https://www.youtube.com/watch?v=Rf9FwVwywM0 一样是 cruelsister1 的影片 昨天观看她测试360的影片 被她底下的一段留言吸引 Also, I did point out in an earlier Comodo video that malware that is signed AND zero day will not be sandboxed. 今天总算找到之前她实证的影片 若恶意软体具有数位签章(我非本科 不太懂 digital signature 的机制) 即使 Comodo Firewall(CF) 已开沙盒 系统仍可被此恶意软体感染 所以管理 Trusted Vendors List(TVL) 还蛮重要的 设定 HIPS 为 Safe Mode 可以掩盖 Sandbox 此弱点 缺点是使用者自己要懂得如何决定 (记得删掉清单後不要勾选 Enable Cloud Lookup 免得又被加回来) (TVL是比对数位签章 不是比对名字 啊我一开始是这麽认为的 XD) 这影片对 CF 的使用者蛮重要的 我把影片中的文字重现如下 缩写 RAT: Remote Access Trojans RasAuto services: Remote Access Auto Connection Manager and Remote Access Connection Manager Prelude This video uses Comodo Firewall version 8.4.0.5076. Since it was produced Comodo has released a beta version(10.0.0.5144) of Comodo Internet Security. Note two things: 1).The Trusted Vendors List is as extensive as it was in version 8.4 and 2).the results seen in this video would be identical if we used the version 10 beta. Fade to the vdieo... I'd like to finish up both the RAT series and my vidoes for a while with something I presented to Comodo about 6 months ago: Today we will run the RAT with the following settings in place: 1).AV on, Sandbox on (Untrusted), HIPS off; 2).AV on, Sandbox on, HIPS on (Safe Mode). (In each of the above the Firewall is at Safe Mode) First off, let's change the Sandbox level from the not so good Default level to the very good Untrusted level: Note that above in addition to the signed RAT we have been using I've included an unsigned one. As this would be typical of any malware that you may come across let's first run that one first while monitoring for the dll drop into Program Data: Everything was contained within the sandbox, and the RAT wasn't even allowed to drop the dll. No reboot is needed as the sytem remains clean. Now let's try the signed RAT, monitor for the drop then reboot... Well that sucked, but really isn't surprising. Just like AppGuard the RAT was trusted because of the quality of the certificate and was able to drop the dll and call up run32dll.exe to execute it. RasAuto was started and the dll is operating via svchost. And the issue of Comodo not being able to start on the reboot? A little added something was included in the RAT to take Comodo down. It was expedient to do so as a firewall no longer operating can't be expected to alert, log or pervent Outbound connections. Now on to something that I was delighted to see, and that is (surprisingly) the HIPS module... Now to move on to Comodo Firewall with HIPS active. We'll set it at the Default "Safe Mode" level then run the RAT. Spoiler Alert!!!- We will be getting a HIPS popup. Please note that added is a choice to Block, Terminate, and Reverse. This is what we will choose... Did you notice the dll drop into Program Data, then the HIPS module actually trashing it after we hit the Block, Terminate, and Reverse function? Seems very nice, but let's reboot and verify that the the dll is actually gone and our RasAuto services are not active... Looks like the Reverse function of the HIPS module worked just fine and gave us protection in spite of the failure of the Sandbox. Although the "Block, Terminate, and Reverse" choice of the HIPS alert is not new (it's been there since at least version 8.2), I've never really seen a need to enable the HIPS since the Sandbox is normally fine enough by itself. But for maximum security against my malware it may not be a bad idea to throw the HIPS into Safe Mode- at least until we see what's in the upcoming major build of Comodo products. Finally- I'm off this week on a rather extended assignment, so see you guys again in the Fall... --

※ 发信站: 批踢踢实业坊(ptt.cc), 来自: 180.176.189.187 ※ 文章网址: https://webptt.com/cn.aspx?n=bbs/AntiVirus/M.1476713799.A.28B.html ※ 编辑: fema (180.176.189.187), 10/17/2016 22:42:20 ※ 编辑: fema (180.176.189.187), 10/17/2016 22:53:28 ※ 编辑: fema (180.176.189.187), 10/17/2016 22:56:27