App Review The Comodo's challenge.

[ErzCrz]

Although I used CMD in one particular variant, the modified attack can bypass Comodo with all options related to embedded code detection.

App Review - Comodo's challenge part 2.

Comodo HIPS can be a strong protection, but such strong protection layers are hardly tolerated by the OS in Windows 11 , and sometimes even in Windows 10.

malwaretips.com

Ah, that's right. It was contingent on the LOLbin being in that list though it is quite an extensive one. I think the question is how such attack will get onto to the system in the first place and allowed to run. In the case of an unknown/untrusted file, CIS/CF would contain the parent and therefore child processes/actions. Your test did bypass pretty much all AVs from what I can remember. Anyway, thanks for the reminder. Security is all about layers and thankful I've gone down the CL route this year and H_C route for most of last year.

 

[Vitali Ortzi]

The driver cannot be hardened to avoid the attack. I cannot give more details.

just make sure you keep doing the best to notify vendors as different targeted attacks both by non and state sponsored groups are increasing and having more secure components in anything that runs with kernel privilege and having lowest possible attack surface (zero trust model ) is super important and project zero has already shown how many av software components aren't built with zero trust model in place and im not sure how many even use hypervisor, memory integrity for the higher privileged components

but hell since Microsoft is going to fix crowdstrike like issues by giving a good sdk and devs will probably migrate to both more zero trust posture and in general follow trends like using languages like rust that forces less talented devs to write less buggy software and to declare code we should have a bright future

 

[rashmi]

It wasn't blocked because cmd embedded code detection under Script Analysis is toggled off by default due to quite a few FPs. Thankfully, you can harden your system with @Andy Ful 's tools along side CIS/CF but that's overkill. CyberLock blocked the action which I bought this year. I'm on a CIS/CF hiatus waiting on Certificate issue to be resolved.

Why do you classify Comodo Script Analysis cmd blocking as false positives and consider @Andy Ful's tools and CyberLock cmd blocking as protective measures? Do @Andy Ful's tools and CyberLock solely target suspicious ones, whereas Comodo Script Analysis blocks all?

 

[rashmi]

The response is related to one of many possible variants only. Slightly modified variants do not use anything that could be blocked by HIPS:

App Review - Comodo's challenge part 2.

This video is a continuation of the previous one. I used the default settings of Internet Security configuration + enabled HIPS + most restrictive Auto-Containment for all Unrecognized files. I also confirmed that the Comodo Firewall cannot be fixed and the stopped Comodo's service does not work...

malwaretips.com

I'm aware of all the comments you've made in this thread. Comodo staff mentioned that if an unknown application launches CMD, CIS will restrict it, but not when the user starts it. We also talked about this, and you thoroughly explained the POC, which successfully bypassed all tested security software. You emphasized that there is no need for users, particularly home users, to worry about this kind of attack. The thread contains all the information. For those who are interested, I recommend checking out your posts in this thread.

 

[ErzCrz]

Why do you classify Comodo Script Analysis cmd blocking as false positives and consider @Andy Ful's tools and CyberLock cmd blocking as protective measures? Do @Andy Ful's tools and CyberLock solely target suspicious ones, whereas Comodo Script Analysis blocks all?

From memory, still waking up this morning, a lot of programs use cmd scripts and when it was enabled in CIS/CF it blocked a lot of those falsely but as @Andy Ful already reminded me, it was also the case for any of the other hundreds of LOLbins using the same type of an attack. Andy's tools protect system services and block the likes of cmd with administrative privileges from accessing those. In the case of CyberLock, it's a behaviour detection. The point is that a file needs to be downloaded/installed and allowed to run that script whether it be legitamate or not and I can't recall an example of this attack being used so it is rare. Right, I have to get to work.

 

[Andy Ful]

I did not test much of the details of Comodo's script analysis. In the last test (no video), I checked everything possible in the "Script analysis" section and did not disable HIPS. As Comodo's staff mentioned the cmd[.]exe was blocked. I had to modify the attack to bypass Comodo successfully. So, the attack could be probably stopped only by using HIPS in paranoid settings. Anyway, it does not matter because most people do not use such paranoid settings. If the attack were performed in the wild, almost all machines could be affected.

 

[Behold Eck]

I did not test much of the details of Comodo's script analysis. In the last test (no video), I checked everything possible in the "Script analysis" section and did not disable HIPS. As Comodo's staff mentioned the cmd[.]exe was blocked. I had to modify the attack to bypass Comodo successfully. So, the attack could be probably stopped only by using HIPS in paranoid settings. Anyway, it does not matter because most people do not use such paranoid settings. If the attack were performed in the wild, almost all machines could be affected.

Could such a test/retest possibly be done to confirm that "safe mode" hips setting allows the bypass as opposed to the "paranoid" one ?.

Putting it out there to not just Andy but the other more knowledgeable good folk here at MT.

Regards Eck

 

[Andy Ful]

Could such a test/retest possibly be done to confirm that "safe mode" hips setting allows the bypass as opposed to the "paranoid" one ?.

Putting it out there to not just Andy but the other more knowledgeable good folk here at MT.

Regards Eck

The test was done by me:

App Review - Comodo's challenge part 2.

Comodo HIPS can be a strong protection, but such strong protection layers are hardly tolerated by the OS in Windows 11 , and sometimes even in Windows 10.

malwaretips.com

I do not plan to test soon if Comodo and other AVs improved with fighting my POCs. Maybe next year.
No one can retest, because I did not share the samples.

 

[Behold Eck]

The test was done by me:

App Review - Comodo's challenge part 2.

Comodo HIPS can be a strong protection, but such strong protection layers are hardly tolerated by the OS in Windows 11 , and sometimes even in Windows 10.

malwaretips.com

I do not plan to test soon if Comodo and other AVs improved with fighting my POCs. Maybe next year.
No one can retest, because I did not share the samples.

Ah, sorry I missed part 2 of the test, cheers

Regards Eck

 

[RoboMan]

Nice test Andy, thanks.

Before the hord comes and claims Comodo is "useless", must we say that this is a special file designed to bypass Comodo and only Comodo. The chances that you're gonna encounter such file in the wild are very low. Unless you're being specifically targeted and they know you use Comodo, it's unlikely the product will fail you like it did in this test. A similar test was published here long ago about Kaspersky. Products can be bypassed. All of them, probably, if enough time and resources are allocated. But I believe cybercriminals who do this for money will most likeky target widely-used antivirus, such as Microsoft Defender.

 

[Andy Ful]

Nice test Andy, thanks.

Before the hord comes and claims Comodo is "useless", must we say that this is a special file designed to bypass Comodo and only Comodo.

The method is general and was designed for any security application, especially for AVs. I tested a dozen or so products. None of the tested products could stop all attack variants on usable settings. Some products did it in paranoid settings. For some tests, I made videos available on MT:
App Review - The Comodo's challenge.
App Review - Comodo's challenge part 2.
App Review - Eset's challenge.
App Review - Microsoft Defender's challenge.
App Review - Bitdefender's challenge.
App Review - The Emsisoft Enterprise Security challenge.
App Review - The Zone Alarm challenge.

Anyway, as I mentioned a few times, the presented attack vector can be dangerous in Enterprises. I do not expect it to be popular against home users.

 

[RoboMan]

The method is general and was designed for any security application, especially for AVs. I tested a dozen or so products. None of the tested products could stop all attack variants on usable settings. Some products did it in paranoid settings. For some tests, I made videos available on MT:
App Review - The Comodo's challenge.
App Review - Comodo's challenge part 2.
App Review - Eset's challenge.
App Review - Microsoft Defender's challenge.
App Review - Bitdefender's challenge.
App Review - The Emsisoft Enterprise Security challenge.
App Review - The Zone Alarm challenge.

Anyway, as I mentioned a few times, the presented attack vector can be dangerous in Enterprises. I do not expect it to be popular against home users.

Does the same file apply to all products? Or did you have to slightly modify the file (preserving the method) to make it work for each product?

 

[Andy Ful]

Does the same file apply to all products? Or did you have to slightly modify the file (preserving the method) to make it work for each product?

In my tests, the samples were modified for each product (the same method). However, it is possible to create one sample that should work for several AVs.

 

[rashmi]

From memory, still waking up this morning, a lot of programs use cmd scripts and when it was enabled in CIS/CF it blocked a lot of those falsely but as @Andy Ful already reminded me, it was also the case for any of the other hundreds of LOLbins using the same type of an attack. Andy's tools protect system services and block the likes of cmd with administrative privileges from accessing those. In the case of CyberLock, it's a behaviour detection. The point is that a file needs to be downloaded/installed and allowed to run that script whether it be legitamate or not and I can't recall an example of this attack being used so it is rare. Right, I have to get to work.

CyberLock allows or blocks vulnerable processes based on analysis or events, while @Andy Ful's tools have hardened rules for selected vulnerable processes. Am I correct? I'm trying to understand how a hardened rule is less prone to false positives than script analysis. Am I missing something?

 

[ErzCrz]

CyberLock allows or blocks vulnerable processes based on analysis or events, while @Andy Ful's tools have hardened rules for selected vulnerable processes. Am I correct? I'm trying to understand how a hardened rule is less prone to false positives than script analysis. Am I missing something?

They're both default deny approaches though @Andy Ful 's tool uses built-in OS policies and maybe more secure as it doesn't require third party program to run and uses SRP but both block it effectively.

 

[cruelsister]

have hardened rules for selected vulnerable processes

A rule that specifically targets command line switches from certain Kaspersky products would be pleasant.

 

[Andy Ful]

A rule that specifically targets command line switches from certain Kaspersky products would be pleasant.

This could prevent, for example, exploits based on TDSSKiller. However, it could not help against the Comodo challenge.
I think that Comodo should implement blocking vulnerable drivers (like Avast, or ASR rule in Microsoft). The exploits via vulnerable drivers (like in the case of TDSSKiller) are mainly blocked by Core isolation or vulnerable drivers policy. The problem is when those security features are disabled as it is often the case on Windows 10.

 

[EASTER]

My layered approach also uses the abandoned NoVirus ThankYou Driver Radar Pro AND ERP. Absolutely in tandem forms an impregnable shield should anything try to attack my system. 100% success rate to date using abandoned programs. Windows is NOT that good but with Security. Third Party programs even old one's DO SECURE WINDOWS.

 

[Andy Ful]

My layered approach also uses the abandoned NoVirus ThankYou Driver Radar Pro AND ERP. Absolutely in tandem forms an impregnable shield should anything try to attack my system. 100% success rate to date using abandoned programs. Windows is NOT that good but with Security. Third Party programs even old one's DO SECURE WINDOWS.

I am afraid that it cannot help against such threats as Comodo challenge. Your protection can be easily destroyed by the combination of exploit + ERP/AV Challenge. But this would require a targeted attack, because normally the attacker would not bother to add the code for ERP. Please remember that ERP can block only EXE files. Nowadays, the attacks can be done without EXE files.

 

[cruelsister]

Nowadays, the attacks can be done without EXE files.

An excellent point that is missed by far too many Anti-Malware application developers. But as long as this failing isn't really highlighted in the Pro AV testing it tends to be ignored.