Topic: Malware vs Comodo Containment!

Offline BuketB

  • Comodo's Hero
  • *****
  • Posts: 898
Malware vs Comodo Containment!
« on: July 14, 2015, 08:59:56 AM »
Hi Everybody !  :)

We would like to share with you cases of what happens when specific malware meets Comodo's Containment!

Here we have the third case with SpyEye vs Comodo Containment:  

SpyEye is a type of malware which Cybercriminals use to steal online banking credentials, credit card data, passwords, and other personal information. SpyEye has infected more than 1.4 million computers globally, and its silent attack means you’re delivering your information straight to criminals.

SpyEye works like this:

1. SpyEye installs keylogger software which monitors all of your keyboard-clicking activities.
2. SpyEye collects all of the information you type: login credentials, passwords, credit card information, and every other type of personal information imaginable.
3. You deliver this information straight to Cybercriminals.

But when SpyEye meets Comodo’s Containment Technology, where all unknown files go into Containment, the results are devastating for SpyEye:

1. SpyEye tries to install keylogger software.
2. SpyEye FAILS—miserably. In Comodo Containment, malware simply cannot inject code into other processes.
3. Another safe and secure Comodo user!!

Comodo is the only antivirus company that brings proven, battle-tested containment technology to enterprise.

Learn more about The World’s First Automatic Containment Technology:

https://containment.comodo.com

For the previous cases please kindly check: https://blog.comodo.com/category/containment/


« Last Edit: August 05, 2015, 11:14:35 AM by BuketB »

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1157
Re: Malware vs Comodo Containment!
« Reply #1 on: July 15, 2015, 05:07:08 AM »
Hello BuketB,
The only condition is adequate protection parameters (in Comodo).

Offline BuketB

  • Comodo's Hero
  • *****
  • Posts: 898
Re: Malware vs Comodo Containment!
« Reply #2 on: July 15, 2015, 07:12:01 AM »
Hello ZorKas,

The good, the bad and the ugly:   https://www.youtube.com/watch?v=Uq31kqKiQ4I

We provide you 360-degree protection, because we protect you from any unknown file, not only the malicious files  :-TU :-TU

Kind Regards
Buket

Offline khanyash

  • Comodo's Hero
  • *****
  • Posts: 5246
Re: Malware vs Comodo Containment!
« Reply #3 on: July 15, 2015, 08:22:32 AM »
Containment technology is good. And whitelists are an important aspect of Containment technology.

Comodo has a huge Cloud Whitelist to assist Containment technology & make Comodo software (CIS) easy to use for the majority of users & enhance usability a lot.

But... https://forums.comodo.com/news-announcements-feedback-cis/user-experience-suggestion-t112004.0.html
As mentioned in the above thread, the Cloud should work in a protective way & not be a mere cloud connection... so that, with Unknown & Malware, Safe (Whitelisted) programs are not Contained (Sandboxed) too.

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1157
Re: Malware vs Comodo Containment!
« Reply #4 on: July 15, 2015, 12:12:57 PM »
Quote from: BuketB on July 15, 2015, 07:12:01 AM
Hello ZorKas,

The good, the bad and the ugly:   https://www.youtube.com/watch?v=Uq31kqKiQ4I

We provide you 360-degree protection, because we protect you from any unknown file, not only the malicious files  :-TU :-TU

Kind Regards
Buket

Yes BuketB,
Comodo CIS v.8.2.0.4591 is very good
Here in France the government warned us of the risk.
For my part I use Comodo CIS with the following parameters:
- Antivirus => Dynamics
- Sandbox => On
- HIPS => Secure Mode
- Firewall => Secure Mode
- Viruscope => On
http://www.interieur.gouv.fr/Actualites/L-actu-du-Ministere/Cryptolocker-une-prise-d-otages-en-2.0

Offline BuketB

  • Comodo's Hero
  • *****
  • Posts: 898
Re: Malware vs Comodo Containment!
« Reply #5 on: July 20, 2015, 09:33:17 AM »
Hey Guys,

Here please kindly check out the second malware case "Shylock vs Comodo Containment"

https://blog.comodo.com/containment/shylock-vs-comodo-containment

We are waiting for your comments about the malware as well.

Kind Regards
Buket

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 485
  • Brazilian / Medicine Student / Love Technology
Re: Malware vs Comodo Containment!
« Reply #6 on: July 20, 2015, 10:40:33 AM »
Congratulations Comodo  :-TU

I like to see these blog posts, as well as recent news from Comodo  https://www.comodo.com/news/in-the-news.php

Thanks

Offline BuketB

  • Comodo's Hero
  • *****
  • Posts: 898
Re: Malware vs Comodo Containment!
« Reply #7 on: August 05, 2015, 11:17:11 AM »
Hey Guys,

Here is the third case of Malware vs Comodo Containment! What happens when CIS meets SpyEye? Check here: https://blog.comodo.com/comodo_news/spyeye-vs-comodo-containment/

Kind Regards
Buket

Offline RealNature

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1277
  • Nothing without God
Re: Malware vs Comodo Containment!
« Reply #8 on: September 29, 2015, 07:50:06 AM »
No surprise here ;D. I already know comodo is rock solid :-TU (:CLP) (:CLP)
Thx guys for your amazing job :)

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1103
Re: Malware vs Comodo Containment!
« Reply #9 on: September 30, 2015, 02:52:56 AM »
That's true, but I guess the keylogger comes with another software to hide it, right?
If so, if you run that software as virtualized, maybe something can't work properly because of the virtualization (this happens with some harmless software not yet whitelisted by Comodo).
So the average user will run the software again, asking CIS not to virtualize it.
Then, what will happen? You get keylogged!!!

That's why I think (just a personal opinion) it's better to run any unknown software as "Run Restricted --> Untrusted". Like this you will get some pop-up from the HIPS and that can let you better understand what the software is trying to do and decide whether to allow it or not.
Of course, it's user-dependent, but I think CIS warnings are quite clear to understand and manage.

Some more references:
https://forums.comodo.com/defense-sandbox-help-cis/spyshelter-test-t109758.0.html
https://forums.comodo.com/format-verified-issue-reports-cis/limited-and-restricted-block-screen-capture-but-untrusted-does-not-m399-t95001.30.html

Offline Der.Reisende

  • Newbie
  • *
  • Posts: 3
Re: Malware vs Comodo Containment!
« Reply #10 on: November 03, 2016, 08:02:08 AM »
Having (minor but probably dangerous) issues with Comodo Internet Security Premium, v8.4.0.5165:
I'm currently testing the suite against (at least for Comodo) Zero Day malware.
In today's test, multiple ransomware samples (e.g. Locky) managed to encrypt .js and .vbs files, while being fully contained on run. All other files (pictures, text files, especially those outside the folder the ransomware was located in) were protected by containment.
I also had a CryptoLocker sample, which was only able to change the background to black and to drop and open up the usual notifications; no file was encrypted, however.

Setup:
Preset: Internet Security (by default), box "show less alarms" unticked in first installation window
Antivirus: on (Realtime), scan memory on startup: no
Firewall: on (Safe Mode)
Auto-Sandbox: on
Viruscope: on (only monitor sandboxed apps)
HIPS: on (Safe Mode, "Set Popup alerts to verbose mode")
File reputation: on (autoupload, trust signed apps, detect PUP)

The test can be seen here: https://malwaretips.com/threads/03-11-2016-11.65095/#post-560722
Note that you need to create an account / to log in to view the thread. I tried to write down there everything I thought would be of use, though I'm no expert.
P.S. Second opinion scanners, McAfee GetSusp and SysInternals TCPView / Autoruns tell me the system should be clean (after clearing sandbox).

Looking forward to your feedback.

EDIT: Mods please move the message if wrong thread. Thank you!
« Last Edit: November 03, 2016, 08:06:14 AM by Der.Reisende »

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Malware vs Comodo Containment!
« Reply #11 on: November 03, 2016, 03:37:13 PM »
Hi  Der.Reisende,

Welcome to the forums. I just tested it on a virtual machine with beta version and I see no problem. It would be great if you could check it with the beta as well.  :)
(exception being wallpaper change which is a known issue)

Offline Der.Reisende

  • Newbie
  • *
  • Posts: 3
Re: Malware vs Comodo Containment!
« Reply #12 on: November 03, 2016, 06:11:50 PM »
Quote from: qmarius on November 03, 2016, 03:37:13 PM
Hi Der.Reisende,

Welcome to the forums. I just tested it on a virtual machine with beta version and I see no problem. It would be great if you could check it with the beta as well.  :)
(exception being wallpaper change which is a known issue)

Thank you for your warm welcome qmarius!
Sorry for the late reply.
I gave CIS 10 BETA a spin (inside a ShadowDefender containment), same issue here. Interesting for me to see is that .jpeg and .txt files I put in the folder just to see what happens were not harmed, again only the script files? I found some option in Comodo Sandbox Settings (both 8 and 10 BETA) which is enabled by default, excluding specific folders from containment. "Downloads" is one of them, and it's actually the folder the malware is located at.
I will try to deactivate that for the next pack tomorrow (better said today), just to see what happens.
However, I still don't get why containment seems to work just fine on almost every file I ran from that location (e.g. a ZBot malware was blocked just fine yesterday, obviously VM aware, gone just after run), only failing partly for some scripted ransomware? And ransomware only being able to hit specific file formats? Note that from the first 4 malwares of that pack, the first 2 crashed, number 3 dropped some weird stuff (the fake taskmanager etc., all getting contained on run), and number 4 being the Locky encrypting all those script files (and only them) inside the malware folder in Downloads. This after triggering rundll32.exe and staying silent for about a minute (though calling outbound).

Offline lyonel

  • Comodo's Hero
  • *****
  • Posts: 235
Re: Malware vs Comodo Containment!
« Reply #13 on: November 04, 2016, 04:56:55 AM »
This new feature is a great thing.

I'm trying to find a program that lets me allow, on my PCs, a restricted list of extensions (xlsx, pptx, docx, pdf, jpeg, dlllog ...), so that if a crypto wants to rename all my files to .zepto, it can't do it, because .zepto is not present in the allowed extension list.

Maybe this possibility could be added together with the container, if it encounters a bug.

French Translator of / Traducteur pour le Français de: CIS, CMS, CCAV, COHE, CB, ITSM

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Malware vs Comodo Containment!
« Reply #14 on: November 04, 2016, 07:21:50 AM »
Many thanks. Initially, I have tested it on "Desktop" folder and no changes were made. It appears that javascript files from "Downloads" folder were altered. I have reported your issue. As a precaution, for the meantime, you could disable "Shared Spaces" feature.

Hope it helps.

// bug 1987
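To make the "Shared Spaces" interaction concrete, here is an added toy model (not Comodo's code, not from any post above): it assumes a single shared folder modelled on the "Downloads" exclusion Der.Reisende and qmarius discuss, plus an extension allowlist like the one lyonel suggests, and shows why a contained sample's writes in that folder land on the real disk and how an unexpected extension such as .zepto would be caught.

```python
# Added toy model (not Comodo's code): a contained process's writes are
# normally redirected to a virtual copy, but paths under a "shared space"
# (modelled on the "Downloads" exclusion discussed in the thread) land on the
# real filesystem.  An extension allowlist, as lyonel suggests, then flags
# writes such as a rename to ".zepto".  All paths and lists are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed shared folder (constructed; the product setting is "Shared Spaces").
SHARED_SPACES = [PureWindowsPath(r"C:\Users\alice\Downloads")]

# Assumed allowlist of extensions the user expects to be written.
ALLOWED_EXT = {".xlsx", ".pptx", ".docx", ".pdf", ".jpeg", ".jpg",
               ".txt", ".js", ".vbs", ".log"}

@dataclass
class WriteAttempt:
    path: str        # target path of the write or rename
    contained: bool  # is the writing process running inside containment?

def in_shared_space(path: str) -> bool:
    """True when the path is inside one of the shared folders."""
    p = PureWindowsPath(path)
    return any(sp == p or sp in p.parents for sp in SHARED_SPACES)

def evaluate(attempt: WriteAttempt) -> tuple:
    """Return (where the write lands, whether the allowlist flags it)."""
    p = PureWindowsPath(attempt.path)
    lands_real = (not attempt.contained) or in_shared_space(attempt.path)
    flagged = lands_real and p.suffix.lower() not in ALLOWED_EXT
    return ("real" if lands_real else "virtualized", flagged)

def audit(attempts) -> list:
    """Paths a contained process could damage for real with an unexpected extension."""
    return [a.path for a in attempts if evaluate(a) == ("real", True)]

# Constructed events modelled on the thread: a contained sample renames files
# in Downloads, touches a Desktop file, and writes a normal document.
SAMPLE = [
    WriteAttempt(r"C:\Users\alice\Downloads\pack\run.js.zepto", True),
    WriteAttempt(r"C:\Users\alice\Downloads\pack\macro.vbs.zepto", True),
    WriteAttempt(r"C:\Users\alice\Desktop\notes.txt.zepto", True),
    WriteAttempt(r"C:\Users\alice\Downloads\report.docx", True),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.path, evaluate(a))
    print("at risk:", audit(SAMPLE))
```

Only the two Downloads renames are reported as real and flagged; the Desktop rename is virtualized and the .docx write in Downloads is real but expected, which matches the observation that only files in the excluded folder were altered.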
