Reply to thread

Message

<blockquote data-quote="Andy Ful" data-source="post: 1110969" data-attributes="member: 32260">No, they did not.I use a different method that does not trigger containment. It is not exactly an exploit, but rather taking advantage of AVs ignoring some known (and unknown but signalized) attack methods until they are sufficiently prevalent. Furthermore, some methods are hard to fix, like DLL hijacking. Most AVs try to fight it by improving DLL detection, which is insufficient in targeted attacks.In the case of Comodo, the attack that exploits vulnerable but trusted EXE can be especially successful due to two weaknesses:<ol>
<li data-xf-list-type="ol">Poor detection of weaponized DLLs.</li>
<li data-xf-list-type="ol">Poor detection of some UAC bypasses.</li>
</ol>At the same time, Comodo can block most attacks in the wild via Auto-containment and Script Analysis modules. So finally, the attacker must know that the target uses Comodo to have fair chances to pass by the protection.</blockquote>

[QUOTE="Andy Ful, post: 1110969, member: 32260"] No, they did not. I use a different method that does not trigger containment. It is not exactly an exploit, but rather taking advantage of AVs ignoring some known (and unknown but signalized) attack methods until they are sufficiently prevalent. Furthermore, some methods are hard to fix, like DLL hijacking. Most AVs try to fight it by improving DLL detection, which is insufficient in targeted attacks. In the case of Comodo, the attack that exploits vulnerable but trusted EXE can be especially successful due to two weaknesses: [LIST=1] [*]Poor detection of weaponized DLLs. [*]Poor detection of some UAC bypasses. [/LIST] At the same time, Comodo can block most attacks in the wild via Auto-containment and Script Analysis modules. So finally, the attacker must know that the target uses Comodo to have fair chances to pass by the protection. [/QUOTE]

Verification