App Review The Comodo's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,217
Although I used CMD in one particular variant, the modified attack can bypass Comodo with all options related to embedded code detection.
Ah, that's right. It was contingent on the LOLbin being in that list though it is quite an extensive one. I think the question is how such attack will get onto to the system in the first place and allowed to run. In the case of an unknown/untrusted file, CIS/CF would contain the parent and therefore child processes/actions. Your test did bypass pretty much all AVs from what I can remember. Anyway, thanks for the reminder. Security is all about layers and thankful I've gone down the CL route this year and H_C route for most of last year.
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,554
The driver cannot be hardened to avoid the attack. I cannot give more details.
just make sure you keep doing the best to notify vendors as different targeted attacks both by non and state sponsored groups are increasing and having more secure components in anything that runs with kernel privilege and having lowest possible attack surface (zero trust model ) is super important and project zero has already shown how many av software components aren't built with zero trust model in place and im not sure how many even use hypervisor, memory integrity for the higher privileged components

but hell since Microsoft is going to fix crowdstrike like issues by giving a good sdk and devs will probably migrate to both more zero trust posture and in general follow trends like using languages like rust that forces less talented devs to write less buggy software and to declare code we should have a bright future
 

rashmi

Level 12
Jan 15, 2024
562
It wasn't blocked because cmd embedded code detection under Script Analysis is toggled off by default due to quite a few FPs. Thankfully, you can harden your system with @Andy Ful 's tools along side CIS/CF but that's overkill. CyberLock blocked the action which I bought this year. I'm on a CIS/CF hiatus waiting on Certificate issue to be resolved.
Why do you classify Comodo Script Analysis cmd blocking as false positives and consider @Andy Ful's tools and CyberLock cmd blocking as protective measures? Do @Andy Ful's tools and CyberLock solely target suspicious ones, whereas Comodo Script Analysis blocks all?
 

rashmi

Level 12
Jan 15, 2024
562
The response is related to one of many possible variants only. Slightly modified variants do not use anything that could be blocked by HIPS:
I'm aware of all the comments you've made in this thread. Comodo staff mentioned that if an unknown application launches CMD, CIS will restrict it, but not when the user starts it. We also talked about this, and you thoroughly explained the POC, which successfully bypassed all tested security software. You emphasized that there is no need for users, particularly home users, to worry about this kind of attack. The thread contains all the information. For those who are interested, I recommend checking out your posts in this thread.
 
  • Like
Reactions: Sorrento

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,217
Why do you classify Comodo Script Analysis cmd blocking as false positives and consider @Andy Ful's tools and CyberLock cmd blocking as protective measures? Do @Andy Ful's tools and CyberLock solely target suspicious ones, whereas Comodo Script Analysis blocks all?
From memory, still waking up this morning, a lot of programs use cmd scripts and when it was enabled in CIS/CF it blocked a lot of those falsely but as @Andy Ful already reminded me, it was also the case for any of the other hundreds of LOLbins using the same type of an attack. Andy's tools protect system services and block the likes of cmd with administrative privileges from accessing those. In the case of CyberLock, it's a behaviour detection. The point is that a file needs to be downloaded/installed and allowed to run that script whether it be legitamate or not and I can't recall an example of this attack being used so it is rare. Right, I have to get to work.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
I did not test much of the details of Comodo's script analysis. In the last test (no video), I checked everything possible in the "Script analysis" section and did not disable HIPS. As Comodo's staff mentioned the cmd[.]exe was blocked. I had to modify the attack to bypass Comodo successfully. So, the attack could be probably stopped only by using HIPS in paranoid settings. Anyway, it does not matter because most people do not use such paranoid settings. If the attack were performed in the wild, almost all machines could be affected.
 

Behold Eck

Level 18
Verified
Top Poster
Well-known
Jun 22, 2014
870
I did not test much of the details of Comodo's script analysis. In the last test (no video), I checked everything possible in the "Script analysis" section and did not disable HIPS. As Comodo's staff mentioned the cmd[.]exe was blocked. I had to modify the attack to bypass Comodo successfully. So, the attack could be probably stopped only by using HIPS in paranoid settings. Anyway, it does not matter because most people do not use such paranoid settings. If the attack were performed in the wild, almost all machines could be affected.
Could such a test/retest possibly be done to confirm that "safe mode" hips setting allows the bypass as opposed to the "paranoid" one ?.

Putting it out there to not just Andy but the other more knowledgeable good folk here at MT.

Regards Eck:)
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
Could such a test/retest possibly be done to confirm that "safe mode" hips setting allows the bypass as opposed to the "paranoid" one ?.

Putting it out there to not just Andy but the other more knowledgeable good folk here at MT.

Regards Eck:)

The test was done by me:

I do not plan to test soon if Comodo and other AVs improved with fighting my POCs. Maybe next year.
No one can retest, because I did not share the samples. (y)
 

Behold Eck

Level 18
Verified
Top Poster
Well-known
Jun 22, 2014
870
The test was done by me:

I do not plan to test soon if Comodo and other AVs improved with fighting my POCs. Maybe next year.
No one can retest, because I did not share the samples. (y)
Ah, sorry I missed part 2 of the test, cheers (y)

Regards Eck:)
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,487
Nice test Andy, thanks.

Before the hord comes and claims Comodo is "useless", must we say that this is a special file designed to bypass Comodo and only Comodo. The chances that you're gonna encounter such file in the wild are very low. Unless you're being specifically targeted and they know you use Comodo, it's unlikely the product will fail you like it did in this test. A similar test was published here long ago about Kaspersky. Products can be bypassed. All of them, probably, if enough time and resources are allocated. But I believe cybercriminals who do this for money will most likeky target widely-used antivirus, such as Microsoft Defender.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
Nice test Andy, thanks.

Before the hord comes and claims Comodo is "useless", must we say that this is a special file designed to bypass Comodo and only Comodo.

The method is general and was designed for any security application, especially for AVs. I tested a dozen or so products. None of the tested products could stop all attack variants on usable settings. Some products did it in paranoid settings. For some tests, I made videos available on MT:
App Review - The Comodo's challenge.
App Review - Comodo's challenge part 2.
App Review - Eset's challenge.
App Review - Microsoft Defender's challenge.
App Review - Bitdefender's challenge.
App Review - The Emsisoft Enterprise Security challenge.
App Review - The Zone Alarm challenge.

Anyway, as I mentioned a few times, the presented attack vector can be dangerous in Enterprises. I do not expect it to be popular against home users.
 
Last edited:

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,487
The method is general and was designed for any security application, especially for AVs. I tested a dozen or so products. None of the tested products could stop all attack variants on usable settings. Some products did it in paranoid settings. For some tests, I made videos available on MT:
App Review - The Comodo's challenge.
App Review - Comodo's challenge part 2.
App Review - Eset's challenge.
App Review - Microsoft Defender's challenge.
App Review - Bitdefender's challenge.
App Review - The Emsisoft Enterprise Security challenge.
App Review - The Zone Alarm challenge.

Anyway, as I mentioned a few times, the presented attack vector can be dangerous in Enterprises. I do not expect it to be popular against home users.
Does the same file apply to all products? Or did you have to slightly modify the file (preserving the method) to make it work for each product?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
Does the same file apply to all products? Or did you have to slightly modify the file (preserving the method) to make it work for each product?

In my tests, the samples were modified for each product (the same method). However, it is possible to create one sample that should work for several AVs.
 

rashmi

Level 12
Jan 15, 2024
562
From memory, still waking up this morning, a lot of programs use cmd scripts and when it was enabled in CIS/CF it blocked a lot of those falsely but as @Andy Ful already reminded me, it was also the case for any of the other hundreds of LOLbins using the same type of an attack. Andy's tools protect system services and block the likes of cmd with administrative privileges from accessing those. In the case of CyberLock, it's a behaviour detection. The point is that a file needs to be downloaded/installed and allowed to run that script whether it be legitamate or not and I can't recall an example of this attack being used so it is rare. Right, I have to get to work.
CyberLock allows or blocks vulnerable processes based on analysis or events, while @Andy Ful's tools have hardened rules for selected vulnerable processes. Am I correct? I'm trying to understand how a hardened rule is less prone to false positives than script analysis. Am I missing something?
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,217
CyberLock allows or blocks vulnerable processes based on analysis or events, while @Andy Ful's tools have hardened rules for selected vulnerable processes. Am I correct? I'm trying to understand how a hardened rule is less prone to false positives than script analysis. Am I missing something?
They're both default deny approaches though @Andy Ful 's tool uses built-in OS policies and maybe more secure as it doesn't require third party program to run and uses SRP but both block it effectively.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
A rule that specifically targets command line switches from certain Kaspersky products would be pleasant.

This could prevent, for example, exploits based on TDSSKiller. However, it could not help against the Comodo challenge.
I think that Comodo should implement blocking vulnerable drivers (like Avast, or ASR rule in Microsoft). The exploits via vulnerable drivers (like in the case of TDSSKiller) are mainly blocked by Core isolation or vulnerable drivers policy. The problem is when those security features are disabled as it is often the case on Windows 10.
 
Last edited:

EASTER

Level 4
Verified
Well-known
May 9, 2017
159
My layered approach also uses the abandoned NoVirus ThankYou Driver Radar Pro AND ERP. Absolutely in tandem forms an impregnable shield should anything try to attack my system. 100% success rate to date using abandoned programs. Windows is NOT that good but with Security. Third Party programs even old one's DO SECURE WINDOWS.
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
My layered approach also uses the abandoned NoVirus ThankYou Driver Radar Pro AND ERP. Absolutely in tandem forms an impregnable shield should anything try to attack my system. 100% success rate to date using abandoned programs. Windows is NOT that good but with Security. Third Party programs even old one's DO SECURE WINDOWS.
I am afraid that it cannot help against such threats as Comodo challenge. Your protection can be easily destroyed by the combination of exploit + ERP/AV Challenge. But this would require a targeted attack, because normally the attacker would not bother to add the code for ERP. Please remember that ERP can block only EXE files. Nowadays, the attacks can be done without EXE files.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top