We would like to share with you what happens when specific malware meets Comodo’s Containment!
Here is the third case: SpyEye vs Comodo Containment.
SpyEye is a type of malware which cybercriminals use to steal online banking credentials, credit card data, passwords, and other personal information. SpyEye has infected more than 1.4 million computers globally, and its silent attack means you’re delivering your information straight to criminals.
SpyEye works like this:
SpyEye installs keylogger software which monitors all of your keyboard activity.
SpyEye collects all of the information you type: login credentials, passwords, credit card information, and every other type of personal information imaginable.
You deliver this information straight to cybercriminals.
But when SpyEye meets Comodo’s Containment Technology, where all unknown files go into Containment, the results are devastating for SpyEye:
SpyEye tries to install keylogger software.
SpyEye FAILS—miserably. In Comodo Containment, malware simply cannot inject code into other processes.
Another safe and secure Comodo user!!
Comodo is the only antivirus company that brings proven, battle-tested containment technology to enterprise.
Learn more about The World’s First Automatic Containment Technology:
That’s true, but I guess the keylogger comes with other software to hide it, right?
If so, when you run that software virtualized, maybe something can’t work properly because of the virtualization (this happens with some harmless software not yet whitelisted by Comodo).
So the average user will run the software again, asking CIS not to virtualize it.
Then, what will happen? You get keylogged!!!
That’s why I think (just a personal opinion) it’s better to run any unknown software as “Run Restricted → Untrusted”. That way you will get some pop-ups from the HIPS, which can help you better understand what the software is trying to do and decide whether to allow it or not.
Of course, it’s user-dependent, but I think CIS warnings are quite clear to understand and manage.
Having (minor but probably dangerous) issues with Comodo Internet Security Premium, v188.8.131.5265:
I’m currently testing the suite against (at least for Comodo) Zero Day malware.
In today’s test, multiple ransomware samples (e.g. Locky) managed to encrypt .js and .vbs files despite being fully contained when run. All other files (pictures, text files, especially those outside the folder the ransomware was located in) were protected by containment.
I also had a CryptoLocker sample, which was only able to change the background to black and to drop and open the usual notifications; no file was encrypted, however.
Preset: Internet Security (by default), box “show less alarms” unticked in first installation window
Antivirus: on (Realtime), scan memory on startup: no
Firewall: on (Safe Mode)
Virusscope: on (only monitor sandboxed apps)
HIPS: on (Safe Mode, “Set Popup alerts to verbose mode”)
File reputation: on (autoupload, trust signed apps, detect PUP)
The test can be seen here: https://malwaretips.com/threads/03-11-2016-11.65095/#post-560722
Note that you need to create an account / log in to view the thread. I tried to write down there everything I thought would be of use, though I’m no expert.
P.S. Second opinion scanners, McAfee GetSusp and SysInternals TCPView / Autoruns tell me the system should be clean (after clearing sandbox).
Looking forward to your feedback.
EDIT: Mods please move the message if wrong thread. Thank you!
Welcome to the forums. I just tested it on a virtual machine with beta version and I see no problem. It would be great if you could check it with the beta as well.
(exception being wallpaper change which is a known issue)
Thank you for your warm welcome qmarius!
Sorry for the late reply.
I gave CIS 10 BETA a spin (inside a ShadowDefender containment), same issue here. What is interesting to me is that the .jpeg and .txt files I put in the folder just to see what happens were not harmed; again, only the script files were. I found an option in Comodo Sandbox Settings (both 8 and 10 BETA), enabled by default, that excludes specific folders from containment. “Downloads” is one of them, and it’s actually the folder the malware is located in.
I will try to deactivate that for the next pack tomorrow (better said, today), just to see what happens.
However, I still don’t get why containment seems to work just fine on almost every file I ran from that location (e.g. a ZBot sample was blocked just fine yesterday, obviously VM-aware, gone right after running), only failing partly for some scripted ransomware? And why is the ransomware only able to hit specific file formats? Note that of the first 4 malware samples of that pack, the first 2 crashed, number 3 dropped some weird stuff (the fake task manager etc., all getting contained on run), and number 4 was the Locky, encrypting all those script files (and only them) inside the malware folder in Downloads. This was after triggering rundll32.exe and staying silent for about a minute (though calling outbound).
I’m trying to find a program that allows only a restricted list of extensions on my PCs (xlsx, pptx, docx, pdf, jpeg, dll, log, …), so that if a crypto wants to rename all my files to .zepto, it can’t, because .zepto is not present in the allowed extension list.
Maybe this possibility could be added alongside the container, in case the container encounters a bug.
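The extension-allowlist idea from the post above, as an added example that is not part of the original thread and not Comodo code: a small policy simulation that judges create/rename operations by the resulting file name's extension. The allowlist, the event log (a constructed Locky/Zepto-style run in the Downloads folder mixed with benign saves) and the paths are assumptions for illustration. It also exercises the cases a practitioner would check: upper-case and double extensions, names without an extension, and in-place overwrites, which such a policy cannot see at all.

```python
"""Extension-allowlist policy simulation (added example, not Comodo's code).

Judges file operations by the extension of the resulting name, as the
forum post proposes. Operations, paths and the allowlist are constructed
for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed allowlist: the post's list plus a few common document types.
ALLOWED_EXTS = {".xlsx", ".pptx", ".docx", ".pdf", ".jpeg", ".jpg",
                ".dll", ".log", ".txt"}


@dataclass(frozen=True)
class FileOp:
    kind: str           # "create", "rename" or "write"
    path: str           # target for create/write, source for rename
    new_path: str = ""  # destination for rename


def extension(path: str) -> str:
    """Final suffix, lower-cased; '' when there is none (e.g. 'README').

    Using the *final* suffix is what makes 'photo.JPEG.ZEPTO' resolve to
    '.zepto' rather than to the allowed '.jpeg'.
    """
    return PureWindowsPath(path).suffix.lower()


def decide(op: FileOp, allowed=ALLOWED_EXTS):
    """Return (allowed, reason) for one operation.

    create/rename are judged by the resulting name. An in-place 'write'
    never changes the name, so an extension policy has nothing to judge and
    lets it through: ransomware that encrypts files without renaming them
    (the .js/.vbs case in the thread) is invisible to this control.
    """
    if op.kind == "write":
        return True, "in-place write: not covered by extension policy"
    target = op.new_path if op.kind == "rename" else op.path
    ext = extension(target)
    if ext in allowed:
        return True, f"{ext} on allowlist"
    if ext == "":
        return False, "no extension"
    return False, f"{ext} not on allowlist"


def evaluate(ops, allowed=ALLOWED_EXTS):
    """Apply the policy to a sequence of operations -> [(op, allowed, reason)]."""
    return [(op, *decide(op, allowed)) for op in ops]


def blocked_targets(ops, allowed=ALLOWED_EXTS):
    """File names the policy would refuse to create or rename to."""
    names = []
    for op, ok, _reason in evaluate(ops, allowed):
        if not ok:
            target = op.new_path if op.kind == "rename" else op.path
            names.append(PureWindowsPath(target).name)
    return names


# Constructed sample log: a Zepto-style rename run in Downloads plus benign saves.
DL = r"C:\Users\test\Downloads"
SAMPLE_OPS = [
    FileOp("create", DL + r"\report.docx"),                           # benign save
    FileOp("rename", DL + r"\report.docx",
           DL + r"\A1B2C3D4E5F60718.zepto"),                          # ransomware rename
    FileOp("rename", DL + r"\photo.JPEG",
           DL + r"\photo.JPEG.ZEPTO"),                                # double ext, upper-case
    FileOp("create", DL + r"\_HELP_instructions.html"),               # ransom note
    FileOp("write",  DL + r"\script.vbs"),                            # encrypted in place
    FileOp("create", DL + r"\notes.txt"),                             # benign save
]


if __name__ == "__main__":
    for op, ok, reason in evaluate(SAMPLE_OPS):
        target = op.new_path or op.path
        print(f"{'ALLOW' if ok else 'DENY ':5} {op.kind:6} {PureWindowsPath(target).name:28} {reason}")
```

The run shows the policy stopping the two renames and the ransom note, but waving through the in-place overwrite of script.vbs, so an allowlist of this kind complements containment rather than replacing it, and it needs a deny-by-default rule for extensionless names to avoid a trivial bypass.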
After disabling this option, nothing outside the sandbox takes harm; thank you for pointing it out. A colleague at the MalwareTips forum also mentioned this, and I just finished a malware pack including Locky and CryptoLocker ransomware. I had the background changed again (easy to restore, far from annoying, and a known issue, as someone stated above), and the CL notification windows appeared (fully contained, with a green frame, as was Google Chrome for the pages opened for the ransom note). Not a single file was hit by the multiple ransomware items (including those in the Downloads folder now)!
It feels good that you guys here are so quick at looking into those issues and trying to help users, thank you a lot!
P.S. I’m now aware that if you change the sandbox level to “Untrusted”, all malware should terminate instantly. However, our tests are meant to show the stock protection; that little but mighty setting, which prevents altering anything in the “Downloads” folder, is nevertheless activated for comfort reasons.
EDIT: Speaking of the current Comodo Internet Security v184.108.40.20665; it should be the same for v10 BETA once the “Downloads” folder is included in containment (box unticked in Sandbox settings).
Thanks to all others of course too, for having a look into that matter!