New MRG test results

Discussion in 'other anti-malware software' started by Dark Star 72, Jun 23, 2010.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Hi, Allow should not matter. As long as application is running inside the sandbox, it should not be able to install the hook.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I think some people did not understand the CFP test video. Actually they tested the sandbox componenet, not the defence plus. In this case, once the simulator is sandboxed, it must not be able to do any harm, even if you allow all pop up alerts by defence plus.
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    Absolutely agree with you that everybody whose in a security field whether they are AV vendors or Firewall vendors or anybody else should work like a TEAM. They have to listen each other, they have to share the information with each other...They should be more flexible and should have accepting nature in case they failed to protect their consumers.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,379
    Location:
    Hawaii
    Well said! :thumb:
     
  5. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    It really should not AFFECT the system but gonna SEND the data to the internet till the system is shut down or the process in the sandbox is terminated. Thats how I understand it.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    No.

    1- It must not be able to capture the data as it is sandboxed. Any sandboxed application must not be able to log key strokes esp on a secure site( and esp when the browser is running un-sandboxed). A simple block of the hook/ dll injection might do the job in many cases.

    2- A good sandbox must not allow any sandboxed application to send data out side unless a specific application is ALLOWED by the user in sandbox rules/ exceptions( for example user will specifically ALLOW for browsers/ messengers etc in order to be able to surf the internet).
     
    Last edited: Jun 27, 2010
  7. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Are we talking about Comodo personally, or sandboxing as a whole? ;)
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i think all sandbox type program should have such restriction,even to not to connect to the internet when trapped in the sandbox,good idea to prevent data theft:thumb:
     
  9. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Anyway I would prefer a program which wouldn't interrupt me every time it needs to make a decision, whether I understand or not those popups, and that's where MRG is heading to...

    and that's where the key difference from Matousec's tests is. Sorry couldn't help myself.
     
    Last edited: Jun 27, 2010
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Both I think.
    Most/ All sandboxes are pretty silent.
     
  11. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Prefer to listen and read, especially when I think the same way, ;) :thumb:
     
  12. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Comodo sandbox can redirect file/registry but can not virtualise behaviors which affect simulated lua, i think, this is why you get prompt, you do not have such prompts in sandboxie, you have only info about this or that api is not supported and similar..

    btw. if prompt appears tester should answer accordingly, this is not sandbox test it is test for on line banking...
     
    Last edited: Jun 27, 2010
  13. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    The default setting in Sandboxie is to allow any program in the sandbox to access the internet. And yet it's an excellent security tool.

    Isn't the point of a sandbox to stop any programs inside it from changing the system outside the sandbox? It's not intended to protect a browser from other programs running inside the same sandbox.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    They told their policy that they will not give credit for ordinary alerts. Policy is wrong for classical HIPS, but that,s a different discussion.

    Comodo sandbox lacks interception for dll injection etc, so it obviously failed the test. IMO, it,s more of a deficient feature, rather than failure. I hope Comodo make their sandbox feature rich n more solid without any delays. It,s really frustrating that you can,t even know which applications are running inside sandbox( Am I true)?

    This is sandbox test for online banking/ passpwrd stealing malware etc and pretty valid for a sandbox IMO.
     
  15. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten

    Ok, but if we talk about test i think your thinking is wrong, because you can not look only in CIS sandboxing but in whole product... Let me explain what I think, if something gonna to escape from CIS sandbox you will receive prompt, in this particular situation (I can only guess) global hook prompt, so if you click deny, no info will escape to their server, also I think nobody with half brain will click allow for program which is unknown, especially if on prompt clearly says it can be used for keylogging and you are about to do some banking ...

    Do they need to improve sandbox? yes they should, usability especially but with resources they use (MS documented/approved API only) I think they cant do much more, on another hand it is good enough protection if you willing to answer D+ behavior prompts correctly while unknown program runs in sandbox... Look at CIS sandbox like a "too many prompts suspender" and not as a unknown programs tester like sandboxie which can give enough APIs for progs to run flawlessly in isolated space
     
  16. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,545
    • my cousins would click "allow" or simply close any popups/alerts... :D
    • my friends would go crazy trying to figure out about the popups/alerts which is exactly the same as when installing some other trustworthy programs that uses the same method that triggered the HIPS.
     
  17. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    This is from another forum:

    "PostPosted: Sat Jun 26, 2010 1:34 pm

    I keep getting these popup defense alerts by Comodo firewall:

    rundll32.exe is trying to execute:

    Microsoft.VisualBasic.resources.dll
    mscorlib.resources.dll
    system.resources.dll


    I don't know exactly what's going on. I don't trust that they keep popping up over and over. I allowed them once and it seemed that soon after some malware was detected on my system. I know that it looks like microsoft junk but I don't understand why something recently started to repeatedly try and access resources.

    I've read that Comodo can be quite a paranoid software firewall.



    Any suggestions?"



    How many people out there know what to do in a situation like this one?. Some people say "if you don't understand the popups don't buy this". Can a company survive selling its products only to costumers who know Windows by heart?.
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    +1 :thumb:
     
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    The point is that there are no pop-ups when installing known trustworthy applications.
    Only when an installation is of uncertain legitimacy do you get any pop-ups.Whether or not this is due to malware or a clean file is irrelevant,it just means that caution should be taken and the user should determine if it's safe or not before allowing it access to the system.

    There is the argument that the sandbox should offer a complete isolation solution,but this would cause many usability issues apparently.That's not to say that there isn't room for improvement in the sandbox implementation,there are a number of areas where it could be hardened and hopefully this fact has been recognised by the devs.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    If GesWall, DefenceWall and SBIE can work with MS OS, Comodo can work too. Their Sandbox seems in infancy, unless they are thinking on a different model/ approach of sandboxing.
     
  21. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Slightly OT, but isn't that the main issue with Comodo?
    In their pursuit of building the 'free ultimate security suite', it seems it will never ever be finished.
    A sw firewall, with a HIPS. And an AV. And a sandbox. And perhaps a BB is to be added in the mix? And next?

    Development like this is bound to receive criticism, I guess
    I'm not judging Comodo as they are free to decide whatever they want but it's their decision not to divide CIS clearly in stable vs. development branches.
    Users (in their own free will) are continuously confronted with this mix of parts that are stable/finished and some 'under-construction'.

    Right, back on-topic again.
     
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,057
    Location:
    Ontario, Canada
    Sveta where is the updated test list for the last 2 or 3 days!

    TH
     
  23. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Hi TH,

    Tonight we will be publish the updated report, testing continues as planned.

    Regards,
    Sveta
     
  24. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,057
    Location:
    Ontario, Canada
    OK Thanks!

    TH
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks Sveta;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.