Advice Request Comodo Embedded Code Detection -- What to Add?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
What are some script interpreters that it's good to add to the default list?
The first thing that comes to my mind is bitsdmin.

@AtlBo, any thoughts?
 
Last edited:
5

509322

What are some script interpreters that it's good to add to the default list?
The first thing that comes to my mind is bitsdmin.

It's pointless to ask if there is no detailed explanation as to how the COMODO embedded code detection works. If it only inspects for cmd, PoSh, wscript, then adding a bunch of command line utilities, .NET Framework and other stuff to it will amount to nothing.

It isn't going to magically detect all malicious script code. It has to pattern match and there is a limit to that. If you don't know the extent of its pattern matching functionality and capabilities, then it is an exercise in futility to just start blindly slapping processes onto a default list.

This is a question for COMODO support.

Good luck on that one.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
What is the point? You use the hips module only?
If you use the sandbox everything will be isolated so who cares if the script is saying hello world or it's the most advanced ransomware. Worry more about the hundreds of bugs that you adding applications to a comodo module will produce.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
What is the point?
1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: The big issue here is that Comodo needs to write the script to a file type that the interpreter will recognize. So I suspect that you are right, it won't work for new interpreters, because Comodo won't know what file type to use. On the other hand, the list is customisable, you can add anything you want.
I don't know how to test it, if you can give me an idea...
 
Last edited:

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: No one on the Comodo forum is willing to define for me exactly what an "embedded script" is, but they have expanded the list, and it is designed to be customizable, so it should be able to handle additional interpreters.
Why would an app that managed to get access would want to use scripts? The reason they use scripts it's because antivirus companies suck in detecting them and they usually download the payload. Don't think in any universe an application that has access will try and use other windows applications to do its job.
Maybe i am missing your goal though so good luck.
 
5

509322

1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: No one on the Comodo forum is willing to define for me exactly what an "embedded script" is, but they have expanded the list, and it is designed to be customizable, so it should be able to handle additional interpreters.

Really ?

What is the extent of its pattern matching capabilities then ? How does it differentiate between legit and malicious code ?

Put the entirety of C:\ into the list then.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Really ?

What is the extent of its pattern matching capabilities then ? How does it differentiate between legit and malicious code ?

Put the entirety of C:\ into the list then.
It does not differentiate. It prompts for everything defined as a "script".
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Why would an app that managed to get access would want to use scripts? The reason they use scripts it's because antivirus companies suck in detecting them and they usually download the payload. Don't think in any universe an application that has access will try and use other windows applications to do its job.
Maybe i am missing your goal though so good luck.
I guess I didn't explain myself very well. Let's say I open a malicious PDF doc that calls bitsadmin to download the payload. I want Comodo to block the fileless script that calls bitsadmin. Does that make sense?
 
  • Like
Reactions: vtqhtr413

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Comodo needs to write the script to a file type that the interpreter will recognize.
So if this is true, why is code detection enabled by default for rundll32? What type of script file is associated with it?
In fact, I don't get prompts from Comodo for rundll32, when I should.
My tentative conclusion: Embedded code detection is just another one of those half-baked Comodo things that don't behave as expected.
 

Andytay70

Level 15
Verified
Top Poster
Well-known
Jul 6, 2015
737
What version of comodo is this code detection in as i'm running 11.0.0.6728 and don't see this option?.
 
5

509322

I guess I didn't explain myself very well. Let's say I open a malicious PDF doc that calls bitsadmin to download the payload. I want Comodo to block the fileless script that calls bitsadmin. Does that make sense?

So if this is true, why is code detection enabled by default for rundll32? What type of script file is associated with it?
In fact, I don't get prompts from Comodo for rundll32, when I should.
My tentative conclusion: Embedded code detection is just another one of those half-baked Comodo things that don't behave as expected.

You have to know how it works. How does it parse\identify the code and for which processes ?

You assume that by adding processes to the default list that it is going to work for each and every process added to the list - and it just isn't.

Without a detailed explanation from COMODO support of how it works and the extent of its capabilities, it is all guessing and speculation.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
You have to know how it works. How does it parse\identify the code and for which processes ?

You assume that by adding processes to the default list that it is going to work for each and every process added to the list - and it just isn't.

Without a detailed explanation from COMODO support of how it works and the extent of its capabilities, it is all guessing and speculation.
They won't explain it, and they probably don't understand it themselves.
All I can say from my limited experience is that it does a good job catching command lines for cmd (if you enable it) and powershell.
 
5

509322

All I can say from my limited experience is that it does a good job catching command lines for cmd (if you enable it) and powershell.

That tells me it is parsing only for cmd and PoSh. So if you add other processes you will get nothing from it.

And even then it sounds as if they don't include cmd in the default list because it can generate a lot of alerts... I'm assuming there are alerts associated with this feature.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
That tells me it is parsing only for cmd and PoSh. So if you add other processes you will get nothing from it.

And even then it sounds as if they don't include cmd in the default list because it can generate a lot of alerts... I'm assuming there are alerts associated with this feature.
Yes, cmd produces too many alerts for the average noob to survive. That is why they modified the default config and disabled code detection for cmd.
The other monitored processes are much rarer and don't run on my system, such as java and python.
 
  • Like
Reactions: vtqhtr413
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top