https://www.youtube.com/watch?v=Rf9FwVwywM0 一樣是 cruelsister1 的影片 昨天觀看她測試360的影片 被她底下的一段留言吸引 Also, I did point out in an earlier Comodo video that malware that is signed AND zero day will not be sandboxed. 今天總算找到之前她實證的影片 若惡意軟體具有數位簽章(我非本科 不太懂 digital signature 的機制) 即使 Comodo Firewall(CF) 已開沙盒 系統仍可被此惡意軟體感染 所以管理 Trusted Vendors List(TVL) 還蠻重要的 設定 HIPS 為 Safe Mode 可以掩蓋 Sandbox 此弱點 缺點是使用者自己要懂得如何決定 (記得刪掉清單後不要勾選 Enable Cloud Lookup 免得又被加回來) (TVL是比對數位簽章 不是比對名字 啊我一開始是這麼認為的 XD) 這影片對 CF 的使用者蠻重要的 我把影片中的文字重現如下 縮寫 RAT: Remote Access Trojans RasAuto services: Remote Access Auto Connection Manager and Remote Access Connection Manager Prelude This video uses Comodo Firewall version 8.4.0.5076. Since it was produced Comodo has released a beta version(10.0.0.5144) of Comodo Internet Security. Note two things: 1).The Trusted Vendors List is as extensive as it was in version 8.4 and 2).the results seen in this video would be identical if we used the version 10 beta. Fade to the vdieo... I'd like to finish up both the RAT series and my vidoes for a while with something I presented to Comodo about 6 months ago: Today we will run the RAT with the following settings in place: 1).AV on, Sandbox on (Untrusted), HIPS off; 2).AV on, Sandbox on, HIPS on (Safe Mode). (In each of the above the Firewall is at Safe Mode) First off, let's change the Sandbox level from the not so good Default level to the very good Untrusted level: Note that above in addition to the signed RAT we have been using I've included an unsigned one. As this would be typical of any malware that you may come across let's first run that one first while monitoring for the dll drop into Program Data: Everything was contained within the sandbox, and the RAT wasn't even allowed to drop the dll. No reboot is needed as the sytem remains clean. Now let's try the signed RAT, monitor for the drop then reboot... Well that sucked, but really isn't surprising. Just like AppGuard the RAT was trusted because of the quality of the certificate and was able to drop the dll and call up run32dll.exe to execute it. RasAuto was started and the dll is operating via svchost. And the issue of Comodo not being able to start on the reboot? A little added something was included in the RAT to take Comodo down. It was expedient to do so as a firewall no longer operating can't be expected to alert, log or pervent Outbound connections. Now on to something that I was delighted to see, and that is (surprisingly) the HIPS module... Now to move on to Comodo Firewall with HIPS active. We'll set it at the Default "Safe Mode" level then run the RAT. Spoiler Alert!!!- We will be getting a HIPS popup. Please note that added is a choice to Block, Terminate, and Reverse. This is what we will choose... Did you notice the dll drop into Program Data, then the HIPS module actually trashing it after we hit the Block, Terminate, and Reverse function? Seems very nice, but let's reboot and verify that the the dll is actually gone and our RasAuto services are not active... Looks like the Reverse function of the HIPS module worked just fine and gave us protection in spite of the failure of the Sandbox. Although the "Block, Terminate, and Reverse" choice of the HIPS alert is not new (it's been there since at least version 8.2), I've never really seen a need to enable the HIPS since the Sandbox is normally fine enough by itself. But for maximum security against my malware it may not be a bad idea to throw the HIPS into Safe Mode- at least until we see what's in the upcoming major build of Comodo products. Finally- I'm off this week on a rather extended assignment, so see you guys again in the Fall... -- ※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 180.176.189.187 ※ 文章網址: https://www.ptt.cc/bbs/AntiVirus/M.1476713799.A.28B.html ※ 編輯: fema (180.176.189.187), 10/17/2016 22:42:20 ※ 編輯: fema (180.176.189.187), 10/17/2016 22:53:28 ※ 編輯: fema (180.176.189.187), 10/17/2016 22:56:27