App Review Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
H

hjlbx

I know exactly what the argument is going to be -- that it isn't malware. It is the same argument applied to a script I write to delete your entire drive without your consent. Technically, it isn't malware. Really ? I'd bet you'd consider it malware after deleting your entire drive.

Mark my words...
 
  • Like
Reactions: Deleted member 2913, RoboMan and Der.Reisende
H

hjlbx

vivid said:
As a rule of thumb : it is a bypass when you right-click on the file > run it in the Sandbox and changes are made to real system. (CIS case)
Click to expand...

Really ?

I submitted a Zbot sample to COMODO Engineering not long ago that completely disabled COMODO upon execution. All CIS modules were completely disabled, but the GUI was still running.

All you have to do is download a few Virussign malware packs and eventually you will find something that can disable COMODO HIPS and\or sandbox.
 
  • Like
Reactions: Ana_Filiz, Deleted member 2913, ZeroDay and 2 others
vivid

vivid

Level 5
Verified
Dec 8, 2014
206
hjlbx said:
Really ?

I submitted a Zbot sample to COMODO Engineering not long ago that completely disabled COMODO upon execution. All CIS modules were completely disabled, but the GUI was still running.

All you have to do is download a few Virussign malware packs and eventually you will find something that can disable COMODO HIPS and\or sandbox.
Click to expand...

Not sure what to say.. I have submitted bypasses that were fixed. I could post it after version 10 is released.
CIS virtualization is tricky as it provides more compatibility. If you have a driver installed then (for compatibility purposes) you could make use of that driver and action will not be virtualized by default. Example: run Process Hacker, exit Process Hacker, virtualize Process Hacker and terminate non-virtualized application. This is possible because you have launched a driver upon first run and virtualized instance makes use of that driver.
 
Last edited:
  • Like
Reactions: Deleted member 2913, ZeroDay, shmu26 and 1 other person
H

hjlbx

vivid said:
Not sure what to say.. I have submitted bypasses that were fixed. I could post it after version 10 is released.
CIS virtualization is tricky as it provides more compatibility. If you have a driver installed then (for compatibility purposes) you could make use of that driver and action will not be virtualized by default. Example: run Process Hacker, exit Process Hacker, virtualize Process Hacker and terminate CIS. This is possible because you have launched a driver upon first run and virtualized instance makes use of that driver.
Click to expand...

I can find no rhyme nor reason as to what, when, and why COMODO fixes some things and not others.

I submit all the sample directly to Haibo Zhang - Director of COMODO Engineering (Beijing, China).

I worked for months collecting data for the "disappearing rules" bug. It has been submitted repeatedly to everyone - Haibo, Artyom (Ukraine -responsible for the rules module) and BuketB.

But you're right... the COMODO tech did rate Thingthing.exe as Safe - I checked the Safe List. Sure enough, it's rated as Trusted. You were right and I was wrong.

I suppose we can write it off as a mis-rating by the tech.
 
  • Like
Reactions: Deleted member 2913, ZeroDay, shmu26 and 2 others
SHvFl

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,346
vivid said:
FYI verdict changed to malware.
http://i.imgur.com/HK7aHB5.png
Click to expand...
Damn, someone with power took action. I am sure experts don't do analysis at a Sunday evening for a random file that already was checked.
As you see someone just changed the verdict. It is still saying "Human Expert Analysis Date: 2016-10-22 22:46:34 ( 8 days ago )"
 
  • Like
Reactions: Deleted member 2913, shmu26, Davidov and 2 others
D

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
SHvFl said:
Damn, someone with power took action. I am sure experts don't do analysis at a Sunday evening for a random file that already was checked.
As you see someone just changed the verdict. It is still saying "Human Expert Analysis Date: 2016-10-22 22:46:34 ( 8 days ago )"
Click to expand...
It's great to see Comodo guys acted fast on this one!
Great share by the OP and interesting discussion here!

EDIT: Also big thanks to @cruelsister for picking that one up!
At the time I tested that one with a default Internet Security Preset (+HIPS @ Security Preset) configured CIS, sandbox wasn't triggered, pretty sure because of the previous whitelisting.
As for it's actions it changes fonts and immediately restarts the PC. Haven't seen anything more like in the initial video on this one, as by restart my ShadowDefender session ended.
 
Last edited:
  • Like
Reactions: Venustus, Deleted member 2913, DardiM and 1 other person
vivid

vivid

Level 5
Verified
Dec 8, 2014
206
SHvFl said:
That's not what i said. Check the expert analysis date. Now someone changed the verdict because they were informed about this post probably.
Click to expand...

Click on "Human Expert Analysis" tab. :)

Human Expert Analysis Results
Analysis Start Date: 2016-10-22 22:32:14 ( 8 days ago )
Analysis End Date: 2016-10-22 22:46:34 ( 8 days ago )
File Upload Date: 2016-10-22 20:25:13 ( 8 days ago )
Update Date: 2016-10-30 17:50:55 ( 26 minutes ago )
Human Expert Analyst Feedback: malware
Verdict: Malware
 
  • Like
Reactions: Venustus, Deleted member 2913, shmu26 and 3 others

Similar threads

DardiM
    • Like
Malware Analysis 5 samples - download the real obfuscated Jscript code used to download 2 payloads- Jan,13 2017
Replies
22
Views
5,378
Malware Analysis Archive
DardiM
DardiM
DardiM
    • Like
Malware Analysis Analysis of the obfuscation techniques used on Anexo_Email_Visualizar.JPG.js - 8/53
Replies
15
Views
1,912
Malware Analysis Archive
DardiM
DardiM
DardiM
    • Like
Malware Analysis POSTNORD_1755.js - error on the path/name - payload: CryptoLocker
Replies
4
Views
1,599
Malware Analysis Archive
DardiM
DardiM

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top