App Review: Comodo's challenge part 2

Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
This video is a continuation of the previous one. I used the default settings of Internet Security configuration + enabled HIPS + most restrictive Auto-Containment for all Unrecognized files.
I also confirmed that the Comodo Firewall cannot be fixed and the stopped Comodo's service does not work after manual start.


ErzCrz

Looking forward to watching.

Out of curiosity does the CMD create a start-up entry or is it simply changing the service to disabled?

Anyway, nice test. I just would love to see an example of an infection or attack where this happens real world but one can keep searching ;)

P.S. You need to restart the machine when changing the configuration. CF/CIS used to prompt you in older versions but doesn't seem to beyond after first installation these days for some reason.

simmerskool

I LIKE the text on the screen to explain as you go thru the video, how it is set, what to expect...
Does the video have sound? Not saying it should have sound, just wonder if I'm the only one hearing silence in my headphones as I watch...

Andy Ful

From Hard_Configurator Tools
Thread author
Looking forward to watching.

Out of curiosity does the CMD create a start-up entry or is it simply changing the service to disabled?

None of them.

Anyway, nice test. I just would love to see an example of an infection or attack where this happens real world but one can keep searching ;)

You will probably be disappointed (the chances of seeing it in a widespread attack are close to 0).:)

P.S. You need to restart the machine when changing the configuration. CF/CIS used to prompt you in older versions but doesn't seem to beyond after first installation these days for some reason.

Yes, I know. The system was restarted several times before I made the optimal video.

Andy Ful

From Hard_Configurator Tools
Thread author
I LIKE the text on the screen to explain as you go thru the video, how it is set, what to expect...
Does the video have sound? Not saying it should have sound, just wonder if I'm the only one hearing silence in my headphones as I watch...

I tried to add some music, but my taste is unpopular (jazz rock, hard rock, progressive rock, etc.). The music did not help in understanding the video.

Andy Ful

From Hard_Configurator Tools
Thread author
Well Comodo with or without HIPS, the result is the same :)

And for Comodo's Fanboys (or crybabies), the Sandbox was activated, see the video :)

There are probably some tolerable and strong settings that could stop the attack method. But not the default config + HIPS (see Comodo's challenge part 2).
Anyway, the full attack has to also include UAC bypass or very convincing social engineering, except for the lateral movement scenario. The setup from Comodo's challenge part 2 will prevent many UAC bypasses, so many in-the-wild attacks can be prevented.

wat0114

Level 12
Thanks again @Andy Ful for testing again. Your testing methodology is thorough and professional from start to finish, and you make it so easy to follow and understand what's happening with every step of the way (y) Also thank you for testing the Fix it! alert.

I saw you used HIPS on safe mode, but in post #60 of Part 1, you mentioned Comodo crashed. I'm surprised it would crash in Safe mode. In paranoid mode I'd expect crashes and even worse: the crippling of the system making it unbootable :D

rashmi

I watched both tests.
1. It doesn't matter what containment setting you use because Comodo is trusting the attack file as the user is starting it, not an unknown program. Comodo won't contain the attack file.
2. The attack seems to bypass HIPS in the default internet security configuration. I don't know if you will test HIPS in proactive configuration.
3. You may run the attack file in containment to see if it breaks out of the containment or disables Comodo.

rashmi

Could you please redo the test with "COMODO - Proactive Security" configuration? This configuration offers the best system protection HIPS wise...
I asked him for the attack files. If he sends the attack files, I'll do a few tests on my system with the current beta 3. I won't prepare a video because I don't know these things.

rashmi

Isn’t that how most attacks start? With effective social engineering tricking the user to run something? What you said here doesn’t make too much sense.
It is from the developer's reply for the first test. I simplified that setting different sandbox restrictions means nothing because...
Regarding the mentioned video. Here the HIPS module not only denies any malicious cmd execution but also protects CIS internal processes, keys, files etc. So here the analyst disabled it first using admin rights. After that point, none of the sensitive processes, keys, files are protected. I think the "disable CF" script also writes to the registry to stop cmdvirth.exe, that's why he required a restart at that point. So basically he is also stopping containment too.

So if HIPS was not disabled by admin in the first place, this case won't happen anyway. Even in that state, if an Unknown application launches CMD, CIS would contain it, whereas here the user is launching it themselves.
So it's not a programmatic attack but the user himself, on the computer, is turning things off.

LennyFox

@rashmi I understand that you repost the official answer which says that Comodo behavior is by design and it is not a bypass.

I agree that when it is by design it is not a bypass, but I also agree with @Trident that most social engineering and staged phishing attacks start by luring a user to launch an application or poisoned document themselves.

Therefore the design decision of Comodo is questionable at the least, since most of these intrusions start by fooling the user to click-start unsafe code themselves.

Trident

I agree that when it is by design it is not a bypass
Vulnerabilities by definition are design or implementation errors that can compromise the confidentiality, integrity and availability of information. So a poor design choice can be classified as weakness/vulnerability. Normally AV vendors consider as vulnerability everything that can not be fixed by releasing a definition/heuristic/behavioural profile.

This POC doesn’t exploit modules to execute arbitrary code, but impairs defences. It is not to be underestimated. Comodo has just written it off carelessly.

SHvFl

Vulnerabilities by definition are design or implementation errors that can compromise the confidentiality, integrity and availability of information. So a poor design choice can be classified as weakness/vulnerability. Normally AV vendors consider as vulnerability everything that can not be fixed by releasing a definition/heuristic/behavioural profile.

This POC doesn’t exploit modules to execute arbitrary code, but impairs defences. It is not to be underestimated. Comodo has just written it off carelessly.
They always deny any issues because of lack of information or if information is given, they mention that it is out of scope of their product.

Andy Ful

From Hard_Configurator Tools
Thread author
Thanks again @Andy Ful for testing again. Your testing methodology is thorough and professional from start to finish, and you make it so easy to follow and understand what's happening with every step of the way (y) Also thank you for testing the Fix it! alert.

I saw you used HIPS on safe mode, but in post #60 of Part 1, you mentioned Comodo crashed. I'm surprised it would crash in Safe mode. In paranoid mode I'd expect crashes and even worse: the crippling of the system making it unbootable :D

Normally, the Safe Mode + default Internet Security configuration should work well (although it is disabled by default). In my case, Comodo crashed in a much more restricted configuration. If I remember correctly, it was the Proactive configuration with settings similar to @cruelsister + maxed Script Analysis. I noticed that this setup is unusable (blocked many things), so I tried to restore the default settings of Script Analysis. At that moment Comodo showed errors, the system behaved strangely, and I could not fix it. :confused:

Andy Ful

From Hard_Configurator Tools
Thread author
I watched both tests.
1. It doesn't matter what containment setting you use because Comodo is trusting the attack file as the user is starting it, not an unknown program. Comodo won't contain the attack file.

Yes, it "trusts" in some way the POC in the settings presented in the video. The trust comes from the fileless method. Comodo can trust many LOLBins and does not contain some file types and CmdLines. So one can say that it assumes them as trusted or, more precisely, as not so dangerous. It is possible to add some additional restrictions to block the attack (as I mentioned in the first thread about Comodo).

2. The attack seems to bypass HIPS in the default internet security configuration. I don't know if you will test HIPS in proactive configuration.

Look here:
https://malwaretips.com/threads/comodos-challenge-part-2.129514/post-1078812

3. You may run the attack file in containment to see if it breaks out of the containment or disables Comodo.

There is no need. The POC was not prepared to escape the sandbox.

wat0114

In my case, Comodo crashed in a much more restricted configuration. If I remember correctly, it was the Proactive configuration with settings similar to @cruelsister + maxed Script Analysis. I noticed that this setup is unusable (blocked many things), so I tried to restore the default settings of Script Analysis. At that moment Comodo showed errors, the system behaved strangely, and I could not fix it. :confused:

A few years ago when I used Comodo with the much more restrictive HIPS "Paranoid mode", the only way I could manage to make this mode usable without crippling Windows was to immediately put it in "Learning mode", then reboot several times, log out and back in, do most of the basic stuff I would normally do on a daily basis such as open the web browser, email client, any office apps, and most of the basic Windows actions such as open Explorer, check updates, settings, etc. This way rules would be automatically created on the fly.

It's not ideal, of course, but there was no other way; otherwise it would bork Windows because the HIPS would block something critical that Windows needs to function properly. It seems the same issue, maybe to a lesser extent but an issue nonetheless, occurs with HIPS in Proactive mode. Obviously Learning mode must be done on a known, clean system, and the user must take care not to incur infection while doing so :)

EDIT

Perhaps Comodo devs could consider baking into the product a minimum set of rules that allows Windows to function at a basic level whenever the user wants to enable HIPS in any mode.