Metasploit Blocking?

Hi friends. I’ve seen that other security suites like Kaspersky and Norton have a feature called Network Attack Blocker or Intrusion Prevention. I want to know: does CFW block this kind of attack, for example Metasploit attacks?
Thanks.

Hi wilmington,
Comodo Defense+ is a Host Intrusion Prevention System (HIPS). While this differs from a Network Intrusion Prevention System, it (HIPS) will protect the machine it is running on by monitoring all activity.

This article here might help in clarifying the differences between the two.

I know that HIPS protects against intrusions, but can exactly this kind of attack (I mean Metasploit) be detected and blocked? I saw that one of these exploits is for grabbing screenshots and uses Netapi.dll or something similar (I’m not sure). As I know, the HIPS works inside the system, but this attack comes from outside the system, so what can HIPS do? These kinds of attacks are network attacks!! Have you ever heard of Metasploit and its mechanism of action?

Hi wilmington,
Heard about it, yes.
Know much about, no.

Sorry, I cannot tell how HIPS would react to this; I hope someone with knowledge about this joins in with some information.
Thanks.

Metasploit is a framework that contains loads of exploits and mechanisms to attack users.
It’s hard to say that CIS protects against ‘all’ attacks, if you have a sample attack please provide more details about which one was used.

I have no specific attack sample. My purpose is the usual attacks that some products like Norton (IPS) and Kaspersky (Network Attack Blocker) defend the system against. I don’t know whether the Network Shield of Avast Free (that I’m using) works like the IDS of Norton and Kaspersky or not. I know Norton defends against approximately 2000 attacks and Kaspersky 1000.

If you use only actual versions of programs and OS, additionally a router, additionally a desktop firewall, you are most probably not inside the victim frame of those exploiters.
“Exploit” is not regular.
If it was regular for programs and computers to get exploited, we would all be lost :wink:

Norton protects you against 2000, Kaspersky against 1000 (like you said),
well,
Kaspersky users must be lost :smiley:
and Norton users must be lost
on the day when there are 2000+1 threats :wink:

Don’t forget,
whenever you see a threat report, a news about shocking virus activities, or other stuff like this,
look at the source.
You will be surprised that companies who charge you before they protect you
will be the most prominent
detectors of
threats
and
devils

and they are ready to save you,
it’s just 49,95

They have to create a need, because you have to pay first.

:wink:

If you use only actual versions of programs and OS, additionally a router, additionally a desktop firewall, you are most probably not inside the victim frame of those exploiters.
So it means a firewall like Comodo cannot protect against this kind of exploit on its own. Therefore we need a router and to update our programs additionally to be safe. ;)

It’s always wise to have a layered security approach. Keeping programs updated is a layer, even though the BO detection of CIS will bail your rear end out with a lot of program vulnerabilities.

A lot of people will have a router which will act as an extra layer of defense against hacking.

There is no such thing as 100% security, no matter how tough the tools being used. Only dictators and crooked sales people will say they can deliver 100% security… :wink:

I don’t want to learn an answer one day the hard way.
So I use several layers of protection.

What i tried to say:
If EXPLOIT is something usual,
you can not be protected against it.

EXPLOIT is not usual, as long as you are fixing.

(Installing a firewall on an unpatched operating system.
That is not safe. Even if it’s “X”!)

CIS failed.

How can I protect myself from this attack?

As far as I know you can’t. None of the modern internet security suites can protect you against this. But you don’t have to worry about this unless you face a top hacker. And even top hackers use other tools.

First of all, I’m the same Willmington. I have to use different usernames because Comodo blocks you when your IP changes. :wink: [But I’m not a spammer as I know, and maybe you know too ;D]

Some guys asked how to block this kind of attack.
I must say the Avast Network Shield can block metasploits as I know, but I’ve never tested it.
Some security suites such as Kaspersky and Norton can block just known ones, like Avast.
Some security suites just offer to update your Windows to protect against this kind of attack.
But I don’t know whether Agnitum Outpost can block it or not. This program has a feature called Attack Detection that includes Low Level Network Attacks. Can anyone test Agnitum Outpost?

What is the best security suite to block Metasploit attacks? From all the research I’ve done, Comodo Firewall seems to be the best firewall, but what security suite can I pair it with for maximum protection? From what I’ve looked up, it seems that it’s Norton. But since that viktor.exe virus can kill Norton, there must be a better alternative.

Well. I’ve tested 2 Metasploits and this is the result:

  • exploit/windows/smb/ms08_067_netapi
  • payload windows/meterpreter/reverse_tcp
  • payload windows/shell/bind_tcp

Attacker OS: Windows 7 x64
Target: Windows XP x86 SP1 (Not Updated and Patched) On Virtual Machine (VMWare)
Defense=Disabled
AV=Disabled
FW=Custom Policy and Safe Mode
Comodo Successfully Blocked Using Payloads By Blocking Incoming Packets In Global Rules. ;D
See attached picture for more info.

If you want to challenge Comodo FW with another Exploit/Payload, leave a reply containing the Exploit/Payload name and I will test it.
:wink:

[attachment deleted by admin]

Client-side attacks, like the one used in the video, can always be made in a way that bypasses security suites; the good thing is an attacker will usually need some kind of social engineering to use this kind of attack.
Having a patched system and some security tools will protect you against most exploits; as far as I know nothing can really protect you against new exploits.

In the Metasploit video it’s Comodo 5.10.228257.2253. I ripped down a very high quality YouTube video of this in action. I don’t think the people were aware of how high a quality of video I was able to rip. Everything is clear in my video; it’s a 49 MB video. I also downloaded the latest http://www.metasploit.com/ tester program. I have sent this in email to a Comodo developer to download the video & tester from my Dropbox and test them. What’s cool is you actually can see how some of their exploit software is working in my video rip.

This certainly can’t hurt to try ;D

Furthermore, notice at the top of the screen that the attack is running against CIS 5.10 in Oracle VirtualBox with Windows 7, which is not supported by Comodo because I have heard that VirtualBox is not a complete virtual machine. You really can’t see all that I can see in your video. Until it’s a native PC against this and not an unsupported VirtualBox instead of VMware, we will never know. Or at least hopefully Comodo will know now.

Here’s the video cleaned up by me! After clicking on the link, scroll down and click slow download

http://luckyshare.net/4145601760/Comodo Internet Security AV Sandbox bypass.wmv

Ok guys. I tried testing some other software such as:
Outpost Pro 7.5
Online Armor Free 6
Kaspersky Internet Security 13
Norton Antivirus 20
and the result:

-First Comodo FW:
In case the attacker IP is in the Public zone, Comodo blocks it. But if the attacker IP is in a Trusted zone, for example: Home network, unfortunately Comodo allows the attacker to use the payload. I think this is important because if you have a private local network for sharing files/folders with your family, other computers can use Metasploits to gain access to, for example, the screen and can capture it.
-Outpost Pro behaves like Comodo if NetBIOS is allowed. But Outpost has a feature called Presets (predefined rules) for known applications such as SVCHost that does not allow the specified process to connect through abnormal ports (in Block Most mode), but if Auto Learning mode is active it will create rules automatically for well-known applications on request, which may lead to successful exploits.
In Rules Wizard mode it will ask you, and you must decide whether to allow the trusted process to connect or not, which is like a joke because how can you know whether this is a normal request or not?
-Online Armor behaves similarly for Trusted zones.
-But Kaspersky Internet Security and Norton Antivirus can detect and block attacks even if the attacker IP is in the Trusted or Local zone. KIS needs just the Network Attack Blocker component to be active. It works fine even if other components like Firewall or Application Control, etc. are disabled.
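The last post's finding, that a "trusted zone" rule lets any LAN peer reach the vulnerable SMB service and that a per-process preset (like the SVCHost one described for Outpost) is what stops a system service from connecting out to an abnormal port, can be made concrete with a small policy evaluator. The code below is an added illustration written for this thread; it is not Comodo's, Outpost's or any vendor's rule engine. The home LAN range 192.168.1.0/24, the file-server address 192.168.1.10, the peer and Internet addresses, the process names and the odd outbound port 31337 are all constructed sample values; the evaluator itself is a generic first-match, default-deny zone policy.

```python
"""Zone-aware firewall policy check: a lax "trust the whole LAN" policy next to a
hardened one. Added illustration for the thread above, not any product's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Event:
    direction: str   # "in": a local service accepts a connection; "out": a local process connects
    remote_ip: str
    port: int        # local port for "in", remote port for "out"
    process: str     # local process owning the socket


@dataclass(frozen=True)
class Rule:
    direction: str
    zone: Optional[str]                  # "trusted", "public", or None for any zone
    ports: Optional[FrozenSet[int]]      # None = any port
    sources: Optional[FrozenSet[str]]    # None = any remote host in the zone
    processes: Optional[FrozenSet[str]]  # None = any local process
    action: str                          # "allow" or "block"


HOME_LAN = ip_network("192.168.1.0/24")  # constructed "trusted zone"
FILE_SERVER = "192.168.1.10"             # constructed host that legitimately serves SMB


def zone_of(ip: str) -> str:
    return "trusted" if ip_address(ip) in HOME_LAN else "public"


def evaluate(policy: List[Rule], ev: Event) -> str:
    """First matching rule wins; if nothing matches the event is blocked (default deny)."""
    zone = zone_of(ev.remote_ip)
    for r in policy:
        if r.direction != ev.direction:
            continue
        if r.zone is not None and r.zone != zone:
            continue
        if r.ports is not None and ev.port not in r.ports:
            continue
        if r.sources is not None and ev.remote_ip not in r.sources:
            continue
        if r.processes is not None and ev.process not in r.processes:
            continue
        return r.action
    return "block"


SMB_PORTS = frozenset({139, 445})
SYSTEM_SERVICES = frozenset({"svchost.exe", "services.exe"})

# Lax policy, the behaviour the thread reports: anything in the trusted zone may
# connect to any local port, and outbound connections are never questioned.
LAX = [
    Rule("in", "trusted", None, None, None, "allow"),
    Rule("in", "public", None, None, None, "block"),
    Rule("out", None, None, None, None, "allow"),
]

# Hardened policy: inbound SMB/NetBIOS only from the one host that should serve
# files, every other inbound connection blocked in every zone, and system service
# processes limited to a short list of expected outbound ports (a per-process preset).
HARDENED = [
    Rule("in", "trusted", SMB_PORTS, frozenset({FILE_SERVER}), None, "allow"),
    Rule("in", None, None, None, None, "block"),
    Rule("out", None, frozenset({53, 80, 443}), None, SYSTEM_SERVICES, "allow"),
    Rule("out", None, None, None, SYSTEM_SERVICES, "block"),
    Rule("out", None, None, None, None, "allow"),
]

# Constructed connection events: a LAN peer and the file server hitting SMB, an
# Internet host hitting SMB, and a system service connecting out to an odd port.
EVENTS = {
    "smb_from_lan_peer":   Event("in", "192.168.1.20", 445, "System"),
    "smb_from_fileserver": Event("in", FILE_SERVER, 445, "System"),
    "smb_from_internet":   Event("in", "203.0.113.5", 445, "System"),
    "svchost_odd_port":    Event("out", "192.168.1.20", 31337, "svchost.exe"),
    "svchost_https":       Event("out", "192.168.1.20", 443, "svchost.exe"),
    "browser_https":       Event("out", "198.51.100.7", 443, "firefox.exe"),
}


def audit(policy: List[Rule]) -> dict:
    """Return the verdict each constructed event gets under the given policy."""
    return {name: evaluate(policy, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, policy in (("lax", LAX), ("hardened", HARDENED)):
        print(label, audit(policy))
```

Under `LAX` the SMB connection from the LAN peer is allowed and so is the service process connecting out to the odd port, which is exactly the gap the post describes for a home network; under `HARDENED` both are blocked while the file server's SMB traffic and a normal HTTPS connection still pass. Trusting a zone is a statement about where a packet came from, not about whether the peer is compromised, so per-service and per-process restrictions are what make the trusted zone safe to keep.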