Author Topic: A New Way of Exploiting Antivirus Scanners (comodo was among the tested)  (Read 4144 times)

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
Quote
For PUP protection, as well as protection from 'Whitelisted Malware', besides disabling Cloud Lookup you can follow this guide of Cruelsister on how to customize the Vendor List. By deleting unneeded vendors from the list as suggested you will notice less system resource consumption from Comodo.

Comodo actually doesn't use too many resources. It's very light and it does its job very quickly when it catches something.

(Edit!) So really the only thing that's ever been wrong with Comodo is the way they (the people that make the database) go about whitelisting applications. If a digital signature exists in the cloud and malware has that same signature at that moment, the malware or PUP gets allowed.

That needs to change right now. It's as if the police would let a criminal walk out of a prison just because they're wearing a name tag that says they're a warden. It's dumb if that's all it takes, and even though Comodo is for advanced users only, you can't expect a user to make changes like that: to turn off the cloud lookup and to go through the locally stored list of vendors like that.

Comodo needs to whitelist things based on an exact match of a SHA256 hash AND a digital signature, or lack thereof if the application doesn't have one.

Right now, all it takes for an application to be allowed by Comodo is the right name tag at the right time.

(edit end)
« Last Edit: April 25, 2020, 11:53:09 PM by DrAlrek »
ProactiveSecurity
AV: Heur to medium, auto-quarantine, Lite database
HIPS/FW: SafeMode AutoBlock on.
Container: autoblock, but sandbox Chrome&Firefox
Cloud lookup: off, removed unused entries from vendor list
VirusScope: monitor all, auto-quarantine
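The difference the post above is arguing about, shown as an added example (it is not code from this thread or from Comodo, and it does not parse real Authenticode signatures): a "trust the vendor name" policy against a policy that requires an exact match of the file's SHA-256 hash plus its signer, with unsigned known-good files recorded as unsigned. The vendor name, file names and file contents are constructed for the demonstration; the `signer` field stands in for the subject of a signature a real product would have validated first.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileSample:
    """Constructed stand-in for an executable plus its (already validated) signer."""
    name: str
    content: bytes            # constructed stand-in for the executable bytes
    signer: Optional[str]     # subject of a hypothetical valid signature, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Policy 1: trust-by-vendor. Anything carrying a signature from a trusted
# vendor name is allowed, regardless of which binary it actually is.
TRUSTED_VENDORS: Set[str] = {"Example Vendor Ltd"}   # constructed vendor name


def vendor_only_allows(sample: FileSample) -> bool:
    return sample.signer is not None and sample.signer in TRUSTED_VENDORS


# Policy 2: exact match of (SHA-256, signer). A known-good unsigned file is
# stored with signer None, so an unsigned file can only match an entry that
# was itself recorded as unsigned; a signed lookalike never matches it.
AllowEntry = Tuple[str, Optional[str]]


def build_allowlist(known_good: List[FileSample]) -> Set[AllowEntry]:
    return {(s.sha256, s.signer) for s in known_good}


def hash_and_signer_allows(sample: FileSample, allowlist: Set[AllowEntry]) -> bool:
    return (sample.sha256, sample.signer) in allowlist


def evaluate(samples: List[FileSample],
             allowlist: Set[AllowEntry]) -> Dict[str, Tuple[bool, bool]]:
    """Return {file name: (vendor-only verdict, hash+signer verdict)}, True = allowed."""
    return {s.name: (vendor_only_allows(s), hash_and_signer_allows(s, allowlist))
            for s in samples}


# Constructed corpus: two files the user actually trusts ...
VENDOR_TOOL = FileSample("vendor_tool.exe", b"vendor tool v1", "Example Vendor Ltd")
UNSIGNED_TOOL = FileSample("unsigned_tool.exe", b"unsigned helper v1", None)
ALLOWLIST = build_allowlist([VENDOR_TOOL, UNSIGNED_TOOL])

# ... a completely different binary whose signature carries the same vendor
# name (the "right name tag"), and a modified copy of the unsigned tool.
LOOKALIKE = FileSample("lookalike.exe", b"something else entirely", "Example Vendor Ltd")
TAMPERED = FileSample("tampered_tool.exe", b"unsigned helper v1 + extra", None)

if __name__ == "__main__":
    verdicts = evaluate([VENDOR_TOOL, UNSIGNED_TOOL, LOOKALIKE, TAMPERED], ALLOWLIST)
    for name, (by_vendor, by_hash) in verdicts.items():
        print(f"{name:18} vendor-only={str(by_vendor):5} hash+signer={by_hash}")
```

Under the vendor-only policy the lookalike is allowed purely because of its signer name, while the genuinely trusted unsigned tool is not; under the hash-plus-signer policy the two known-good files pass and both the lookalike and the tampered copy are rejected. The cost of the stricter policy is visible too: every legitimate update changes the hash, so the allowlist entry has to be refreshed, which is exactly the maintenance burden a vendor-based list avoids.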

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 535
Quote
Comodo actually doesn't use too many resources. It's very light and it does its job very quickly when it catches something.

(Edit!) So really the only thing that's ever been wrong with Comodo is the way they (the people that make the database) go about whitelisting applications. If a digital signature exists in the cloud and malware has that same signature at that moment, the malware or PUP gets allowed.
(edit end)

What are the chances of this happening (more than 10%)? Of course, hackers are ingenious people. But don't you have such or a similar danger anyway? But don't you have such or a similar danger always?
Hitman Pro checks in the cloud, ESET does it. What about blacklists? In this sense, are you safer with VoodooShield + CIS, using different whitelists?

EDIT: I forgot this:

Quote
Comodo needs to whitelist things based on an exact match of a SHA256 hash AND a digital signature, or lack thereof if the application doesn't have one.

« Last Edit: April 26, 2020, 02:20:01 AM by prodex »

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
Quote
What are the chances of this happening (more than 10%)? Of course, hackers are ingenious people. But don't you have such or a similar danger anyway? But don't you have such or a similar danger always?
Hitman Pro checks in the cloud, ESET does it. What about blacklists? In this sense, are you safer with VoodooShield + CIS, using different whitelists?

EDIT: I forgot this:

VoodooShield also checks against its own M.L.A.I. and VirusTotal. I guess I really don't have to worry. Testers on YouTube use the defaults of Comodo's settings and I've never seen an honest test of Comodo where it failed.

The one test I saw where the tester said it failed, they didn't even test the protection comodo offers. They counted the fact that they were able to download malware at all as a fail, without attempting to run the malware.
(Edit1)
Another thing occurred to me just a while ago. Yes, lots of antivirus programs check things in a cloud database. My issue is that Comodo sometimes adds things to the whitelist without checking too deeply into the software vendor in question. And when a bad vendor gets added to the installation's list of trusted vendors... as far as I'm aware... the user has to start a lookup of the vendors in the list to get rid of any of the bad ones in there.
(Edit1 End)
« Last Edit: May 01, 2020, 12:30:36 AM by DrAlrek »

Offline mmalheiros

  • Comodo's Hero
  • *****
  • Posts: 315
Quote
You can't expect a user to make changes like that: to turn off the cloud lookup and to go through the locally stored list of vendors like that.

Comodo already checks the hash of files against the cloud to verify if they are Trusted, Unknown or Malicious. As for digital signatures, digitally signed malware will most often carry a stolen certificate from a shady and relatively unknown company and almost never a certificate from a big and trustworthy company like Adobe, Google, Apple, Microsoft and others.

For me it took less than five minutes to customize the Vendor List following the guide of Cruelsister. All the user has to do is select all vendors, then use the search function (magnifier icon) to search for the vendors they want to keep, uncheck those, and then press Remove to delete all the other vendors.

Customizing the vendor list is more about protecting against PUPs and controversial companies like Baidu, for example, as well as those Chinese vendors with unreadable characters in the list. It's more about user preference, but Comodo does protect against PUPs and whitelisted malware if you set it up in the right way, and it's an easy thing to accomplish. Is there room for improvement regarding vendor list customization? Yes, sure, and Comodo will eventually get there.

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
Quote
Comodo already checks the hash of files against the cloud to verify if they are Trusted, Unknown or Malicious. As for digital signatures, digitally signed malware will most often carry a stolen certificate from a shady and relatively unknown company and almost never a certificate from a big and trustworthy company like Adobe, Google, Apple, Microsoft and others.

For me it took less than five minutes to customize the Vendor List following the guide of Cruelsister. All the user has to do is select all vendors, then use the search function (magnifier icon) to search for the vendors they want to keep, uncheck those, and then press Remove to delete all the other vendors.

Customizing the vendor list is more about protecting against PUPs and controversial companies like Baidu, for example, as well as those Chinese vendors with unreadable characters in the list. It's more about user preference, but Comodo does protect against PUPs and whitelisted malware if you set it up in the right way, and it's an easy thing to accomplish. Is there room for improvement regarding vendor list customization? Yes, sure, and Comodo will eventually get there.

Cool, just so you know, I followed cruelsister1's guide. I removed all signatures that aren't from companies that make things I use and disabled cloud lookup.

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
Quote
But doing it this way, CIS probably blocks 99.9% of all unknown apps... Do you ever see VoodooShield do something? I don't think so...

But if it is working for you, I guess that is ok..

So you're saying in this post I quoted that with VoodooShield's "Whitelist Cloud" and Comodo's own cloud database enabled, there'd be no issues?

And yes, every now and then, when something I want to check out is allowed by CFW, VoodooShield will sometimes pop up with a "threat detected" sign. Looking at the names of the detections always reveals some kind of PUP when this happens. I guess the people at Comodo working on the database do an analysis based on whether or not the file actually performs any malicious actions. And most of the time, PUPs don't perform any malicious actions that would trigger the behavioral analysis.

I actually saw a tester on YouTube configure CFW in a very similar way to how I do mine. Not even one threat got through. Here: https://www.youtube.com/watch?v=ral_Cl2tmyM

There are a few differences. I also turn on "do not show popup alerts" in VirusScope and file rating, and I enable everything in script detection.
