Advice Request How does Comodo Firewall protect against malicious DLL files?

[CoherentCrayon]

Let's say you run Comodo Firewall with Cruelsister's settings (no HIPS for example). It will automatically sandbox malicious EXE files. But if you were to mod a game for instance, by replacing DLL files belonging to the game, would Comodo Firewall protect you if these DLL modifications were malicious?

To summarize,
will Comodo Firewall protect you against malicious DLL files which legit applications can use?

 

[Janl1992l]

im pretty sure comodo sandbox works for dll too, not only exes. so it will simply sandbox the dll if its a unknown one? im not sure about that either.

 

[CoherentCrayon]

im pretty sure comodo sandbox works for dll too, not only exes. so it will simply sandbox the dll if its a unknown one? im not sure about that either.

Not sure, because DLLs don't run by themselves, they are used by applications (EXEs)

 

[oldschool]

Check with @cruelsister, @ZeroDay, @Umbra, @Lockdown, @shmu26, @illumination or any other well experienced member who will probably have an answer for you. Or wait patiently for another reply. Also, what's the rest of your configuration?

 

[CoherentCrayon]

what's the rest of your configuration?

Currently I'm trying Kaspersky Internet Security (trial) but I'm thinking of switching to Windows Defender + Comodo Firewall to save money

 

[oldschool]

Currently I'm trying Kaspersky Internet Security (trial) but I'm thinking of switching to Windows Defender + Comodo Firewall to save money

You have good free options so no problem. If you use WD +CFW you can add @Andy Ful's ConfigureDefender which will enable you to harden WD that the regular interface doesn't access. Then you can use HIGH settings but make sure to turn OFF Controlled Folder Access in WD. Otherwise, CFA and CFW will conflict. (I learned that the hard way!) You could also try Kaspersky Free 2019 which doesn't give free users option to disable features. I don't think it has a firewall, but don't quote me on that, so you could still use CF. Or Avast free in Aggressive mode. Probably a few other great free options out there for us budget-conscious users. I use WD myself. Also, are you a safe user or a happy clicker? The brain should always be the first line of defense.

 

[CoherentCrayon]

You have good free options so no problem. If you use WD +CFW you can add @Andy Ful's ConfigureDefender which will enable you to harden WD that the regular interface doesn't access. Then you can use HIGH settings but make sure to turn OFF Controlled Folder Access in WD. Otherwise, CFA and CFW will conflict. (I learned that the hard way!) You could also try Kaspersky Free 2019 which doesn't give free users option to disable features. I don't think it has a firewall, but don't quote me on that, so you could still use CF. Or Avast free in Aggressive mode. Probably a few other great free options out there for us budget-conscious users. I use WD myself. Also, are you a safe user or a happy clicker? The brain should always be the first line of defense.

Thanks for the suggestions! I consider myself a safe user, I don't even remember when I last got infected, I think it was 5-10 years ago or something. But I download game mods pretty often, which might be a risk, especially with less known mods.

Also, what happened when you had Controlled Folder Access turned on while using CFW?

 

[509322]

Let's say you run Comodo Firewall with Cruelsister's settings (no HIPS for example). It will automatically sandbox malicious EXE files. But if you were to mod a game for instance, by replacing DLL files belonging to the game, would Comodo Firewall protect you if these DLL modifications were malicious?

To summarize,
will Comodo Firewall protect you against malicious DLL files which legit applications can use?

It's been years, but if I recall correctly, if the game is trusted then DLL loading is either not monitored or it depends upon how the unknown\untrusted DLL is loaded (and what it attempts to do). I recall unknown\untrusted DLLs from the System32 folder being auto-sandboxed after Windows Updates. Your best bet is to get a direct answer from COMODO engineering otherwise you are apt to get the wrong infos. I would ask for a reply from the Director of Engineering. That used to be Haibo Zhang, but I am not sure if he works for COMODO any longer.

 

[509322]

Currently I'm trying Kaspersky Internet Security (trial) but I'm thinking of switching to Windows Defender + Comodo Firewall to save money

Use what works best for you personally on your specific system. It you like it, then it is best to stick with it. The grass is not greener on the other side of the road. It is just a different kind of grass.

 

[oldschool]

Thanks, but I'm no expert . I just learn as much as I can here on the forum. I got a lot of flags from WD, which may have been from conflicts with other apps - I'M not sure. I later learned CFA not needed if you're using CFW.

 

[oldschool]

Use what works best for you personally on your specific system. It you like it, then it is best to stick with it. The grass is not greener on the other side of the road. It is just a different kind of grass.

. Very true.

 

[cruelsister]

Steel- CF will handle a malicious (or Unknown) dll file in the identical way it would handle an exe. Dll's (as you yourself noted) do not run themselves. Run a malicious exe (or Doc, or Script, or whatever) and anything that springs from this will be contained (Fruit of a poisonous tree). So in this case you are safe.

However your original post asks what would happen if you MANUALLY replace the original dll with a modified (and potentially malicious) dll, then run the main executable- this would be done typically with cracks (and no reason to be shy here as in my Poor student days I was forced to code stuff like this in order have enough cash to buy my Ramen noodles- and Wine). In this case, one of 3 things may happen:

1). the cracked dll came from a Wise and noble Hacker and everything will be fine
2). the cracked dll is actually ransomware in which case you are (insert word here that rhymes with ducked)
3), the cracked dll is some sort of info stealing malware in which case it will be blocked by the firewall (at my settings) and you will see the blocks in Network intrusions.

Essentially what you are doing by replacing an unknown dll into an existing safe application is like spraying the Fruit of a Healthy tree with poison and eating it- and whose fault would that be if you get screwed?

Hope this helped (but probably did not...)

 

[CoherentCrayon]

Steel- CF will handle a malicious (or Unknown) dll file in the identical way it would handle an exe. Dll's (as you yourself noted) do not run themselves. Run a malicious exe (or Doc, or Script, or whatever) and anything that springs from this will be contained (Fruit of a poisonous tree). So in this case you are safe.

However your original post asks what would happen if you MANUALLY replace the original dll with a modified (and potentially malicious) dll, then run the main executable- this would be done typically with cracks (and no reason to be shy here as in my Poor student days I was forced to code stuff like this in order have enough cash to buy my Ramen noodles- and Wine). In this case, one of 3 things may happen:

1). the cracked dll came from a Wise and noble Hacker and everything will be fine
2). the cracked dll is actually ransomware in which case you are (insert word here that rhymes with ducked)
3), the cracked dll is some sort of info stealing malware in which case it will be blocked by the firewall (at my settings) and you will see the blocks in Network intrusions.

Essentially what you are doing by replacing an unknown dll into an existing safe application is like spraying the Fruit of a Healthy tree with poison and eating it- and whose fault would that be if you get screwed?

Hope this helped (but probably did not...)

So, essentially, you're saying that Comodo does NOT protect you if a safe application uses a malicious DLL (e.g. if you replace a DLL belonging to a game with a malicious variant as in my example)?

Thanks for your answer!

 

[cruelsister]

What you ask is actually quite complicated, but I know that I can bypass anything by manual manipulation.

Please note that in the following response I MEAN YOU ABSOLUTELY NO DISRESPECT!!!!! (actually it is a VERY good scenario!).

If a user decides to replace a legit file with a malicious one, this is almost the same as stopping all protection, running malware, and then complaining that one was not protected. In your example, you are installing a legitimate application, agreeing with Comodo that it is safe, then modifying it. Once again, let me say that if the dll is something that acts maliciously by connecting out it will be stopped; but if it is something that will act immediately (like a ransomware dll) this will end in Tears.

 

[CoherentCrayon]

What you ask is actually quite complicated, but I know that I can bypass anything by manual manipulation.

Please note that in the following response I MEAN YOU ABSOLUTELY NO DISRESPECT!!!!! (actually it is a VERY good scenario!).

If a user decides to replace a legit file with a malicious one, this is almost the same as stopping all protection, running malware, and then complaining that one was not protected. In your example, you are installing a legitimate application, agreeing with Comodo that it is safe, then modifying it. Once again, let me say that if the dll is something that acts maliciously by connecting out it will be stopped; but if it is something that will act immediately (like a ransomware dll) this will end in Tears.

Alright. Thank you very much for taking your time to respond!

 

[CoherentCrayon]

What you ask is actually quite complicated, but I know that I can bypass anything by manual manipulation.

Please note that in the following response I MEAN YOU ABSOLUTELY NO DISRESPECT!!!!! (actually it is a VERY good scenario!).

If a user decides to replace a legit file with a malicious one, this is almost the same as stopping all protection, running malware, and then complaining that one was not protected. In your example, you are installing a legitimate application, agreeing with Comodo that it is safe, then modifying it. Once again, let me say that if the dll is something that acts maliciously by connecting out it will be stopped; but if it is something that will act immediately (like a ransomware dll) this will end in Tears.

Just one thing I thought about afterwards - you say that an (eventually) malicious DLL cannot connect out. Is it treated separately from the application using the DLL? For example, if Grand Theft Auto V is allowed to make outgoing connections, doesn't that mean that the DLLs GTA uses has the same internet privileges as GTA itself (the game executable) (being allowed to make outgoing connections), as GTA is the application using the DLL functions?

Also, how does Comodo Firewall decide which applications to allow or deny outgoing connections, as "Create rules for safe applications" are disabled in your settings? Does it deny outgoing connections for sandboxed applications, and allowing it for non-sandboxed?

 

[Deleted member 178]

Dlls don't connect out directly, they inject code to a known system process which connect out.

With proper settings, Comodo should isolate/block suspicious dlls.

 

[cruelsister]

An important point should be brought up here- when installing Comodo firewall, settings (even mine) assume that a system is totally clean- if this is the case, no issue.

However, if one installs CF on a system that potentially is already compromised it would be a very, very good thing to set the Firewall at Custom Mode so that anything that attempts to connect out will result in an alert.

And as Umbra correctly stated, although a dll will not connect out directly, most times one would see the indirect method as using run32dll.

 

[floalma]

@cruelsister
I've been out of this forum for a while and I come back.
I've just came across with your comment here.
You said the following: "Once again, let me say that if the dll is something that acts maliciously by connecting out it will be stopped; but if it is something that will act immediately (like a ransomware dll) this will end in Tears."
Does it mean that CFW can not give protection against Ransomwares ? I thought that CFW could.

 

[cruelsister]

Pardon for the delayed response! At one time CF would NOT protect against dll's dropped in a specific unconventional area. Although I had never seen a ransomware file exploit this, I (actually, my cat) did code a RAT that did. This flaw has been long since rectified (like over a year).