App Review Xcitium Advanced with OpenEDR Combined

Content created by Shadowra

ErzCrz

XIMA (Xcitium Instant Malware Analysis) is Valkyrie Static and Dynamic Analysis, in this case VirusScope
Great. Glad the two were combined.

Might be worth using the Spoiler feature for large screenshots ;)

ForgottenSeer 100397

VirusScope is Static and Dynamic Behavioral Analysis and it's excellent and amazing
I'm aware of that. What I meant in the post is that Comodo's detection technologies don't help containment or users decide whether to run an unknown or unvetted program in containment or outside. As a result, they don't make Comodo any more user-friendly in terms of usability. Therefore, the VirusScope default setting analyzes apps running in containment only, and it's likely that the Valkyrie default will be the same.

simmerskool

There are a lot of topics debating Comodo's effectiveness. The Firewall with Containment alone is all you need and you can run any AV alongside it. @cruelsister tests it regularly against the latest threats. It has taken years to be updated but its firewall still does what it does well and Containment, when configured properly, has yet to be compromised and contains the latest ransomware with no issues. At the end of the day, use what works best for you. There are other products out there using sandboxing/containment technology of unknowns.

Anyway, with the anticipated next stable release in January/Feb for Comodo Firewall/CIS we'll see how it develops. Xcitium Enterprise products are current and updated all the time. The last I heard, they're working with CF/CIS to bring it in line.
Right, I used CF (cruelcomodo) for several years; I was merely pointing out to @Xeno1234 that not everyone here likes Xcitium (Comodo). I have not tried Xcitium on a VM yet, but I do have the CF 2024 beta running on a VM.

Victor M

Are you using Xcitium also?
I also have WDAC in effect: a) a blacklist of some LoLBins and b) a whitelist of MS-signed files, \Windows, \Program Files, \Program Files (x86). And Xcitium EDR also has Auto-Containment. So alien files are not that much of a worry. Xcitium has several products; I assume you are talking about Xcitium Verdict Cloud?

EDIT: maybe I should worry, because if they obtain System rights from attacking SVCHOST, then they can write to \Windows, \Program Files etc. But Xcitium EDR Auto-Containment is pretty smart: it recognizes odd program executions, even if they are Xcitium files themselves.
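As an added illustration (not Victor M's own policy and not part of the thread), this sketch builds a WDAC policy of the shape described in the post above with the Windows ConfigCI cmdlets: Microsoft's shipped AllowMicrosoft template plus path rules for the three folders as the whitelist, explicit deny rules for a few LoLBins, merged and deployed in audit mode first. The working folder, the choice of denied binaries and the template path are assumptions.

```powershell
# Added example: a WDAC policy with (a) a LoLBin deny list and (b) an allow list of
# Microsoft-signed code plus \Windows, \Program Files and \Program Files (x86).
# Assumes Windows 10 1903+/11 with the ConfigCI module; run as Administrator.
$work = "C:\WDAC"   # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# (b) Whitelist base: Microsoft's example policy that allows Windows and
# Microsoft-signed code (template path as shipped with Windows, assumed present).
$base = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
Copy-Item -Path $base -Destination "$work\base.xml" -Force

# (b) Path rules for the three folders. WDAC only honours path allow rules for
# user-mode code in locations standard users cannot write to, which these are.
$allowRules = @()
foreach ($dir in "%OSDRIVE%\Windows\*",
                 "%OSDRIVE%\Program Files\*",
                 "%OSDRIVE%\Program Files (x86)\*") {
    $allowRules += New-CIPolicyRule -FilePathRule $dir
}

# (a) Blacklist: deny rules by file name for a few binaries that appear in
# Microsoft's published recommended block rules (sample choice; merge Microsoft's
# full block-rules XML with -PolicyPaths for the real list). Deny wins over allow.
$denyRules = @()
foreach ($exe in "mshta.exe", "wmic.exe", "msbuild.exe") {
    $p = Join-Path "$env:SystemRoot\System32" $exe
    if (Test-Path $p) {
        $denyRules += New-CIPolicyRule -Level FileName -DriverFilePath $p -Deny
    }
}

# Merge the template with both rule sets into one policy.
Merge-CIPolicy -OutputFilePath "$work\policy.xml" `
               -PolicyPaths "$work\base.xml" `
               -Rules ($allowRules + $denyRules)

# Rule options: 3 = Enabled:Audit Mode (log, don't block, until the policy is
# proven not to break the box), 6 = Enabled:Unsigned System Integrity Policy.
Set-RuleOption -FilePath "$work\policy.xml" -Option 3
Set-RuleOption -FilePath "$work\policy.xml" -Option 6

# Compile to the binary form that Code Integrity loads; deploy per Microsoft's
# docs for the policy format in use, reboot, then review audit events
# (CodeIntegrity/Operational log, event ID 3076) before removing option 3.
ConvertFrom-CIPolicy -XmlFilePath "$work\policy.xml" -BinaryFilePath "$work\SIPolicy.p7b"
```

Once audit shows only expected hits, `Set-RuleOption -FilePath ... -Option 3 -Delete` switches the same policy to enforcement.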

Sandbox Breaker

I also have WDAC in effect: a) a blacklist of some LoLBins and b) a whitelist of MS-signed files, \Windows, \Program Files, \Program Files (x86). And Xcitium EDR also has Auto-Containment. So alien files are not that much of a worry. Xcitium has several products; I assume you are talking about Xcitium Verdict Cloud?

EDIT: maybe I should worry, because if they obtain System rights from attacking SVCHOST, then they can write to \Windows, \Program Files etc. But Xcitium EDR Auto-Containment is pretty smart: it recognizes odd program executions, even if they are Xcitium files themselves.
Any news?

Victor M

Update re: the red team guest Chinese hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't log on. Pretty deadly attack.

So, the solution was to make a containment rule to virtualize logonui.

Hint: don't be afraid to virtualize Windows executables. It is a good defense measure. Test the 'virtualize' containment rule. If it makes Windows malfunction, then change the rule to 'restrict' the Windows exe. 'Virtualize' and 'Restrict' have the same effect but do it via different means. That's how the documentation explains it.

However, the current Comodo Internet Security Beta 2024 does not allow you to specify a virtualization rule to virtualize any Windows exe. I am using Xcitium OpenEDR's Comodo Internet Security and it can do that. I made a complaint about the 2024 beta in the Comodo forum and they asked me to provide a screenshot, which I did. I explained that I am a current Xcitium EDR customer and if this is the direction that their Internet Security is heading towards, then they need to change it. Hopefully they will make the modification.

Xcitium OpenEDR only costs $4 / month postpaid; the first month is free. The cost is on par with most consumer AVs, and I encourage everyone to try it. OpenEDR is better than Bitdefender EDR and Kaspersky EDR; I have evaluated both. If I weren't using Xcitium OpenEDR, there would be no solution to this attack, because most EDRs' only solution is to 'Block', and one cannot block logonui -- Windows wouldn't function.
Update re: the red team guest Chinese hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't log on.

So, the solution was to make a containment rule to virtualize logonui.

Hint: don't be afraid to virtualize Windows executables. It is a good defense measure. Test the 'virtualize' containment rule. If it makes Windows malfunction, then change the rule to 'restrict' the Windows exe. 'Virtualize' and 'Restrict' have the same effect but do it via different means. That's how the documentation explains it.

However, the current Comodo Internet Security Beta 2024 does not allow you to specify a virtualization rule to virtualize any Windows exe. I am using Xcitium OpenEDR's Comodo Internet Security and it can do that. I made a complaint about the 2024 beta in the Comodo forum and they asked me to provide a screenshot, which I did. I explained that I am a current Xcitium EDR customer and if this is the direction that their Internet Security is heading towards, then they need to change it. Hopefully they will make the modification.

Xcitium OpenEDR only costs $4 / month postpaid; the first month is free. The cost is on par with most consumer AVs, and I encourage everyone to try it. OpenEDR is better than Bitdefender EDR and Kaspersky EDR; I have evaluated both. If I weren't using Xcitium OpenEDR, there would be no solution to this attack, because most EDRs' only solution is to 'Block', and one cannot block logonui -- Windows wouldn't function.

The uploaded file looks like a malicious file

Victor M

If the 'attack' was using a malware file, it would have been virtualized by any edition of Comodo. So it wasn't a file-based attack. And this was a test machine, with no other software that could be blamed for any malfunction.

Xeno1234

Update re: the red team guest Chinese hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't log on. Pretty deadly attack.

So, the solution was to make a containment rule to virtualize logonui.

Hint: don't be afraid to virtualize Windows executables. It is a good defense measure. Test the 'virtualize' containment rule. If it makes Windows malfunction, then change the rule to 'restrict' the Windows exe. 'Virtualize' and 'Restrict' have the same effect but do it via different means. That's how the documentation explains it.

However, the current Comodo Internet Security Beta 2024 does not allow you to specify a virtualization rule to virtualize any Windows exe. I am using Xcitium OpenEDR's Comodo Internet Security and it can do that. I made a complaint about the 2024 beta in the Comodo forum and they asked me to provide a screenshot, which I did. I explained that I am a current Xcitium EDR customer and if this is the direction that their Internet Security is heading towards, then they need to change it. Hopefully they will make the modification.

Xcitium OpenEDR only costs $4 / month postpaid; the first month is free. The cost is on par with most consumer AVs, and I encourage everyone to try it. OpenEDR is better than Bitdefender EDR and Kaspersky EDR; I have evaluated both. If I weren't using Xcitium OpenEDR, there would be no solution to this attack, because most EDRs' only solution is to 'Block', and one cannot block logonui -- Windows wouldn't function.
How is Kaspersky EDR? Their home AV is great, so I'm curious about their Enterprise.