Author Topic: Would Comodo have stopped the Stuxnet worm?  (Read 10664 times)
aweir14150
Would Comodo have stopped the Stuxnet worm?
« on: December 28, 2010, 09:38:56 AM »

Would it stop a malware with a stolen digital signature from installing?
Logged
kagun
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #1 on: December 28, 2010, 09:45:53 AM »

Depends on the config and how a user would answer any/all alerts....
I guess some if not all would be sandboxed because, you know, they are unknown files after all.
As for digi certs, well, anything can happen...
Logged
Chiron
Global Moderator
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #2 on: December 28, 2010, 01:31:52 PM »

The next version should be immune to signed malware.
Logged

Siketa
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #3 on: December 28, 2010, 02:53:58 PM »

Quote from: Chiron
> The next version should be immune to signed malware.

That's good to hear!

Can you share something or give us a hint?
« Last Edit: December 28, 2010, 03:08:10 PM by siketa » Logged
SpeedyPC
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #4 on: December 28, 2010, 02:55:21 PM »

Quote from: Siketa
> That's good to hear!
>
> Can you share some clue or give us a hint?

+1 Sounds very interesting
Logged

ASUS G75VX-T4153H, Avast Free v8.0.1489, Outpost Firewall Pro 8.1, W8 64bit, Firefox & IceDragon (NS/AdP/LP/TSB/TL/Web/Ghost/VT), Thunderbird (AdP), Hitman Pro, MBAM, WinPatrol, EEK, Secunia PSI, CCleaner, Zemana AL Free, Macrium Reflect Free
disPPlay
Malware Research Group
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #5 on: December 28, 2010, 05:50:02 PM »

Quote from: SpeedyPC
> +1 Sounds very interesting

Agree with you.
Logged
Valentin N
Malware Research Group
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #6 on: December 28, 2010, 05:57:30 PM »

Quote from: aweir14150
> Would it stop a malware with a stolen digital signature from installing?

To answer your question: I don't think it will, due to the safe digital signature.

I recommend you have "unrecognized files will be treated as Untrusted" and unmark "Automatically trust files from trusted installer" in Sandbox Settings.

Unknown files will be automatically sandboxed and you will get more pop-ups, but that's worth it; you will be protected.

Regards,
            Valentin N
« Last Edit: December 28, 2010, 06:09:52 PM by Valentin N » Logged

Skype: comodohelper (Personal)

CEVPN: Valentin N

CIS 5.9

Keep CTM alive by voting

HeffeD
Global Moderator
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #7 on: December 28, 2010, 06:04:15 PM »

Quote from: Valentin N
> and unmark Automatically install files from trusted vendors in Execution control Settings.

I think you are unclear on what this setting does. It's not like the old, don't use the trusted vendors list option.

If an installer is trusted (either by CIS or by the user) any files created by this installer are also considered trusted to keep them from being sandboxed during the install.

If you trust the installer, why wouldn't you want the respective files to stay out of the sandbox?
Logged

Valentin N
Malware Research Group
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #8 on: December 28, 2010, 06:08:04 PM »

Quote from: HeffeD
> I think you are unclear on what this setting does. It's not like the old, don't use the trusted vendors list option.
>
> If an installer is trusted (either by CIS or by the user) any files created by this installer are also considered trusted to keep them from being sandboxed during the install.
>
> If you trust the installer, why wouldn't you want the respective files to stay out of the sandbox?

I mean sandbox settings. Sorry my mistake. I have modified my previous post.

Regards,
            Valentin N
Logged


HeffeD
Global Moderator
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #9 on: December 28, 2010, 06:42:54 PM »

Quote from: Valentin N
> I mean sandbox settings. Sorry my mistake. I have modified my previous post.

But again, I don't think you are understanding what this option does.

A quick example with Automatically trust files from trusted files enabled:

I want to install MyFavoriteApp.exe. This application uses a .bat file or two to unpack files or copy files to respective folders, or perhaps runs a script. This application is not on the trusted vendor list. I get an alert asking if the installer should be allowed to run. I say yes... Great success!! Installation went without a hitch!

OK, now we disable Automatically trust files from trusted files:

Again, we want to install MyFavoriteApp.exe. We tell CIS, yes, let the installer run at the alert. Oh, but wait, this .bat file is unrecognized! I'll sandbox it for you! Install fails because the .bat or script wants to do some things that our isolation level doesn't allow. OK, I click on the "don't isolate again" link in the sandbox alert, but this doesn't help because the install has already failed. So, we try again and the install gets past the original .bat, but hey, there's another one I don't recognize! Sandbox! Click "don't isolate"... Try to install again... Rinse and repeat for however many components of the installer that are unrecognized.

I wouldn't recommend disabling this. Sure, I guess you could say you're more secure because each unrecognized file is getting sandboxed, but really, do you want it to do that? If you don't trust all the components of an installer, you don't actually trust the installer, now do you?
Logged

aweir14150
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #10 on: December 29, 2010, 01:03:09 AM »

So, if a malware is signed, it will be treated as unknown? Sorry for the confusion, I thought Comodo only automatically sandboxed unknown, unsigned files.

There are 4 possible categories...

signed, known
signed, unknown
unsigned, known
unsigned, unknown.

Am I correct?
« Last Edit: December 29, 2010, 01:04:46 AM by aweir14150 » Logged
Chiron
Global Moderator
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #11 on: December 29, 2010, 02:47:35 AM »

Quote from: aweir14150
> So, if a malware is signed, it will be treated as unknown? Sorry for the confusion, I thought Comodo only automatically sandboxed unknown, unsigned files.
>
> There are 4 possible categories...
>
> signed, known
> signed, unknown
> unsigned, known
> unsigned, unknown.
>
> Am I correct?

It doesn't just matter that a file is signed. In order for it to be trusted the digital signature must be in the TVL. Otherwise the file is unknown and will be sandboxed (with the information that the file is signed provided in the popup).
Logged
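
A small model of the trust decision described in Replies #9 and #11 above, added here as an example; it is not part of any poster's message and is not Comodo's code. The TVL entry, file names and function names are constructed, and the product's behaviour is assumed only as far as the thread states it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed signer name; a stand-in for an entry on the Trusted Vendor List (TVL).
TVL = {"Example Trusted Vendor Ltd"}

@dataclass(frozen=True)
class File:
    name: str
    signer: Optional[str] = None      # None means the file is unsigned
    created_by: Optional[str] = None  # installer that dropped this file, if any

def classify(f, user_trusted, inherit):
    """Return 'trusted' or 'sandboxed' under the rules described in the thread."""
    if f.signer in TVL:               # signed, and the signer is on the TVL
        return "trusted"
    if f.name in user_trusted:        # the user allowed this file at an alert
        return "trusted"
    if inherit and f.created_by in user_trusted:
        return "trusted"              # dropped by an installer the user trusts
    return "sandboxed"                # unsigned, or signed by a non-TVL signer

def install_attempts(installer, components, inherit):
    """Count install runs until no component of the installer is sandboxed."""
    user_trusted = {installer.name}   # the user said yes at the first alert
    attempts = 0
    while True:
        attempts += 1
        blocked = next((c for c in components
                        if classify(c, user_trusted, inherit) == "sandboxed"), None)
        if blocked is None:
            return attempts
        user_trusted.add(blocked.name)  # "don't isolate again", then retry

# Constructed sample files.
INSTALLER = File("MyFavoriteApp.exe")
PARTS = [File("unpack.bat", created_by=INSTALLER.name),
         File("copy.bat", created_by=INSTALLER.name)]
SIGNED_UNKNOWN = File("tool.exe", signer="Unknown Signer Inc")
SIGNED_TVL = File("driver.sys", signer="Example Trusted Vendor Ltd")

if __name__ == "__main__":
    print(install_attempts(INSTALLER, PARTS, inherit=True))   # option enabled
    print(install_attempts(INSTALLER, PARTS, inherit=False))  # option disabled
    print(classify(SIGNED_UNKNOWN, set(), inherit=True))
    print(classify(SIGNED_TVL, set(), inherit=True))
```

In this model the last case is the one the thread's opening question turns on: the check keys on the signer's name being in the TVL, so it cannot tell who actually used the signing key.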

aweir14150
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #12 on: December 29, 2010, 02:56:48 AM »

Ok, now I see... and thanks for the clarification.
Logged
Valentin N
Malware Research Group
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #13 on: December 29, 2010, 05:10:20 AM »

Quote from: HeffeD
> But again, I don't think you are understanding what this option does.
>
> A quick example with Automatically trust files from trusted files enabled:
>
> I want to install MyFavoriteApp.exe. This application uses a .bat file or two to unpack files or copy files to respective folders, or perhaps runs a script. This application is not on the trusted vendor list. I get an alert asking if the installer should be allowed to run. I say yes... Great success!! Installation went without a hitch!
>
> OK, now we disable Automatically trust files from trusted files:
>
> Again, we want to install MyFavoriteApp.exe. We tell CIS, yes, let the installer run at the alert. Oh, but wait, this .bat file is unrecognized! I'll sandbox it for you! Install fails because the .bat or script wants to do some things that our isolation level doesn't allow. OK, I click on the "don't isolate again" link in the sandbox alert, but this doesn't help because the install has already failed. So, we try again and the install gets past the original .bat, but hey, there's another one I don't recognize! Sandbox! Click "don't isolate"... Try to install again... Rinse and repeat for however many components of the installer that are unrecognized.
>
> I wouldn't recommend disabling this. Sure, I guess you could say you're more secure because each unrecognized file is getting sandboxed, but really, do you want it to do that? If you don't trust all the components of an installer, you don't actually trust the installer, now do you?

Thank you for the explanation and for improving my knowledge regarding this option. I hope you also understand why I recommended those settings.

Regards,
            Valentin N
Logged


SiberLynx
Re: Would Comodo have stopped the Stuxnet worm?
« Reply #14 on: December 29, 2010, 05:25:25 AM »

Quote from: HeffeD
> I think you are unclear on what this setting does...

True! ... again

Unfortunately as it stands now - he is unclear of anything he is posting as far as I am concerned so far... Just posting a lot of ... and more & whole load of **** around the place

Well, blame me again ... and again  

"personal attack"? "flamebait" ? whatever ... please go ahead

Cheers! & Happy New Year! to all of you
« Last Edit: December 29, 2010, 05:28:54 AM by SiberLynx » Logged

admin; XP Pro, SP3 (32bit); CIS 3.14.130099.587 (firewall only; Proactive with Defense+)- that is the only Comodo's thing I need; Emsisoft - Mamutu Behavioural Blocker or Full EAM
Win 7 x64: Comodo Firewall 3.14; Emsisoft Anti-Malware