App Review Comodo's killer.

Content created by
@Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
Can you provide me this file? :D I would like to do some testing and some videos.

I do not share this one. The video is already available, so Comodo users and staff are informed.
In the attack, the shortcut does not use scripting (Comodo would alert/contain the attack via Script Analysis). This method is not commonly known (can be dangerous).
I don't want to make any more fuss than necessary. :) (y)

Here is the attack flow:
Malicious ISO download (contains a shortcut and some hidden files) -> shortcut to TDSS Killer executed by the user -> shortcut runs TDSS Killer with a CmdLine to kill Comodo -> no UAC alert because LUA is disabled -> TDSS Killer installs the driver and restarts Windows -> the driver kills Comodo

The attack is successful because it uses only Trusted resources.

rashmi

Level 15
Jan 15, 2024
733
I'm considering starting a thread discussing Comodo's containment policies, balancing usability and security.

The impact of the policies is something I have yet to investigate. For tests, can you and @vitao run the POCs against these containment policies?

In Proactive Configuration, remove the last or All Applications - Unrecognized policy from Auto-Containment. Place the three policies in the same order at the bottom in Auto-Containment.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File Age - Less than 1 hour

Andy Ful

In Proactive Configuration, remove the last or All Applications - Unrecognized policy from Auto-Containment. Place the three policies in the same order at the bottom in Auto-Containment.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File Age - Less than 1 hour

My POCs are not blocked.
The reason is that the files contained in the ISO container have the creation time of the original files used when the attacker created the ISO on his computer. For example, TDSSKiller has the original date from the year 2019.
The same applies to all removable media mounted by the Windows handler and to archives unpacked by the Windows built-in unpacker.
So the file age must be unlimited for the first two rules to block the POCs that use removable media or archives.

Edit.
7-Zip unpacks archives while adding the current creation time. So when 7-Zip is configured to open by default archives and disk images, the 1-hour File age rule will work as intended.
However, the 1-hour File age rule will not work for executables stored on flash drives.
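As an added example (not code from the thread, from Comodo, or from Hard_Configurator), the following PowerShell function audits executables and shortcuts under a path and reports which ones already carry an NTFS CreationTime older than a given window, i.e. the files a "File Age - Less than 1 hour" condition would treat as old even though they arrived moments ago. The function name Test-FileAgeWindow, its parameters, and the E:\ drive letter in the usage line are assumptions made here.

```powershell
# Added example, not from the thread. Test-FileAgeWindow and its parameters are
# hypothetical names chosen here; the check only reads the timestamps NTFS exposes.
function Test-FileAgeWindow {
    param(
        [Parameter(Mandatory = $true)][string]$Path,  # e.g. a mounted ISO such as E:\, or an extracted folder
        [int]$MaxAgeHours = 1                        # the "Less than N hours" window of the containment rule
    )

    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    # File types involved in the thread's scenario: the shortcut plus the binaries it launches.
    $exts = '.exe', '.dll', '.scr', '.com', '.msi', '.lnk'

    # -Force includes hidden files, which the ISO in the thread relies on.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            # CreationTime is what a file-age condition keys on. A file that kept its
            # original timestamp inside the ISO (or on a flash drive) predates the cutoff,
            # so a "less than N hours" rule does not match it although it just arrived.
            [pscustomobject]@{
                File          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                OutsideWindow = ($_.CreationTime -lt $cutoff)
            }
        }
}

# Usage (E:\ is an assumed drive letter for a mounted ISO): run once against the mounted
# image and once against the same image extracted by 7-Zip to compare the timestamps.
Test-FileAgeWindow -Path 'E:\' -MaxAgeHours 1 |
    Sort-Object OutsideWindow -Descending |
    Format-Table -AutoSize
```

Rows with OutsideWindow = True are the files a 1-hour File Age condition would leave uncontained; against the 7-Zip extraction the same files should show False because 7-Zip stamps them with the current creation time.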

rashmi

My POCs are not blocked.
The reason is that the files contained in the ISO container have the creation time of the original files used when the attacker created the ISO on his computer. For example, TDSSKiller has the original date from the year 2019.
The same applies to all removable media mounted by the Windows handler and to archives unpacked by the Windows built-in unpacker.
So the file age must be unlimited for the first two rules to block the POCs that use removable media or archives.

Edit.
7-Zip unpacks archives while adding the current creation time. So when 7-Zip is configured to open by default archives and disk images, the 1-hour File age rule will work as intended.
However, the 1-hour File age rule will not work for executables stored on flash drives.
For my information, what browser and download manager did you use to get the ISO file?

We just need to remove the "file age" criteria for the policies; Comodo should then block your and @vitao's POCs.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)

These policies target Comodo's trusted vendor list and cloud whitelist; Comodo should block "trusted" files from removable media or downloaded from the internet.

I haven't verified whether these Comodo policies prevent trusted applications' auto-updates; we can create a "whitelist" policy with an essential vendor list and use the "ignore" option.

Experienced users who don't like Comodo's huge trusted vendor list and cloud whitelist may prefer these policies.

Andy Ful

For my information, what browser and download manager did you use to get the ISO file?

It is unimportant because the ISO file is not an executable/application. In my tests I used Edge.

We just need to remove the "file age" criteria for the policies; Comodo should then block your and @vitao's POCs.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)

These rules should work in the same way as:
Action - Run Virtually, File Group - All Applications, File Origin - Removable Media
Action - Run Virtually, File Group - All Applications, File Origin - Internet
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)

Simply, all applications executed from Removable Media and the Internet are contained. Unrecognized applications are contained everywhere. The Proactive setup also includes three Block rules for Malicious Applications, Suspicious Locations, and Containment Folders.
These settings will contain most of my POCs and prevent most malware including 0-day ones. It is a very strong setup.
It is possible to bypass such a setup by using shortcuts + abusing the Trusted applications already installed in the system (LOLBins, MS Office, etc.). For example, Comodo's challenge method used in my video is not blocked (shortcut + LOLBin abused) and all my POCs are not blocked when running office macros.
I would also enable Embedded Code Detection for cmd[.]exe (to prevent many attacks via shortcuts), and block macros in office applications.

Post edited.

Andy Ful

It is possible to use the below setup:
  1. Apply Proactive Configuration.
  2. Add the rule: Action - Run Virtually, File Group - All Applications, File Origin - Removable Media <------ this protects flash drives
  3. Modify default rule: Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File age: 1 day (or 1 hour)
  4. Add the rule to contain 7-Zip application (c:\Program Files\7-Zip\7zFM.exe). Set 7-Zip as the default application to open archives and disk images (ISO, IMG, etc.).
    With this rule, the 7-Zip GUI works similarly to Comodo's Virtual Desktop. Anything opened from the 7-Zip application (even text documents) is contained.
  5. In Script Analysis, enable Embedded Code Detection for cmd[.]exe.
  6. In the office applications, block macros.

The below will be restricted by the File age: 1 day (or 1 hour):
  • When downloading applications from the Internet, they have a fresh "creation time".
  • Files copied from the flash drives to the hard disk have a fresh "creation time".
When using Comodo Internet Security (instead of Comodo Firewall + Microsoft Defender), I would propose the file age recommended by Comodo: File age: 3 days.
Comodo's signatures for new malware are rather poor.

WARNING
To open files from disk images and archives with no containment, one must use another archiver application or Windows built-in features:
Right click >> Open with >> Windows Explorer

Post edited and updated.

rashmi

It is unimportant because the ISO file is not an executable/application. In my tests I used Edge.
If I download an ISO with an unsupported program in Comodo, will Comodo still contain the files of the ISO?
These rules should work in the same way as:
Action - Run Virtually, File Group - All Applications, File Origin - Removable Media
Action - Run Virtually, File Group - All Applications, File Origin - Internet
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)
Yes, the rules are the same. In short, the rules are overly restrictive and prevent apps from updating automatically.
Modify default rule: Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File age: 1 day (or 1 hour)
Just as with your POC, Comodo will not block unrecognized files in a container with their original creation date, will it?

bazang

Level 10
Jul 3, 2024
497
If I download an ISO with an unsupported program in Comodo, will Comodo still contain the files of the ISO?

Yes, the rules are the same. In short, the rules are overly restrictive and prevent apps from updating automatically.

Just as with your POC, Comodo will not block unrecognized files in a container with their original creation date, will it?
Amazing how much effort is required to figure out what the software does, can or cannot do, right?

Then based upon what you discover, you have to get someone at Comodo to explain if it is expected, intended, a feature or a bug.

Same with Windows and Linux OS themselves.

This is why it is not worth it. The effort required is excessive. Just configure a system and then block all mobile code that has not been whitelisted. The breakages are rare and minimal. They all can be fixed with trivial effort. Far, far less effort than having to study an OS or any security software for days, weeks, and months to figure it out.

rashmi

In short, I think the default/proactive security is sufficient and better for home users. Comodo's usability has improved significantly and is much more user-friendly now. For improved protection, one may disable cloud lookup and limit the list of trusted vendors.

Andy Ful

I had to remove my previous post and repost it again. The previous rules worked weirdly.

If I download an ISO with an unsupported program in Comodo, will Comodo still contain the files of the ISO?

I discovered that the "File origin >> Removable Media" works for flash drives but not for virtual drives (mounted ISO, IMG, etc). So, I could contain the "All Applications" files only via the 7-Zip trick when the "Run virtually" rule is added for the 7-Zip application and 7-Zip is set as the default application to open disk images (ISO, IMG, etc.) and archives (*.zip, *.7z, *.rar, etc).

The working containment rules that can contain most of my POCs, most malware, and most DLL hijacking attacks are like in my updated post:
https://malwaretips.com/threads/comodos-killer.133558/post-1114716


Auto-containment "Run virtually" rules:

Rule 1 (protects against executables on flash drives).

Rule 2 (protects against executables in disk images and archives).

Rule 3 (the default "Run virtually" rule edited with a 1-day limit in the Proactive configuration).

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,289
I need to re-read through this topic. I'm not using CF/CIS as I have CyberLock installed and running both is overkill. CF does have the option in Device Protection settings to block devices, but it's a blacklist. I think unchecking "Trust files installed by trusted installers" would go some way in adding protection, but that's the thing with Comodo.

You can tweak it to your heart's content, and I used to, including the below HIPS tweaks and trimmed vendor listings, etc.

Protected all drives with HIPS under protected files adding ?:\* will cause HIPS to protect all files on all volumes and drives
Protected registry keys added *\Software\* and *\System\*
Under protected COM interfaces, added *\RPC Control\ntsvcs to monitor access to the service control manager
LocalSecurityAuthority.* to control process token privileges
And added {*} and *.* to cover many COM interfaces by CLSID and ProgID.

But there comes a point of balancing security and usability. Comodo is meant to work best in Proactive mode with its defaults, and CruelSister improved that by setting the restriction level to Restricted or Untrusted, but even then these POCs find their way through. Hard_Configurator, WHHL and SWH, which will block many of these, all run with CIS/CF without issue, but again, overkill.

You have to find a balance, and probably the additional tweaks above advised by @Andy Ful will strengthen CIS/CF security, but how many of the normal users will go to that extent? I hope for further CIS/CF improvements by Comodo this year, but we'll just have to wait and see ;)

Andy Ful

I think unchecking "Trust files installed by trusted installers" would go some way in adding protection but that's the thing with Comodo.

It does not for DLL hijacking and other methods of abusing Trusted files mentioned in this thread.

You have to find a balance, and probably the additional tweaks above advised by @Andy Ful will strengthen CIS/CF security, but how many of the normal users will go to that extent? I hope for further CIS/CF improvements by Comodo this year, but we'll just have to wait and see ;)

Typical (common) users should not use the Proactive setup (it is for more experienced users). The alternative can be the Internet Security setup.
The setup from my previous post is as follows:
Proactive setup with 1-day limit + Virtualize disk images and archives + Virtualize execution from USB drives.
It is in the testing phase. So far it works well with UniGetUI.

rashmi

I discovered that the "File origin >> Removable Media" works for flash drives but not for virtual drives (mounted ISO, IMG, etc). So, I could contain the "All Applications" files only via the 7-Zip trick when the "Run virtually" rule is added for the 7-Zip application and 7-Zip is set as the default application to open disk images (ISO, IMG, etc.) and archives (*.zip, *.7z, *.rar, etc).
You can also add 7zFM in File Groups - File Archivers.

vitao

Level 4
Mar 12, 2024
176
Sorry guys. I'm late for the party.

I'll bring some tests and findings in a few days... Comodo Internet Security is a monster when we consider the options and personalization on the protection end. It's so massive that even Comodo doesn't know how to explain even a small part of it all... it's sick :p

Andy Ful

You can also add 7zFM in File Groups - File Archivers.

7zFM is already included there via the rule *\7z*.exe. However, I want to fully virtualize only one archiver application, set as the default archiver to open archives and disk images.
I do not know, maybe it is possible to fully virtualize all archives included in the File Archiver group and set one of them as the default archiver. Then, the Windows built-in archiver will be the only possibility to pack/open archives and disk images without containment.

Andy Ful

Sorry guys. I'm late for the party.

I'll bring some tests and findings in a few days... Comodo Internet Security is a monster when we consider the options and personalization on the protection end. It's so massive that even Comodo doesn't know how to explain even a small part of it all... it's sick :p

Yes, it has so many possible options that one cannot predict how the applied settings work. Some settings can override others, so it is necessary to test each setup thoroughly.
The best example is applying the time limit and problems with the file creation dates.
