The Comodo's challenge.
- Thread starter Andy Ful
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
First off, I LOVE the presentation style of the video! Easy to view, easy to understand.
The need to run the file as Admin is really trivial as it is no great inconvenience to code into a file an Admin bypass. The main question that I have is if the Script Analysis function of Comodo was enabled. Having it enabled (checked) is essential and was demonstrated in a video I did ~6 months ago ("The Importance Of Comodo's Script Analysis").
If it was indeed enabled then this would be problematic.
The need to run the file as Admin is really trivial as it is no great inconvenience to code into a file an Admin bypass. The main question that I have is if the Script Analysis function of Comodo was enabled. Having it enabled (checked) is essential and was demonstrated in a video I did ~6 months ago ("The Importance Of Comodo's Script Analysis").
If it was indeed enabled then this would be problematic.
Does this fileless attack need a script? Could it be executed as plain zero-day code instead?
Thanks, Mistress.
Yes, it was enabled. The attack vector does not use scripts. I used a shortcut with CmdLines, and this could bypass Comodo's script analysis.
Of course, I tried scripts, but they were contained by Comodo. Also, the attack was blocked when I used PowerShell instead of CMD.
Comodo has a clever method to block PowerShell CmdLines. The CmdLine is converted to .PS1 script. The script is analyzed by Comodo and contained.
It is problematic.
Yes, it could.
But no worry. I will keep the secret to myself, except if a Comodo staff will be interested.
I was interested in putting it on VMware win10, but for unclear reasons before I downloaded it, xcitium sales people started calling me to the point of annoyance. I backed away.
I'm no expert, but I wonder if the attack is like those that users posted in the past where the developers replied something like "Comodo allowed the user started...). I don't remember the developer's words or response, but it was like the @ErzCrz response in post #9: " if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own"
Someone posted about this on the Comodo forums. Let's see what the developers say.
Again, I'm no expert, so this may sound stupid. I wonder if script analysis would have blocked the attack like PowerShell if, like PowerShell, "Embedded Code Detection" was enabled for CMD under Script Analysis - Runtime Detection.
Last edited:
F
ForgottenSeer 107474
I have used Comodo Antivirus Cloud in the past with all these settings enabled (blocking cmd etc) and never ran into an issue. Comodo Cloud AV also had the containment / virtualization module of CIS
If the "Embedded Code Detection" is enabled for cmd[.]exe the CmdLine is converted to the .BAT file, the Comodo Containment alert is shown, and the attack can be stopped by the user. This scenario is similar to the PowerShell case, except that for PowerShell the "Embedded Code Detection" is enabled by default.
The "Embeded Code Detection" is just the CmdLine Whitelisting.
Anyway, the attack still works if another LOLBin is used. Even if you enable "Embedded Code Detection" for all LOLBins listed on the Script Analysis window, there are some not-listed LOLBins that still work in the attack.
Last edited:
I suppose there's the option of adding all the .exe's under Win/System32 folder so they're all covered though I don't know what impact that would have. How many of them would be able to execute such a code really?
Response of @ozer.metin (Comodo Staff- Chief Innovation and Technology Officer)
forums.comodo.com
Comodo Bypass by CMD file
App Review - The Comodo’s challenge. | MalwareTips Forums In this conversation, a user manages to stop Comodo services using a CMD shortcut. as he describes in conversation. He said he is willing to help Comodo if they want to fix the problem.
forums.comodo.com
As I mentioned in my post #28, "if the attack is like those that users posted in the past where the developers replied something like (Comodo allowed the user started...)"Response of @ozer.metin (Comodo Staff- Chief Innovation and Technology Officer)
Comodo Bypass by CMD file
App Review - The Comodo’s challenge. | MalwareTips Forums In this conversation, a user manages to stop Comodo services using a CMD shortcut. as he describes in conversation. He said he is willing to help Comodo if they want to fix the problem.
There were similar posts on old forums where users reported they could disable Comodo, and the developers' reply was the same as @ozer.metin.
It makes me happy to see a video of Comodo being bypassed by a developer
And yes, unfortunately, Comodo is clearly not infallible (no AV is anyway).
Just that it's pretty easy to bypass the Sandbox. I did it once a while ago by stealing the digital signature of a well-known program.
I don't know if it's been corrected now...
So when I see comments like "Comodo is the best antivirus" already there is NO such thing because NO antivirus will protect 100%.
And yes, unfortunately, Comodo is clearly not infallible (no AV is anyway).
Just that it's pretty easy to bypass the Sandbox. I did it once a while ago by stealing the digital signature of a well-known program.
I don't know if it's been corrected now...
So when I see comments like "Comodo is the best antivirus" already there is NO such thing because NO antivirus will protect 100%.
Not many, but you do not know which should be blocked. Furthermore, some external LOLBins can do the same.
Yes, no AV is infallible, but to be fair, this was not a bypass of Comodo, as responded by the team. They clearly mentioned how Comodo treats the command execution.It makes me happy to see a video of Comodo being bypassed by a developer
And yes, unfortunately, Comodo is clearly not infallible (no AV is anyway).
Just that it's pretty easy to bypass the Sandbox. I did it once a while ago by stealing the digital signature of a well-known program.
I don't know if it's been corrected now...
So when I see comments like "Comodo is the best antivirus" already there is NO such thing because NO antivirus will protect 100%.
Yours is not a bypass of the sandbox. For that, the malicious activities should break out of the sandbox. Yours is more of a feature abuse, which would also be true for any AVs automatically allowing digitally signed programs. In other terms, it's like saying, "I bypassed an AV with a virus not present in its database." If you meant Comodo alerted for your signed program, you chose (run in containment), and the program generated files on the real system - then it's a sandbox bypass.
What do we learn from Comodo's response?
When HIPS was enabled with Proactive config then this attack would have failed?
When HIPS was enabled with Proactive config then this attack would have failed?
Yes, as I mentioned in my second post, when the HIPS module is enabled this particular attack can be blocked. I am not sure if HIPS can block all LOLBins (internal and external) that can be used instead of CMD. I disabled HIPS not to make the attack easier, but because it is a pretty popular practice when the Auto-Containment is set to Untrusted. As we can see, there can be some cons of that.
The attack does not use Registry for that.
The method from my video can be used as a part of lateral movement, by dropping and executing the shortcut (.LNK file) and the .DAT file. Unknown application is not required. The full attack can be more complex and can depend on the particular Comodo settings. It will be successful in some settings and will fail in others.
Anyway, the Comodo Staff- Chief is right. The purpose of the video was not to show a real attack, but to show that kernel drivers can be disabled from UserLand without using vulnerable drivers. I chose Comodo as an example. A similar method can work for other AVs and generally for security applications that use kernel drivers.
Edit.
Home users should not worry. I do not think that home users will be the targets.
Last edited:
Yes, this is what the team meant. Also, the team meant Comodo would prevent such an attack from an unknown program even if HIPS was in the disabled state.
You may also like...
-
-
This ransomware bypass every antivirus and removes antivirus- Started by HydraDragonAntivirus
- Replies: 59
-
-
Why Don’t Major AV Vendors Use Auto-Containment Like Comodo?
- Started by NoveyBoy
- Replies: 23
-
Protect Yourself From the macOS Flaw that Bypasses Apple Privacy Controls- Started by lokamoka820
- Replies: 1