COMODO Internet Security 5.x Thread

OH. Duh. I have all my downloads in a file that is also sandboxed and restricted. Failed to mention that. I usually run programs in it and scan them to death before running them. Plus I'm not that stupid that I'm going to let something call bbbbbbb.exe, run without a scan or two.

 

If you run the malware from download through the browser, it will run (depending on the sandbox's restrictions). Once you close the sandbox and delete everything, it will get wiped. If you save the file to the download folder and then recover it from the sandbox and run it, then your screwed.

 

I'm in the process of doing a rather extensive test on the abilities of CIS 5.8. Although I certainly like the cloud scanner, but was wondering about the seeming delay in results. I currently reside in the USA.

Unlike HitmanPro which follows a rather direct route from my home to Enschede
The Netherlands, Comodo follows a rather circuitous route around the midwest, then to Stockolm, back to Stoke-On-Trent and Bradford in the UK, finally ending up at Jersey City,NJ.

So I suppose we must cut the Cloud Scanner a little slack as the packets must be tired after such a trip.

 

As in Stockholm in Sweden?

 

Since the update, I no longer get popups when a program is auto-"sandboxed". It imported all of my rules into the Proactive configuration as well, so I can no longer start a "clean" Proactive profile.

 

SweX- Yes, your homeland. I originally thought that it was just an aberration of Network traffic, but for the past 3 days it's been the same path.

 

Espresso. If program "a" is new to your system and unrecognized it is autosandboxed and you get a notification. IF you then close "a" and reopen it it will again be sandboxed but without notification.

 

Interesting find.

 

Is it possible that it's just multiple servers in areas to perform faster computation?

 

I know. I get no notification from new files.

 

HungryMan- I just checked my Trace logs and Bradford, UK is a Comodo address (Comodo CA Limited), Jersey City is Comodo Group, Inc. Can't figure out the hop to Sweden, but again Stockholm is reason enough to go there.

 

Haha lol I don't live in that city so don't ask me

Perhaps they got a DataCenter there?

 

That's what I would figure.

 

Just a bit of trivia for you cruelsister as it's interesting to know why certain locations are of importance to Comodo .... Melih earned a Bachelor of Science degree in Electronic Engineering from Bradford University, United Kingdom, and I imagine that's where he got the inspiration for creating Comodo.

 

A few things this morning- during my testing today I traced the route that Comodo was taking to the Cloud. This time it bypassed Sweden and their facility in the USA (New Jersey) and just connected to Comodo servers in the UK (Manchester and Salford).

Also wanted to share some of what I’m up to. On a daily basis I try to collect at least 25 malware samples. All the samples must meet the following criteria:

1). They must have just made their appearance on the usual lists in the preceding 12 hours.
2). All samples must be run through VirusTotal with the max detection being 10 scanners. Limiting detection to 10 or less reduces that chance that this is a week or 2 old sample finding its way back.
3). Cannot be adware.
4). All samples meeting the above criteria will be tested in a defenseless malware box to verify that the samples files are truly malware.
5). Malicious activity will be defined as making the system unbootable, making the system unusable in some way (disabling any program, browser redirection, etc), and/or the detection of any mysterious network traffic.

CIS 5.8 beta build 2065 will not be tested at default. CIS has very good options so why not use them? The settings used are:

1). Proactive Security
2). AV- Stateful, Heuristics Medium
3). Firewall on Custom policy
4). D+ on Safe Mode, Unknown Programs run as Restricted.

This morning 30 acceptable samples were found. It’s rather hard to give names to these samples as the overall detection rate is so low and different vendors call things by different names. But there were in general some ransomware, Lock-em-all’s, Spyeyes, downloaders, and of course a Zeus or two. On download the AV detected 13, leaving 17. Just for kicks I did a right click scan with HMP (11 detections) and MB (14 detections).
I ran these samples one by one. Cloud picked up and deleted 2 files. The rest were sandboxed as restricted. In 4 cases daughter programs were spawned, and in all 4 cases D+ noticed and also ran these as restricted. Although a number of nasty things were now in memory no slowdown was apparent. No suspicious network connections occurred. At this point I rebooted, opened up CIS and went to the main page, clicked on the D+ section and deleted all the files running as restricted. After a reboot I did scans with MB and HMP. HMP found nothing, MB detected 3 registry traces.

(foolish and unjust comments about the fine product Defensewall removed by CS)

 

thanks for the testing info cruelsister.

 

Wow strong work cruelsister. Nice job breaking down criteria of malware. Nice to see CIS working well. I appreciate how much work goes into producing something like this.
Kind of surprised at defensewall. Normally it is rock solid against just about everything. I'm sure Illya is taking a look at it.

 

dont worry ilya will fix it

 

now try appguard or even sandboxie

 

Also surprised at DefenseWall. Nice that Comodo picked it up though.

The sandboxing just doesn't work well enough for me to use it (on automatic) but V6 will fix that.

 

well there have been many tests........which show that CIS is helped great deal by defense+ in preventing malware......

Shouldn't AV be doing this job? for CIS more often or is it normal?

 

The AV is the weak point. I'd much prefer the improve D+ over the AV.

AV's are backwards technology.

 

No comment

 

There is a certain AV (not named as I don't do A vs B comparisons) with a very, very good Cloud detection rate that did very, very bad against a few new threats found today.

http://www.youtube.com/watch?v=rrtFwmunj3U

 

I second that