In the future, please don't link to a Wilders page. When the test is officially available, we mods will link to the official testing group's page and make a sticky of it. Thanks.
OK, sorry, I didn't know that. I wanted to post relevant information being discussed on Wilders, like there being malware able to bypass the sandbox.
This is what they said:
Here is OK. Some of the malware drops PE files out of the sandbox onto the real machine. I have given this feedback to Comodo and I think they will improve the sandbox function.
I have never seen malware drop out of the sandbox. Also, it is a little fishy that Jiangmin did so well. The reason I say fishy is that I believe most of their malware samples are ones that are prevalent in the Asian market, so that means AV vendors that are based in the Asian market will see those samples first compared to companies located in other parts of the world. I would hope that they use malware that is a good representation of the whole world, not just one part of it. But this is just my opinion of it based on personal experience.
I haven't seen malware bypass the sandbox lately, but it seems that PCSL found some and they have reported the problem to Comodo so Comodo can fix it; they are not hiding anything.
Also, I think they are mistaking dropped files for a real system infection. Remember that v4 dropped many more files onto the hard drive compared to v5, and if you didn't know how the Comodo sandbox specifically works, you would assume that the system was infected even though it is not.
I asked about this on the Wilders forums, whether the PE files remain active or not; let's see what they say.
Probably the files are not active = the computer is not infected…
Anyway with this new feedback Comodo should improve the sandbox.
Anyway, even if Comodo is able to monitor every single file and registry change created by the sandboxed application, should everything be deleted? What if it is not malware…
More importantly, look at the dynamic detection: check out how many Comodo catches dynamically, and also look at the FPs, not that high, especially compared to others.
Well, I don't know how they counted the dynamic detection. Did they just count the AV pop-ups, the HIPS pop-ups, the sandbox? Their test does not say how they counted dynamic detection; we need more information on how they came up with their numbers.
Although I said an antivirus product on its own can't protect you, it's good to see the third-party confirmation of the good work our AV Labs have done in getting us a top-notch detection ratio.
As of now I have not yet discussed the Dynamic Detection part with Jeffrey with regard to results, but in general he stated the following about methodology:
For the HIPS test, we mostly make the detection based on the notification of the HIPS module, e.g. if the HIPS notifies the user there is malicious behavior and the user should make a deny decision, we then deny the execution. When there is no clear notification that shows the behavior is malicious or dangerous, we make the allow decision. And the final decision is whether there is an infection of the PC (causing data loss, infection of system files, etc.). We make this also in our Total Protection test.
For the sandbox, in the dynamic block test, if it automatically executes in the sandbox and no files leak out of the sandbox, then it is a successful block. For the dynamic test, if it is automatically sandboxed, then it is regarded as a FP, and if the window with three options (sandbox, allow, deny) appears, then we choose allow and then see if the client blocks the installation of normal software.
So far my discussion with Jeffrey has been limited to his definition of false positive with regard to the Sandbox. So I have yet to gather information from Jeffrey on whether he has encountered any malware which bypassed the Sandbox and was able to infect the system in the sense that it was able to persist.
In general, as you know, the Sandbox doesn't allow files to be dropped in privileged folders, like Windows or startup folders.
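The thread's sandbox criterion (a block counts only if no files leak out of the sandbox) and the last post's point about privileged folders both come down to the same check a tester can automate: snapshot the real file system before the sample runs, snapshot it again afterwards, and classify anything new or modified. The script below is an added example written for this thread; it is not PCSL's or Comodo's code, and the list of privileged folders, the constructed snapshots and the path of the sandbox's own storage are assumptions labelled as such.

```python
import os
from dataclasses import dataclass

# Folders treated as privileged for this example (an assumption, not PCSL's list):
# the Windows directory and the per-user / all-users Startup folders named in the thread.
PRIVILEGED_PREFIXES = (
    r"C:\Windows",
    r"C:\Users\tester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)

# Hypothetical location where the sandbox keeps its own virtualised writes; files that land
# here stayed inside the sandbox and must not be counted as leaks. Adjust for the product under test.
SANDBOX_STORE_PREFIXES = (r"C:\SandboxStore",)


@dataclass(frozen=True)
class Leak:
    path: str
    kind: str          # "new" or "modified"
    privileged: bool   # True when the file sits under a privileged folder


def _norm(path):
    """Case-insensitive, backslash-only form so Windows paths compare reliably on any host."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _under(path, prefixes):
    p = _norm(path)
    return any(p == _norm(pre) or p.startswith(_norm(pre) + "\\") for pre in prefixes)


def is_privileged(path, prefixes=PRIVILEGED_PREFIXES):
    return _under(path, prefixes)


def snapshot(root):
    """Map every file under root to (size, mtime_ns). Run once before and once after the sample."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # file vanished or is locked; it cannot be compared anyway
            result[full] = (st.st_size, st.st_mtime_ns)
    return result


def diff_snapshots(before, after, privileged=PRIVILEGED_PREFIXES, sandbox_store=SANDBOX_STORE_PREFIXES):
    """Return every file that appeared or changed on the real file system outside the sandbox store."""
    leaks = []
    for path, meta in after.items():
        if _under(path, sandbox_store):
            continue  # contained by the sandbox: not a leak
        if path not in before:
            leaks.append(Leak(path, "new", is_privileged(path, privileged)))
        elif before[path] != meta:
            leaks.append(Leak(path, "modified", is_privileged(path, privileged)))
    return sorted(leaks, key=lambda leak: leak.path)


def verdict(leaks):
    """Apply the thread's rule: no leaked files = successful block; privileged-folder leaks are the ones that can persist."""
    if not leaks:
        return "blocked"
    if any(leak.privileged for leak in leaks):
        return "leak-privileged"
    return "leak-unprivileged"


# Constructed snapshots standing in for real before/after runs on a test machine.
BEFORE = {
    r"C:\Windows\System32\kernel32.dll": (1_000, 1),
    r"C:\Users\tester\Desktop\sample.exe": (50_000, 1),
}
AFTER_CLEAN = dict(BEFORE)
AFTER_CLEAN[r"C:\SandboxStore\Users\tester\AppData\Local\Temp\drop.exe"] = (20_000, 2)  # inside the store

AFTER_LEAK = dict(BEFORE)
AFTER_LEAK[r"C:\Users\tester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"] = (20_000, 2)
AFTER_LEAK[r"C:\Users\tester\AppData\Local\Temp\~tmp1.dat"] = (300, 2)
AFTER_LEAK[r"C:\Windows\System32\kernel32.dll"] = (1_000, 2)  # same size, new mtime: modified

if __name__ == "__main__":
    for label, after in (("clean run", AFTER_CLEAN), ("leaking run", AFTER_LEAK)):
        leaks = diff_snapshots(BEFORE, after)
        print(f"{label}: {verdict(leaks)}")
        for leak in leaks:
            print(f"  {leak.kind:8} {'PRIVILEGED' if leak.privileged else 'user      '} {leak.path}")
```

On a real test box you would call `snapshot(r"C:\")` before executing the sample and again afterwards, then feed both dictionaries to `diff_snapshots`; the constructed dictionaries above only exist so the script runs offline. Comparing size and modification time rather than hashing keeps a full-drive snapshot fast, at the cost of missing a write that preserves both, which is acceptable for a leak check but not for integrity monitoring.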