Advice Request Comodo Embedded Code Detection -- What to Add?

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Jul 3, 2015
8,148
1
31,237
8,388
Middle Earth
What are some script interpreters that it's good to add to the default list?
The first thing that comes to my mind is bitsdmin.

@AtlBo, any thoughts?
 
Last edited:
  • Like
Reactions: Moonhorse and vtqhtr413
shmu26 said:
What are some script interpreters that it's good to add to the default list?
The first thing that comes to my mind is bitsdmin.
Click to expand...

It's pointless to ask if there is no detailed explanation as to how the COMODO embedded code detection works. If it only inspects for cmd, PoSh, wscript, then adding a bunch of command line utilities, .NET Framework and other stuff to it will amount to nothing.

It isn't going to magically detect all malicious script code. It has to pattern match and there is a limit to that. If you don't know the extent of its pattern matching functionality and capabilities, then it is an exercise in futility to just start blindly slapping processes onto a default list.

This is a question for COMODO support.

Good luck on that one.
 
  • Like
Reactions: In2an3_PpG, shmu26 and Eddie Morra
What is the point? You use the hips module only?
If you use the sandbox everything will be isolated so who cares if the script is saying hello world or it's the most advanced ransomware. Worry more about the hundreds of bugs that you adding applications to a comodo module will produce.
 
  • Like
Reactions: kylprq, ZeroDay, In2an3_PpG and 2 others
SHvFl said:
What is the point?
Click to expand...
1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: The big issue here is that Comodo needs to write the script to a file type that the interpreter will recognize. So I suspect that you are right, it won't work for new interpreters, because Comodo won't know what file type to use. On the other hand, the list is customisable, you can add anything you want.
I don't know how to test it, if you can give me an idea...
 
Last edited:
  • Like
Reactions: ZeroDay, Kuttz, vtqhtr413 and 1 other person
shmu26 said:
1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: No one on the Comodo forum is willing to define for me exactly what an "embedded script" is, but they have expanded the list, and it is designed to be customizable, so it should be able to handle additional interpreters.
Click to expand...
Why would an app that managed to get access would want to use scripts? The reason they use scripts it's because antivirus companies suck in detecting them and they usually download the payload. Don't think in any universe an application that has access will try and use other windows applications to do its job.
Maybe i am missing your goal though so good luck.
 
  • Like
Reactions: In2an3_PpG, Eddie Morra and shmu26
shmu26 said:
1 To catch scripts coming from a trusted app that was exploited
2 To enhance firewall protection

@Lockdown: No one on the Comodo forum is willing to define for me exactly what an "embedded script" is, but they have expanded the list, and it is designed to be customizable, so it should be able to handle additional interpreters.
Click to expand...

Really ?

What is the extent of its pattern matching capabilities then ? How does it differentiate between legit and malicious code ?

Put the entirety of C:\ into the list then.
 
  • Like
Reactions: In2an3_PpG and Eddie Morra
Lockdown said:
Really ?

What is the extent of its pattern matching capabilities then ? How does it differentiate between legit and malicious code ?

Put the entirety of C:\ into the list then.
Click to expand...
It does not differentiate. It prompts for everything defined as a "script".
 
  • Like
Reactions: kylprq and vtqhtr413
SHvFl said:
Why would an app that managed to get access would want to use scripts? The reason they use scripts it's because antivirus companies suck in detecting them and they usually download the payload. Don't think in any universe an application that has access will try and use other windows applications to do its job.
Maybe i am missing your goal though so good luck.
Click to expand...
I guess I didn't explain myself very well. Let's say I open a malicious PDF doc that calls bitsadmin to download the payload. I want Comodo to block the fileless script that calls bitsadmin. Does that make sense?
 
  • Like
Reactions: vtqhtr413
shmu26 said:
Comodo needs to write the script to a file type that the interpreter will recognize.
Click to expand...
So if this is true, why is code detection enabled by default for rundll32? What type of script file is associated with it?
In fact, I don't get prompts from Comodo for rundll32, when I should.
My tentative conclusion: Embedded code detection is just another one of those half-baked Comodo things that don't behave as expected.
 
  • Like
Reactions: ZeroDay, vtqhtr413 and Eddie Morra
What version of comodo is this code detection in as i'm running 11.0.0.6728 and don't see this option?.
 
shmu26 said:
I guess I didn't explain myself very well. Let's say I open a malicious PDF doc that calls bitsadmin to download the payload. I want Comodo to block the fileless script that calls bitsadmin. Does that make sense?
Click to expand...

shmu26 said:
So if this is true, why is code detection enabled by default for rundll32? What type of script file is associated with it?
In fact, I don't get prompts from Comodo for rundll32, when I should.
My tentative conclusion: Embedded code detection is just another one of those half-baked Comodo things that don't behave as expected.
Click to expand...

You have to know how it works. How does it parse\identify the code and for which processes ?

You assume that by adding processes to the default list that it is going to work for each and every process added to the list - and it just isn't.

Without a detailed explanation from COMODO support of how it works and the extent of its capabilities, it is all guessing and speculation.
 
  • Like
Reactions: ZeroDay, Eddie Morra and shmu26
Lockdown said:
You have to know how it works. How does it parse\identify the code and for which processes ?

You assume that by adding processes to the default list that it is going to work for each and every process added to the list - and it just isn't.

Without a detailed explanation from COMODO support of how it works and the extent of its capabilities, it is all guessing and speculation.
Click to expand...
They won't explain it, and they probably don't understand it themselves.
All I can say from my limited experience is that it does a good job catching command lines for cmd (if you enable it) and powershell.
 
  • Like
Reactions: ZeroDay, kylprq and vtqhtr413
shmu26 said:
All I can say from my limited experience is that it does a good job catching command lines for cmd (if you enable it) and powershell.
Click to expand...

That tells me it is parsing only for cmd and PoSh. So if you add other processes you will get nothing from it.

And even then it sounds as if they don't include cmd in the default list because it can generate a lot of alerts... I'm assuming there are alerts associated with this feature.
 
  • Like
Reactions: Eddie Morra and shmu26
Lockdown said:
That tells me it is parsing only for cmd and PoSh. So if you add other processes you will get nothing from it.

And even then it sounds as if they don't include cmd in the default list because it can generate a lot of alerts... I'm assuming there are alerts associated with this feature.
Click to expand...
Yes, cmd produces too many alerts for the average noob to survive. That is why they modified the default config and disabled code detection for cmd.
The other monitored processes are much rarer and don't run on my system, such as java and python.
 
  • Like
Reactions: vtqhtr413
Status
Not open for further replies.

You may also like...