App Review The Comodo's challenge.

Content created by Andy Ful
It's good they are removing spam and banning spammers. Some were polluting the beta thread with unrelated stuff, while others were repeating their nonsense.
They probably want users to think it's all good lol
Which is not the case in the real world, as we all have seen how miserably Comodo antivirus is failing in terms of the antivirus engine and signatures in various tests. Also they don't have any proper web and URL filtering protection, and the firewall component too lacks a proper network intrusion detection/prevention module, and the firewall component itself hasn't been updated for ages, which is a very very important thing and is present in almost all major security software vendors, be it Kaspersky or Norton or ESET or Avast or AVG, that's that. And when someone highlights these critical points to them on their forum they block that user; this kind of behaviour looks extremely weird and strange itself from their end.
Guys,

This thread is not about several possible Comodo issues, but about tampering with antimalware drivers and protected services.
Please, we should not stray from the subject too much. (y)
 
Hello,

Nothing new about the censorship on the Comodo forum and its inevitably very "politically correct" practices; there was a story with a former admin, "Shaoran" if I remember correctly, who had demonstrated with very few lines of code the shutdown of Comodo and the infection. That was a long time ago, Comodo version 4 I think, in any case... Has the Comodo team seen this test by Andy Ful, and are they planning to do anything about it? Thanks.
Can Comodo's Auto-Containment be bypassed?


Hello Andy.

Would you mind sharing the files so I can test it and maybe do it live on my channel? I'm curious as I'm always trying to find something that could bypass CIS containment but I always fail at it. If you don't see any problems it would be kind of you to share it. Maybe in a private msg if you prefer?
Hi @vitao,
I shared the attack method only with the AV vendors (Kaspersky, Microsoft, etc.).
I do not plan to share it further except if it will be seen in the wild. (y)
I do not think that this method can become popular in attacks on home users. The gain of using it is related to Enterprises.
It worked on Comodo set to Restricted too? Or just Untrusted?
Response of @ozer.metin (Comodo Staff- Chief Innovation and Technology Officer)
The response is related to one of many possible variants only. Slightly modified variants do not use anything that could be blocked by HIPS:
It does not matter because nothing was contained. The attack uses only legitimate executables.
I'm not sure how it works, but is there anything you can do, like setting Exploit Guard on Comodo's core components (no idea how it works, so unsure if any hardening by Exploit Guard might help)?
Or maybe some SRP rule?
Like, is there anything someone can do without a vendor patch to deal with this bypass of the driver?
And what vendors do you believe can protect against this and maybe future variants, or are at least responsive enough to care about an advanced attack vector like the one shown here?
You can use SRP to block shortcuts in UserSpace (like in H_C, WHHLight, or SWH). But, most AVs can be bypassed also without using shortcuts.
Anyway, it would be much harder to bypass Comodo without using a shortcut.
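As an added, read-only check (not from the thread or from any of the tools named above) that shows whether a machine's SRP policy actually covers shortcuts the way the post suggests, here is a PowerShell audit of the machine-wide SRP registry policy. It assumes Windows with SRP available and read access to HKLM; the level numbers are SRP's own.

```powershell
# Added example: audit the machine-wide SRP policy for shortcut (.lnk) coverage.
# Assumes Windows with SRP (Pro/Enterprise) and read access to HKLM. Read-only.
$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security levels as stored in the registry.
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferPathRule {
    # Each path rule is a GUID-named subkey under <level>\Paths with an ItemData value.
    foreach ($lvl in $Levels.Keys) {
        $paths = Join-Path $Safer "$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($k in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $k.PSPath
            [pscustomobject]@{
                Level       = $Levels[$lvl]
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

function Test-ShortcutPolicy {
    # Report: is SRP configured, is LNK an enforced file type, is there a deny rule for .lnk?
    $cfg   = Get-ItemProperty -Path $Safer -ErrorAction SilentlyContinue
    $rules = @(Get-SaferPathRule)
    $lnkDeny = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -match '\.lnk$' }
    # If ExecutableTypes is absent, SRP uses its built-in list, which already contains LNK.
    $lnkType = if ($cfg -and $cfg.ExecutableTypes) { $cfg.ExecutableTypes -contains 'LNK' } else { $true }
    [pscustomobject]@{
        PolicyPresent   = [bool]$cfg
        DefaultLevel    = if ($cfg) { $Levels[[int]$cfg.DefaultLevel] } else { $null }
        LnkIsExecutable = [bool]$lnkType
        LnkDenyRules    = @($lnkDeny).Count
        Rules           = $rules
    }
}

$report = Test-ShortcutPolicy
$report | Select-Object PolicyPresent, DefaultLevel, LnkIsExecutable, LnkDenyRules | Format-List
$report.Rules | Sort-Object Level, Path | Format-Table -AutoSize
```

A policy with no Disallowed rule matching .lnk, or with shortcuts removed from the enforced types, leaves UserSpace shortcuts unrestricted regardless of what other rules exist.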
 
Are there any vendors that hardened the driver to be able to deal with this attack, or does Microsoft need to create some SDK to allow further hardening, so that AV software drivers can be protected against some of these advanced attacks?

Although this is only a specific case, it would be interesting to know which vendors could deal with this attack.
 
It wasn't blocked because cmd embedded code detection under Script Analysis is toggled off by default due to quite a few FPs. Thankfully, you can harden your system with @Andy Ful's tools alongside CIS/CF, but that's overkill. CyberLock, which I bought this year, blocked the action. I'm on a CIS/CF hiatus waiting on the certificate issue to be resolved.

The driver cannot be hardened to avoid the attack. I cannot give more details.
 
Although I used CMD in one particular variant, the modified attack can bypass Comodo with all options related to embedded code detection.
 
Ah, that's right. It was contingent on the LOLBin being in that list, though it is quite an extensive one. I think the question is how such an attack will get onto the system in the first place and be allowed to run. In the case of an unknown/untrusted file, CIS/CF would contain the parent and therefore the child processes/actions. Your test did bypass pretty much all AVs from what I can remember. Anyway, thanks for the reminder. Security is all about layers, and I'm thankful I've gone down the CL route this year and the H_C route for most of last year.
 
Just make sure you keep doing your best to notify vendors, as different targeted attacks both by non-state and state-sponsored groups are increasing, and having more secure components in anything that runs with kernel privilege and having the lowest possible attack surface (zero trust model) is super important. Project Zero has already shown how many AV software components aren't built with a zero trust model in place, and I'm not sure how many even use hypervisor / memory integrity for the higher privileged components.

But hell, since Microsoft is going to fix CrowdStrike-like issues by giving a good SDK, and devs will probably migrate to both a more zero trust posture and in general follow trends like using languages like Rust that force less talented devs to write less buggy software and to declare code, we should have a bright future.
 
Why do you classify Comodo Script Analysis cmd blocking as false positives and consider @Andy Ful's tools and CyberLock cmd blocking as protective measures? Do @Andy Ful's tools and CyberLock solely target suspicious ones, whereas Comodo Script Analysis blocks all?