App Review Comodo Firewall Bypassing a Bypass

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

Bot

AI-powered Bot
Apr 21, 2016
4,477
Thanks for sharing this video! It provides useful insights on bypassing Comodo Firewall. Let's discuss and learn more about it.
 
  • Love
Reactions: Behold Eck

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558


It is crucial to set the UAC to never notify, before making the reg tweak (just like in the video). If not, the user will not be able to elevate programs and most programs will not be able to update. And worst, the user will not be able to revert the reg tweak.

I do not recommend this method:
  1. One can still use the "Comodo challenge" to dismantle Comodo protection with no warnings.
  2. One can use DLL hijacking to infect the system. Even if normally the infection would use only standard privileges, now it will run with high privileges (no elevation warning).
  3. File Explorer will run with high privileges (normally it always runs with standard privileges).
  4. Some web browser processes will run with high privileges (dangerous behavior).
  5. Most applications will run with high privileges, even if normally they should run with standard privileges.
  6. etc.
Post edited.
There were some reports about issues after setting EnableLUA = 0 (problem with elevating programs):
https://superuser.com/questions/1823984/disabled-enablelua-in-regedit-cant-run-as-administrator
But I think that they were related to Standard User Account.
 
Last edited:

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,217
Nice video. I wonder whether still a issue with Comodo Containment set as Untrusted or just set to Block. I'm the sort who would click Block in general but useful information. Just not sure I'd disable UAC and I don't quite get how that allowed those files to escape.

Incidentally CIS/CF only ever contained a handful of things for me. Either installing an unknown program which I see a pop-up for or silently it contains my ASUS OEM Notification and Keyboard Host and their interaction with osd.exe (On screen display). I could do with a tip on creating a allow rule for that specifically.

Anyway, great to see the issue being highlighted and one solution.
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,554
Nice video. I wonder whether still a issue with Comodo Containment set as Untrusted or just set to Block. I'm the sort who would click Block in general but useful information. Just not sure I'd disable UAC and I don't quite get how that allowed those files to escape.

Incidentally CIS/CF only ever contained a handful of things for me. Either installing an unknown program which I see a pop-up for or silently it contains my ASUS OEM Notification and Keyboard Host and their interaction with osd.exe (On screen display). I could do with a tip on creating a allow rule for that specifically.

Anyway, great to see the issue being highlighted and one solution.
Submit it to Valkyrie it should be flagged safe
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,554
It is crucial to set the UAC to never notify, before making the reg tweak (just like in the video). If not, the user will not be able to elevate programs and most programs will not be able to update. And worst, the user will not be able to revert the reg tweak.

I do not recommend this method:
  1. One can still use the "Comodo challenge" to dismantle Comodo protection with no warnings.
  2. One can use DLL hijacking to infect the system. Even if normally the infection would use only standard privileges, now it will run with high privileges (no elevation warning).
  3. File Explorer will run with high privileges (normally it always runs with standard privileges).
  4. Some web browser processes will run with high privileges (dangerous behavior).
  5. Most applications will run with high privileges, even if normally they should run with standard privileges.
  6. etc.
Does your comodo challenge work with block instead of containment ?
And what about default deny in other av software via similar settings in hips , application control?
btw is there any danger with anti viruses mini filters scanning, running executables under a driver with system privileges in order to scan them ?
I recall project zero concluded at that time when they tested av programs is that the way they access file to detect them is usually done with dangerous privileges and they tested at least back then had major issues


 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
Does your comodo challenge work with block instead of containment ?

The "block" setting is a containment setting. Comodo Challenge works with the block setting because nothing is contained (all is trusted).

And what about default deny in other av software via similar settings in hips , application control?

I was able to bypass all tested software except some paranoid settings.

btw is there any danger with anti viruses mini filters scanning, running executables under a driver with system privileges in order to scan them ?
I recall project zero concluded at that time when they tested av programs is that the way they access file to detect them is usually done with dangerous privileges and they tested at least back then had major issues

Yes, if AV is exploited.
 
Last edited:

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,554
The "block" setting is a containment setting. Comodo Challenge works with the block setting because nothing is contained (all is trusted).



I was able to bypass all tested software except some paranoid settings.



Yes, if AV is exploited.
Seems like Microsoft should really push some good SDKs for security software to use to be better isolated since they are so privileged and to reduce issues not just security ones but usability like what happened with crowdstrike
Anyway I do hope comodo abandon their containment solution to something that uses a hypervisor as nowadays pretty much every modern machine has a virtualization instructions and enough performance
pretty sure all things things will naturally happen in the future and more criminals abusing drivers , injecting dlls , exploiting privileged security processes would get us even quicker the the right route
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
In @Andy Ful's "Comodo's Challenge" thread, I had brought up the problem of Comodo's inefficiency in virtual machines.

The "Comodo challenge" works because all used executables are benign and trusted. If there is any Comodo's inefficiency in virtual machines, it is unrelated to the "Comodo challenge". I did not notice any inefficiency in my tests. When I used the file that was not trusted in some settings ( like for cmd[.]exe ), the attack was blocked.

In the case of the @cruelsister video, she used custom UAC settings because the Comodo sandbox cannot fully contain processes running with high privileges when UAC is enabled. In the custom UAC settings, the attack can be blocked. In the original attack, the default UAC settings were used, so the attack was successful. There is no inefficiency related to the virtual machine.
 
Last edited:

rashmi

Level 12
Jan 15, 2024
562
The "Comodo challenge" works because all used executables are benign and trusted. If there is any Comodo's inefficiency in virtual machines, it is unrelated to the "Comodo challenge". I did not notice any inefficiency in my tests. When I used the file that was not trusted in some settings ( like for cmd[.]exe ), the attack was blocked.

In the case of the @cruelsister video, she used custom UAC settings because the Comodo sandbox cannot fully contain processes running with high privileges when UAC is enabled. In the custom UAC settings, the attack can be blocked. In the original attack, the default UAC settings were used, so the attack was successful. There is no inefficiency related to the virtual machine.
I recall your tests clearly. I just informed @cruelsister that Comodo had problems functioning properly on virtual machines, which I mentioned in your thread as well. Please note that I didn't mean Comodo would block your POC if you tested it on a real system.

I already had information about UAC from Comodo forums, which I also shared in another recent POC thread. You quoted and responded to my post in that thread.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
I recall your tests clearly. I just informed @cruelsister that Comodo had problems functioning properly on virtual machines, which I mentioned in your thread as well. Please note that I didn't mean Comodo would block your POC if you tested it on a real system.

I already had information about UAC from Comodo forums, which I also shared in another recent POC thread. You quoted and responded to my post in that thread.

I know. I posted here to explain that in any case, the results did not depend on Comodo's inefficiency in virtual machines, but were expected due to the used settings and the way how Comodo works. :)(y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
I am unsure why Comodo Sandbox allows process elevation in the Untrusted and Restricted level. This flaw results from considering the sandbox an unbeatable solution.
It is also possible that Comodo staff think that such bypasses are related to businesses, where people use Standard User Account (password known only to Administrators), so the bypass will be prevented.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The issue is not so much of Comodo but more User Account Control and how it interacts with various Security applications. At the most basic, UAC can either have Elevation notifications suppressed by setting the UAC slider at "Never Notify.". Although this will indeed prevent any notifications, UAC will still be active.

With UAC active it interacts with Comodo Containment by forcing certain items into running at the Partially Limited level, and not at a more restrictive level. For almost all files (fair or foul) this is not an issue- but for this particular mechanism it is. So although the recent videos utilize TDSSKiller as the payload, one can easily switch to a Data Stealer or Ransomware instead (although the biggest use so far has been against SEP).

The resolution for this Comodo-UAC issue is trivial:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(modify 1 (Default) to 0.

I am unsure why Comodo Sandbox allows process elevation in the Untrusted and Restricted level
It doesn't. A Red popup warning of attempted Elevation will result (in Silent Mode it will just block the request without any popup).
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,217
I'm just changing the below setting to checked and Block.

1730141575195.png
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,554
I am unsure why Comodo Sandbox allows process elevation in the Untrusted and Restricted level. This flaw results from considering the sandbox an unbeatable solution.
It is also possible that Comodo staff think that such bypasses are related to businesses, where people use Standard User Account (password known only to Administrators), so the bypass will be prevented.
Can you rerun the comodo challenge with the registry change and uac set to never notify
Just to settle this and see if their non hypervisor sandbox is actually decent for enterprise use like they claim with zerodwell 100% protection marketing

Oh and best if you can use cruelsister settings on the xcitium (more updated client over the free consumer one )
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
The resolution for this Comodo-UAC issue is trivial:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(modify 1 (Default) to 0.

This tweak will introduce more weaknesses than is worth. It reverts several years of Microsoft work on patching privilege escalation flaws, by introducing a general priviledge escallation flaw. I do not think that Comodo staff is going to recommend it.

It doesn't. A Red popup warning of attempted Elevation will result (in Silent Mode it will just block the request without any popup).

Understand.
In your settings, the the Silent Mode is enabled, so that particular exploit cannot work. This is probably the best resolution, because it does not introduce system weaknesses on the contrary to disabling LUA.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
It doesn't. A Red popup warning of attempted Elevation will result (in Silent Mode it will just block the request without any popup).
So, it does with user consent. I would expect from the Untrusted level to reject the elevation request even if the user accepted the request. I suspect that Comodo did not implement it because most program installations would not run at all in the sandbox after rejecting the elevation request. But, who would want to install unknown applications in the sandbox set to Untrusted?:unsure:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
Can you rerun the comodo challenge with the registry change and uac set to never notify
It is not necessary. The Comodo challenge will work silently with no alerts at all. That registry tweak means = programs executed by the user run by default with high privileges (elevation not needed). Without that reg tweak, programs run by default with standard rights and must request for elevation if necessary.

Just to settle this and see if their non hypervisor sandbox is actually decent for enterprise use like they claim with zerodwell 100% protection marketing
You will not see anything like that, because the Comodo challenge does not run in sandbox. It runs as a trusted process outside the sandbox. There is no escaping from the sandbox.

Oh and best if you can use cruelsister settings on the xcitium (more updated client over the free consumer one )

Cannot test Xcitium, but applying @cruelsister settings would not change anything.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top