a virus pass COMODO

Discussion in 'other anti-malware software' started by a256886572008, Oct 30, 2009.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    COMODO Firewall 3.12.111745.560

    1.I execute a virus

    2.COMODO diplay an alert"wscript.exe is doing something."

    3.I choose "limited applications", and click OK.

    4.My disks of C & D become.......
     

    Attached Files:

    • vs5.png
      vs5.png
      File size:
      59.2 KB
      Views:
      1,155
    • vs6.png
      vs6.png
      File size:
      43.2 KB
      Views:
      1,155
  2. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    So what is your question??
     
  3. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    COMODO can not block this action of the virus:ouch:
     
  4. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    what is the point of this thread? if you want to report a virus then try their forums, if your not happy with the protection offered there is other free alternatives to comodo that you might prefer, to name a few there is AVG Avast! Avira and microsofts own free antivirus MSE.
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks a256886572008, btw what virus was it?.
     
    Last edited: Oct 31, 2009
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Joke:Win32.GreenEnvironment
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Not a bad idea post it also in Comodo Forum, isn't ? ;)
     
  8. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    From my experience CIS miss a lot of virus and malware so my advice would be clean up uninstall all but the Firewall which is great and get another freeAV like Avast
     
  9. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    377
  10. NodKiller

    NodKiller Registered Member

    Joined:
    Feb 13, 2009
    Posts:
    19
    First thing: all av products are far from perfect (I tested a well-known av product which has a huge fan-camp here not long ago against zero day threats and it was like 1 out of 10) so you're silly if you rely on them (need better solution like HIPS and sandboxing).
    Second thing: I use the whole CIS package and I'm very satisfied even with the av scanner (the whole suite running smoothly and very light on resources). No need to use another av scanner.
    Third thing: you didn't even remove it or quarantine it, just set the application rule to limited app (what's with thato_O).
    Fourth thing: are your settings the highest possible for really good protection? (guess not). You can find good guides how to setup CIS for maximum protection.
    Fifth thing: looking at your threads on this forum and comodo's you just want to discredit their product mostly because of your ignorance.


    P.S. If you test seriously well-know av products against zero day malware (not against zero day links) your result will be very disappointing: if they can protect against 20-30% this is very good result (just forget about this very outdated technology). I guess you still live in this fancy world of antiviruses or paid by one of the companies.
    Please stop submitting BS's like this....
     
  11. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    I think he did this to test CIS's HIPS and not the AV. So it's possible the AV is not installed (so even if it detects the threat...). This thread might be inspired from the thread below (malware able to install in LUA/with limited access),

    https://www.wilderssecurity.com/showthread.php?t=256948

    Unfortunately the malware was still able to install even with 'limited' rights set by CIS. With limited, writing to disk is blocked. Maybe this is a flaw with the default limited rule? Or the malware executed was a script and the rule didn't apply correctly/well to wsrcipt.exe (which is a part of Windows and set as trusted?)? I think CIS doesn't monitor scripts on-execution? :doubt:

    Probably a256886572008 should explain?
     
  12. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Exactly, your observation means that this malware can infect even with user rights (not only administrator). Nothing else.
    So please be carefull before to do a test, or publishing it as "CIS Bypassed", because if you click ALLOW to its alerts CIS is bypassed as well, but it is not a vulnerability.

    Otherwise, if we are misunderstanding your test, please explain us your metodology...

    Regards
     
  13. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    ... its not a virus then is it?
    I wont be surprised if most AVs miss it and possibly many behaviour blockers if it just changes the background.
     
  14. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    58
    A limited application is not blocked from writing to disk or the registry. Only direct disk access and protected files/registry settings are blocked. It could still delete everything in "my documents" unless added to "my protected files".
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I don't see where's Comodo failure on this one...

    ALL classical HIPS, won't protect you if you THINK that the malware isn't "bad enough". Just like it won't protect you from something you THINK it's legitimate software, so you switch to "installer-updater" mode and let it install... This is the biggest limitation of classical HIPS. If you don't think at all that it's malware, they can't protect you if you install them.

    In this case, by setting "limited application", you bypass a good part of Comodo's protection...

    Classical HIPS are good, but they are not panacea against things that you don't suspect as bad and you want to install them. This is where AV scanners and trying the software under something like sandboxie or Shadow Defender or Returnil & Co help to get a better idea.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    @fuzzfas nice avatar;)
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, when running in clean PC mode wscript is part of the existing, trusted nunch of programs.
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    True, VM is a complete solution for testing software (and malware) in general, you can do anything.

    Personally i 've never tried a VM, maybe i should. From the sound of it i always thought it would take some time to setup a VM. I prefer a solution like Shadow Defender (or Returnil Free) + First Defence PC Rescue-Rollback. Most malware doesn't even require reboot. I 'd actually become very suspicious if i were to install something and it required reboot. In most cases all you need to avoid malware is to download reputable software from reputable sources. And usually malware that you execute comes in small packages (simple or camouflaged exe). Well, the exception with rogue antivirus exists, but, if you don't know which antivirus are legitimate, then probably you don't know VM/ Returnil or Rollback either.

    Hi there Jmonge! I see that now you are trying Twister. :D Yeah, the avatar is nice, but since i can't run Twister on 64bit i might change it. 64bit isn't a priority for Filseclab. Which is probably understandable since i presume that in China most people don't have cutting edge hardware, so they don't rush to 64bit OS either. This is also probably the reason of why all chinese security application that i 've tried run on very low specs hardware.

    Maybe i should put Scotty as my new mascot! :cool:
     
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    can never go wrong with good ol scotty :D
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have tried this virus. CFP does not fail IMO. You need a bit of custom rules, add file protection for *.lnk and *.vbs file creation.

    Only thing deficient in CFP here is that it doesn,t monitor about putting hidden attributes to files and folders and malware is able to hide all folders in C drive including windows directory and program files folder.

    A clever piece of malware indeed. I will post later with screen shots, hopefully in a week by God,s will. Too busy ATM.
     
Loading...
Thread Status:
Not open for further replies.