Author Topic: Rogue Anti Virus products..  (Read 44556 times)

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Re: Rogue Anti Virus products..
« Reply #15 on: June 08, 2009, 12:24:23 AM »
comodo did not detect recycler virus ...
Hi deecrepit,

The topic here is "Rogue Antivirus". The infection you are referring to is different as far as I know, but in any case it fits perfectly with what Melih mentioned - Prevention, which is correct.

One of the preventive measures regarding such types of infection is disabling Autoruns completely throughout the system. All devices... USBs included. That is a must-have layer of protection in addition to any other layers installed.

There are very good and detailed instructions on how to disable Autoruns completely.
Recently MS fixed some bugs in that area too. There was a security patch a month or so ago.

In addition there is a tool for immunizing flash sticks, pen-drives & so on (Flash Disinfector). A prevention measure again.

The "convenience" of having auto-execution from devices has to be forgotten.

But what is interesting in this context - you did not mention which part of CIS you think missed that. I may be wrong, but you should have had the Alert from Defense+ in the first place.

Or are you saying that there were no Defense+ Alerts?

*** Added: probably the discussion about that should be placed in a separate thread. Moderators will decide.

My regards
« Last Edit: June 08, 2009, 12:30:02 AM by SiberLynx »
Main OS - Ubuntu
XP Pro, SP3 (32bit), Admin; Comodo Firewall 3.14.130099.587; Proactive with Defense+; Emsisoft Anti-Malware v9; Sandboxie
Win 7 x64, Admin (UAC off); Win7 advanced FW +TinyWall; Emsisoft Anti-Malware v9; Sandboxie
Win 7 Ultimate 32bit (UAC off); Emsisoft Internet Security v9 beta
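The "disable Autoruns completely, for all devices" measure SiberLynx recommends above maps to a single Explorer policy value on Windows. The script below is an added example, not code from the forum post or from Comodo: it sets the documented NoDriveTypeAutoRun policy to 0xFF (every drive type) and NoAutorun to 1 (autorun.inf commands are not executed) for both the machine and the current user, then reads the values back so the change can be verified. The list of keys and the helper function names are this example's own choices; run it from an elevated PowerShell session.

```powershell
# Added example (not from the forum post): disable AutoRun for all drive types and verify.
# Registry locations and value names are the standard Windows Explorer policy settings.
# Run from an elevated PowerShell session so the HKLM key can be written.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current-user policy
)

function Set-AutoRunDisabled {
    param([Parameter(Mandatory)][string]$Key)

    # The Policies\Explorer key may not exist on a fresh install; create it if needed.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them
    # (removable, fixed, network, CD-ROM, RAM disk and unknown types).
    Set-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

    # NoAutorun = 1 stops autorun.inf commands from being executed at all.
    Set-ItemProperty -Path $Key -Name 'NoAutorun' -Type DWord -Value 1
}

function Test-AutoRunDisabled {
    param([Parameter(Mandatory)][string]$Key)

    # Returns $true only when both values are present and set to the hardened state.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }

    $mask = $props.PSObject.Properties['NoDriveTypeAutoRun']
    $noAr = $props.PSObject.Properties['NoAutorun']

    return ($null -ne $mask -and $mask.Value -eq 0xFF) -and
           ($null -ne $noAr -and $noAr.Value -eq 1)
}

foreach ($key in $policyKeys) {
    Set-AutoRunDisabled -Key $key
    '{0}: AutoRun disabled = {1}' -f $key, (Test-AutoRunDisabled -Key $key)
}
```

The verification function is deliberately separate from the setter so it can be run on its own (for example from a login script or a compliance check) to detect machines where the policy has been reverted. Explorer reads the policy at logon, so a sign-out or restart is needed before the new setting takes effect for the current session.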

Offline HarpGuy

  • Comodo Family Member
  • ***
  • Posts: 97
  • Little is that which a Blues Harp can't improve.
Re: Rogue Anti Virus products..
« Reply #16 on: July 30, 2009, 11:04:28 PM »
The Common Computing Security Standards (CCSS) forum now has a feature that can help the user identify rogueware.

SEE:  http://www.ccssforum.org/trusted-vendors.php

Offline HarpGuy

  • Comodo Family Member
  • ***
  • Posts: 97
  • Little is that which a Blues Harp can't improve.
Re: Rogue Anti Virus products..
« Reply #17 on: September 14, 2009, 03:04:07 PM »

And ZDNet just wrote a nice article...

The Ultimate Guide to Scareware Protection
http://blogs.zdnet.com/security/?p=4297


And here's a gallery of scareware-related screenshots...

http://news.zdnet.com/2346-12691_22-342083.html

Pretty interesting.

Subgud

  • Guest
Re: Rogue Anti Virus products..
« Reply #18 on: September 14, 2009, 05:11:42 PM »
I was so lucky :-TD being infected by scareware 3 yrs ago. It popped up on my screen saying that I had around 300 infected files and that I needed to download a program to remove these threats. I was not so experienced with computers at that time so I downloaded and paid $29.99 for a program to help me.

He he. Luckily I did not lose more than those 29.99. And after searching the internet I used MBAM and SAS to get my computer clean.

When you have an infection like that it is scary and you get fooled.

Offline johnherland

  • Newbie
  • *
  • Posts: 2
Re: Rogue Anti Virus products..
« Reply #19 on: June 22, 2010, 06:57:30 AM »
I was using the Comodo trial version; recently I got a key for Comodo Internet Security Complete 2010.
When I was surfing the net I faced 5 rogue viruses and they ran completely on my PC, and Comodo didn't detect any of the rogue viruses. The file downloaded by this rogue is there on my PC; I scanned the file by right click and it didn't detect the rogue virus. Then I scanned again with the sandbox, then a pop-up came and it showed that it was accessing your shell and showed me the option to terminate or allow this.
The point is Comodo has a 42 lakh antimalware database and it didn't detect the rogue virus.
And again I was infected with this virus and it's that powerful that it deleted all my files automatically. I locked my files in Folder Lock and these files were also deleted. When I restarted my PC then Windows was corrupted and I had to install Windows again.
Can anyone tell me if Comodo is powerful, or do I have to switch to another antivirus to protect my PC?

Offline clockwork

  • Comodo's Hero
  • *****
  • Posts: 2213
  • Oxygen requires Chuck Norris to live
Re: Rogue Anti Virus products..
« Reply #20 on: June 22, 2010, 09:08:48 AM »
If your settings were right, Comodo would avoid infections BEFORE they happen. Disable the Comodo sandbox, and switch Defense+ to Safe Mode.
As an antivirus I would suggest Avira Personal Free (enable expert mode in settings, and go through it one time). It's one of the good ones.

If you disable the sandbox and run Defense+ in Safe Mode, nothing can run automatically without your allowing it! The rogue wouldn't have been installed, even if the AV (Comodo or Avira, for example) did not know it!

Comodo Firewall and Defense+ is one of the best; combined with Avira Free it's a very good combination, which would not be beaten easily by anything else.

Comodo's sandbox is not advisable, as you experienced now. COMODO should take care of these problems (rogue and sandbox so often appear in the same posts!!!)

But if you allow something to be executed, then it might infect you (but you will be asked beforehand by Defense+ if you want to allow "name" to be executed). That's one little remaining risk, and it's in your hands then.

If you would additionally use Sandboxie (a real sandbox program, free if you don't WANT to pay for it; it gives you the choice, while giving nearly all needed features in both cases),
then even if you would get "infected", after the browser is closed ALL changes would be erased. With this combination you are very safe in a big number of situations.

BUT be careful to make the settings right before first using it. Otherwise you might have a false sense of being protected, or Sandboxie would maybe never be emptied.

« Last Edit: June 22, 2010, 09:30:39 AM by clockwork »
"If there is a problem, it`s something interesting. Try to circumvent or fix it.
In the old ages there has been no support. That`s why we got the brain we have today.
Otherwise we would only be able to call a number and listen.
But there wasnt a phone...."

Offline bcman

  • Malware Research Group
  • Comodo Family Member
  • *****
  • Posts: 94
Re: Rogue Anti Virus products..
« Reply #21 on: June 22, 2010, 09:57:27 AM »
I don't recommend disabling the sandbox. If it is enabled then everything that is unknown will run in it and cannot affect the system.

Offline clockwork

  • Comodo's Hero
  • *****
  • Posts: 2213
  • Oxygen requires Chuck Norris to live
Re: Rogue Anti Virus products..
« Reply #22 on: June 22, 2010, 11:50:53 AM »
I don't recommend disabling the sandbox. If it is enabled then everything that is unknown will run in it and cannot affect the system.

And you are sure that you read what the poster before me wrote???

Because it HAS BEEN allowed to run in the Comodo sandbox, it had the chance to execute and infect the PC AND erase all DATA :O
This sandbox doesn't protect as it should. And even more, in some cases it's more dangerous to have it run.

Comodo until version 4 was secure, without the sandbox. And with the sandbox now, ONLY questions have been reduced from Defense+. But it's NOT as if the sandbox would make Comodo more secure in all cases.

For example: this rogue, even if it was "sandboxed by Comodo", had the rights to make internet connections by default. I don't know if they changed this default rule in 4.1. But as you see, sandbox is not like sandbox, first of all in this case.
It reduces questions, for user-friendliness.... And as it often is, user-friendliness can be insecure somehow.

JohnHerland, I have no idea why you faced 5 rogue malware programs while browsing. I have the idea that maybe your PC is infected, and that's why you are facing more and more things. Maybe it's a rootkit, hidden from antivirus products.... Just in case, I wanted to mention it.
I never faced a rogue antivirus when I browsed the internet. If I would, Sandboxie would have erased it after I closed my browser....
The Comodo sandbox doesn't erase like a sandbox should.
AND one thing: an antivirus is not your father. It's a friend, but he can't know everything. So load only things that you know, and test them with an antivirus to see if they are clean..... at least as clean as the last virus signature update says. If you don't know a program, then "google" it.
Security programs should be loaded only with reputation from known sites, and maybe with a link from a much more trusted site, to be sure that you get the real homepage.
« Last Edit: June 22, 2010, 12:15:53 PM by clockwork »

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Rogue Anti Virus products..
« Reply #23 on: June 22, 2010, 05:17:00 PM »
And you are sure that you read what the poster before me wrote???

Because it HAS BEEN allowed to run in the Comodo sandbox, it had the chance to execute and infect the PC AND erase all DATA :O
This sandbox doesn't protect as it should. And even more, in some cases it's more dangerous to have it run.

Comodo until version 4 was secure, without the sandbox. And with the sandbox now, ONLY questions have been reduced from Defense+. But it's NOT as if the sandbox would make Comodo more secure in all cases.

For example: this rogue, even if it was "sandboxed by Comodo", had the rights to make internet connections by default. I don't know if they changed this default rule in 4.1. But as you see, sandbox is not like sandbox, first of all in this case.
It reduces questions, for user-friendliness.... And as it often is, user-friendliness can be insecure somehow.

JohnHerland, I have no idea why you faced 5 rogue malware programs while browsing. I have the idea that maybe your PC is infected, and that's why you are facing more and more things. Maybe it's a rootkit, hidden from antivirus products.... Just in case, I wanted to mention it.
I never faced a rogue antivirus when I browsed the internet. If I would, Sandboxie would have erased it after I closed my browser....
The Comodo sandbox doesn't erase like a sandbox should.
AND one thing: an antivirus is not your father. It's a friend, but he can't know everything. So load only things that you know, and test them with an antivirus to see if they are clean..... at least as clean as the last virus signature update says. If you don't know a program, then "google" it.
Security programs should be loaded only with reputation from known sites, and maybe with a link from a much more trusted site, to be sure that you get the real homepage.
From my understanding of the post he may have encountered an elevated alert popup and given it access. Hopefully I'm right.

[at] johnherland, can you please PM me the malware so I can check it out?

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Rogue Anti Virus products..
« Reply #24 on: June 22, 2010, 09:17:13 PM »
[at] johnherland, can you please PM me the malware so I can check it out?
Thanks for the malware (I bet you don't hear that too often) ;)

Here are the links for the two:
http://www.virustotal.com/analisis/a685017df31eabc29aacfed5af8746184ad3f5180ab302845a64a805ec04e6f7-1277255012
http://camas.comodo.com/cgi-bin/submit?file=a685017df31eabc29aacfed5af8746184ad3f5180ab302845a64a805ec04e6f7

http://www.virustotal.com/analisis/36d37bd7b0fa05a600cc6438dea9b77d1d0e2c841760a5c4dd6237e10773f422-1277254997
http://camas.comodo.com/cgi-bin/submit?file=36d37bd7b0fa05a600cc6438dea9b77d1d0e2c841760a5c4dd6237e10773f422
http://anubis.iseclab.org/?action=result&task_id=14fa66d5265ce7d14d5ef9334b50e9752&format=html

The first can't run in the sandbox and in fact Anubis could not execute it saying "Either your file is not a valid Windows executable or some of its startup-dependencies have not been met."

When I run them, the second is able to run in the sandbox (I disabled the AV). The "installation" freezes and doesn't advance. I blocked all firewall alerts. I have installed a pic of the "installation".

I have my configuration set up as explained here:
http://forums.comodo.com/install-setup-configuration-help-cis/how-to-configure-comodo-firewall-for-maximum-protection-t57944.0.html;msg406533#msg406533
Also, I am running Windows 7 x64.

johnherland, can we please get some more information about how this rogue bypassed CIS on your computer? What was your security setup and how did you answer any alerts?

[attachment deleted by admin]

Offline johnherland

  • Newbie
  • *
  • Posts: 2
Re: Rogue Anti Virus products..
« Reply #25 on: June 23, 2010, 07:54:10 AM »
Chiron, the second file (packupdate107_2129.exe) that you have tested is now caught by Comodo, but this time the database is 5188.
When I faced this rogue the Comodo database was 5115. I have sent this file by mail to this address (malwaresubmit[at]avlab.comodo.com).
Maybe they added it to their database.
The one that corrupted my Windows came from some online gaming site; I don't know the exact site.
Thanks for responding to my question.
And tell me one thing: can I use this Comodo on my laptop? A lot of personal information like credit card and bank information is there.
Is Comodo capable of taking care of all these things?

Offline clockwork

  • Comodo's Hero
  • *****
  • Posts: 2213
  • Oxygen requires Chuck Norris to live
Re: Rogue Anti Virus products..
« Reply #26 on: June 23, 2010, 11:49:58 AM »
When you look at tests of Comodo Firewall and its Defense+ section, you will see that it is one of the very good programs.
But no product can be perfect if the user doesn't make the right settings. Don't forget that.

As an antivirus, I would again suggest using Avira Free Edition. (Disable the antivirus of Comodo before, if)

It's a real good combination. Security depends on good settings (Avira: activate the expert mode to be able to make all settings).

Personally I would not suggest using the Comodo sandbox feature.

In result, Comodo will be my first choice for firewall and Defense+
and
Avira Free Edition will be my choice for antivirus
and
Sandboxie will be first choice for a real sandbox.
All 3 are free versions, all 3 are among the best.
(with the right settings of course!)
« Last Edit: June 23, 2010, 11:57:05 AM by clockwork »

Offline bob3160

  • avast! Contractor
  • Comodo Family Member
  • ***
  • Posts: 83
  • Organ donors lead extended lives!
Re: Rogue Anti Virus products..
« Reply #27 on: July 05, 2010, 04:21:36 PM »
Do you have a rebuttal for the following YouTube video which clearly shows how easy it is to totally bypass
Comodo and install a rogue antivirus ???
http://www.youtube.com/watch?v=4AYeIDI4CB4


Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Rogue Anti Virus products..
« Reply #28 on: July 05, 2010, 04:34:29 PM »
Do you have a rebuttal for the following YouTube video which clearly shows how easy it is to totally bypass
Comodo and install a rogue antivirus ???
http://www.youtube.com/watch?v=4AYeIDI4CB4
It at least looks to me like they have located a bug in the sandbox. I'm sure it'll be fixed soon.

I also wouldn't mind a comment from the Staff to confirm my suspicions.

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Re: Rogue Anti Virus products..
« Reply #29 on: July 06, 2010, 03:44:05 AM »
Hi Guys,

It seems to me that this particular thread (the old one) went "a bit" !ot!
Disabling Autoruns / "Rogue Antivirus" & new issues with Comodo's "sandbox" that cannot possibly ever be fixed are different/separate issues.

Are we talking about the same thing?   88)

Cheers!
« Last Edit: July 06, 2010, 03:47:24 AM by SiberLynx »