App Review Xcitium Advanced with OpenEDR Combined

Content created by
Shadowra

Victor M
I know the version people can get that aren't in an actual business setup doesn't have the business's "Enhanced Anti-Malware".
It is better that way, you don't want their sales team spamming your inbox incessantly, rushing you to make a purchase decision. Unless something has a very good reputation and I thus really really want to try it, then I give out my company's email address. I only have one business email address, and it is used for both internal mail and external mail. I prefer to keep it uncluttered.

EDIT: you can obtain a 'sole proprietor' business license at a very low cost in most states.
Sandbox Breaker
Update re: the red team guest Chinese hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't log on. Pretty deadly attack.

So, the solution was to make a containment rule to virtualize logonui.

Hint: don't be afraid to virtualize Windows executables. It is a good defense measure. Test the 'virtualize' containment rule. If it makes Windows malfunction, then change the rule to 'restrict' the Windows exe. 'Virtualize' and 'Restrict' have the same effect but do it via different means. That's how the documentation explains it.

However, the current Comodo Internet Security Beta 2024 does not allow you to specify a virtualization rule to virtualize any Windows exe. I am using Xcitium OpenEDR's Comodo Internet Security and it can do that. I made a complaint about the 2024 beta in the Comodo forum and they asked me to provide a screenshot, which I did. I explained that I am a current Xcitium EDR customer and if this is the direction that their Internet Security is heading towards, then they need to change it. Hopefully they will make the modification.

Xcitium OpenEDR only costs $4 / month postpaid, first month is free. The cost is on par with most consumer AVs. And I encourage everyone to try it. OpenEDR is better than Bitdefender EDR and Kaspersky EDR. I have evaluated both. If I weren't using Xcitium OpenEDR, there would be no solution to this attack, because most EDRs' only solution is to 'Block', and one cannot block logonui -- Windows wouldn't function.
If you had set good firewall rules they wouldn't be able to connect to logonui. I've defended against many of these SMB, RPC and other Windows network attacks. Zero trust also needs to be applied on the network stack. I have doubts that your team actually succeeded.
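As an added illustration of the firewall point made above (an editor's example, not Sandbox Breaker's own configuration), the following PowerShell blocks inbound SMB (TCP 445) and the RPC endpoint mapper (TCP 135) on the Private and Public profiles of Windows Defender Firewall, verifies the rules, and lists what is still listening locally on those ports. The rule display names are constructed for this example.

```powershell
# Added example: reduce inbound SMB/RPC exposure with Windows Defender Firewall.
# Rule display names are constructed for this example. Run from an elevated
# PowerShell prompt; the NetSecurity module is built in on Windows 8+/Server 2012+.

$rules = @(
    @{ Name = 'Example - Block inbound SMB (TCP 445)';     Port = 445 },
    @{ Name = 'Example - Block inbound RPC EPM (TCP 135)'; Port = 135 }
)

foreach ($r in $rules) {
    # Skip creation if the rule already exists so the script is safe to re-run.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        # The Domain profile is deliberately left alone: domain-joined hosts need
        # RPC/SMB from domain controllers and management tooling; scope that separately.
        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Inbound -Protocol TCP -LocalPort $r.Port `
            -Action Block -Profile Private,Public -Enabled True | Out-Null
    }
}

# Verify: show each example rule with its port filter and profiles.
Get-NetFirewallRule -DisplayName 'Example - Block inbound *' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Port    = $pf.LocalPort
            Profile = $_.Profile
        }
    } | Format-Table -AutoSize

# Detection side: record which local processes still listen on 135/445. With the
# block rules active these are local services, not remotely reachable endpoints.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 135,445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```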

Victor M
I have doubts that your team actually succeeded.
Firewalls obstruct only some hackers.

I saw logonui.exe appear on my Xcitium EDR alerts several times that day within a 2 hr time frame. Logonui had never shown up as an alert before. Xcitium generates alerts for suspicious invocations. The process tree is 5 levels deep, definitely not normal. And if I remember correctly, logonui does not normally show up in Process Explorer; after you log on, it quits. So with the combination of logonui showing up as an Xcitium alert, and the fact that I could no longer log on (gives an error message), on this test machine with no other software to create problems, I'd confidently say they have succeeded.

Victor M
Since this thread is on product reviews, I would like to remind readers that there is No Such Thing as 100% perfect security. Technical defenses, which include firewalls, AVs, IPS, etc., can all be defeated given enough time and effort. And hackers have that advantage.

And then, take into consideration that this is a white box test - my red team (and the guest) knows exactly what defenses I have. And they correctly chose a network-based attack, without using any malware, which would be virtualized by Xcitium OpenEDR.

An important defense layer is having backups. This is your last layer of defense. One must always have backups. And this attack on logonui is the perfect example: I cannot log in.

The solution is to restore from image backup, and then virtualize logonui.exe in Xcitium's Auto Containment Rules. The solution was simple; I figured it out and completed it in 20 mins.

The guest hacker then attacked again, and this time, the attack failed.

For those readers who are new, the red team and I play this game constantly. The aim is to find the holes in our security and then fix them, in preparation for the Real Thing.

I am adding this post to illustrate that Xcitium OpenEDR is configurable, and can be adapted to defend against new attacks. Xcitium OpenEDR is a nice tool. Other AVs' defenses cannot be configured. The AV would let you choose what to scan, what to exclude etc., but you cannot add new definitions to it. You have to wait till the vendor adds a capability, so, in the meantime, when you are under attack, what do you do?
Oct 17, 2023
Machine Learning: Highly Suspicious
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger
lyldz
I want to ask you something off-topic.

Will the interface get an update in 2024?

Or will it continue with the old interface from 2023 and before?
Victor M
I think the OpenEDR portal got an upgrade last Nov/Dec 2023. They seem to be constantly improving it. Last week, they released ver 13 of Xcitium Client Security / CIS, but it does not officially support Win 11 23H2 yet.
Xeno1234
I have an interesting question.
If I paired Xcitium with another AV (like Kaspersky or Harmony), would the other AV's BB work on things in containment?
lyldz
Can you look at this?

I installed the app to give it a second chance and although EDR is active in the profile settings, the second picture shows it as inactive.

I uninstalled and reinstalled the plugin and my problem is not solved. EDR is active under licenses now. It was also active in my first installation.
Oct 17, 2023
You use Xcitium, nice, but I'm sure the problem will be solved soon.