How can I test the antivirus/antimalware protection and how to optimize profiles?

Hi,

Are there any tests or method to test how well the endpoint client is protected against Malware?
There are so many settings, and the profiles I use are based on the default “Hardened Windows Profile for ITSM 6.10”.

Some random antimalware-tests ran fine without any warning:

So my question is:
Are there any recommended settings and how can I test how secure the protection is and how to tighten it up?

A subforum regarding security/configuration settings or how to optimize profile settings would be very useful.

Regards.

oh well…
today’s technologies use “Detection” as a method of “Protection”…therefore the measure of success is based on “detection” of malware…The protection comes from the ability to detect the malware so that you can stop it…

Any testing is limited to the “malware zoo” they have…
what that means is: they have a library of malware and they see how many of these are detected by an endpoint protection product.

I have two problems with the above…

1) Detection should NOT be your protection
2) Testing is based on who provides you the source of malware…and more importantly Malware Authors are not stupid enough to release their new creation without first making sure it’s not detected…

The real enemy is the Undetected Malware, and there is no test against that.

Here is a question:
Why, in the cybersecurity industry, do enterprises spend more money every year, but the problem gets bigger every year?

Hi @melih ,

Thanks for responding.
I understand and respect your point.
And your question is the reason I want my clients to be well protected: “Why, in the cybersecurity industry, do enterprises spend more money every year, but the problem gets bigger every year?”
That’s why I convinced them all to use this platform.

But then, for my own credibility, I (and, I think, every MSP) have to make sure I have configured the endpoint to my best ability.

Please note that nearly 4 years ago, I also had a client with CCS who was caught with ransomware (bacon@oddwallps.com), despite using the default profiles.

So I just opened some test malware scripts and was surprised that nearly nothing was detected or blocked!

Comodo is now promoting its AEP as very effective against Cybersecurity and I want to make sure it’s configured OK:
See: Advanced Endpoint Protection | Leading Zero Trust Endpoint Security

The ransomware problem is growing every day.
So a security policy (read CCS profile) has to be re-evaluated once in a while.

So my question stands: How can I test or make sure that an endpoint is well protected?
The ‘test’ I did proved otherwise and allowed the ‘malware’ software.

It would be nice to have a subforum regarding profile-settings and optimum settings.

Ah…so the question is more of “what settings/configurations”?
A subgroup is a great idea for that.

Hi @Melih,

Yes. That was my question.
And a subgroup to share ideas regarding profile settings would be great.

This topic could be the first because I still hope to hear how I can block the tested malware…

with Comodo, any untrusted new executable (aka unknown) goes into auto containment…which, when run, shows a green border around it…
so any new malware you run, if it shows a green border around it…then it’s running in the virtual environment (eg: auto containment) and there shouldn’t be damage…

Yes, it should work like that, but in this case it wasn’t working.
I didn’t get a warning and the program wasn’t contained.

The test program could create and alter registry keys, create files on the drive and install and activate a keylogger.

Theoretically, HIPS should also kick in but also didn’t.

Note that my used CCS profile was based on the default Hardened profile like I was advised to use a few years ago.

That’s why I think that nowadays with all the daily ransomware messages, it’s a good time to revise the security level of the endpoints.

The subforum will let us learn from each other.

Most likely it wasn’t installed/configured properly…

but I agree a subforum will be a great way for the community to help each other.

btw: What shall we call this subgroup?

I would also be interested. Maybe just “CCS profiles”? The problem is I don’t see lots of MSPs here willing (or having the time) to share problems and solutions.
Anyway a question: if that test had been done on an endpoint protected by SOCaaP what would have been the result?

@melih,

Yes, maybe it wasn’t configured properly. But as I use the Default Hardened profile as basis (which was configured by Itarian/Comodo), more likely everyone using this profile would be vulnerable.
This just proves my point that there should be a way to test and evaluate the endpoint configurations.

Thanks for listening for a solution. I know, I give a lot of positive criticism, but it’s only for trying to uplift the all-round functionality of the platform so we all can benefit from this.
(In other posts I have some more little suggestions for some minor improvements for this platform, which would increase the basic functionality a lot for us all… Please feel free to ask me more…)

A name could be “Endpoint configuration profiles” or just “CCS profiles” like mentioned above.
But if the staff has a better or more catchy name that would cover the topics, it would also be fine.

Thanks again

Hello,

Can Itarian support tell how I can test or check the settings?
The default “Windows Hardened” profile settings are still wide open for the test malware and devices are vulnerable.

Regards

Hello @ailan ,

We are currently preparing all necessary documentation for a subtopic “Best Practices for Configuring Comodo Advanced Endpoint Protection”. It will be ready very soon.

Best regards,
Ilgaz

Hi @Ilgaz,

Sounds good.

Can you tell how long it will take, roughly?
Will my question also be addressed?
We are going toward the end of the year, and more and more malware will become active around these days.

Regards

I’m watching this thread with interest.

Are there any more details on this “windows hardened” profile ?

Hi @originalscan,

We will notify here once the subtopic is created.

Kind Regards,
PremJK

Looking forward to seeing this also.

Hi @ilgazy ,
Nearly 2 months further. Still preparing?

Regards.

It looks like you all are collecting A LOT of ‘necessary documentation’, looking at the time taken.

3 months further.
Any info regarding this topic?
When and how to check the endpoint security?

Lately all the activities from Itarian (forum, support, improvements, updates) are very (s)low.

Looking forward to this. I suggest that the default profiles be revised at least every quarter based on the intelligence collected by Comodo around the globe. The goal is to stay proactive and not reactive.