Great. Glad the two were combined.
XIMA (Xcitium Instant Malware Analysis) is Valkyrie Static and Dynamic Analysis, in this case VirusScope.
Might be worth using the Spoiler feature for large screenshots
I'm aware of that. What I meant in the post is that Comodo's detection technologies don't help containment or users decide whether to run an unknown or unvetted program in containment or outside. As a result, they don't make Comodo any more user-friendly in terms of usability. Therefore, the VirusScope default setting analyzes apps running in containment only, and it's likely that the Valkyrie default will be the same.
VirusScope is Static and Dynamic Behavioral Analysis and it's excellent and amazing.
Right, I used CF (cruelcomodo) for several years. I was merely pointing out to @Xeno1234 that not everyone here likes Xcitium (Comodo). I have not tried Xcitium on a VM yet, but I do have CF 2024 beta running on a VM.
There are a lot of topics debating Comodo's effectiveness. The Firewall with Containment alone is all you need, and you can run any AV alongside it. @cruelsister tests it regularly against the latest threats. It has taken years to be updated, but its firewall still does what it does well, and Containment, when configured properly, has yet to be compromised and contains the latest ransomware with no issues. At the end of the day, use what works best for you. There are other products out there using sandboxing/containment technology for unknowns.
Anyway, with the anticipated next stable release in January/February for Comodo Firewall/CIS, we'll see how it develops. Xcitium Enterprise products are current and updated all the time. The last I heard, they're working on bringing CF/CIS in line with them.
Ah okay.
Right, I used CF (cruelcomodo) for several years. I was merely pointing out to @Xeno1234 that not everyone here likes Xcitium (Comodo). I have not tried Xcitium on a VM yet, but I do have CF 2024 beta running on a VM.
Here's a brief overview of BitDefender EDR: Advanced Security - Victor M BitDefender EDR test box Config
Thank you for the test results. How does it compare to other comparable EDR solutions?
Are you using Xcitium also?
My red team just invited some Chinese hackers to test the defenses. I am using my Xcitium OpenEDR machine now. Will keep you guys posted on the progress.
I also have WDAC in effect: a) a blacklist of some LOLBins and b) a whitelist of MS-signed files, \Windows, \Program Files, \Program Files (x86). And Xcitium EDR also has Auto-Containment. So alien files are not that much of a worry. Xcitium has several products; I assume you are talking about Xcitium Verdict Cloud?
Are you using Xcitium also?
Any news?
I also have WDAC in effect: a) a blacklist of some LOLBins and b) a whitelist of MS-signed files, \Windows, \Program Files, \Program Files (x86). And Xcitium EDR also has Auto-Containment. So alien files are not that much of a worry. Xcitium has several products; I assume you are talking about Xcitium Verdict Cloud?
EDIT: maybe I should worry, because if they obtain SYSTEM rights by attacking SVCHOST, then they can write to \Windows, \Program Files, etc. But Xcitium EDR Auto-Containment is pretty smart: it recognizes odd program executions, even if they are Xcitium files themselves.
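As an added example (not code from this thread, from Xcitium or from Microsoft), here is a PowerShell sketch of the WDAC layout the post above describes: allow Microsoft-signed code plus the \Windows and \Program Files trees, and deny a few LOLBins by file name. It also includes the check the EDIT hints at: path rules are only as good as the ACLs on the paths, so it lists sub-directories under the allowed trees that low-privilege accounts can write to. Assumed, not from the post: an elevated PowerShell on Windows 10 1903+ or Windows 11 with the ConfigCI module, the output directory C:\WDAC, the AllowMicrosoft.xml template that ships in \Windows\schemas\CodeIntegrity\ExamplePolicies, and the particular LOLBin list.

```powershell
# Added example: WDAC base policy = AllowMicrosoft template + three path allow rules
# + FileName deny rules for a few LOLBins, compiled in audit mode first.
# Assumptions: elevated PowerShell, ConfigCI module present, C:\WDAC is free to use.
$OutDir = 'C:\WDAC'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Start from the AllowMicrosoft template that ships with Windows (Microsoft-signed code).
$Template = Join-Path $env:SystemRoot 'schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'
$BaseXml  = Join-Path $OutDir 'Base.xml'
Copy-Item $Template $BaseXml -Force

# 2. Path rules for the three directory trees. Path rules apply to user-mode code only,
#    and by default WDAC will not honour one for a file that standard users can write.
$AllowPaths = @('C:\Windows\*', 'C:\Program Files\*', 'C:\Program Files (x86)\*')
$Rules = @()
foreach ($p in $AllowPaths) { $Rules += New-CIPolicyRule -FilePathRule $p }

# 3. FileName deny rules for a handful of living-off-the-land binaries (illustrative list,
#    this example's choice). FileName rules key on the OriginalFileName version resource,
#    so copying or renaming the binary does not get around them.
$LolBins = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
)
foreach ($bin in $LolBins) {
    if (Test-Path -LiteralPath $bin) {
        $Rules += New-CIPolicyRule -DriverFilePath $bin -Level FileName -Deny
    }
}

# 4. Merge template and rules, turn on user-mode enforcement, start in audit mode so that
#    blocked-would-be events (Event ID 3076 in CodeIntegrity/Operational) can be reviewed.
$Policy = Join-Path $OutDir 'Policy.xml'
Merge-CIPolicy -PolicyPaths $BaseXml -Rules $Rules -OutputFilePath $Policy | Out-Null
Set-RuleOption -FilePath $Policy -Option 0    # Enabled:UMCI
Set-RuleOption -FilePath $Policy -Option 3    # Enabled:Audit Mode (remove for enforcement)
Set-RuleOption -FilePath $Policy -Option 16   # Enabled:Update Policy No Reboot

# 5. Compile to the binary form the kernel loads. Deploy it afterwards with
#    CiTool.exe --update-policy <file> (Windows 11) or your management tooling.
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath (Join-Path $OutDir 'Policy.cip') | Out-Null

# 6. The check behind the EDIT above: any directory under an allowed tree that low-privilege
#    identities can write into is a drop point the path rule would authorise. Review the
#    output before relying on path rules (SYSTEM-level write access is outside their scope).
function Find-UserWritableDirs([string[]]$Roots) {
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                $acl -and ($acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $lowPriv -contains $_.IdentityReference.Value -and
                    (([int]$_.FileSystemRights) -band 2) -ne 0   # 2 = WriteData / CreateFiles
                })
            } | Select-Object -ExpandProperty FullName
    }
}
Find-UserWritableDirs -Roots @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
```

The writable-directory check is the practical caveat: a path rule trusts everything under the tree, so a user-writable sub-directory (some vendors create them under \Program Files) turns the allow rule into a bypass. It does nothing about an attacker who already runs as SYSTEM and can write anywhere, which is the case the EDIT worries about and the reason the poster pairs WDAC with Auto-Containment rather than relying on either alone. Microsoft's published recommended block rules are a much fuller LOLBin denylist than the five names used here.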
Update re: the red team guest Chinese Hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't log on.
So, the solution was to make a containment rule to virtualize logonui.
Hint: don't be afraid to virtualize Windows executables. It is a good defense measure. Test the 'virtualize' containment rule. If it makes Windows malfunction, then change the rule to 'restrict' the Windows exe. 'Virtualize' and 'Restrict' have the same effect but do it via different means. That's how the documentation explains it.
However, the current Comodo Internet Security Beta 2024 does not allow you to specify a virtualization rule to virtualize any Windows exe. I am using Xcitium OpenEDR's Comodo Internet Security and it can do that. I made a complaint about the 2024 beta in the Comodo forum and they asked me to provide a screenshot, which I did. I explained that I am a current Xcitium EDR customer and if this is the direction that their Internet Security is heading towards, then they need to change it. Hopefully they will make the modification.
Xcitium OpenEDR only costs $4/month postpaid; the first month is free. The cost is on par with most consumer AVs, and I encourage everyone to try it. OpenEDR is better than Bitdefender EDR and Kaspersky EDR. I have evaluated both. If I weren't using Xcitium OpenEDR, there would be no solution to this attack, because most EDRs' only solution is to 'Block', and one cannot block LogonUI; Windows wouldn't function.
You didn't get attacked, you had Xcitium.
I was attacked on the 3rd or 4th of Jan EST. Your screenshot was for an analysis done on the 5th UTC.
How is Kaspersky EDR? Their home AV is great, so I'm curious about their Enterprise.
Update re: the red team guest Chinese hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't log on. Pretty deadly attack.