Author Topic: Why Comodo's Antivirus security is different  (Read 9235 times)

cruelsister
Re: Why Comodo's Antivirus security is different
« Reply #15 on: April 30, 2020, 02:41:34 PM »
Nunzio- Just noticed that the symbol [at] (for "at") does not show up in messages. You can instead just have the first line be: ECHO off

Sorry for that!!!

Meghan

CommodoUser2019
Re: Why Comodo's Antivirus security is different
« Reply #16 on: April 30, 2020, 03:54:50 PM »
Hello cruelsister,

I tried your trick with notepad and included:
ECHO off
:top
START %SystemRoot%\system32\calc.exe
GOTO top
Saved as a .bat file on desktop.
When I ran it I got a warning. I clicked Allow, then it ran contained. However, resetting the container does not work. There are currently 581 contained apps in the container and it seems to be holding at that. Also interesting is that I cannot find the VTRoot folder in the C drive. I have Show hidden folders on. Then I turned Show protected folders on and it is still not there. Also on the desktop are two (hidden or protected) desktop.ini files that contain:
[.ShellClassInfo]
LocalizedResourceName=[at]%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

and:
[.ShellClassInfo]
LocalizedResourceName=[at]%SystemRoot%\system32\shell32.dll,-21799

[LocalizedFileNames]
3D Vision Photo Viewer.lnk=[at]%ProgramFiles(x86)%\NVIDIA Corporation\3D Vision\nvstlink.exe,-2003

I'm wondering if there is a bug, or did I overlook something or do something wrong?

PS- I am using standard proactive mode in CIS 12.2.2.7036

CISfan
Re: Why Comodo's Antivirus security is different
« Reply #17 on: April 30, 2020, 04:13:49 PM »

Also interesting is that I cannot find the VTRoot folder in the C drive.

The VTRoot directory is only visible (it will be created) when a contained application makes any changes to the file system.
Calc.exe does not make any changes so VTRoot will not be there.
When you Reset the Container VTRoot will be removed from the C drive.

Try the below in a bat file and VTRoot will be created, because explorer.exe makes some changes to the file system.

ECHO off
START %SystemRoot%\explorer.exe

CISfan
Re: Why Comodo's Antivirus security is different
« Reply #18 on: April 30, 2020, 04:17:34 PM »

Also on the desktop are two (hidden or protected) desktop.ini files that contain:
...

This is normal behavior when you have show hidden folders and show protected folders on.
They are both on my desktop too.

CommodoUser2019
Re: Why Comodo's Antivirus security is different
« Reply #19 on: April 30, 2020, 04:44:56 PM »
The VTRoot directory is only visible (it will be created) when a contained application makes any changes to the file system.
Calc.exe does not make any changes so VTRoot will not be there.
When you Reset the Container VTRoot will be removed from the C drive.

Try the below in a bat file and VTRoot will be created, because explorer.exe makes some changes to the file system.

ECHO off
START %SystemRoot%\explorer.exe

OK, so the VTROOT folder is not always there. After running the bat file, it did open explorer one time contained. Going through the contained explorer, I was not allowed access to the VTROOT folder, but I did find it through the uncontained explorer.

Strangely, when I reset the container this time, the number of contained apps on the advanced view of CIS went back down to what it was after running cruelsister's batch file (581). But the VTROOT folder is still showing up in explorer with the same 5 icon and thumb cache files. Also, after closing the CIS GUI, the taskbar icon disappeared and would not return after reopening CIS (normally it's always there). This seems like buggy behavior. So I'm wondering if the container is actually empty, even though the GUI shows it to contain 581 contained apps. Because if they were there, they'd be in the VTROOT folder, correct?

EDIT: Only after unblocking the cruelsister test files did the VTROOT folder disappear.
EDIT 2: Everything seems to be sorted out after a reboot. If a mod sees this and wants a log file, let me know.
« Last Edit: April 30, 2020, 05:12:21 PM by CommodoUser2019 »

CISfan
Re: Why Comodo's Antivirus security is different
« Reply #20 on: April 30, 2020, 05:15:18 PM »
OK, so the VTROOT folder is not always there.

Correct.

Going through the contained explorer, I was not allowed access to the VTROOT folder, but I did find it through the uncontained explorer.

Also correct, I think it's by design that VTRoot cannot be accessed through containment.

So I'm wondering if the container is actually empty, even though the GUI shows it to contain 581 contained apps. Because if they were there, they'd be in the VTROOT folder, correct?

The VTRoot directory only keeps track of the file system changes made by any application run in containment. As such, Containment does not store the contained application itself in VTRoot and does not run it from there.

cruelsister
Re: Why Comodo's Antivirus security is different
« Reply #21 on: April 30, 2020, 06:31:23 PM »
And also notice that the Script Analysis function (which is on by default, with the "Recommended" notation) MUST ALWAYS BE LEFT ON!!!!! If it is disabled, Scriptors will not be automatically shunted to containment, and thus will be allowed to run. Once again, you can try this for yourself with the above listed loop batch (but be prepared to manually reboot your system).

So NEVER EVER (never, ever) uncheck the "Perform Script Analysis" setting in Advanced Protection!!!!!!!

CISfan
Re: Why Comodo's Antivirus security is different
« Reply #22 on: April 30, 2020, 06:45:03 PM »
That should be chiselled in stone and put above one's bed. :) :) :)

CommodoUser2019
Re: Why Comodo's Antivirus security is different
« Reply #23 on: April 30, 2020, 09:11:55 PM »
Agreed about Script Analysis. Mine is at default settings. If anything, I would activate more protection there, but at this time I'm not familiar with the settings.

NDABBRU
Re: Why Comodo's Antivirus security is different
« Reply #24 on: May 08, 2020, 03:22:43 AM »
And also notice that the Script Analysis function (which is on by default, with the "Recommended" notation) MUST ALWAYS BE LEFT ON!!!!! If it is disabled, Scriptors will not be automatically shunted to containment, and thus will be allowed to run. Once again, you can try this for yourself with the above listed loop batch (but be prepared to manually reboot your system).

So NEVER EVER (never, ever) uncheck the "Perform Script Analysis" setting in Advanced Protection!!!!!!!

I tried with another antivirus, and it was enough for me to close the DOS prompt without restarting the PC.
Instead, with Comodo it opened many screens and, with difficulty zeroing the container, I blocked everything.
Bye!
Nunzio

NDABBRU
Re: Why Comodo's Antivirus security is different
« Reply #25 on: May 13, 2020, 08:15:18 AM »
However, in my opinion it was really a shame to abandon the Comodo Cloud Antivirus project. ;)

In my opinion it was an excellent product both in terms of graphics, functionality, lightness and protection.

It was enough to improve it in some aspects, such as the detection rate, and integrate a web protection with heuristics and a blacklist, and it would have been the TOP.
For sure it would have beaten many other free and paid cloud antiviruses.

A cloud sibling, lighter than Comodo Antivirus, would also have complemented it well for users looking for a simple and effective solution. ;)
Bye!
Nunzio

porkpiehat
Re: Why Comodo's Antivirus security is different
« Reply #26 on: August 05, 2020, 10:09:03 AM »
An excellent summary of the strength of Comodo's containment.

1). I'm glad that fileless malware was highlighted, as Comodo provides lockdown protection against Scriptors of various types (wscript, vbs, powershell, python, etc.) by means of the Script Analysis function (which works hand in hand with Containment). Most (all) other security solutions do not provide such blanket protection.

(For any that would like to verify for themselves, let's consider a (very) simple loop script, one which will do nothing but open up a cascading series of Calculators:

ECHO off
:top
START %SystemRoot%\system32\calc.exe
GOTO top

Paste the above into Notepad, and save as calc.bat.

You can run it safely and see what gets plopped into Containment; flush Containment, and all is back to normal. You can try this also with your regular AV and see what happens.)

2). In addition to fileless malware, Comodo will also protect quite well against things that malware authors use as replacements for Scripts: certutil, MpCmdRun, and BITSAdmin. Also it will stop very nasty things like malware utilizing Schtasks. I did a number of videos using malware coded around this to show how inadequate popular security products were at providing Boot Time protection.

In short, if you would like to be confident about being protected for malware, use Comodo. If you would rather worry, use something else.

M

So cool... after disabling my AV (which stopped it in its tracks) it ran in containment, and was flushed to clear... simple demo, which worked a treat. :-TU
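A defender-side companion to the calc.bat loop quoted above, added here as an example (it is not code from this thread or from Comodo): it scans constructed Sysmon-style process-creation events for a parent that keeps relaunching the same child image, which is exactly what the loop does until containment or a reboot stops it. The field layout, pids, paths and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process-creation events (not a real log):
# (utc_time, parent_pid, parent_image, child_image). One explorer.exe
# launching cmd.exe, then that cmd.exe (pid 4100, running the calc.bat
# loop) starting calc.exe eight times within a second, then one
# unrelated, benign spawn that must not be flagged.
SAMPLE_EVENTS = [
    ("2020-04-30T14:41:00.000", 1200, r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe"),
] + [
    (f"2020-04-30T14:41:01.{i * 120:03d}", 4100, r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\calc.exe")
    for i in range(8)
] + [
    ("2020-04-30T14:41:05.000", 1200, r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe"),
]


def find_spawn_loops(events, threshold=5, window_s=2.0):
    """Return (parent_pid, parent_image, child_image, burst) for every parent
    that launched the same child image `threshold` or more times inside any
    `window_s`-second window. The defaults are assumed starting points, not
    Comodo settings; tune them against your own baseline of normal spawns."""
    spawns = defaultdict(list)
    for ts, ppid, parent, child in events:
        # Case-fold the image paths: Windows paths are case-insensitive.
        spawns[(ppid, parent.lower(), child.lower())].append(
            datetime.fromisoformat(ts))
    alerts = []
    for (ppid, parent, child), times in spawns.items():
        times.sort()
        start, burst = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            alerts.append((ppid, parent, child, burst))
    return alerts


if __name__ == "__main__":
    for ppid, parent, child, burst in find_spawn_loops(SAMPLE_EVENTS):
        print(f"spawn loop: pid {ppid} ({parent}) launched {child} "
              f"{burst} times inside one window")
```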

porkpiehat
Re: Why Comodo's Antivirus security is different
« Reply #27 on: August 05, 2020, 12:29:11 PM »
Agreed about Script Analysis. Mine is at default settings. If anything, I would activate more protection there, but at this time I'm not familiar with the settings.

Likewise... if someone would be so kind as to offer up an optimum setting for this, it would be greatly appreciated by many of us... :-TU

porkpiehat
Re: Why Comodo's Antivirus security is different
« Reply #28 on: August 05, 2020, 02:02:25 PM »
And also notice that the Script Analysis function (which is on by default, with the "Recommended" notation) MUST ALWAYS BE LEFT ON!!!!! If it is disabled, Scriptors will not be automatically shunted to containment, and thus will be allowed to run. Once again, you can try this for yourself with the above listed loop batch (but be prepared to manually reboot your system).

So NEVER EVER (never, ever) uncheck the "Perform Script Analysis" setting in Advanced Protection!!!!!!!

So, the default 'runtime detection' settings are to be left 'as is'? What about *\acrord32.exe? That is off in both columns.

CommodoUser2019
Re: Why Comodo's Antivirus security is different
« Reply #29 on: August 05, 2020, 03:45:22 PM »
Likewise... if someone would be so kind as to offer up an optimum setting for this, it would be greatly appreciated by many of us... :-TU

I have enabled everything except *\cmd.exe embedded code detection under the Runtime Detection tab. See image. Here is a more comprehensive list of what can be added: https://forums.comodo.com/index.php?action=dlattach;topic=61263.0;attach=123619;image
The only problem setting for me was the cmd.exe one, so I disabled it (which I believe was the default setting). There are 54 entries in the list shown at the link above and 21 entries in the default settings.

« Last Edit: August 05, 2020, 03:53:04 PM by CommodoUser2019 »
