Advice Request Comodo Embedded Code Detection -- What to Add?

[shmu26]

What are some script interpreters that it's good to add to the default list?
The first thing that comes to my mind is bitsdmin.

@AtlBo, any thoughts?

 

[509322]

What are some script interpreters that it's good to add to the default list?
The first thing that comes to my mind is bitsdmin.

It's pointless to ask if there is no detailed explanation as to how the COMODO embedded code detection works. If it only inspects for cmd, PoSh, wscript, then adding a bunch of command line utilities, .NET Framework and other stuff to it will amount to nothing.

It isn't going to magically detect all malicious script code. It has to pattern match and there is a limit to that. If you don't know the extent of its pattern matching functionality and capabilities, then it is an exercise in futility to just start blindly slapping processes onto a default list.

This is a question for COMODO support.

Good luck on that one.

 

[SHvFl]

What is the point? You use the hips module only?
If you use the sandbox everything will be isolated so who cares if the script is saying hello world or it's the most advanced ransomware. Worry more about the hundreds of bugs that you adding applications to a comodo module will produce.

 

[shmu26]

What is the point?

1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: The big issue here is that Comodo needs to write the script to a file type that the interpreter will recognize. So I suspect that you are right, it won't work for new interpreters, because Comodo won't know what file type to use. On the other hand, the list is customisable, you can add anything you want.
I don't know how to test it, if you can give me an idea...

 

[SHvFl]

1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: No one on the Comodo forum is willing to define for me exactly what an "embedded script" is, but they have expanded the list, and it is designed to be customizable, so it should be able to handle additional interpreters.

Why would an app that managed to get access would want to use scripts? The reason they use scripts it's because antivirus companies suck in detecting them and they usually download the payload. Don't think in any universe an application that has access will try and use other windows applications to do its job.
Maybe i am missing your goal though so good luck.

 

[509322]

1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: No one on the Comodo forum is willing to define for me exactly what an "embedded script" is, but they have expanded the list, and it is designed to be customizable, so it should be able to handle additional interpreters.

Really ?

What is the extent of its pattern matching capabilities then ? How does it differentiate between legit and malicious code ?

Put the entirety of C:\ into the list then.

 

[shmu26]

Really ?

What is the extent of its pattern matching capabilities then ? How does it differentiate between legit and malicious code ?

Put the entirety of C:\ into the list then.

It does not differentiate. It prompts for everything defined as a "script".

 

[509322]

It does not differentiate. It prompts for everything defined as a "script".

Then what does it do ?

How does it work ?

 

[shmu26]

Why would an app that managed to get access would want to use scripts? The reason they use scripts it's because antivirus companies suck in detecting them and they usually download the payload. Don't think in any universe an application that has access will try and use other windows applications to do its job.
Maybe i am missing your goal though so good luck.

I guess I didn't explain myself very well. Let's say I open a malicious PDF doc that calls bitsadmin to download the payload. I want Comodo to block the fileless script that calls bitsadmin. Does that make sense?

 

[shmu26]

Comodo needs to write the script to a file type that the interpreter will recognize.

So if this is true, why is code detection enabled by default for rundll32? What type of script file is associated with it?
In fact, I don't get prompts from Comodo for rundll32, when I should.
My tentative conclusion: Embedded code detection is just another one of those half-baked Comodo things that don't behave as expected.

 

[Andytay70]

What version of comodo is this code detection in as i'm running 11.0.0.6728 and don't see this option?.

 

[509322]

I guess I didn't explain myself very well. Let's say I open a malicious PDF doc that calls bitsadmin to download the payload. I want Comodo to block the fileless script that calls bitsadmin. Does that make sense?

So if this is true, why is code detection enabled by default for rundll32? What type of script file is associated with it?
In fact, I don't get prompts from Comodo for rundll32, when I should.
My tentative conclusion: Embedded code detection is just another one of those half-baked Comodo things that don't behave as expected.

You have to know how it works. How does it parse\identify the code and for which processes ?

You assume that by adding processes to the default list that it is going to work for each and every process added to the list - and it just isn't.

Without a detailed explanation from COMODO support of how it works and the extent of its capabilities, it is all guessing and speculation.

 

[shmu26]

What version of comodo is this code detection in as i'm running 11.0.0.6728 and don't see this option?.

It's there.
Settings/Advanced protection/Miscellaneous/Do heuristic...

 

[shmu26]

You have to know how it works. How does it parse\identify the code and for which processes ?

You assume that by adding processes to the default list that it is going to work for each and every process added to the list - and it just isn't.

Without a detailed explanation from COMODO support of how it works and the extent of its capabilities, it is all guessing and speculation.

They won't explain it, and they probably don't understand it themselves.
All I can say from my limited experience is that it does a good job catching command lines for cmd (if you enable it) and powershell.

 

[Eddie Morra]

If Comodo owned a bakery shop, they'd be going down on charges of fraud for not delivering more than half the amount of bread the customer paid for.

Luckily for them, they do not own a bakery shop for selling bread.

 

[Andytay70]

It's there.
Settings/Advanced protection/Miscellaneous/Do heuristic...

Ah, found it maybe i need glasses duh!

Thanks @shmu26,

 

[shmu26]

If Comodo owned a bakery shop, they'd be going down on charges of fraud for not delivering more than half the amount of bread the customer paid for.

Luckily for them, they do not own a bakery shop for selling bread.

 

[509322]

All I can say from my limited experience is that it does a good job catching command lines for cmd (if you enable it) and powershell.

That tells me it is parsing only for cmd and PoSh. So if you add other processes you will get nothing from it.

And even then it sounds as if they don't include cmd in the default list because it can generate a lot of alerts... I'm assuming there are alerts associated with this feature.

 

[509322]

Only foolish people want to be bothered with COMODO's crap and put up with no answers. Heck, if you want that kind of punishment you get enough of it just from Windows.

 

[shmu26]

That tells me it is parsing only for cmd and PoSh. So if you add other processes you will get nothing from it.

And even then it sounds as if they don't include cmd in the default list because it can generate a lot of alerts... I'm assuming there are alerts associated with this feature.

Yes, cmd produces too many alerts for the average noob to survive. That is why they modified the default config and disabled code detection for cmd.
The other monitored processes are much rarer and don't run on my system, such as java and python.