App Review Comodo's challenge part 2.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
This video is a continuation of the previous one. I used the default settings of Internet Security configuration + enabled HIPS + most restrictive Auto-Containment for all Unrecognized files.
I also confirmed that the Comodo Firewall cannot be fixed and the stopped Comodo's service does not work after manual start.

 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,164
Looking forward to watching.

Out of curiosity does the CMD create a start-up entry or is it simply changing the service to disabled?

Anyway, nice test. I just would love to see an example of an infection or attack where this happens real world but one can keep searching ;)

P.S. You need to restart the machine when changing the configuration. CF/CIS use to prompt you in older versions but doesn't seem to beyond after first installation these days for some reason.
 
Last edited:

simmerskool

Level 36
Verified
Top Poster
Well-known
Apr 16, 2017
2,589
I LIKE the text on the screen to explain as you go thru the video, how it is set, what to expect...
Does the video have sound? Not saying it should have sound, just wonder if I'm the only one hearing sillence in my headphones as I watch...
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
Looking forward to watching.

Out of curiosity does the CMD create a start-up entry or is it simply changing the service to disabled?

None of them.

Anyway, nice test. I just would love to see an example of an infection or attack where this happens real world but one can keep searching ;)

You will probably be disappointed (the chances of seeing it in a widespread attack are close to 0).:)

P.S. You need to restart the machine when changing the configuration. CF/CIS use to prompt you in older versions but doesn't seem to beyond after first installation these days for some reason.

Yes, I know. The system was restarted several times before I made the optimal video.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
I LIKE the text on the screen to explain as you go thru the video, how it is set, what to expect...
Does the video have sound? Not saying it should have sound, just wonder if I'm the only one hearing sillence in my headphones as I watch...

I tried to add some music, but my taste is unpopular (jazz rock, hard rock, progressive rock, etc.). The music did not help in understanding the video.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
Well Comodo with or without HIPS, the result is the same :)

And for Comodo's Fanboy (or cry babys), the Sandbox was activated, see the video :)

There are probably some tolerable and strong settings that could stop the attack method. But not the default config + HIPS (see Comodo's challenge part 2).
Anyway, the full attack has to also include UAC bypass or very convincing social engineering, except for the lateral movement scenario. The setup from Comodo's challenge part 2 will prevent many UAC bypasses, so many in-the-wild attacks can be prevented.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
Thanks again @Andy Ful for testing again. Your testing methodology is thorough and professional from start to finish, and you make it so easy to follow and understand what's happening with every step of the way (y) Also thank you for testing the Fix it! alert.

I saw you used HIPS on safe mode, but in post #60 of Part 1, you mentioned Comodo crashed. I'm surprised it would crash in Safe mode. In paranoid mode I'd expect crashes and even worse: the crippling of the system making it unbootable :D
 
Last edited:

rashmi

Level 11
Jan 15, 2024
548
I watched both tests.
1. It doesn't matter what containment setting you use because Comodo is trusting the attack file as the user is starting it, not an unknown program. Comodo won't contain the attack file.
2. The attack seems to bypass HIPS in the default internet security configuration. I don't know if you will test HIPS in proactive configuration.
3. You may run the attack file in containment to see if it breaks out of the containment or disables Comodo.
 

rashmi

Level 11
Jan 15, 2024
548
Could you please redo the test with "COMODO - Proactive Security" configuration? This configuration offers the best system protection HIPS wise...
I asked him for the attack files. If he sends the attack files, I'll do a few tests on my system with the current beta 3. I won't prepare a video because I don't know these things.
 
  • Like
Reactions: Nevi and roger_m

rashmi

Level 11
Jan 15, 2024
548
Isn’t that how most attacks start? With effective social engineering tricking the user to run something? What you said here doesn’t make too much sense.
It is from the developer's reply for the first test. I simplified that setting different sandbox restrictions means nothing because...
Regarding mentioned video. Here HIPS module not only deny any malicious cmd execution but also protects CIS internal processes, keys, files etc. So here the analyst disabled it first using admin rights. After that point, none of the sensitive processes, keys, files are protected. I think “disable CF” script also writes to registry to stop cmdvirth.exe thats why he required a restart at that point. So basically he is also stopping containment too.

So if HIPS was not disabled by admin at first place, this case wont happen anyway. Even if that state if an Unknown application launching CMD, CIS would contain it whereas the user is launching it themselves.
So Its not a programmatic attack but user himself, on the computer is turning things off.
 
F

ForgottenSeer 107474

@rashmi I understand that you repost the official answer which says that Comodo behavior is by design and it is not a bypass.

I agree that when it is by design it is not a bypass, but I also agree with @Trident that most social enginering and staged phishing attacks start by luring a user to launch an application or poisoned document themselves.

Therefor the design decision of Comodo is questionable at the least, since most of these intrusions start by fooling the user to ckick-start unsafe code themselves
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I agree that when it is by design it is not a bypass
Vulnerabilities by definition are design or implementation errors that can compromise the confidentiality, integrity and availability of information. So a poor design choice can be classified as weakness/vulnerability. Normally AV vendors consider as vulnerability everything that can not be fixed by releasing a definition/heuristic/behavioural profile.

This POC doesn’t exploit modules to execute arbitrary code, but impairs defences. It is not to be underestimated. Comodo has just written it off carelessly.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Vulnerabilities by definition are design or implementation errors that can compromise the confidentiality, integrity and availability of information. So a poor design choice can be classified as weakness/vulnerability. Normally AV vendors consider as vulnerability everything that can not be fixed by releasing a definition/heuristic/behavioural profile.

This POC doesn’t exploit modules to execute arbitrary code, but impairs defences. It is not to be underestimated. Comodo has just written it off carelessly.
They always deny any issues because of lack of information or if information is given, they mention that it is out of scope of their product.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
Thanks again @Andy Ful for testing again. Your testing methodology is thorough and professional from start to finish, and you make it so easy to follow and understand what's happening with every step of the way (y) Also thank you for testing the Fix it! alert.

I saw you used HIPS on safe mode, but in post #60 of Part 1, you mentioned Comodo crashed. I'm surprised it would crash in Safe mode. In paranoid mode I'd expect crashes and even worse: the crippling of the system making it unbootable :D

Normally, the Safe Mode + default Internet Security configuration should work well (although it is disabled by default). In my case, Comodo crashed in much more restricted configuration. If I correctly remember It was Proactive configuration with settings similar to @cruelsister + maxed Script Analysis. I noticed that this setup is unusable (blocked many things), so I tried to restore the default settings of Script Analysis. In this moment Comodo showed errors, the system behaved strangely, and I could not fix it. :confused:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
I watched both tests.
1. It doesn't matter what containment setting you use because Comodo is trusting the attack file as the user is starting it, not an unknown program. Comodo won't contain the attack file.

Yes, it "trusts" in some way the POC in the settings presented in the video. The trust comes from the fileless method. Comodo can trust many LOLBins, does not contain some file types, and CmdLines. So one can say that it assumes them as trusted or more precisely as not so dangerous. It is possible to add some additional restrictions to block the attack (as I mentioned in the first thread about Comodo).

2. The attack seems to bypass HIPS in the default internet security configuration. I don't know if you will test HIPS in proactive configuration.

Look here:
https://malwaretips.com/threads/comodos-challenge-part-2.129514/post-1078812

3. You may run the attack file in containment to see if it breaks out of the containment or disables Comodo.

There is no need. The POC was not prepared to escape the sandbox.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
In my case, Comodo crashed in much more restricted configuration. If I correctly remember It was Proactive configuration with settings similar to @cruelsister + maxed Script Analysis. I noticed that this setup is unusable (blocked many things), so I tried to restore the default settings of Script Analysis. In this moment Comodo showed errors, the system behaved strangely, and I could not fix it. :confused:

A few years ago when I used Comodo with the much more restrictive HIPS "Paranoid mode", the only way I could manage to make this mode usable without crippling Windows was to immediately put it in "Learning mode", then reboot several times, log out and back in, do most of the basic stuff I would normally do on a daily basis such as open the web browser, email client, any office apps, and most of the basic Windows actions such as open Explorer, check updates, settings, etc...This way rules would be automatically created on the fly.

It's not ideal, of course, but there was no other way otherwise it would bork Windows because the HIPS would block something critical that Windows needs to function properly. it seems the same issue, maybe to a lesser extent but an issue nonetheless, occurs with HIPS in Proactive mode. Obviously Learning mode must be done on a known, clean system, and the user must take care not to incur infection while doing so :)

EDIT

Perhaps Comodo devs could consider baking into the product, a minimum set of rules that allows Windows to function at a basic level whenever the user wants enable HIPS in any mode.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top