App Review The Comodo's challenge.

[Andy Ful]

Content source

https://youtu.be/2aQS22ZuR8c

Can Comodo's Auto-Containment be bypassed?

 

[Andy Ful]

I made this video to show what most MT already know. If the attacker can get high privileges, then the protection via kernel drivers can be compromised. I intentionally chose Comodo Antivirus with Auto-Containment, because it is a very strong protection. The method used in the video is documented, but I did not see it in the wild. It does not rely on using vulnerable drivers or abusing PPL.

 

[wat0114]

Hi @Andy Ful

not that it's crucial because the damage was already done, but would clicking on the Comodo "Fix It!" alert have aslo restarted the Comodo stopped service, or no?

 

[Pico]

Would it have made any difference if HIPS was enabled?
Would an HIPS alert be generated in this attack to alert the user that some application is tampering with the service?

 

[Trident]

Kernel drivers are not the de facto decisively superior way to provide protection; anyone that says they are probably has an agenda and cannot be taken seriously.

They are not superior, they are necessary to allow the self-protection to observe kernel-level system calls, as well as suspicious memory manipulations and patching that can allow anything, from unhooking user-mode processes, thus tampering with behavioural blocking, to completely terminating security services.

That being said, Comodo kernel mode self-protection drivers are not receiving the necessary maintenance they need for the application to provide a safe, secure and reliable service. Others may have this flaw but they will fix it quickly, Comodo won’t. God knows how other services are designed, do they use the necessary wrappers and memory integrity settings to keep operation “sanitary” and so on and so on. You wanna use hobby projects — these are your hobby projects. Always trust professionals.

 

[Fel Grossi]

Cruelsister's config, sandbox is set to "Restricted" not "Untrusted". But I don't know if it would make any difference.

Thanks!

 

[Decopi]

After Comodo abandoned its software for almost four years, during the past year by making big announcements, the beta version was started... and almost a year later, it's still in beta.

In real life, this beta is just a facelift, mere cosmetics for the graphical interface, all the old bugs, well known, often reported, and dangerous, all these bugs are still there in the latest beta version, totally unfixed since 2017.

Not to forget that Comodo' antivirus, cloud features and similar, never worked, always were very low quality products. Just the containment feature was useful in the past, but unfortunately is full of dangerous bugs since 2017.
Worse, under the "free product argument", Comodo's immoral staff and fanatics insist that trashware can be offered to the average-Joe user.

 

[rashmi]

Cruelsister's config, sandbox is set to "Restricted" not "Untrusted". But I don't know if it would make any difference.

Untrusted is the maximum restriction and allows very limited access rights compared to Restricted.

@Andy Ful

1. From memory, some versions of Comodo had issues in VirtualBox. I don't know about the current stable and beta builds.
2. It seems you tested on Windows 11. It would have been better to test the latest beta build, which fully supports Windows 11.
3. I don't remember if Comodo notifies, but the configuration change to Proactive requires a system restart for proper functioning. I hope you restarted the system.

 

[ErzCrz]

@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I'm guessing most people would have clicked Fix to rectify the Comodo issue but useful to know that it's possible to disable the service and that Comodo doesn't pick this up with it's behaviour features. Hmm.

 

[wat0114]

@Andy Ful

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

The demo video looks to be that of a user thinking they are manually installing a legitimate program/app, and they have administrative rights to elevate the malicious file I_am_nice_and_clean.dat (LOL). In this case the auto-containment is bypassed innocently by the user. Maybe there's more to the malicious chain reaction than just the dat file(??), but that was all we can see.

Btw, I'm guessing big box anti-malware products could be bypassed in similar fashion with a customized bypass manually elevated by the user, or am I wrong in this assumption?

 

[Practical Response]

@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I'm guessing most people would have clicked Fix to rectify the Comodo issue but useful to know that it's possible to disable the service and that Comodo doesn't pick this up with it's behaviour features. Hmm.

This POC is no different than Cruelsis examples as she modifies them to bypass other products claiming them to be subpar.

 

[Andy Ful]

Hi @Andy Ful

not that it's crucial because the damage was already done, but would clicking on the Comodo "Fix It!" alert have aslo restarted the Comodo stopped service, or no?

No.

 

[Andy Ful]

Would it have made any difference if HIPS was enabled?

Yes, if HIPS is not configured to allow cmd[.]exe.

Would an HIPS alert be generated in this attack to alert the user that some application is tampering with the service?

No application is tampering with the service. The attack is fileless after Windows restart.

 

[Andy Ful]

Cruelsister's config, sandbox is set to "Restricted" not "Untrusted". But I don't know if it would make any difference.

Thanks!

Untrusted is the most restrictive setting.

 

[Andy Ful]

1. From memory, some versions of Comodo had issues in VirtualBox. I don't know about the current stable and beta builds.
2. It seems you tested on Windows 11. It would have been better to test the latest beta build, which fully supports Windows 11.
3. I don't remember if Comodo notifies, but the configuration change to Proactive requires a system restart for proper functioning. I hope you restarted the system.

1. The attack works also on the real system.
2. The attack works on Windows 10+.
3. Yes. Furthermore, you can see 2 system restarts on the video.

 

[Andy Ful]

@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

I used a shortcut to avoid Comodo's scripting protection.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I did not see this attack vector in the wild. It is probably not dangerous at home, especially for Comodo.
Comodo is still one of the strongest protections, especially in the tested settings. This attack vector does not change my opinion.

 

[Andy Ful]

Btw, I'm guessing big box anti-malware products could be bypassed in similar fashion with a customized bypass manually elevated by the user, or am I wrong in this assumption?

I think so. But as with many such attacks, this attack vector can be stopped via behavior-based detections after the first successful campaign.

 

[Nikola Milanovic]

I think so. But as with many such attacks, this attack vector can be stopped via behavior-based detections after the first successful campaign.

Xcitium is the best AV

 

[Andy Ful]

The demo video looks to be that of a user thinking they are manually installing a legitimate program/app, and they have administrative rights to elevate the malicious file I_am_nice_and_clean.dat (LOL). In this case the auto-containment is bypassed innocently by the user. Maybe there's more to the malicious chain reaction than just the dat file(??), but that was all we can see.

It was not my intention to show a real attack in the video. It is also improbable that the in-te-wild attack would look like in the video.
Of course, the attacker could use social engineering methods to convince & instruct the user, similarly to the attacks via documents with macros.
But it is more probable that this attack vector could be a part of a multistage attack in the Enterprises.

 

[Pico]

Yes, if HIPS is not configured to allow cmd[.]exe.



No application is tampering with the service. The attack is fileless after Windows restart.

Was the service stopped prior the reboot by the fileless attack (a pending service stop operation) or stopped by the fileless attack after the reboot? How would the fileless attack survive the reboot?