Bypassing Comodo Internet Security (with video)

Thread author: Deleted member 178
This post discusses the issues that arise from the reliance on user-mode control flow monitoring techniques for the implementation of systems such as Host Based Intrusion Detection Systems, Sandboxes, Function Tracers, etc. It focuses on a single HIPS product offered by Comodo [1], a well respected company that helps the community by offering a number of their products free of charge. However, the techniques used by this product are not completely bulletproof and can be exploited by malicious agents to disable its protection barriers or circumvent Operating System protections and deliver an unwanted payload.

Throughout the next paragraphs we will briefly analyze the techniques used by the Comodo Internet Security Premium product to install the HIPS technology for monitoring a single application, as well as the environmental effects it has inside the process's address space. We shall then introduce the dangers and attack vectors this technique creates and eventually provide an example proof-of-concept technique to stop the monitor's installation...

more HERE

Now I just have to wait for the fanboys' retaliation and maybe Comodo's denial :D

This is an old video. I think they improved their holes in security, but I know it's not 100% bulletproof like Umbra Total Security, so anything can happen, who knows :rolleyes:
 
If you have CIS installed, you can check it now; the tool is available at the bottom of the blog post.
 
Put it on the Comodo forum, the mods and fanboys will have a right argument, even Melih might join in! If you're lucky ;)
 
I never understood why Partially Limited is their default setting when it's been proved it can be bypassed by ransomware etc.
 
> I never understood why Partially Limited is their default setting when it's been proved it can be bypassed by ransomware etc.
The reason is CIS (or CF/CAV) will always end up sandboxing some legitimate processes. The default level is Partially Limited because it still allows the sandboxed programs to change the system a little. (Whereas higher levels allow less unsandboxed actions; well up to Fully Sandboxed, where you don't allow any unsandboxed actions.) So if, or rather, when you sandbox a legitimate process, it can still make superficial changes to the system, meaning there is a better chance it won't be broken by being sandboxed.
 
That's very true; I never thought about that. We must remember, though, that Melih and the mods recommend Limited or higher.
 
I'm really surprised by this post. Note that the testing was completed in the 2011-2012 timeframe, which, if memory serves, was the initial release of Comodo version 6. At that time a number of things bypassed Comodo at default levels (some ransomware, rootkits, and a little simple beauty that I wrote and actually posted about on their forums). All of these things were reported and, in spite of some very absurd comments by "Comodo Heroes", the developers actually took action on all.

As the years have passed the default sandbox level has improved; even so my suggestion is to set the sandbox at the Full V level with HIPS off (as it really doesn't add anything to protection).
 
> The reason is CIS (or CF/CAV) will always end up sandboxing some legitimate processes. The default level is Partially Limited because it still allows the sandboxed programs to change the system a little. (Whereas higher levels allow less unsandboxed actions; well up to Fully Sandboxed, where you don't allow any unsandboxed actions.) So if, or rather, when you sandbox a legitimate process, it can still make superficial changes to the system, meaning there is a better chance it won't be broken by being sandboxed.

I would never, even now, use Partially Limited; it defeats the purpose by allowing system changes. Just as in the video, when isolated, the pop-up appeared, giving the user the chance to click "Don't Isolate It Again" for legitimate processes.