?
     
    Weebarra, Opcode, AtlBo and 1 other person like this.
  9. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    I don't currently run them but I will test. I don't recall seeing such an error before. This is Office 2007. I don't know what version you have, and maybe that could have something to do with the error? I'll try it now.
     
    Weebarra, Sunshine-boy and Opcode like this.
  10. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,263
    13,560
    Utopia
    I don't think you will see that error with Office 2007. But the newer versions of Office throw that error unless the sandbox is specially tailored for them. Comodo sandbox throws the error. Sandboxie used to, until the new edition, which is now out of beta. ReHIPS doesn't have the problem, because it is not virtualization.
     
  11. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    pls, test this vs pchunter(don't forget to choose the force remove option)
     
    Weebarra, Opcode, AtlBo and 1 other person like this.
  12. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    Getting in a good day of testing lol. Indeed not seeing the problem yet in 2007.

    OK @Sunshine-boy. You want me to test it against File Locker? Where can I get pchunter safely?
     
    Weebarra, Opcode and Sunshine-boy like this.
  13. klaken

    klaken Level 2

    Oct 11, 2014
    84
    164
    Student
    Chile
    Windows 7
    Comodo
    And with Viruscope activated, does it send you some warning? (outside the sandbox) .. Viruscope is the BB of Comodo.

    PS: surely that tool is not on the white list of Comodo XD ... remember that this is based on the cloud ..

    I like the sandbox and I do not send many things to it (except games) .. eg: with Comodo cloud I almost never have the sandbox warning about something ...
     
  14. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    #134 Sunshine-boy, Nov 27, 2017
    Last edited: Nov 27, 2017
    PC Hunter Download
    Viruscope didn't say anything:D I even disabled the cloud! but the same results.
    Pls, how can comodo sandbox help you on this? or other malware!? let's think it's malware, not Pchunter ok?! will it tell me, oh sunshineboy if you run this tool then our hips can't protect your system?xd
    I mean the sandbox is not gonna tell you anything! it's not Cuckoo Sandbox or forti sandbox to analyze the file for you!
     
    Weebarra, AtlBo and Opcode like this.
  15. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,311
    Caille
    Windows 10
  16. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    Thanks I'll test it in a little while. Still checking out MSO 2007 for another few minutes...
     
    Sunshine-boy and Opcode like this.
  17. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    Never get these here unfortunately. I think I may have seen one, but I can't recall what the alert was about. For awhile it was disabled or so Comodo said. With an update there was a notice that the recognizer update for Viruscope would not cause alerts only send data to Comodo. Don't know if this is still true, but I think probably so...
     
    Weebarra, Opcode and Sunshine-boy like this.
  18. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    Pls go to the file section, then find your file from the right panel, right click on it and press force delete!
     
    Opcode and AtlBo like this.
  19. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,515
    Qihoo 360
    OK yes. Just tested using force remove. File Locker failed the test.(n):oops::cry:

    Very sad about this one. I used to use a program called GIPO move on boot that could supposedly move or delete anything during a boot. This one doesn't even need a reboot...
     
    Weebarra, Opcode and Sunshine-boy like this.
  20. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    This tool can bypass every next-generation protection xd from hips to... :giggle: I like it xd I met it 9 months ago! and since then I use it to force secure remove my files.
    It doesn't care what protection or security you have! it just removes everything! with 1 click
     
    shmu26, AtlBo and Opcode like this.