VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    3 files blocked were by AV & not AS.
    Maybe trusted files are still scanned by AV, don't know for sure?
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you... I bet it is dismhost then. I can probably disable the special dismhost handling and post a new version and see how it does. Hopefully I can do that soon!
     
  3. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Just to be clear -

    You tested 1000 samples with CIS 10 Beta.
    You tested 36 samples with CIS 8 Stable

    Did you also test 36 samples with CIS 10 Beta?
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yes, that was the test where my computer was infected (CIS 10 36 samples). See, I had already run the CIS 10 1,000 samples, and it worked perfectly and CIS had an efficacy of 93.1%. So then I ran the CIS 10 36 samples using the exact same procedures (with EfficacyTest.exe)... and boom, it nailed me.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I do not know either... if you guys figure it out, please let me know ;). Thank you guys! Sorry, this was not supposed to turn into an extended discussion, but one thing led to another, and well, here we are.

    So I am going to stand by my original statement... "I have had a couple of people ask how well the new Comodo 10 beta performs with the pre-execution blocking efficacy test, so I tested it with the first 1,000 samples, and it did really well... 93.1%!" ;).
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Dan, I think that is just a symptom because VS freezes on other things besides dismhost.exe. Didn't you say that VS doesn't have access to Temp files on Win10, or something along those lines?

    [​IMG]

    Note the path?
     
  7. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    It's already been analysed and added to their database of trusted files so it won't be sandboxed.

    Comodo Rating.jpg


    COMODO Scan.jpg

    Default settings are just so Comodo works on install without too much hassle for most users. If you need good protection you need to reconfigure it or add other security products.

    Comodo Proactive - should have HIPS enabled.

    COMODO HIPS.jpg

    If "Remember my answer" is chosen it takes a couple of days to train then you don't get bothered by lots of pop-ups.
    Personally I don't use the HIPS component and rely on something else for that.
     
  8. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    EfficacyTest.exe is trusted by Comodo. Don't know how, but VoodooSoft is not in the Local Trusted Vendor List.

    Maybe when you tested CIS 10 with 1000 samples, EfficacyTest was not trusted by Comodo at that time.
    And now EfficacyTest is trusted by Comodo.
     
  9. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    All executables are scanned but action taken depends upon configuration. Example:

    With this option unchecked file location is not taken into account. If checked Comodo places a zone identifier on monitored files.

    COMODO Advanced Settings.jpg

    Regarding sandbox it's possible to add your own rules or edit existing rules. Here all unrecognised files will be blocked: That's not the default.

    COMODO Advanced Settings 2.jpg
     
  10. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    That is weird.

    COMODO TV.jpg
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Gees, it would be good to read about VoodooShield in this thread instead of Comodo. :isay:
     
  12. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Sorry. I was thinking the same thing! However it seems that configuration of other products might be a problem.
     
  13. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    When I typed voodoo in TVL & pressed enter, I got "finished searching the table" & voodoo was not there. Maybe new entry & needed update, i.e. I installed latest version but not tried updating.

    Ok, I think we should stop posting on Comodo here.

    Apologies for hijacking the thread.
     
  14. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    It's definitely turned out to be one of the best hijacks ever!
    I keep checking to see if cruelsister's VS video has been posted and all I am getting is a very detailed analysis of CIS. Mind you there was the added benefit of another great cruelsister vid, but it was, of course, about CIS! ;)
     
  15. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I am waiting for cruelsister's VVS video.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly... it is something like that. I really think once we tell Vlad everything that we know, he will be able to figure out a way to reproduce the bug and then fix it very quickly. It is some kind of a permission issue, I think anyway ;). Thank you!
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I agree, how funny! It sounds like CS is going away until the fall... if she does not have time to create and post the VS video before she leaves, maybe she can at least tell us her findings ;).
     
  18. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Findings would be good but I do like CS's vids. Somehow she manages to make security vids comprehensible and entertaining. The music is always great, the vids are snappy and they are easy to follow with a beginning, a middle and a conclusion. Bit like a good public speaker - tell them what you're going to say, tell them and then tell them what you said! :)
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    The only reason this 'hijack' of the thread has been allowed to go on was because it was talking about a component of VoodooShield (EfficacyTest.exe)

    However it has now gone beyond that. The constant references to Comodo in this thread are unfair to people who use this thread for discussions on VS bugs, freezes and the general workings of VS.

    Let's keep on track please.
     
  20. My take on the Efficacy test mystery:
    - when Dan made first video, the EfficacyTest.exe was unknown to Comodo
    - Comodo has to feed its blacklist and machine learning, so unknown exe's will be analyzed
    - offline/cloud analyses of the EfficacyTest.exe made Comodo decide it was safe (Valkyrie?)
    - Comodo seems to have a safe parent feature (like VS) which disables some components to reduce FP's

    Only way to check whether something has been changed is to run the 1000 sample file again with EfficacyTest.exe

    Until 1000 sample test is retested, let's focus on VS.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that stapp... we really went on a tangent there, and a lot of it was my fault, although I am certain that none of us meant for it to go that far ;). I think for a lot of reasons, my malware testing days are over ;).

    BTW, I think you told me that you have seen dismhost blocks with VS, and you do not experience the freeze issue, is this correct? thank you!
     
  22. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    Yes I had a dismhost block the other day when VS was in install mode.

    Last time I saw anything to do with a problem with a VS component was here (shown in Action Center)

    Source
    VoodooShield

    Summary
    Stopped working

    Date
    ‎28/‎05/‎2016 07:12

    Description
    Stopped working
    Faulting Application Path: C:\Program Files\VoodooShield\VoodooShieldService.exe

    Problem signature
    Problem Event Name: CLR20r3
    Problem Signature 01: voodooshieldservice.exe
    Problem Signature 02: 3.10.108.0
    Problem Signature 03: 5747591b
    Problem Signature 04: mscorlib
    Problem Signature 05: 2.0.0.0
    Problem Signature 06: 53a11de1
    Problem Signature 07: 4221
    Problem Signature 08: 51
    Problem Signature 09: 2M52EXV2C4QV0UEVRPJP1P2VVUBSMIVE
    OS Version: 6.1.7601.2.1.0.768.3
    Locale ID: 2057
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I agree... let's fix the freeze issue ;). Thank you Kees!
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for letting me know! I think we have enough info for Vlad, and hopefully he will be able to look at it in a couple of days!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I would much prefer to see the video, but she may not have time before she leaves, so we might have to wait until the fall :(.
     