App Review The Comodo's challenge.

[Andy Ful]

Guys, your critique of Comodo does not help in this thread.
Any AV can be criticized, but people who use Comodo do not complain much.

 

[rashmi]

No means No. Containment does not work.

Can you PM me the attack files?

 

[Victor M]

I use Xcitium OpenEDR. Plus I use WDAC. The WDAC layer is for banning the things I never use like certain LoL.bins. And, I block cmd and powerhshell until I need to use those 2. And I turned on HIPS. Security common sense, you turn off, disable, block things you don't use.

 

[Sandbox Breaker]

We use Xcitium. But we layer also. Least privilege and so on. All lol bins blocked.

 

[Andy Ful]

Can you PM me the attack files?

Are you Comodo staff?

 

[Fel Grossi]

Now it was Melih who responded. I hope they get in touch to analyze the POC and, if possible, correct this weakness.

Comodo Bypass by CMD file

@ozer.metin App Review - Comodo’s challenge part 2. | MalwareTips Forums The user tested again with HIPS enabled, and the result was the same. Deactivation of Comodo services.

forums.comodo.com

Nothing is 100%, there is always a fine line of burdening users. Usability vs Security is a constant battle. We have always been trying to make sure we provide the best security for the usability. We can add many theoritical scenerios that are not a current threat in the wild that might negatively affect usability. However we are always looking for new ways to improve the security without affecting the user experience. We very much appreciate the good work Andy has done and we welcome and encourage more of these kind of POCs so that we can all improve as a community!

 

[ForgottenSeer 109138]

Guys, your critique of Comodo does not help in this thread.
Any AV can be criticized, but people who use Comodo do not complain much.

Andy, I think what everyone here is failing to say, is Thank you.

At some point maybe the users in the forum will get past the peeing matches over products and realize that users like yourself that submit things as such, are not meaning to condemn products but help them find issues they did not realize existed. Whether or not these are in the wild now or could be at some later time when discovered by those that would use such a knowledge in a malicious way. These types of test and your openness and lack of damning products clearly states you are only doing this to help others and as such should be greatly appreciated by all, as it benefits all.

 

[vitao]

guys, im really sorry to be lost here but i was reading the entire post and i need to ask: is this something to really worry as a user?

 

[Fel Grossi]

In the Comodo forum, I suggested that someone on the team contact @Andy Ful . However, Melih responded redundantly, I didn't understand very well.
Maybe someone has already contacted Andy, or they are waiting for him to get in touch, or as he highlighted that the chance of seeing in the wild is close to 0, he doesn't see the need for correction.
I tried to help where I could.

I thank Andy and all colleagues on this forum for always bringing content that enriches our knowledge.

 

[Andy Ful]

Thank you guys.
The note posted by Melih is kind and respectful.
For now no one contacted with me but I if so, I will share all details of the attack method.

 

[Andy Ful]

guys, im really sorry to be lost here but i was reading the entire post and i need to ask: is this something to really worry as a user?

I do not think so.
There are many other possibilities that can be more dangerous to you. There is no need to worry when you read something on MT. It is just the information to think over.

 

[rashmi]

Are you Comodo staff?

I take Amendment 5

I can test the current beta and proactive HIPS if you could send the samples.

 

[tachion]

Hello Andy can you repeat the ttest with the option checked: Detect embedded code at cmd ?

Heuristic analysis of the code alone may not yield anything

It's been a long time since I've been here

 

[Andy Ful]

I take Amendment 5

I can test the current beta and proactive HIPS if you could send the samples.

Before publishing the video, I decided to share the samples only with AV vendors.

 

[Andy Ful]

Hello Andy can you repeat the ttest with the option checked: Detect embedded code at cmd ?

Heuristic analysis of the code alone may not yield anything

It's been a long time since I've been here

Cześć.

Welcome back.
I can do it without making video. Which concrete setup should be tested?

 

[tachion]

I'm talking about the same test with hips checked as it was in the second video and the embedded code option checked

I wonder how it would turn out

 

[Andy Ful]

I'm talking about the same test with hips checked as it was in the second video and the embedded code option checked

I wonder how it would turn out

View attachment 282162

These settings for cmd[.]exe + the settings used in the first video, can block the particular variant of the attack that utilizes cmd[.]exe.
They will not block some other variants, that do not use CMD.

 

[Sunshine-boy]

As explained, he used a script with LOLBins that cut Comodo's services.

You can never wake a person who pretends to be asleep.

 

[Pico]

Could this attack be blocked effectively by adding certain HIPS rules like (user) apps deny access to certain files or system resources. I'm wondering if one or more HIPS rules could defend this attack and if so which rules to add.

 

[Sandbox Breaker]

You can never wake a person who pretends to be asleep.

No matter how many time you wash the coal, it's always dirty.