Bypassing Comodo Internet Security (with video)


Deleted member 178

Thread author
This post discusses the issues that arise from the reliance on user-mode control flow monitoring techniques for the implementation of systems such as Host Based Intrusion Detection Systems, Sandboxes, Function Tracers, etc. It focuses on a single HIPS product offered by Comodo [1], a well respected company that helps the community by offering a number of their products free of charge. However, the techniques used by this product are not completely bulletproof and can be exploited by malicious agents to disable its protection barriers or circumvent Operating System protections and deliver an unwanted payload.

Throughout the next paragraphs we will briefly analyze the techniques used by the Comodo Internet Security Premium product to install the HIPS technology for monitoring a single application as well as the environmental effects it has inside the processes’ address space. We shall then introduce the dangers and attack vectors this technique creates and eventually provide an example proof of concept technique to stop the monitor’s installation...

more HERE

Now I just have to wait for the fanboys' retaliation and maybe Comodo's denial :D


Koroke San

Level 29
Verified
Jan 22, 2014
1,804
This is an old video. I think they improved their holes in security, but I know it's not 100% bulletproof like umbra total security, so anything can happen, who knows :rolleyes:

Deleted member 178

Thread author
If you have CIS installed, you can check it now; the tool is available at the bottom of the blog post.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Put it on the Comodo forum, the mods and fanboys will have a right argument, even Melih might join in! If you're lucky ;)
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
I never understood why Partially Limited is their default setting when it's been proved it can be bypassed by ransomware etc.
 

Jaspion

Level 17
Verified
Jun 5, 2013
841
I never understood why Partially Limited is their default setting when it's been proved it can be bypassed by ransomware etc.
The reason is CIS (or CF/CAV) will always end up sandboxing some legitimate processes. The default level is Partially Limited because it still allows the sandboxed programs to change the system a little. (Whereas higher levels allow fewer unsandboxed actions; well, up to Fully Sandboxed, where you don't allow any unsandboxed actions.) So if, or rather, when you sandbox a legitimate process, it can still make superficial changes to the system, meaning there is a better chance it won't be broken by being sandboxed.

Tony Cole

Level 27
Verified
May 11, 2014
1,639
That's very true, I never thought about that. We must remember though that Melih and the Mods recommend Limited or higher.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,225
I'm really surprised by this post. Note that the testing was completed in the 2011-2012 timeframe, which if memory serves was the initial release of Comodo version 6. At that time a number of things bypassed Comodo at default levels (some Ransomware, Rootkits, and a little simple beauty that I wrote and actually posted about on their forums). All of these things were reported and, in spite of some very absurd comments by "Comodo Heroes", the developers actually took action on all.

As the years have passed the default sandbox level has improved; even so my suggestion is to set the sandbox at the Full V level with HIPS off (as it really doesn't add anything to protection).

illumination

Thread author
The reason is CIS (or CF/CAV) will always end up sandboxing some legitimate processes. The default level is Partially Limited because it still allows the sandboxed programs to change the system a little. (Whereas higher levels allow less unsandboxed actions; well up to Fully Sandboxed, where you don't allow any unsandboxed actions.) So if, or rather, when you sandbox a legitimate process, it can still make superficial changes to the system, meaning there is a better chance it won't be broken by being sandboxed.

I would never, even now, use Partially Limited; it defeats the purpose by allowing system changes. Just as in the video, when isolated, the pop-up appeared, giving the user the chance to click "Don't Isolate it Again" for legitimate processes.
 
