https://www.youtube.com/watch?v=Rf9FwVwywM0
一样是 cruelsister1 的影片
昨天观看她测试360的影片 被她底下的一段留言吸引
Also, I did point out in an earlier Comodo video that malware that is signed
AND zero day will not be sandboxed.
今天总算找到之前她实证的影片
若恶意软件具有数位签章(我非本科 不太懂 digital signature 的机制)
即使 Comodo Firewall(CF) 已开沙盒 系统仍可被此恶意软件感染
所以管理 Trusted Vendors List(TVL) 还蛮重要的
设定 HIPS 为 Safe Mode 可以掩盖 Sandbox 此弱点 缺点是使用者自己要懂得如何决定
(记得删掉清单后不要勾选 Enable Cloud Lookup 免得又被加回来)
(TVL是比对数位签章 不是比对名字 啊我一开始是这么认为的 XD)
这影片对 CF 的使用者蛮重要的 我把影片中的文字重现如下
缩写
RAT: Remote Access Trojans
RasAuto services: Remote Access Auto Connection Manager and Remote Access
Connection Manager
Prelude
This video uses Comodo Firewall version 8.4.0.5076. Since it was produced
Comodo has released a beta version(10.0.0.5144) of Comodo Internet Security.
Note two things:
1).The Trusted Vendors List is as extensive as it was in version 8.4 and
2).the results seen in this video would be identical if we used the version
10 beta.
Fade to the vdieo...
I'd like to finish up both the RAT series and my vidoes for a while with
something I presented to Comodo about 6 months ago:
Today we will run the RAT with the following settings in place:
1).AV on, Sandbox on (Untrusted), HIPS off;
2).AV on, Sandbox on, HIPS on (Safe Mode).
(In each of the above the Firewall is at Safe Mode)
First off, let's change the Sandbox level from the not so good Default level
to the very good Untrusted level:
Note that above in addition to the signed RAT we have been using I've
included an unsigned one. As this would be typical of any malware that you may
come across let's first run that one first while monitoring for the dll drop
into Program Data:
Everything was contained within the sandbox, and the RAT wasn't even allowed
to drop the dll. No reboot is needed as the sytem remains clean.
Now let's try the signed RAT, monitor for the drop then reboot...
Well that sucked, but really isn't surprising. Just like AppGuard the RAT was
trusted because of the quality of the certificate and was able to drop the dll
and call up run32dll.exe to execute it. RasAuto was started and the dll is
operating via svchost.
And the issue of Comodo not being able to start on the reboot? A little added
something was included in the RAT to take Comodo down. It was expedient to do
so as a firewall no longer operating can't be expected to alert, log or
pervent Outbound connections.
Now on to something that I was delighted to see, and that is (surprisingly)
the HIPS module...
Now to move on to Comodo Firewall with HIPS active. We'll set it at the
Default "Safe Mode" level then run the RAT.
Spoiler Alert!!!- We will be getting a HIPS popup. Please note that added is a
choice to Block, Terminate, and Reverse. This is what we will choose...
Did you notice the dll drop into Program Data, then the HIPS module actually
trashing it after we hit the Block, Terminate, and Reverse function?
Seems very nice, but let's reboot and verify that the the dll is actually gone
and our RasAuto services are not active...
Looks like the Reverse function of the HIPS module worked just fine and gave
us protection in spite of the failure of the Sandbox.
Although the "Block, Terminate, and Reverse" choice of the HIPS alert is not
new (it's been there since at least version 8.2), I've never really seen a
need to enable the HIPS since the Sandbox is normally fine enough by itself.
But for maximum security against my malware it may not be a bad idea to throw
the HIPS into Safe Mode- at least until we see what's in the upcoming major
build of Comodo products.
Finally- I'm off this week on a rather extended assignment, so see you guys
again in the Fall...