Does Defense+ offer protection against the Blackhole Exploit Kit?

I recently visited a website that I later on learned had been reported to be infected with the Blackhole Exploit Kit. I was wondering if Comodo can help protect against such exploits? I’m running CIS 5.12.256249.2599 with Proactive Security configuration.

Also, are there any signs that would hint if you’ve been infected or not, or can it happen completely silently? I did not notice anything strange happening, no plug-in crashes etc. Several security scans show no detections on my PC. If someone could tell me if there’s a way to know for sure, I’d greatly appreciate it.

Thanks.

I would imagine the sandbox would protect you against this exploit. Perhaps consider using the NoScript plugin to block Flash and Java exploits on unknown websites.

I also asked if Comodo Internet Security protected from exploits. I think it protects from most exploits. The only kind of exploit CIS might not protect from is Java exploits. If you think your computer is infected you might want to try HitmanPro and Malwarebytes. I hope this helps.
ad18 :slight_smile:

I also recommend Sandboxie. Anything that completely isolates your browser from your hard disk is the best protection to make sure no malware can access the hard drive.

Yeah, from what I know as well, Java exploits can bypass CIS. For the rest you are protected. I bet $100 one mod here will post about Java after me LOL! :slight_smile:

Even if the sandbox is set to untrusted or blocked?

Easiest way to block Java exploits is to install the latest Java update 1.7.10 and disable Java in browsers. It is so rare that you meet a web site with Java that it is worth the effort to enable it for that one web site which you think can be trusted (I have only seen Java in demos of scientific stuff). This will block Java exploits from drive-by downloads, which are the problem.

Thanks a lot for the answers, guys.

I currently do not even have Java installed on this system, so I should be safe in that regard, but what about JavaScript exploits? Does Comodo protect against those? The site I visited was reported to carry a suspicious JavaScript code injection.

By the way, for clarification, at the time of accessing the website I was using v.5 of CIS, not v.6, so I’m wondering if the protection still applies. Also, assuming one has been affected by such an exploit, should it show up in a security scan, or is it sophisticated enough to hide its behavior from most, if not all, scan engines? I’ve run scans with CIS, CCE, MBAM, HitmanPro, Sophos, Norton Power Eraser, TDSSKiller, RogueKiller, you name it… the only thing any of those picked up was by CCE, and it was an abnormal system setting, “Disabled MsConfig”. Wondering if it can even be related.

If you don’t need Java, get rid of it - simple.
Also, NoScript for Firefox/Waterfox and ScriptSafe for Chrome/Dragon are well worth the added few seconds it takes to use them - creating a whitelist or allowing certain scripts to run on a per-site basis.
As far as I understand, if you are running a virtual browser you are safe from these/all exploits; reset the sandbox and pow, they’re gone :wink: If this is incorrect I’d like to hear about it…

I am pretty sure you are right. Exploits have a hard time escaping from a sandbox.

I’m pretty sure that with V5 or V6 you would be protected against this. However, to make sure nothing went wrong (which I’m almost certain it did not) you can make sure your computer is not infected by following the advice I give in my article about How to Know If Your Computer Is Infected.

Please let me know if you have any questions.

Thanks.

Thanks a lot, Chiron. I followed the instructions in your article and the only things found were:

  1. “abnormal system settings: Disabled MsConfig” by CCE scan.
  2. an unknown autorun entry “DeFragPath” by AutorunAnalyzer.
  3. Rootkit.HiddenValue@0 at “HKEY_CURRENT_USER\Software\Microsoft\Windows\NT\CurrentVersion\Windows\load” by CIS scan. Comodo could not remove this, but after upgrading from CIS v5 to v6 it was never detected again.

My question is, since these are not actual files but rather registry entries etc., I cannot upload them to Valkyrie and other websites for checking, so how can I verify the safety of these? Or alternatively, can you give your opinion on whether or not these are indications of an exploit attack?

Thanks

Did you disable this yourself?

Right-clicking on the result provides you the option to jump to the folder where the file associated with that registry key is sitting. Please upload the file to VirusTotal and post a link to the results. I don’t think it’s evidence of anything wrong, but just to be sure…

As long as it is no longer detected I wouldn’t worry about it.
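The advice above is to locate the file behind a flagged registry value and check it on VirusTotal. The following PowerShell script is an added example (not code from the thread or from Comodo) that does that step for the `load` value the CIS scan reported; it assumes the real key path is `HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows` (the thread's text shows it with a backslash in "Windows NT", which is a typo). It reads the value, resolves each command in it to a file on disk, and prints the file's SHA-256 and Authenticode signature status so the hash can be searched on VirusTotal without uploading anything.

```powershell
# Added example: inspect the HKCU "load" logon value flagged in the thread,
# resolve the file(s) it points to, and hash them for a VirusTotal lookup.
# Assumed key path (the thread's rendering "Windows\NT" is a typo).
$keyPath   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$valueName = 'load'

$item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $valueName)) {
    Write-Output "No '$valueName' value under $keyPath (nothing is configured to load at logon)."
    return
}

$raw = $item.$valueName
Write-Output "Raw '$valueName' value: $raw"

# The value may hold several comma-separated commands. Strip a quoted path or
# take the first token of an unquoted one, then expand environment variables.
foreach ($entry in ($raw -split ',')) {
    $cmd = $entry.Trim()
    if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

    $exe = $cmd -replace '^"([^"]+)".*$', '$1'     # "C:\path\file.exe" args
    if ($exe -eq $cmd) { $exe = ($cmd -split ' ')[0] }  # C:\path\file.exe args
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        Write-Output "  file:         $exe"
        Write-Output "  SHA256:       $hash   (search this hash on VirusTotal)"
        Write-Output "  Authenticode: $sig"
    } else {
        Write-Output "  '$cmd' does not resolve to an existing file on disk"
    }
}
```

Searching VirusTotal by hash avoids uploading a possibly private file, and a `Valid` Authenticode status from a known vendor is a quick first hint that the entry is a legitimate tool rather than something dropped by a drive-by download. The same pattern applies to any other autorun location, such as the `Run` keys, by changing `$keyPath` and `$valueName`.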

I don’t recall doing this, no. I’ve used a lot of security software in the past few days, ComboFix etc. so I’m wondering if it has been done by one of those.

Right-clicking on the result provides you the option to jump to the folder where the file associated with that registry key is sitting. Please upload the file to VirusTotal and post a link to the results.

Thanks for a prompt reply!

Okay, it was probably caused by one of those. You can either ignore CCE’s warning or allow it to enable it again. That’s entirely up to you.

Okay, it looks clean. I’ve gone ahead and asked for it to be added to the whitelist in this post so that the next time you check it will already be whitelisted.

From that I see no evidence that your computer was infected. Thus, it appears that regardless of whether the exploit was active or not your computer was not infected.

Ok, thanks for clearing that up! I appreciate it.

Hey Chiron, instead of starting a new thread I’d like to quickly ask you something:

In your article on installing Comodo, for v5 there was a guide for making all applications/files protected through Defense+. Is it possible to do so in v6 also, or is it done automatically? I read your article but couldn’t find any mention of it.

That was only done to protect it from ransomware. In V6 this same level of protection can be obtained by switching the Behavioral Blocker to Restricted. That’s why I don’t mention it anymore.

I would think that Comodo would have done something about Java exploits by now.

May I ask, aside from “disabling JavaScript in the browser etc.”, what rule may be the best for Java…? Java 7 Update 11 is out, but since Java is a favorite piece to be always exploited, what may be the best rule that can isolate it from doing harm when exploited?

I was thinking more of a user not familiar with Comodo’s Behavioral Blocker, or “if” BB is turned off (HIPS only + Firewall). Is it advisable to always run it virtually in the kiosk…? What may be some implications if it was run there? Just asking here… what-if stuff…