How containment works for outbound connections of malware.


I did a test with a malware sample known to VirusTotal (about 52 antivirus vendors, the largest and also the smallest) that COMODO did not detect in its definitions. This malware is placed in the sandbox and attempts connections to IP addresses, which are of course blocked by the firewall. However, the application remains running, and Viruscope does not intervene: it lets it run in the sandbox while it keeps attempting to connect to IP addresses (blocked by the firewall). Only if you reset the sandbox or restart the PC does the application stop. With the firewall active, outgoing connections are blocked, although I expected that, being a malicious app, Viruscope should have stopped it. The problem occurs in CAV, or in CIS with the firewall disabled: the app runs in the sandbox (so it does not create problems for the operating system) but makes connections to IP addresses.

Being malicious but in the sandbox, the app is not dangerous, correct?
In the sense that even if it makes outgoing connections (which happens with the firewall disabled in CIS, or without a firewall in CAV), my data or my PC's data is not sent outside?
From what I read, and I think understood, in the CIS guide regarding containment, that is the case.

Below are the VirusTotal details of the tested malware:

I did a test with Kaspersky Security Cloud Free. I deactivated file protection, otherwise it would have eliminated the sample immediately (which CAV and CIS did not do), and as soon as I launched the malware, the application control system blocked it right after it started running, so it was eliminated. I would say a perfect execution by KSC.

I am curious about your expert opinions, as you are certainly more experienced than me, to reassure me that in these cases, even with CAV (in CIS I always have the firewall active), I am safe. :wink: :slight_smile:

I appreciate that you want constant reassurance, but do not double post the same questions again and again. You already have one thread going on this and have been given the answer(s) and guidance. Continue with anything further in the original thread.