App Review Comodo Firewall Bypassing a Bypass

Content created by
cruelsister

Andy Ful

From Hard_Configurator Tools
I'm surprised that the payload itself wasn't contained ...

No surprise, when a trusted application is exploited or abused. A similar situation is for DLL hijacking, Comodo's challenge, Comodo's killer, etc.
However such bypasses are rare at home compared to attacks via EXE loaders and other dangerous malware that can be successfully contained by Comodo. Such attacks can bypass modern protection based on machine learning and detonation in the cloud sandboxes.

Andy Ful

From Hard_Configurator Tools
Yeah I dropped Xcitium a couple of months back. ... This is just confirming it all.

If you mean the bypasses presented on MT, they can probably be important only in Enterprises (due to targeted attacks).
Non-enterprise users should not worry and may consider those bypasses as information about the limitations of Comodo auto-containment without much impact on security.
 

Sandbox Breaker - DFIR

If you mean the bypasses presented on MT, they can probably be important only in Enterprises (due to targeted attacks).
Non-enterprise users should not worry and may consider those bypasses as information about the limitations of Comodo auto-containment without much impact on security.
Enterprise only for me. Thanks for the insight, Boss Man ;) Thanks for your free tools also; I use them all the time.
 

Andy Ful

From Hard_Configurator Tools
Can Comodo Virtual Desktop contain the DLL hijacking PoC?

Yes. Comodo virtualizes any file executed from the Virtual Desktop (also files from the Trusted group).
However, the bypass due to UAC incompatibility (sandbox escape) can probably still work.
 

Andy Ful

From Hard_Configurator Tools
But the UAC incompatibility affects the (optional) "Restriction Level" setting and not the (primary) "Run Virtually" setting.

When the trusted EXE in DLL hijacking is run from a Virtual Desktop, both the trusted EXE and malicious DLL are virtualized. This will stop almost all DLL hijacking attacks that could bypass Comodo without a Virtual Desktop. However, in targeted attacks specially crafted malware initiated by a virtualized DLL can still escape from the sandbox (due to UAC incompatibility or another reason).
 

ebocious

It is a product for a special group of users who like Comodo containment.
I'd be interested in learning about best alternatives, or companions that can fill the gaps to get closer to a zero-sum security configuration. I use a standard account with DEP enforced for all processes, and AppCheck Anti-Ransomware Free for its vault feature, in case something gets infected before I have an up-to-the-minute backup. I am of the understanding that Cruel CF can supposedly block unknown processes from phoning home, and that it errs on the side of caution if you use silent mode. But I'm not a tester, and can't vouch for mileage. In the case of an LOLBIN exploit, I wonder if Comodo would even bat an eye.

I've tried H_C before, but it fails to install on some systems, and it's not to my taste anyway. I prefer something I can circumvent on demand via RunAs (or logging into an admin account), or fully unlock without a reboot. This is not intended as an attack on the efficacy of the app. Just personal preference.

ErzCrz

I'd be interested in learning about best alternatives, or companions that can fill the gaps to get closer to a zero-sum security configuration. I use a standard account with DEP enforced for all processes, and AppCheck Anti-Ransomware Free for its vault feature, in case something gets infected before I have an up-to-the-minute backup. I am of the understanding that Cruel CF can supposedly block unknown processes from phoning home, and that it errs on the side of caution if you use silent mode. But I'm not a tester, and can't vouch for mileage. In the case of an LOLBIN exploit, I wonder if Comodo would even bat an eye.

I've tried H_C before, but it fails to install on some systems, and it's not to my taste anyway. I prefer something I can circumvent on demand via RunAs (or logging into an admin account), or fully unlock without a reboot. This is not intended as an attack on the efficacy of the app. Just personal preference.
@Shadowra is putting out a video tomorrow comparing @danb 's CyberLock with AppGuard. I use CyberLock website and I really like it paired with any other security solution I'm using.

Andy Ful

From Hard_Configurator Tools
I've tried H_C before, ..., and it's not to my taste anyway.

That is normal. Most people cannot live with security based on allowlisting + file reputation. Anyway, the fewer people use it, the more effective it is. :)
More people could use it with the help of a "Family administrator". But who would like to be a "Family administrator"? :unsure:

ebocious

@Shadowra is putting out a video tomorrow comparing @danb 's CyberLock with AppGuard. I use CyberLock website and I really like it paired with any other security solution I'm using.
I remember VS. I got rid of it because it stopped working every time an update was available, and the only way to "update" was to uninstall and replace it with the latest version. Has this been corrected?

Also, I thought VS was more of an anti-executable. Does it protect against fileless attacks?

P.S.: I like the fact that they offer a lifetime license, and it's affordable.

ebocious

That is normal. Most people cannot live with security based on allowlisting + file reputation. Anyway, the fewer people use it, the more effective it is.:)
More people could use it with the help of a "Family administrator". But who would like to be a "Family administrator"? :unsure:
Not I. That's why I don't use HIPS. Not saying H_C is noisy, btw.

ErzCrz

I remember VS. I got rid of it because it stopped working every time an update was available, and the only way to "update" was to uninstall and replace it with the latest version. Has this been corrected?

Also, I thought VS was more of an anti-executable. Does it protect against fileless attacks?

P.S.: I like the fact that they offer a lifetime license, and it's affordable.
Not had any issues with updates at all. Still runs smoothly. Website mentions fileless capabilities, though I've not tested it myself, but @danb can clarify.

"CyberLock includes extremely robust ransomware, script, LOLBins and fileless malware protection capabilities, and is capable of blocking 139 potentially malicious file types."

Indeed. I bought two years at the start of this year and definitely thinking about lifetime if it continues to work well with my setups :)
 

ebocious

Not had any issues with updates at all. Still runs smoothly. Website mentions Fileless capabilities though I've not tested it myself but @danb can clarify.

"CyberLock includes extremely robust ransomware, script, LOLBins and fileless malware protection capabilities, and is capable of blocking 139 potentially malicious file types."

Indeed. I bought two years at the start of this year and definitely thinking about lifetime if it continues to work well with my setups :)
That's awesome. I might have to give it another try. Thank you!

bazang

But who would like to be a "Family administrator"? :unsure:

But "Users that want to use stuff" will not allow M$.

Windows S Mode was a very good thing for home users.

Home users, being people, killed S Mode.

Home users killed the secure Apple app ecosystem too because they wanted to buy games for 3 Euros less.

People are ALWAYS the problem. ALWAYS.
 

simmerskool

That's awesome. I might have to give it another try. Thank you!
I agree with @ErzCrz. I am a 10 yr+ user of CyberLock, and it has always worked well for me, and @danb is improving it all the time and easily available. I've also installed AppGuard Solo on 2 VMs (not obvious, but its license is good for 3 computers iirc), and after AG's learning curve it also works well for me. I do not run them both on the same computer, although I think I've heard it's possible but perhaps not practical. It will be interesting to see @Shadowra's test. This could be a test where the methodology is critical to understanding if one is better, or their strengths and if they have any weaknesses.

Vitali Ortzi

That is normal. Most people cannot live with security based on allowlisting + file reputation. Anyway, the fewer people use it, the more effective it is.:)
More people could use it with the help of a "Family administrator". But who would like to be a "Family administrator"? :unsure:
Did CyberLock pass these tests?

ebocious

But "Users that want to use stuff" will not allow M$.

Windows S Mode was a very good thing for home users.

Home users being people killed S Mode.

Home users killed the secure Apple app ecosystem too because they wanted to buy games for 3 Euros less.

People are ALWAYS the problem. ALWAYS.
Cybercriminals are people. But yes, users do put themselves at risk, be it with warez, or by neglecting their security.