App Review The Comodo's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
I made this video to show what most MT already know. If the attacker can get high privileges, then the protection via kernel drivers can be compromised. I intentionally chose Comodo Antivirus with Auto-Containment, because it is a very strong protection. The method used in the video is documented, but I did not see it in the wild. It does not rely on using vulnerable drivers or abusing PPL.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Kernel drivers are not the de facto decisively superior way to provide protection; anyone that says they are probably has an agenda and cannot be taken seriously.
They are not superior, they are necessary to allow the self-protection to observe kernel-level system calls, as well as suspicious memory manipulations and patching that can allow anything, from unhooking user-mode processes, thus tampering with behavioural blocking, to completely terminating security services.

That being said, Comodo kernel mode self-protection drivers are not receiving the necessary maintenance they need for the application to provide a safe, secure and reliable service. Others may have this flaw but they will fix it quickly, Comodo won’t. God knows how other services are designed, do they use the necessary wrappers and memory integrity settings to keep operation “sanitary” and so on and so on. You wanna use hobby projects — these are your hobby projects. Always trust professionals.
 
Last edited:

Decopi

Level 8
Verified
Oct 29, 2017
361
After Comodo abandoned its software for almost four years, during the past year by making big announcements, the beta version was started... and almost a year later, it's still in beta.

In real life, this beta is just a facelift, mere cosmetics for the graphical interface, all the old bugs, well known, often reported, and dangerous, all these bugs are still there in the latest beta version, totally unfixed since 2017.

Not to forget that Comodo' antivirus, cloud features and similar, never worked, always were very low quality products. Just the containment feature was useful in the past, but unfortunately is full of dangerous bugs since 2017.
Worse, under the "free product argument", Comodo's immoral staff and fanatics insist that trashware can be offered to the average-Joe user.
 

rashmi

Level 12
Jan 15, 2024
562
Cruelsister's config, sandbox is set to "Restricted" not "Untrusted". But I don't know if it would make any difference.
Untrusted is the maximum restriction and allows very limited access rights compared to Restricted.

@Andy Ful

1. From memory, some versions of Comodo had issues in VirtualBox. I don't know about the current stable and beta builds.
2. It seems you tested on Windows 11. It would have been better to test the latest beta build, which fully supports Windows 11.
3. I don't remember if Comodo notifies, but the configuration change to Proactive requires a system restart for proper functioning. I hope you restarted the system.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,208
@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I'm guessing most people would have clicked Fix to rectify the Comodo issue but useful to know that it's possible to disable the service and that Comodo doesn't pick this up with it's behaviour features. Hmm.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
@Andy Ful

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

The demo video looks to be that of a user thinking they are manually installing a legitimate program/app, and they have administrative rights to elevate the malicious file I_am_nice_and_clean.dat (LOL). In this case the auto-containment is bypassed innocently by the user. Maybe there's more to the malicious chain reaction than just the dat file(??), but that was all we can see.

Btw, I'm guessing big box anti-malware products could be bypassed in similar fashion with a customized bypass manually elevated by the user, or am I wrong in this assumption?
 
F

ForgottenSeer 109138

@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I'm guessing most people would have clicked Fix to rectify the Comodo issue but useful to know that it's possible to disable the service and that Comodo doesn't pick this up with it's behaviour features. Hmm.
This POC is no different than Cruelsis examples as she modifies them to bypass other products claiming them to be subpar.
 
  • Like
Reactions: Trident

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
Would it have made any difference if HIPS was enabled?

Yes, if HIPS is not configured to allow cmd[.]exe.

Would an HIPS alert be generated in this attack to alert the user that some application is tampering with the service?

No application is tampering with the service. The attack is fileless after Windows restart.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
1. From memory, some versions of Comodo had issues in VirtualBox. I don't know about the current stable and beta builds.
2. It seems you tested on Windows 11. It would have been better to test the latest beta build, which fully supports Windows 11.
3. I don't remember if Comodo notifies, but the configuration change to Proactive requires a system restart for proper functioning. I hope you restarted the system.
  1. The attack works also on the real system.
  2. The attack works on Windows 10+.
  3. Yes. Furthermore, you can see 2 system restarts on the video.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

I used a shortcut to avoid Comodo's scripting protection.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I did not see this attack vector in the wild. It is probably not dangerous at home, especially for Comodo.
Comodo is still one of the strongest protections, especially in the tested settings. This attack vector does not change my opinion.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
Btw, I'm guessing big box anti-malware products could be bypassed in similar fashion with a customized bypass manually elevated by the user, or am I wrong in this assumption?

I think so. But as with many such attacks, this attack vector can be stopped via behavior-based detections after the first successful campaign.:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
The demo video looks to be that of a user thinking they are manually installing a legitimate program/app, and they have administrative rights to elevate the malicious file I_am_nice_and_clean.dat (LOL). In this case the auto-containment is bypassed innocently by the user. Maybe there's more to the malicious chain reaction than just the dat file(??), but that was all we can see.

It was not my intention to show a real attack in the video. It is also improbable that the in-te-wild attack would look like in the video.
Of course, the attacker could use social engineering methods to convince & instruct the user, similarly to the attacks via documents with macros.
But it is more probable that this attack vector could be a part of a multistage attack in the Enterprises.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top