Using Comodo Internet Security as an anti-executable

Discussion in 'other anti-malware software' started by MrBrian, Aug 10, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
  3. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    You can also use Comodo Time Machine as an anti-executable. It trashes your MBR and prevents everything from running. :D
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    That was cold..but true, lol.
     
  5. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    At least they fixed it; it took plenty long, though :doubt:
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Nice approach :D
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In the past Comodo created a default rule with all asks instead of the denies or allows you had changed in the default profiles (Limited, Trusted, etc.) when you were not running Paranoid mode. This rule 'leak' existed until Comodo 3.x (the last one I tried). At that time they responded to me that they would come with a completely different innovation (it was the sandbox), which would make this 'problem' small for average users running default settings (using the sandbox). I doubt whether they have solved the issue. So it is indeed best practice to disable D+ when installing and run Paranoid mode otherwise!

    Just two questions: what sandbox settings do you use?
     
    Last edited: Aug 10, 2010
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    How is your method different from mine? What issues have you encountered using it?
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    :D :D :) ;) :D :cool:
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    My method uses Paranoid mode. For other reasons though, I now specify that it's required to disable Defense+ when installing software.

    My method doesn't use the CIS sandbox, so it's disabled.

    Thank you :).
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    You're welcome :)
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks, you managed to evade the design limitations :thumb: of Comodo.

    Could you check whether setting the sandbox on overrides your setup? It makes no sense to keep the sandbox on, but when somebody less knowledgeable wants to copy your settings and forgets it, it could lead to unexpected results.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Great suggestion :thumb:.

    In brief testing with the sandbox on, the method seems to still work fine. I tested with setting 'Automatically run unrecognized programs inside the Sandbox' off and also on.

    I think there might be value in using the sandbox with this method. For example, let's suppose a user opens a malicious PDF, which then causes a malicious .exe to be downloaded and attempted to execute. Upon execution attempt, Comodo Internet Security should either prompt or block the malicious .exe, depending on the 'Suppress Defense+ alerts' setting. Let's suppose that the 'Suppress Defense+ alerts' setting is unchecked. Let's suppose that the user unfortunately answers 'Allow' to the execution prompt. If the 'Automatically run unrecognized programs inside the Sandbox' setting is on, the malicious .exe should be sandboxed by CIS. Is this correct?
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    At least the file changes and registry changes are directed to a sandboxed location. So yes, but the deny by itself is strong enough IMO (no need for the sandbox overhead).

    I always changed the file check on all types of files to executables located in C root, Windows and Program Files. This is to match the registry and file protection (not all Current User entries are denied by D+ in the standard setting either).

    Regards Kees
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Various changes have been made to the method since the initial post.
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Does this work using the free version of Comodo Internet Security?
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes :).
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, MrBrian,

    Congratulations on a well-thought out tutorial.

    I noted your comments in Reply #7:

    Some years ago, I discussed malware infections with a tech person in a local computer shop. He said that 99% of all problems he saw in the shop were "User Error", meaning your second paragraph above.

    I've always remembered that!

    So, with a good anti-execution procedure set up, the only missing link is to educate people on avoiding the "rubbish!"

    ----
    rich
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you :). The purposely-installed "rubbish" indeed is a big problem.
     
  20. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've figured out how to allow installations to take place without disabling Defense+ first. If I don't find any problems, I'll change the guide sometime over the weekend.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't think MrBrian was referring to applications when he mentioned "rubbish" -- my assumption, anyway. I think he was referring to things like this, which I've cited before, which I called "user error":

    DNS changer Trojan for Mac (!) in the wild
    http://isc.sans.org/diary.html?storyid=3595

    ----
    rich
     
  23. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    But isn't that an application? Somewhat?

    On my Debian Linux box, NOTHING gets admin privileges unless it's from the Debian repositories.
    Not acroread
    Not Adobe flash plugin
    Not SpiderOak online backup service
    Not Opera
    etc etc
    :D
     
  24. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I intended "rubbish" to include socially engineered installations, phony anti-malware, software from dubious websites, cracked software, etc.
     