Wilders Security Forums  

  #1  
Old October 30th, 2009, 11:48 PM
a256886572008 a256886572008 is offline
Infrequent Poster
 
Join Date: Oct 2007
Posts: 34
Default a virus pass COMODO

COMODO Firewall 3.12.111745.560

1. I execute a virus

2. COMODO displays an alert "wscript.exe is doing something."

3. I choose "limited applications", and click OK.

4. My disks of C & D become.......
Attached Images
  
  #2  
Old October 31st, 2009, 12:58 AM
dcrowe0050 dcrowe0050 is offline
Frequent Poster
 
Join Date: Sep 2009
Location: NC
Posts: 368
Default Re: a virus pass COMODO

So what is your question??
__________________
"The only real security that a man can have in this world is a reserve of knowledge, experience, and ability"

"Only two things in the world are infinite, the Universe and human stupidity, and nobody seems to be sure of the former"

  #3  
Old October 31st, 2009, 01:01 AM
a256886572008 a256886572008 is offline
Infrequent Poster
 
Join Date: Oct 2007
Posts: 34
Default Re: a virus pass COMODO

Quote:
Originally Posted by dcrowe0050
So what is your question??

COMODO can not block this action of the virus
  #4  
Old October 31st, 2009, 06:46 AM
dell boy dell boy is offline
Frequent Poster
 
Join Date: Apr 2009
Location: uk, england
Posts: 240
Default Re: a virus pass COMODO

What is the point of this thread? If you want to report a virus then try their forums; if you're not happy with the protection offered there are other free alternatives to Comodo that you might prefer. To name a few, there are AVG, Avast!, Avira and Microsoft's own free antivirus, MSE.
__________________
The best protection a computer could ever have, proven by experts and professionals is Safe-Hex.
Guaranteed!
  #5  
Old October 31st, 2009, 07:15 AM
Meriadoc Meriadoc is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: Cymru
Posts: 2,287
Default Re: a virus pass COMODO

Quote:
Originally Posted by a256886572008
COMODO Firewall 3.12.111745.560

1. I execute a virus

2. COMODO displays an alert "wscript.exe is doing something."

3. I choose "limited applications", and click OK.

4. My disks of C & D become.......

Thanks a256886572008, btw what virus was it?
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld

Thanks to everyone for the kind words and get well soon messages, it is very much appreciated.

Last edited by Meriadoc : October 31st, 2009 at 07:21 AM.
  #6  
Old October 31st, 2009, 07:20 AM
funkydude funkydude is offline
Very Frequent Poster
 
Join Date: Apr 2004
Posts: 2,926
Default Re: a virus pass COMODO

Quote:
Originally Posted by Meriadoc
Thanks a256886572008, btw what virus was it?

Joke:Win32.GreenEnvironment
__________________
Light, fast, secure & free:
Win7x64+MSE+WinFirewall+UAC+DEP+SEHOP
  #7  
Old October 31st, 2009, 09:26 AM
blacknight blacknight is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 869
Default Re: a virus pass COMODO

Not a bad idea to post it also in the Comodo Forum, isn't it?
  #8  
Old October 31st, 2009, 10:11 AM
dcrowe0050 dcrowe0050 is offline
Frequent Poster
 
Join Date: Sep 2009
Location: NC
Posts: 368
Default Re: a virus pass COMODO

From my experience CIS misses a lot of viruses and malware, so my advice would be to clean up, uninstall all but the Firewall, which is great, and get another free AV like Avast.
__________________
"The only real security that a man can have in this world is a reserve of knowledge, experience, and ability"

"Only two things in the world are infinite, the Universe and human stupidity, and nobody seems to be sure of the former"

  #9  
Old October 31st, 2009, 10:26 AM
smage smage is offline
Regular Poster
 
Join Date: Sep 2008
Posts: 191
Default Re: a virus pass COMODO

Hi a256886572008,

Here is the link for you to submit the virus to Comodo so that other CIS users get protected as well.

http://internetsecurity.comodo.com/submit.php

Thanks
  #10  
Old October 31st, 2009, 10:41 AM
NodKiller NodKiller is offline
Infrequent Poster
 
Join Date: Feb 2009
Posts: 13
Default Re: a virus pass COMODO

First thing: all av products are far from perfect (I tested a well-known av product which has a huge fan-camp here not long ago against zero day threats and it was like 1 out of 10) so you're silly if you rely on them (need better solution like HIPS and sandboxing).
Second thing: I use the whole CIS package and I'm very satisfied even with the av scanner (the whole suite running smoothly and very light on resources). No need to use another av scanner.
Third thing: you didn't even remove it or quarantine it, just set the application rule to limited app (what's with that).
Fourth thing: are your settings the highest possible for really good protection? (guess not). You can find good guides on how to set up CIS for maximum protection.
Fifth thing: looking at your threads on this forum and comodo's you just want to discredit their product mostly because of your ignorance.


P.S. If you seriously test well-known av products against zero day malware (not against zero day links) your result will be very disappointing: if they can protect against 20-30% this is a very good result (just forget about this very outdated technology). I guess you still live in this fancy world of antiviruses or are paid by one of the companies.
Please stop submitting BS's like this....
  #11  
Old October 31st, 2009, 11:22 AM
thanatos_theos thanatos_theos is offline
Frequent Poster
 
Join Date: Apr 2007
Posts: 487
Default Re: a virus pass COMODO

I think he did this to test CIS's HIPS and not the AV. So it's possible the AV is not installed (so even if it detects the threat...). This thread might be inspired from the thread below (malware able to install in LUA/with limited access),

http://www.wilderssecurity.com/showthread.php?t=256948

Unfortunately the malware was still able to install even with 'limited' rights set by CIS. With limited, writing to disk is blocked. Maybe this is a flaw with the default limited rule? Or the malware executed was a script and the rule didn't apply correctly/well to wscript.exe (which is a part of Windows and set as trusted?)? I think CIS doesn't monitor scripts on-execution?

Probably a256886572008 should explain?
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
  #12  
Old October 31st, 2009, 11:38 AM
_kronos_ _kronos_ is offline
Regular Poster
 
Join Date: Dec 2008
Posts: 93
Default Re: a virus pass COMODO

Exactly, your observation means that this malware can infect even with user rights (not only administrator). Nothing else.
So please be careful before doing a test, or publishing it as "CIS Bypassed", because if you click ALLOW to its alerts CIS is bypassed as well, but it is not a vulnerability.

Otherwise, if we are misunderstanding your test, please explain your methodology to us...

Regards
__________________
Realtime: Malware Defender, Prevx
  #13  
Old October 31st, 2009, 11:48 AM
dawgg dawgg is offline
Frequent Poster
 
Join Date: Jun 2006
Posts: 754
Default Re: a virus pass COMODO

Quote:
Originally Posted by funkydude
Joke:Win32.GreenEnvironment

... it's not a virus then, is it?
I won't be surprised if most AVs miss it and possibly many behaviour blockers if it just changes the background.
  #14  
Old October 31st, 2009, 03:09 PM
tcarrbrion tcarrbrion is offline
Infrequent Poster
 
Join Date: Dec 2007
Posts: 31
Default Re: a virus pass COMODO

Quote:
Originally Posted by thanatos_theos
With limited, writing to disk is blocked.

A limited application is not blocked from writing to disk or the registry. Only direct disk access and protected files/registry settings are blocked. It could still delete everything in "my documents" unless added to "my protected files".
  #15  
Old October 31st, 2009, 05:20 PM
Fuzzfas Fuzzfas is offline
Very Frequent Poster
 
Join Date: Jun 2007
Posts: 1,918
Default Re: a virus pass COMODO

I don't see where Comodo's failure is on this one...

ALL classical HIPS, won't protect you if you THINK that the malware isn't "bad enough". Just like it won't protect you from something you THINK it's legitimate software, so you switch to "installer-updater" mode and let it install... This is the biggest limitation of classical HIPS. If you don't think at all that it's malware, they can't protect you if you install them.

In this case, by setting "limited application", you bypass a good part of Comodo's protection...

Classical HIPS are good, but they are not a panacea against things that you don't suspect as bad and you want to install. This is where AV scanners and trying the software under something like Sandboxie or Shadow Defender or Returnil & Co help to get a better idea.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
  #17  
Old November 1st, 2009, 01:03 AM
jmonge jmonge is offline
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 6,164
Default Re: a virus pass COMODO

@fuzzfas nice avatar
__________________
PE Guard 2.1/HitMan Pro/WinPatrol Plus/ProcessGuard 3.5
  #18  
Old November 1st, 2009, 02:13 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 4,252
Default Re: a virus pass COMODO

Quote:
Originally Posted by thanatos_theos
I think he did this to test CIS's HIPS and not the AV. So it's possible the AV is not installed (so even if it detects the threat...). This thread might be inspired from the thread below (malware able to install in LUA/with limited access),

http://www.wilderssecurity.com/showthread.php?t=256948

Unfortunately the malware was still able to install even with 'limited' rights set by CIS. With limited, writing to disk is blocked. Maybe this is a flaw with the default limited rule? Or the malware executed was a script and the rule didn't apply correctly/well to wscript.exe (which is a part of Windows and set as trusted?)? I think CIS doesn't monitor scripts on-execution?

Probably a256886572008 should explain?

Yep, when running in clean PC mode wscript is part of the existing, trusted bunch of programs.
  #19  
Old November 1st, 2009, 04:21 AM
Fuzzfas Fuzzfas is offline
Very Frequent Poster
 
Join Date: Jun 2007
Posts: 1,918
Default Re: a virus pass COMODO

Quote:
Originally Posted by ssj100
Sandboxie, Shadow Defender, Returnil won't help you if the software you want to test requires a system restart - use a VM like VirtualBox (completely free) instead. VM's are much more versatile for testing things out than light virtualisation software.

Otherwise, completely agree with your other points.

True, VM is a complete solution for testing software (and malware) in general, you can do anything.

Personally I've never tried a VM, maybe I should. From the sound of it I always thought it would take some time to set up a VM. I prefer a solution like Shadow Defender (or Returnil Free) + First Defence PC Rescue-Rollback. Most malware doesn't even require a reboot. I'd actually become very suspicious if I were to install something and it required a reboot. In most cases all you need to avoid malware is to download reputable software from reputable sources. And usually malware that you execute comes in small packages (simple or camouflaged exe). Well, the exception with rogue antivirus exists, but, if you don't know which antiviruses are legitimate, then probably you don't know VM/ Returnil or Rollback either.

Quote:
Originally Posted by jmonge
@fuzzfas nice avatar

Hi there Jmonge! I see that now you are trying Twister. Yeah, the avatar is nice, but since I can't run Twister on 64bit I might change it. 64bit isn't a priority for Filseclab. Which is probably understandable since I presume that in China most people don't have cutting edge hardware, so they don't rush to 64bit OS either. This is also probably the reason why all Chinese security applications that I've tried run on very low spec hardware.

Maybe I should put Scotty as my new mascot!
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
  #20  
Old November 1st, 2009, 09:38 AM
firzen771 firzen771 is offline
Massive Poster
 
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 3,874
Default Re: a virus pass COMODO

Quote:
Originally Posted by Fuzzfas
Hi there Jmonge! I see that now you are trying Twister. Yeah, the avatar is nice, but since I can't run Twister on 64bit I might change it. 64bit isn't a priority for Filseclab. Which is probably understandable since I presume that in China most people don't have cutting edge hardware, so they don't rush to 64bit OS either. This is also probably the reason why all Chinese security applications that I've tried run on very low spec hardware.

Maybe I should put Scotty as my new mascot!

can never go wrong with good ol scotty
__________________
Windows 7 32bit - Windows FW: Enabled - Windows Defender: Disabled - UAC: Disabled - DEP: Enabled

Real-Time: ESET NOD32 Antivirus / Zemana Antilogger / WinPatrol
On-Demand: MBAM / Hitman Pro / Sandboxie
  #22  
Old November 7th, 2009, 06:55 PM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 9,351
Default Re: a virus pass COMODO

I have tried this virus. CFP does not fail IMO. You need a bit of custom rules, add file protection for *.lnk and *.vbs file creation.

Only thing deficient in CFP here is that it doesn't monitor putting hidden attributes on files and folders, and the malware is able to hide all folders in C drive including the Windows directory and Program Files folder.

A clever piece of malware indeed. I will post later with screen shots, hopefully in a week by God's will. Too busy ATM.
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
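
An added example, not part of any post in this thread: a read-only PowerShell audit of a drive root for the traces aigle describes above, that is, top-level folders carrying the hidden attribute and *.lnk / *.vbs files. The `$Root` parameter and the `Kind` labels are names chosen for this example.

```powershell
# Added example (not from the thread). Read-only: lists items, changes nothing.
param([string]$Root = 'C:\')   # $Root is a parameter name chosen for this example

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# -Force is needed: without it Get-ChildItem omits hidden and system items.
$items = Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue

$findings = foreach ($item in $items) {
    $isHidden = ($item.Attributes -band $hidden) -ne 0
    $isSystem = ($item.Attributes -band $system) -ne 0

    if ($item.PSIsContainer -and $isHidden) {
        # Windows marks some of its own folders Hidden+System (for example
        # 'System Volume Information'), so the two cases get separate labels
        # and the reviewer can tell them apart in the output.
        $kind = if ($isSystem) { 'HiddenSystemDirectory' } else { 'HiddenDirectory' }
    }
    elseif (-not $item.PSIsContainer -and $item.Extension -in '.lnk', '.vbs') {
        # The file types aigle suggests adding file protection rules for.
        $kind = 'ShortcutOrScript'
    }
    else { continue }

    [pscustomobject]@{
        Kind       = $kind
        Path       = $item.FullName
        Attributes = $item.Attributes
        Modified   = $item.LastWriteTime
    }
}

$findings | Sort-Object Kind, Modified | Format-Table -AutoSize
```

Running it in a test VM before and after executing a sample and comparing the two tables shows which folders had their attributes changed and which files were created.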
 
