Comodo Internet Security 2025 was obliterated by an exploit!
rashmi wrote (post 1105964):

For those interested, there is additional information about this topic on the Comodo forums.

https://forums.comodo.com/t/poc-bypass-auto-sandbox-cis/362726

A moderator's response:

"I only took a quick look at the source code and I can tell what the issue is. By default cis does not protect access to the service control manager, defined as *\RPC Control\ntsvcs, so you would need to add that path to the protected COM interfaces section. The source code also contains code that attempts to access the SCM via a named pipe, so you can also add *\Device\NamedPipe\ntsvcs to the protected files section to cover the named pipe access.

With that said, there is a compatibility issue with Windows UAC that prevents containment restriction levels being set to the desired restriction level for applications that require administrator rights. This means if you set the containment rule to use a restriction level higher than partially limited, e.g. limited, restricted, or untrusted, and you run an application that requests admin rights/elevation, then cis will lower the restriction level to partially limited. So you don't get the protection provided by the higher restriction levels.

Therefore you need to completely disable UAC by setting the enableLUA registry value to 0. This is important to note, as using SCM requires admin rights, and setting UAC to never notify doesn't actually disable UAC itself; it just won't pop up a UAC alert and will auto-grant elevation to admin.

Edit: oh, and there is yet another bug that affects cis on Windows 11 with regards to using restriction levels. Whenever an application is executed by Windows Explorer, which happens when you use your mouse to run apps, the restrictions that are supposed to be applied don't get set, so you get tricked into a false sense of security."
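The moderator's point that "never notify" leaves UAC enabled (EnableLUA still 1) while only EnableLUA=0 actually disables it is easy to get wrong when checking a machine. The following PowerShell audit is an added example, not code from rashmi's post, the Comodo moderator, or Comodo itself. It reads the standard UAC policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports which of the three states the system is in; it only reads, never writes, and the mapping of each state to CIS behaviour is taken from the moderator's description above, not verified against CIS independently.

```powershell
# Added example: audit the effective UAC state relevant to CIS containment.
# Reads only; does not modify any setting. Assumes the standard policy key.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # A missing value means Windows uses its built-in default, so fall back to it.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$Name) { return [int]$props.$Name }
    return $Default
}

function Get-UacContainmentState {
    # Windows defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1
    $enableLua     = Get-UacValue -Name 'EnableLUA'                  -Default 1
    $consentAdmin  = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
    $secureDesktop = Get-UacValue -Name 'PromptOnSecureDesktop'      -Default 1

    if ($enableLua -eq 0) {
        $state = 'Disabled'
        $note  = 'UAC is fully off (EnableLUA=0). Per the Comodo moderator, this is the ' +
                 'only state in which CIS applies restriction levels above Partially ' +
                 'Limited to apps that request elevation. A reboot is needed after changing EnableLUA.'
    }
    elseif ($consentAdmin -eq 0 -and $secureDesktop -eq 0) {
        $state = 'NeverNotify'
        $note  = 'UAC slider is at "never notify": no prompt is shown and elevation is ' +
                 'auto-granted, but EnableLUA is still 1, so UAC remains active and CIS ' +
                 'will still drop elevated apps to Partially Limited.'
    }
    else {
        $state = 'Enabled'
        $note  = "UAC is on with prompts (ConsentPromptBehaviorAdmin=$consentAdmin). " +
                 'Elevated apps are contained only at Partially Limited by CIS.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consentAdmin
        PromptOnSecureDesktop      = $secureDesktop
        State                      = $state
        Note                       = $note
    }
}

# Run from an elevated or standard prompt; the key is world-readable.
Get-UacContainmentState | Format-List
```

Run it before trusting a containment rule set above Partially Limited: if State is NeverNotify rather than Disabled, the higher restriction level is not being applied to elevated programs, which is exactly the false sense of security the moderator describes. Whether to actually set EnableLUA to 0 is a separate trade-off, since it removes UAC protection for everything on the machine, not only for CIS-contained programs.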