Author Topic: Comodo firewall bypassed by signed malware  (Read 4702 times)

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5127
Re: Comodo firewall bypassed by signed malware
« Reply #15 on: May 01, 2017, 03:05:10 PM »
I'm not sure why this thread even exists. This is a problem for any security software that is based on a whitelisting approach. Because of possible mistakes there are even specific topics to report such errors when malware is incorrectly whitelisted.

https://forums.comodo.com/av-false-positivenegative-detection-reporting/report-trusted-and-whitelisted-malware-here-2017-no-live-malware-t117715.0.html

https://forums.comodo.com/comodo-valkyrie-fls/post-valkyrie-links-in-which-you-believe-that-the-manual-analysis-is-wrong-t80646.0.html

Offline Yousername

  • Comodo's Hero
  • *****
  • Posts: 236
Re: Comodo firewall bypassed by signed malware
« Reply #16 on: May 01, 2017, 07:01:03 PM »
This is not a digitally signed application. Trusted vendors have nothing to do with this; the file was whitelisted by file hash. I also encountered a similar sample of the same class (Emotet, basically a banking trojan) which also copied a file to AppData and was whitelisted. The variant that I submitted has been blacklisted now.

On a side note I have tried removing the Trusted Vendors List. It seems that with cloud lookup enabled, it still checks the TVL in the cloud (vendors that are found trusted by cloud scan are added back to the TVL), so removing TVL with cloud lookup enabled is basically pointless. If you were to disable cloud lookup and remove TVL it might result in system files being sandboxed if you aren't careful, and of course usability is impacted.
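
As an added illustration of the distinction Yousername draws (example code written for this page, not from the original thread or from Comodo): a file can be on a hash allowlist without carrying any Authenticode signature at all, in which case the Trusted Vendors List never enters the decision. The script parses a PE header for the certificate-table data directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4), computes SHA-256 for the hash lookup, and reports which trust path applies. The trust-path names, the allowlist and the minimal PE builder are constructed for the example; the check only detects whether a signature blob is present, not whether it is valid or who signed it.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header


def pe_security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode certificate table.

    Returns None if the bytes are not a parseable PE image. A size of 0
    means the image carries no signature blob at all.
    """
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:      # PE32
            num_rva_off, dd_off = opt + 92, opt + 96
        elif magic == 0x20B:    # PE32+
            num_rva_off, dd_off = opt + 108, opt + 112
        else:
            return None
        num_rva = struct.unpack_from("<I", data, num_rva_off)[0]
        if num_rva <= SECURITY_DIR_INDEX:
            return (0, 0)
        return struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR_INDEX)
    except struct.error:
        return None


def has_authenticode_blob(data: bytes) -> bool:
    """True if the PE has a non-empty certificate table (presence only, not validity)."""
    sec = pe_security_directory(data)
    return sec is not None and sec[1] > 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def trust_path(data: bytes, hash_allowlist: set) -> str:
    """Which allowlisting mechanism decides the file (labels are this example's own).

    A hash hit short-circuits everything: the vendor list is irrelevant for an
    unsigned file that is already known by hash, which is the case in the thread.
    """
    if sha256_hex(data) in hash_allowlist:
        return "allowed-by-hash"
    if has_authenticode_blob(data):
        return "signed-check-vendor"   # only here would a Trusted Vendors List matter
    return "unknown"


def build_minimal_pe(cert_size: int, pe32plus: bool = False) -> bytes:
    """Construct a tiny, non-loadable PE header for demonstration (constructed sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    opt_size = 240 if pe32plus else 224               # standard sizes with 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)       # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    if cert_size:
        struct.pack_into("<II", opt, dd_off + 8 * SECURITY_DIR_INDEX, headers_len, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


if __name__ == "__main__":
    unsigned = build_minimal_pe(0)
    signed = build_minimal_pe(512)
    allowlist = {sha256_hex(unsigned)}
    print("unsigned, hash-listed :", trust_path(unsigned, allowlist))
    print("unsigned, not listed  :", trust_path(unsigned, set()))
    print("signed, not listed    :", trust_path(signed, set()))
```

Run against a real binary by reading the file and passing its bytes to `trust_path`; a real allowlist would hold the hashes of known files. Even when `has_authenticode_blob` is true, the PKCS#7 blob still has to be verified and its signer compared against a vendor list before anything is trusted.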



Offline shmu26

  • Comodo's Hero
  • *****
  • Posts: 238
Re: Comodo firewall bypassed by signed malware
« Reply #17 on: May 02, 2017, 12:32:20 AM »
I'm not sure why this thread even exists. This is a problem for any security software that is based on a whitelisting approach.
Well, most whitelisting solutions that I know of (NoVirusThanks EXE Radar Pro, VoodooShield, SecureAPlus, ReHIPS) don't have a hidden and constantly updating whitelist that is prone to error. At the most, they have a limited Trusted Vendors List that the user can easily monitor.

However, now that I think about it, your point is quite valid as regards Avast hardened mode/aggressive, and Kaspersky Trusted Applications Mode.

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Re: Comodo firewall bypassed by signed malware
« Reply #18 on: May 02, 2017, 02:12:46 AM »
[...] your point is quite valid as regards Avast hardened mode/aggressive, and Kaspersky Trusted Applications Mode

Which are default-allow AVs with a feature to act like default-deny ones.

If you were to disable cloud lookup and remove TVL it might result in system files being sandboxed if you aren't careful, and of course usability is impacted.

If you have a stable PC (meaning you don't install new apps because you are fine with the ones you already have), you can disable cloud lookup and remove every entry in the TVL but the ones about Microsoft (and a few other apps you use), as shown in this video (from cruelsister) https://www.youtube.com/watch?v=TetSy5vn7_M&ytbChannel=cruelsister1

The problem with CIS is that the TVL will be restored when CIS upgrades to a new version (and also when you import your settings), unless they have fixed this bug.

Offline AtlBo

  • Comodo Family Member
  • ***
  • Posts: 61
Re: Comodo firewall bypassed by signed malware
« Reply #19 on: May 02, 2017, 01:13:17 PM »
Think this may have been fixed. I updated two weeks ago with a trimmed TVL, and it did not revert to the full list.
