So just uninstall the AV component, and use something lighter and more effective, instead. Go with the free AV of your choice + Comodo Firewall.
No! An exploit is an exploit, malware is malware. Different things. Now binaries can deliver exploits.
1. Fileless malware, unpatched vulnerabilities, exploits, LOL bins -- these terms are often mentioned in the same breath. But they are not identical. Fileless malware is very happy when it finds an unpatched vulnerability in a program, because then it can exploit that vulnerability in order to do things such as run a LOL bin.
2. If you have Voodooshield, you don't need to enhance Comodo's embedded code detection. Embedded code detection works better for some processes than for others. For certain processes, it might not work at all. It needs proper testing, which has never been done as far as I know; I can only comment based on my own very limited experiences with it. Comodo is built to protect against file-based attacks. Embedded code detection attempts to catch the command lines in fileless attacks and turn them into files, so Comodo can handle them.
I've seen a handful of videos where comodo firewall was tested against fileless malware with HIPS enabled, nothing got through, at least not without the tester purposefully clicking "allow" LOTS of times. That was with the default settings as far as I know. Comodo firewall and CIS on proactive security with all of the options to "do not show popup alerts" enabled and set to "block requests", with the container settings set to block instead of sandbox, has never failed to stop malware in any testing I've done on my own VMs either. It really is the best free security suite. And if you enable embedded code detection for everything that's there by default in the script settings, the HIPS is even beefier than before. Still, VoodooShield is easier to figure out if you're not an advanced user. The prompts it gives you are much easier for a normal user to understand, but with CIS and CFW you kind of need to know quite a few things in advance if you expect it to work well for you. You have to research things about it on comodo's forums and read up on their FAQ thing on their site. Like I said previously in this thread, I primarily use comodo to force my VPN upon my daily used applications, but the application whitelisting, behavioral analysis from its virusscope component and the HIPS are all just a plus on top of VoodooShield.
I entered in the MAC address of my VPN into comodo's list of networks and created a ruleset that forces any applications I label with that ruleset to only be able to connect to the internet through my VPN. That way, if my VPN client crashes, or doesn't open on system startup for some reason, I don't accidentally connect and start browsing without my VPN turned on.
Yeah, comodo's virus database kinda sucks. Usually it only gets 60% to 70% detection of 7- to 14-day-old malware. The whitelisting, HIPS, firewall, web filter and behavioral analysis from their virusscope component are the main reason why people use it. Their web filter is pretty good though.
Yes, my VPN has a killswitch too, but killswitch features in VPN clients only work when the client is still running while it's disconnected from one of its servers. I've set up Comodo's firewall to be a secondary killswitch that will work even when my VPN's client isn't running. So on the slim chance of the VPN client crashing or failing to start at system startup, I have a little bit of anti-idiot protection on my PC.
I'm using Windscribe and its killswitch (or firewall, as it calls it) blocks all internet traffic when disconnected, regardless of whether their client is running or not. But with some VPNs, the killswitch only works when the client software is running, making it close to useless in my opinion.
How does one test fileless malware? It's hard to find, and even harder to define. Most YouTube testers are testing script files; that is what Comodo is good at blocking, and in truth, that is the common variety that the average user should be worried about. In real life, Comodo will protect. I was talking more about the virtues of Voodooshield regarding the "what if" type of scenario, where the system is attacked by an advanced fileless malware.
Oh...Well, I also...almost compulsively run everything I use inside of the supervision of sandboxie, basically everything except for my games. Which would certainly protect from fileless malware, even if it only contains it.
You could get by with less security software. @guest's killswitch idea solves your VPN problem, so you can ditch Comodo. Your signature says you have SAP, which you also don't need because you have plenty of protection without it. I will not comment on Sandboxie because there are enough threads on that hotly debated issue already. All you need is Voodooshield + Windows Defender (tweaked by ConfigureDefender, if you want to be super-secure).
Windows defender kind of sucks. It gets good detection, but it makes my boot time longer. @guest didn't really have an idea for a killswitch other than to use the one built into my VPN client; I explained why I use comodo firewall to enforce my VPN.
Try it with only Defender + Voodoo, or only Defender + Comodo Firewall, and tell me if the boot time is still longer. I think it will be shorter. Practically speaking, you are well protected whether you choose Voodoo or you choose CF, since you obviously know how to configure CF.
1. TRUE or FALSE: The command line RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9909 is safe or malicious?
2. TRUE or FALSE: a kernel exploit led to the above rundll32 command line and is now persistent on the system?
3. TRUE or FALSE: the system is compromised?
4. TRUE or FALSE: The command line "C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15" is safe or malicious? Same questions 2 and 3 above about the presence of an exploit and compromised system.

Here is the answer for amateurs:
"Just because a security software stops or blocks something does not mean that the system is not compromised (is not necessarily safe to use). Unless a security software completely prevents any exploit in and of itself, the system is compromised and now needs remediation. Exactly what remediation depends upon the nature of the exploit. In the case of Double Pulsar\Eternal Blue, by the time an alert for rundll32 appears, the system is compromised with a persistent kernel exploit. If you, as the user, do not realize this, once you disable your security software, the system can be even further compromised. Alerts don't mean a thing if the user does not know what they mean (and does not take proper actions) or the user selects "Allow" or the user disables the protection at any point after the alert. By the time COMODO or Voodooshield throw alerts, the system is already compromised in the case of kernel exploits. Neither one prevents EB\DP; the system is compromised."
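As an added example (not written by any poster in this thread), here is a small Python triage routine that applies the checks a defender would run on the two rundll32 command lines quoted in the post above: module extension, module location, and ordinal versus named entry point. The two command lines are the ones from the post; the parser, the heuristics and the assumption that System32/SysWOW64 are the only expected module directories are constructed for this illustration.

```python
import re
from pathlib import PureWindowsPath

# The two rundll32 invocations quoted in the thread, used as constructed sample input.
SAMPLE_COMMANDS = [
    r"RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9909",
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\infpub.dat,#1 15',
]

# Leading rundll32 token: either a quoted full path or a bare/unquoted token.
RUNDLL_RE = re.compile(r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+', re.IGNORECASE)
# Assumption for this example: legitimate modules live in these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LIBRARY_EXTENSIONS = {".dll", ".cpl"}


def parse_rundll32(cmd):
    """Split 'rundll32 <module>,<entry> [args]' into its parts; None if not rundll32."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None
    module, sep, tail = cmd[m.end():].strip().partition(",")
    if not sep:
        return None  # no entry point: not the documented rundll32 syntax
    entry, _, args = tail.strip().partition(" ")
    return {"module": module.strip().strip('"'), "entry": entry, "args": args.strip()}


def assess_rundll32(cmd):
    """Return the parsed command plus the heuristic findings a defender would flag."""
    parsed = parse_rundll32(cmd)
    if parsed is None:
        return None
    findings = []
    path = PureWindowsPath(parsed["module"])
    if path.suffix.lower() not in LIBRARY_EXTENSIONS:
        findings.append(f"module extension {path.suffix or '(none)'} is not a DLL/CPL")
    # Only check the directory for an absolute path; a bare name such as
    # InetCpl.cpl resolves through the normal DLL search order.
    if path.is_absolute() and str(path.parent).lower() not in SYSTEM_DIRS:
        findings.append(f"module loaded from {path.parent}, outside System32/SysWOW64")
    if parsed["entry"].startswith("#"):
        findings.append(f"entry point {parsed['entry']} is an ordinal, not an export name")
    parsed["findings"] = findings
    parsed["suspicious"] = bool(findings)
    return parsed


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = assess_rundll32(cmd)
        print(("REVIEW" if result["suspicious"] else "looks benign") + ": " + cmd)
        for finding in result["findings"]:
            print("   -", finding)
```

The first command line (the InetCpl.cpl history-clearing call) produces no findings, while the infpub.dat line trips all three checks; as the post says, an alert on the second one is a sign the host already needs remediation, not proof that it is clean.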
Good points.
1. Any intelligent person who sees that malware is trying to run commands on his computer will clean his system, or reinstall it, or restore a system image, each according to his own tastes.
2. Kernel exploits are rare, and we cannot realistically expect our security software to stop them. At best, security softs can mitigate damage until the system is cleaned up.
Using the example you gave, our security soft is prompting us that rundll32 suddenly wants to do something strange and unexpected. Our security soft could be Voodooshield, ERP, ReHIPS, etc.
I've done testing already. My boot time with my current setup (as is displayed in the signature on the timestamp of this post) is 12 seconds or less. When I was using windows defender with CFW, my boot time was anywhere between 17 to 25 seconds. WD's RAM and CPU usage is piggish and clunky too and often caused slowdowns and temporary freezing of certain apps while they were loading things. My load times in online games were slightly longer when using WD too. With S.A.P. I can disable cloud uploading temporarily while I play games online, CFW doesn't auto-upload anything besides EXEs, DLLs, scripts, SYS files and that sort of thing, and Voodoo doesn't auto-upload anything at all. Sandboxie of course doesn't upload anything or use too many resources either. What I have might be ridiculous and overkill, but it works.