VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is odd... CIS 10 did not treat the files as safe, and EfficacyTest.exe worked perfectly during the test... please look at post #11366

    Maybe the CIS stable version is different... maybe Djigi can test the 36 samples on the stable version of CIS and let us know.

    Either way, I should probably stay out of this... Djigi asked me to test the 36 files so we could see what might be going wrong with the EfficacyTest app, then all heck broke loose ;).
     
  2. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    If CIS 10 didn't treat files as safe, then I guess EfficacyTest.exe should be autosandboxed or blocked, as I guess EfficacyTest.exe would not be in the Comodo whitelists.

    As you mentioned, it's a beta & it seems it's a very early beta, kind of an alpha.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, I totally understand all of that, and since the first test went really well, I figured the same thing would happen and the result would be about the same as the first test. But keep in mind, Djigi had the exact same result that I did (minus the one non-executable file). He might want to send those samples to Comodo so that they know. I am not sure what happened, but we all need to realize that there is the possibility that the malware escaped the sandbox... this can happen.
     
    Last edited: Jul 16, 2016
  4. guest

    guest Guest

    When you use a VM, the shared folder must be set to "read only"; you aren't supposed to move stuff from the guest to the host. That is what I do; then on the host, I put Sandboxie and other tools in the mix to isolate and restrict the shared folder, so malware doesn't have a chance to jump from the guest to the host ;)
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I always knew there was a chance that the test computer would be infected, but I had to do it that way because EfficacyTest.exe generates a report of all of the blocked and allowed files, and that was the easiest way to be able to grab the report. It is super easy to format and reinstall Windows on that computer anyway, I have all of the drivers ready and everything, and that is all I use it for, so no big deal at all. Besides, NullByte said that CIS 10 was 100% protection, and since he is extremely familiar with CIS, I figured it was safe. Then again, he did say something about how Comodo does not work in VirtualBox unless you change a setting... but it worked absolutely perfectly (even with EfficacyTest) for the first test I performed on CIS 10 earlier today with the old 1,000 random sample pack from my first youtube video. Usually I am more careful, but since the first test worked really well and since NullByte said that the protection was 100%, I figured we were good to go. Thankfully it did not spread to network shares, I would have been in deep trouble... imagine if it would have wiped out the VS source code on my main computer ;). I have backups of everything, but it would have been a real pain.

    I ran a couple more tests with CIS 8 using the same 36 samples, only because I was curious (I really should stay out of this as much as possible). I am done testing for now... here are the results.

    CIS 8 with EfficacyTest

    www.voodooshield.com/artwork/CIS8withEfficacyTest.webm

    CIS 8 Manual Execution after copying to the desktop from the C: Root

    www.voodooshield.com/artwork/CIS8ManualExecution.webm

    The results are essentially the same as CIS 10, and sorry, but I have a problem believing that there is a special setting when testing in a VM with CIS, or that CIS ignores files that are already on the computer, being that the first test worked flawlessly, and being that I copied the files from the C root to the desktop before manually executing them. Maybe we can give the samples to NullByte and he can test!
     
    Last edited: Jul 16, 2016
  6. guest

    guest Guest

    CIS in its default settings is weak. I used it for ages (I was a big fan), to the point that I ditched it (almost) for good. To make it super-secure, you have to spend hours to obtain that level of safety, then if you are lucky the bug that deletes your customized rules won't appear...
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not at all familiar with CIS, so I have no idea either way, but I will say it performed better than any other product besides Cylance with the 1,000 samples (93.1%), but then it did not do so well with the 36 samples from Djigi ;).
     
  8. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    857
    Location:
    Melbourne, Australia
    I PM'd NullByte on MT asking him to test VS and he informed me that he uses Linux. My background is technology, not security but telecoms, and I can't fathom how you can pronounce something is 100% without having played with the kit. I know I'm getting on a bit, but have things changed that much? For requesting NB to get hold of a Windows PC and test VS, I was accused of being aggressive by the children on MT. Reading what he writes, I would put him up there with CS as somebody that really knows what they are talking about. I wish he would get a Windows PC and test.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Something is odd, he somehow tested CIS 10...

    https://malwaretips.com/threads/comodo-internet-security-cis-v10-0-0-5144-beta.61409/#post-523722

    "The Free version is exactly the same as the old one, a few minor changes in the sandbox settings. The boot time is a little slower, memory usage is ~ 12-15 MB.
    Tested with 360 samples, the detection rate is still low, protection is 100%.
    I didn't notice Valkyrie in this product, that's a shame"

    There is a Linux version of Virtual Box, I use it for the Cuckoo Sandbox server, so I am assuming that is what he used to test CIS 10 with the 360 samples that he mentioned. And actually, instead of installing Windows again on my test computer, I am going to install Linux and use it to test from now on.

    I totally agree with you, there is no reason for everyone to get all worked up, especially when all we have to do is perform tests to discover the truth. Besides, we are all on the same team (the good guys).

    On a side note, I am confused why NB was disappointed that Valkyrie was not yet activated in CIS 10, when VoodooAi is quite similar, but yet does not seem to think too highly of it ;).
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,998
    Location:
    Poland - Cracow
    Thanks Dan.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool... yeah, it expired recently, so I added a couple of years, so you should be good to go, if not, please let me know! Thank you!
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I tested this malware folder a couple of times. I add Samples & EfficacyTest after CIS is installed because I know that CIS marks stuff already on the system as safe.
    Then I scan that folder with CIS, score 0% (some samples have been uploaded to Comodo by this time), then run EfficacyTest and the PC got very infected.
    I even changed to proactive config and it is the same thing (I'm talking about CIS 10 BETA).
    I will now test CIS 8 stable.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, sounds great! But one thing... how does CIS mark stuff already on the system that quickly? Like, for example, if you were going to mark all of the files on the system as read only, it would take some time. Another example is SAP's initial scan... it can take a little bit of time. I guess I am just confused.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, do you want to send the 36 files to NullByte so he can test? If he has the same result, maybe he can submit the files to Comodo.
     
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    CIS 8, when installed, runs a "Rating Scan" (CIS 10 didn't do that, yet) and checks all files.
     


  16. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Like I said in the previous post, CIS blocks unrecognized files and submits them to Comodo.
    You have the link to download those samples @Zippyshare, so send it to him.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    But what happens before the ratings scan? Everything is allowed?
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I'm not sure; it's not that everything is allowed, just that Comodo puts a mark on files (trusted, unrecognized or malicious).
    Maybe other members can explain it better.
     


  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am not sure either, but I am curious if anyone can explain this further. Also, keep in mind that the first test that I performed worked flawlessly, and CIS 10 had a 93.1% efficacy on the 1,000 samples from my first YouTube video... using the exact same procedure with the EfficacyTest app.

    I better go to bed, goodnight! Be careful with that malware Djigi ;).
     
  20. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I just started to test, and it failed again (EfficacyTest was about 12%).
    The virtual machine crashed and I had to restart it.
    Here are a couple of images:
     


  21. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Here is a new picture:
     


  22. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is weird to me too o_O.
    CIS 10 Beta and CIS 8 both have the same result :confused:.

    BTW: this CIS 8 test is on default settings, which is not good (Auto-sandbox only sandboxes some files).

    I will try CIS 8 with Proactive Config now.
     
  23. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Proactive Config, same results...
     


  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I too stopped using it about 2 years ago.
    I don't have time today for testing anymore (maybe in the evening).

    Sandbox settings have to be changed to "Untrusted" to be better (like in this last video test by Cruelsister - https://youtu.be/Rf9FwVwywM0).
     


  25. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Hi Dan

    Just using the free version. It seems very quiet. It might have solved an issue with Cyberfox crashing when downloading files.

    At the moment I am happy to keep it.
     