COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    135
    Location:
    Spain
    Updated to final :D .
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    During my malware testing the other day I came across an interesting sample. As I've explained in the past, we always run malware samples in a clean unprotected computer to verify the stuff we collect actually is malicious. This particular sample did an interesting thing: it created a parallel Administrator account in Windows (via a command line script), and forced the Login screen to appear. Although that was the extent of what this thing did (CIS sandboxed and prevented it, by the way), a colleague of mine (with an evil turn of mind) added a bit of code to it. The sample will now make this false Admin account the default, and he added a password to it.

    So now to access the computer in regular or safe mode one would need the false default admin password to proceed, which obviously one would not have.

    So looks like someone is coming up with a new ransomware method, and those using an AM app without Sandboxing are lost.
     
    Last edited: Oct 14, 2011
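    Added here as a defender-side illustration (not code from the thread, the sample, or Comodo): a PowerShell check for the pattern cruelsister describes, a freshly created local account that sits in Administrators and has been wired up as the Winlogon default logon. It assumes an elevated PowerShell 5.1+ session with account-management auditing enabled; the 48-hour window and the output format are this example's own choices.

```powershell
# Added example (not code from the thread or from Comodo): flag a recently
# created local account that is now a local Administrator and is configured
# as the Winlogon default/automatic logon. Assumes an elevated PS 5.1+ session
# with "Audit User Account Management" and "Audit Security Group Management" on.
function Get-RecentAccountEvents {
    param([int]$LookbackHours = 48)   # lookback window is an assumption of this example
    $filter = @{ LogName = 'Security'; Id = 4720, 4732
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id                  # 4720 = account created, 4732 = added to local group
            Target  = $d['TargetUserName']   # the new account (4720) or the group name (4732)
            Member  = $d['MemberSid']        # populated for 4732 only
            Creator = $d['SubjectUserName']  # who performed the action
        }
    }
}

function Get-WinlogonDefaults {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        AutoAdminLogon     = $p.AutoAdminLogon
        DefaultUserName    = $p.DefaultUserName
        HasDefaultPassword = [bool]$p.DefaultPassword   # report presence only, never the value
    }
}

# Cross-reference: a 4720 target that is now a local admin and is the default logon.
$events  = Get-RecentAccountEvents
$created = $events | Where-Object Id -eq 4720 | Select-Object -ExpandProperty Target
$admins  = (Get-LocalGroupMember -Group 'Administrators').Name -replace '^.*\\', ''
$wl      = Get-WinlogonDefaults

$events | Format-Table -AutoSize
$wl
foreach ($acct in $created) {
    if ($admins -contains $acct) {
        $note = if ($wl.DefaultUserName -eq $acct) { ' and is set as the Winlogon default logon' } else { '' }
        Write-Warning "Recently created account '$acct' is a local Administrator$note"
    }
}
```

A clean machine prints no warning; the same check run from a rescue environment's offline registry hive would need the hive loaded first, which the example does not do.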
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    So does it bypass CIS?

    It's not new, there was a simulator many years back doing the same thing.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    No- The sandbox prevented it from doing anything, and the AV defs caught up with it around 48hrs after it appeared. However none of the other Enterprise apps that we test prevented it, which is actually not surprising as they are all vulnerable to ransomware attacks. What is surprising is that while Comodo has a signature for it, Symantec still (as of this morning) doesn't.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    comodo:thumb:
     
  6. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,584
    Location:
    Romania
    As much as I like Comodo and I am a proud user, I have to say that the new release sucks. Installed UltraISO today and when I was trying to compact an ISO file, I didn't realise why the hell UltraISO wasn't responding and kept crashing. Surprise, it was in Comodo's sandbox, without a warning. And the worst thing, Comodo wasn't able to kill the TuneUp 2011 process when I tried, and while UltraISO was hanging and not responding, I tried to kill it with CIS. Not a chance. I had to use KillSwitch to do it. For now, I will go back to the 5.5 version.
     
    Last edited: Oct 15, 2011
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,296
    Location:
    Pennsylvania.
    Had to revert to the previous version. 5.8 kept crashing on startup and not showing D+ events.
     
  8. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I had a few issues with installing 5.8 last night. I had upgraded via the updater and had the firewall running. I then installed PCAV and ran it for a little while. I then decided to uninstall both firewall and PCAV. I then installed Avast Free and then installed Comodo Firewall. For some reason the firewall would install but on restart wouldn't initialize. I had to uninstall both Avast and firewall. Now I just have CIS running. Not really sure what happened but this is the first time I've had any issues installing CIS or firewall. Yes I did run CCleaner and all uninstalls went through Revo.
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Glad you guys brought this up as I've been meaning to post about it. I had the same problem and although I requested a solution from the Comodo forums they really hadn't a clue as to what was going on (the Mods tend to be Geeks Like Us and not the actual coders, so I guess we shouldn't be surprised).

    Anyway, the problem that we were (are) having pretty much is confined to:

    1). those that have used the Beta versions and upgrade via the "Check for new version" function within CIS, and/or
    2). those who have imported their settings from a previous version.

    Solution:

    1). Export your current settings (we may or may not have use for them). If you are not familiar with how to do this, just right click the Comodo icon on your taskbar, click the "Manage My Configuration" notation, Highlight whatever you are using (hopefully Proactive Security!!!), and click Export. We'll import using this method later.

    2). Get the CIS Uninstall Tool from here:

    https://forums.comodo.com/install-setup-configuration-help-cis/uninstaller-tool-for-comodo-products-t71897.0.html

    Run it, reboot, run it again. No need to reboot after second run.

    3). Install the current CIS 5.8 build.

    4). After install and update, Export your settings as a baseline.

    5). Easy way to check at this point if the problem has resolved- Download the most excellent free defrag program, Puran Defrag from here:

    http://www.puransoftware.com/Puran-Defrag-Download.html

    Comodo hasn't whitelisted this program, so it will be good for the test. On running the installer you should now have a sandbox alert. Don't install it yet, so either allow or block but uncheck the remember box on the D+ alert.

    6). To see if your old settings will also work Import and overwrite the existing settings. Run the Puran installer again and see if you still get the D+ alert. Some will, some won't, but with either the fresh configuration or (hopefully) your old saved Config the problem should (will!!!) be resolved.
     
    Last edited: Oct 15, 2011
  10. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    I love the interface revamp on this latest release.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ cruelsister

    Interesting sample indeed :eek:

    On the face of it, yes. But hang on a mo. If after getting infected with it someone couldn't log in again, how would the baddies make contact with the users to try and extract $ ?

    Well no, because those of us using an AntiExe would be fine :thumb:
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I'm liking the new version. Along with all the other enhancements, separate AV and Firewall versions are available for download, along with specific architectures. That saves bandwidth and time.
     
  13. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,584
    Location:
    Romania
    I'm always using a clean CTM snapshot when I install AV and FW on my machine. And yes, I've imported settings. So, what I should do is install CIS and not import anything and the Sandbox problem will be resolved? Or pretty much all of them?
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Joe- What I would do in your case is uninstall CIS in the regular way and then use the Uninstall tool after reboot. After installing CIS, try the Puran Defrag test (or whatever program you know is not whitelisted) to see if the D+ alert will appear.

    If you remember Comodo suggested not to import old settings when 5.5 came out, so maybe this is the case again. Not importing settings is really no biggie unless you are running the Firewall (like I am) in Custom mode; then it's just allowing Net traffic for your apps.

    Clone- Once the faux Admin account is created, it could easily be set for Windows to boot right into it on Start, where the ransom screen would appear.

    As to the use of the Faronics program, you are correct that it would stop it. But sadly ransomware isn't aimed at Geeks Like Us: we have images, boot disks, Admin password finders like Ophcrack. It's aimed at the typical user who still thinks that booting is a way to try on shoes.
     
    Last edited: Oct 16, 2011
  15. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    CIS has never popped up any alert for specific programs here, my trusted vendors are slimmed down to Comodo & Microsoft items, the programs are not in the trusted files list & yet Comodo doesn't give a damn about running them.

    - HostsMan
    - WinDirStat
    - Homer
     
  16. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,584
    Location:
    Romania
    Thank you Cruel for your reply. But with age I begin to lose my patience :D :p and for now I will stick with the 5.5 version. When the new one settles in, I will do the upgrade.
     
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I don't know why the ransomware LockEmAll manages to bypass Comodo. I've even set D+ to Untrusted and still nothing. But in LanGuy's video, it's blocked. I know there are different versions but none of them were ever blocked by Comodo which is a bit disappointing...
    Version 5.8 looks nice though but I wish it would be better against these LockEmAll ransomware nasties.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    I've never come across any ransomware that wasn't blocked by CIS, and I've been extensively testing for months. LockemAll's in particular are contained nicely in the sandbox. Having D+ at Restricted and above (Recommended setting in our opinion) will just blow off any of the ransomware variants. At Limited and below you may have to reboot to get rid of the screen; but either way no harm is done.

    If you have any particular sample in mind, please PM me.
     
    Last edited: Oct 16, 2011
  19. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Take a look at this video of CIS 5.8, the malware did serious damage even sandboxed as Untrusted.

    http://www.youtube.com/watch?v=fYM8f3HXAXk
     
  20. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,311
    Location:
    USA,IA
    should have had sandboxie installed :D
     
  21. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    :thumb: :cool:
     
  22. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    That's why with a security suite you don't disable components of it haha. It's a suite because of its layered approach, if 1 layer fails it has others to use to block the malware. That's the whole point of it.

    The automatic sandbox isn't a virtualized environment, just policy restriction, and it's obvious the policies applied aren't restrictive enough to keep the malware from doing damage. I would just sandbox to block and it wouldn't have run. That's how I configure my machine. Untrusted breaks good programs anyway so no point in running malware with policy restrictions, just have it blocked.
     
  23. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,343
    Location:
    USA
    :thumb:
     
  24. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Topic was on D+ and sandbox and how it's unbreakable on higher settings, that's why I posted that video link.
    Malware was very old, that's why there was a signature for it.
    I watched several videos recently with Comodo AV enabled and similar things happened.

    btw what's the point of having a suite which blocks absolutely everything (won't let something execute in the first place) ? o_O
    Doesn't make sense.
     
  25. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    To avoid signature detection. Disabling real-time scanner doesn't disable D+, so you can test D+ efficiency without real-time scanner interfering. Comodo should really make some more QA before releasing their upgrades that are more downgrades than anything in this case.
     