COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
Blackday successfully bypassed both restricted and untrusted sandboxes. GPCode did not manage to bypass Untrusted nor Partially Limited.

    Both would have been blocked had I not disabled the heuristics/ other stuff.


    Screenies in the next few posts.
     


    Last edited: Aug 4, 2011
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    More. In order.

    Next post will include GPCode. This concludes the Black-Day test.

    edit oops
     


  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    GPCode.

    Last pic is the system info.
     


  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I didn't bother posting the partially limited results as they are the same. No infection from GPCode on this machine.

    I'll try on Windows 7 later.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Again, to reiterate, the default settings of Comodo WILL block this. It's just that the sandbox was not enough on its own.
     
  7. guest

    guest Guest

    Have you reported this "problem"?
    Anyway since they are planning a full sandbox for CIS 6 probably it will be "fixed"
    They are already talking about CIS 2012 so it must be around the corner

    An interesting test about CIS 5.8 BETA http://forums.comodo.com/beta-corner-cis/test-of-cis-58-beta-t74973.0.html;msg0#new
     
    Last edited by a moderator: Aug 5, 2011
  8. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    275
    Very nice information there Hungry Man.

    May I ask what specifically you disabled? I might be tampering with something that will make me vulnerable there.

    Will await results for the Windows 7 test.

    More reasons to wait for version 6 with utmost eagerness.
     
  9. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    @ everybody

    I think that CIS already got you covered. The only thing you have to do is to automatically sandbox your browser(s); even as partially limited gpcode or blackday will not be able to cause any harm whatsoever.

    Thanks
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Jason- I believe HungryMan Disabled Defense Plus and just ran things in the Sandbox for testing purposes. You really don't want to do that on your main computer! Defense+ and the Sandbox work synergistically against malware, and you really want such a setup against the zero-day stuff that is currently out there.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    That's why I'm running sandboxie along with CIS. Not much getting through that combo.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Black-Day was reported to them a long time ago. I may let them know it's still an issue.

    I disabled literally everything except for sandboxing.

    Unfortunately you can't autosandbox both Chrome and its plugins or they both crash. I'd rather sandbox Java than Chrome.

    Also, if you were to autosandbox your browser and use NONE of CIS's other defenses, then blackday would still break free and infect you.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Gpcode will not give you infected executables. Don't scan with MBAM. Just look for the files encrypted by gpcode. You will find them even if gpcode is sandboxed, as gpcode bypasses the CIS sandbox (did not test this beta though).

    Did you specifically look for these encrypted files?
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It will not. Blackday and probably gpcode bypass the sandbox of CIS.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Sure he did not, otherwise there is no fun in testing the sandbox, as the sandbox doesn't even work if you disable Defence Plus.
     
  16. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    +1 :thumb:
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I didn't disable defense+. Just the other modules in it that didn't include autosandboxing.

    I thought that gpcode changed the desktop background? I'll try it again this time looking for the specific patched files. Which ones should I be checking and for what?

    EDIT: I see from your old test. I'll try it now.

    I'm not seeing any changes to .txt files.
     
    Last edited: Aug 5, 2011
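The check aigle asks for in post 13 and Hungry Man performs by hand in post 17 (look for encrypted files on the real file system after the sample has run inside the sandbox) can be made repeatable with planted canary files. The script below is an added example for this thread, not code from either poster or from Comodo: it plants low-entropy plaintext canaries, snapshots their SHA-256 hashes and byte entropy before detonation, and after detonation reports which canaries were modified, deleted or added and which of those now look encrypted. The directory name, the canary size and the entropy threshold of 7.0 are assumptions chosen for illustration; the sample itself is run by hand between the two snapshots.

```python
"""Canary-file integrity check for sandbox-bypass tests.

Added example (not from the thread). Flow: plant_canaries() before the
test, snapshot() the directory, detonate the sample under the sandbox,
snapshot() again, then diff_snapshots() to see whether anything reached
the real file system. Paths and thresholds are assumed values.
"""
import hashlib
import math
from collections import Counter
from pathlib import Path

# Assumed threshold: repetitive plaintext sits around 3-4 bits/byte,
# ciphertext or random data close to 8. Anything at or above 7.0 is flagged.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of Shannon entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(root, count: int = 5, size: int = 4096) -> list:
    """Write `count` constructed plaintext .txt files under `root`."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    names = []
    for i in range(count):
        p = root / f"canary_{i}.txt"
        text = (f"canary file {i} " * (size // 16 + 1)).encode()[:size]
        p.write_bytes(text)  # constructed low-entropy content
        names.append(p.name)
    return names


def snapshot(root) -> dict:
    """Map relative path -> (sha256 hex, entropy) for every file under root."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            result[str(p.relative_to(root))] = (
                hashlib.sha256(data).hexdigest(),
                shannon_entropy(data),
            )
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots; flag changed/new files with ciphertext-like entropy."""
    modified = [k for k in before if k in after and before[k][0] != after[k][0]]
    deleted = [k for k in before if k not in after]
    added = [k for k in after if k not in before]
    likely_encrypted = [k for k in modified + added if after[k][1] >= ENTROPY_THRESHOLD]
    return {
        "modified": sorted(modified),
        "deleted": sorted(deleted),
        "added": sorted(added),
        "likely_encrypted": sorted(likely_encrypted),
    }


def sandbox_held(before: dict, after: dict) -> bool:
    """True only if nothing under the canary directory changed at all."""
    d = diff_snapshots(before, after)
    return not (d["modified"] or d["deleted"] or d["added"])


if __name__ == "__main__":
    # Assumed test location; put it somewhere the sample is likely to walk.
    canary_dir = Path.home() / "Documents" / "canaries"
    plant_canaries(canary_dir)
    before = snapshot(canary_dir)
    input("Detonate the sample in the sandbox now, then press Enter...")
    after = snapshot(canary_dir)
    print(diff_snapshots(before, after))
    print("sandbox held" if sandbox_held(before, after) else "sandbox BYPASSED")
```

A canary that shows up under `likely_encrypted` is the artefact aigle describes: the file is still there, but its contents have been replaced by ciphertext, which a malware scan of executables would never report. An unchanged snapshot means the writes were either blocked or redirected into the sandbox's virtual file system.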
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    An interesting find. Manually sandboxing black-day (through the defense security policy) as anything, including partially limited, will break it/ stop it from infecting.

    The only difference between the auto and manual is that auto does not virtualize. This function is coming in V6.

    So in V6 we'll have the fix to this.
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    thanks for confirming this.
    I used to have this belief that manual sandbox would stop this threat from infecting the machine..
    Yes, Manual Sandbox does actual virtualizing, whereas Auto Sandboxing applies some kind of restrictions depending on the level set.

    Thanks,
    Harsha.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Autosandboxing only has partial virtualization. This is the same for all levels (partially limited through untrusted) and the only thing that changes is what further security methods are forced onto the program (I'd love more details on what these methods are.)

    Manual sandboxing has full virtualization of the file system/ registry as well as the standard levels of restrictions. Even Partially Limited will give you full virtualization, so on its own it's very powerful.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Kind of off topic, but as I temporarily had a spare Malware Box I installed an AV solution that must go unnamed (no a vs b comparison here!) and did testing on it. Not very pretty results at all. Maybe they should make the icon dance.


    http://www.youtube.com/watch?v=rrtFwmunj3U
     
    Last edited: Aug 6, 2011
  22. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    PMSL :blink:
     
  23. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    275

    @aigle/Hungry Man,

    A minute ago I was confused by the "D+ disabling"..nice there:)

    So indeed gpcode/blackday is still a factor until full virtualization in version 6.

    Awaiting W7 results :)
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well... if a 0day version of blackday came out it would still be caught by the heuristics... but if it were modified to get around that somehow you'd be boned without an extra layer of defense.
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Extra layer like what, hungryman? Any recommendation, man? Thanks
     