App Review The Comodo's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
Now it was Melih who responded. I hope they get in touch to analyze the POC and, if possible, correct this weakness.

forums.comodo.com

Comodo Bypass by CMD file

@ozer.metin App Review - Comodo’s challenge part 2. | MalwareTips Forums The user tested again with HIPS enabled, and the result was the same. Deactivation of Comodo services.
forums.comodo.com forums.comodo.com
Nothing is 100%, there is always a fine line of burdening users. Usability vs Security is a constant battle. We have always been trying to make sure we provide the best security for the usability. We can add many theoritical scenerios that are not a current threat in the wild that might negatively affect usability. However we are always looking for new ways to improve the security without affecting the user experience. We very much appreciate the good work Andy has done and we welcome and encourage more of these kind of POCs so that we can all improve as a community!
Click to expand...
 
  • Like
  • Applause
Reactions: roger_m, Sandbox Breaker - DFIR, brambedkar59 and 5 others
Andy Ful said:
Guys, your critique of Comodo does not help in this thread.
Any AV can be criticized, but people who use Comodo do not complain much.:)
Click to expand...
Andy, I think what everyone here is failing to say, is Thank you.

At some point maybe the users in the forum will get past the peeing matches over products and realize that users like yourself that submit things as such, are not meaning to condemn products but help them find issues they did not realize existed. Whether or not these are in the wild now or could be at some later time when discovered by those that would use such a knowledge in a malicious way. These types of test and your openness and lack of damning products clearly states you are only doing this to help others and as such should be greatly appreciated by all, as it benefits all.
 
  • Like
  • Applause
  • Hundred Points
Reactions: roger_m, Trident, Sandbox Breaker - DFIR and 12 others
In the Comodo forum, I suggested that someone on the team contact @Andy Ful . However, Melih responded redundantly, I didn't understand very well.
Maybe someone has already contacted Andy, or they are waiting for him to get in touch, or as he highlighted that the chance of seeing in the wild is close to 0, he doesn't see the need for correction.
I tried to help where I could.

I thank Andy and all colleagues on this forum for always bringing content that enriches our knowledge.
 
  • Like
  • Applause
Reactions: roger_m, Trident, brambedkar59 and 7 others
vitao said:
guys, im really sorry to be lost here but i was reading the entire post and i need to ask: is this something to really worry as a user?
Click to expand...

I do not think so.
There are many other possibilities that can be more dangerous to you. There is no need to worry when you read something on MT. It is just the information to think over.
 
Last edited:
  • Like
  • +Reputation
Reactions: vitao, roger_m, Trident and 5 others
tachion said:
Hello Andy can you repeat the ttest with the option checked: Detect embedded code at cmd ?

Heuristic analysis of the code alone may not yield anything

It's been a long time since I've been here :)
Click to expand...

Cześć. :)

Welcome back.
I can do it without making video. Which concrete setup should be tested?
 
  • Like
  • Applause
Reactions: Trident, vtqhtr413 and simmerskool
I'm talking about the same test with hips checked as it was in the second video and the embedded code option checked

I wonder how it would turn out :)

Zrzut ekranu 2024-03-13 200433.png
 
  • Like
Reactions: Sandbox Breaker - DFIR, vtqhtr413 and Andy Ful
tachion said:
I'm talking about the same test with hips checked as it was in the second video and the embedded code option checked

I wonder how it would turn out :)

View attachment 282162
Click to expand...

These settings for cmd[.]exe + the settings used in the first video, can block the particular variant of the attack that utilizes cmd[.]exe.
They will not block some other variants, that do not use CMD.
 
  • Like
  • +Reputation
Reactions: Trident, Sandbox Breaker - DFIR, simmerskool and 3 others
Could this attack be blocked effectively by adding certain HIPS rules like (user) apps deny access to certain files or system resources. I'm wondering if one or more HIPS rules could defend this attack and if so which rules to add.
 
  • Like
Reactions: Andy Ful
Pico said:
Could this attack be blocked effectively by adding certain HIPS rules like (user) apps deny access to certain files or system resources. I'm wondering if one or more HIPS rules could defend this attack and if so which rules to add.
Click to expand...

Yes. But you would have to know the details of the attack.
 
  • Like
  • +Reputation
Reactions: simmerskool, vtqhtr413 and Trident
Andy Ful said:
Yes. But you would have to know the details of the attack.
Click to expand...
I wonder what the result of the test would be if you sent Containment to "Do Note Show Elevated Alerts" to Block with that ticked so it blocks any untrusted program rather than running in Containment. Something I used to use in my setup awhile back.
 
  • Like
  • Thanks
Reactions: kylprq, simmerskool, vtqhtr413 and 2 others
ErzCrz said:
I wonder what the result of the test would be if you sent Containment to "Do Note Show Elevated Alerts" to Block with that ticked so it blocks any untrusted program rather than running in Containment. Something I used to use in my setup awhile back.
Click to expand...
Selecting do not show elevation alerts just runs the unrecognized file with the chosen option for the setting. Comodo trusts or allows the attack file because the user is starting it, not an unknown program. Containment settings don't matter because containment doesn't come into effect in this case.
 
  • Like
  • Thanks
Reactions: simmerskool, Andy Ful and ErzCrz

You may also like...