Comodo Cloud AV Test Results & Reviews

[Jon79]

[at]Jon79 that is related to the embedded code detection for interpreters such as powershell, wscript, cscript, etc, for sandboxing of so called "fileless" malware.

So, is it a feature of CIS only? Is CCAV still vulnerable?

[Yousername]

Not sure. Looking at the test results it looks like CCAV failed in one instance where Comodo protected, but I think CCAV also has this feature to a certain extent.

[Jon79]

Not sure. Looking at the test results it looks like CCAV failed in one instance where Comodo protected, but I think CCAV also has this feature to a certain extent.

Actually, CIS failed too, it got 5 yellow dots (versus the 1 red + 4 yellow dots of CCAV).

Yellow dot = It indicates a blocked malicious software placed on a victim’s workstation as a result of applying  an exploit in a drive-by download attack. The color also symbolizes an unblocked hacker connection with an infected workstation by a firewall module. In this case, a cybercriminal may still try other security bypass techniques

Red dot = both the attack on a browser and a download and run of malicious software by a PowerShell interpreter wasn’t blocked by an antivirus application

What it's not clear to me is how they judged a PowerShell interpreter running in the sandbox...

[Jon79]

By the way, at page 20 they wrote

The exception of this rule is also Comodo software, which has implemented a local sandbox mechanism and unknown files scanning in the cloud, both ensuring that running unknown applications and scripts (.ps1, wscript.exe, .vba, .cmd, .bat, cmd.exe, .pl, .pdf, powershell.exe and others) won't access a network so they won't do any serious damage to the system

They tested CCAV v1.10, while the option to block internet connections to sandboxed apps was introduced in v1.11.
So, I think that CCAV v1.11 or later will get at least the same results of CIS

[Yousername]

At the default level, CIS does not block connections by using the firewall, which is why there was an "unblocked hacker connection" for the 5 test scenarios. Blocking connections require user interaction if I recall the default settings correctly. Interpreters can be used to steal data, that's why "fileless" attacks are targeting infrastructures and banks and such.

The "hacker connection" can be blocked manually when you see a Firewall alert in CIS, or by setting the firewall to block outgoing requests for both CCAV and CIS. You won't get a connection alert in CCAV unlike CIS however, so CCAV protection is dependent on those settings.

In terms of the CCAV fail, it looks like a PS interpreter was not caught by the sandbox based on these results. Comodo caught all of them.

They can easily determine whether the interpreters are running in the sandbox by checking the contained apps.

[Jon79]

[...] setting the firewall to block outgoing requests [...]

The version of CCAV they tested (v1.10) didn't have that option and sandboxed apps were able to connect to internet

In terms of the CCAV fail, it looks like a PS interpreter was not caught by the sandbox based on these results.

I think the interpreter was able to connect to internet even if working inside the sandbox (see above) and download the payload, so probably that's the reason of the red dot

[Yousername]

Red dot = both the attack on a browser and a download and run of malicious software by a PowerShell interpreter wasn’t blocked by an antivirus application

This leads me to believe that the interpreter was missed during the attack stage, and then the interpreter downloaded the payload which lead to a compromised system. If the interpreter was in the sandbox and downloads the payload, the payload which is the unrecognized child of the interpreter would be contained. Or the executed script would be contained. So it would have been a yellow dot if the interpreter was contained.

[Jon79]

Red dot = both the attack on a browser and a download and run of malicious software by a PowerShell interpreter wasn’t blocked by an antivirus application

This leads me to believe that the interpreter was missed during the attack stage, and then the interpreter downloaded the payload which lead to a compromised system. If the interpreter was in the sandbox and downloads the payload, the payload which is the unrecognized child of the interpreter would be contained. Or the executed script would be contained. So it would have been a yellow dot if the interpreter was contained.

As long as they know what containment means

The exception of this rule is also Comodo software, which has implemented a local sandbox mechanism and unknown files scanning in the cloud, both ensuring that running unknown applications and scripts (.ps1, wscript.exe, .vba, .cmd, .bat, cmd.exe, .pl, .pdf, powershell.exe and others) won't access a network so they won't do any serious damage to the system

This makes me think the trick is about blocking Internet connection, but we will never know until we ask them

[Yousername]

Yes blocking connections is the key between a yellow dot and a green dot. I'm not concerned at all about the yellow dots since a single tweak in both CIS and CCAV settings would prevent the "hacker connections." As for the red dot of CCAV it will need an explanation from them. It is always advisable to take any AV results with a grain of salt.

[Jon79]

https://www.youtube.com/watch?v=jp9HlczMOPc

CCAV vs. some ransomwares 

[Redstraw]

https://www.youtube.com/watch?v=jp9HlczMOPc

CCAV vs. some ransomwares 

The recognizer didn't show any popup in this test?

[Jon79]

The recognizer didn't show any popup in this test?

Well, if the ransomware is sandboxed, it can't modify files (for example, pictures) in the real system, so maybe that's why there's no VirusCope popups... and this is the reason why I made a wish to add an option for VirusCope to monitor every app (not only sandboxed ones)

https://forums.comodo.com/wishlist-ccav/add-an-option-in-ccav-for-viruscope-to-monitor-either-sandboxed-apps-or-all-apps-t119870.0.html

[Yousername]

I think the recognizer is still in test mode, meaning that if it detects something, the user won't be notified. They are making sure the recognizers do not produce many false positives when they enable detection alerts again.

[BlueTesta]

Comodo Cloud AV Review By Malware Blocker
https://www.youtube.com/watch?v=utW0ydR26ZU

[Melih]

Comodo Cloud AV Review By Malware Blocker
https://www.youtube.com/watch?v=utW0ydR26ZU

if everything caught in our containment/auto sandbox...and then sent to valkyrie and turned into either good file or malware...why do u need another av? (i am trying to understand the logical reason for future improvements)