App Review The Comodo's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
I made this video to show what most MT already know. If the attacker can get high privileges, then the protection via kernel drivers can be compromised. I intentionally chose Comodo Antivirus with Auto-Containment, because it is a very strong protection. The method used in the video is documented, but I did not see it in the wild. It does not rely on using vulnerable drivers or abusing PPL.
 
  • Like
  • +Reputation
  • Applause
Reactions: kylprq, rashmi, FALLEN and 12 others
laython said:
Kernel drivers are not the de facto decisively superior way to provide protection; anyone that says they are probably has an agenda and cannot be taken seriously.
Click to expand...
They are not superior, they are necessary to allow the self-protection to observe kernel-level system calls, as well as suspicious memory manipulations and patching that can allow anything, from unhooking user-mode processes, thus tampering with behavioural blocking, to completely terminating security services.

That being said, Comodo kernel mode self-protection drivers are not receiving the necessary maintenance they need for the application to provide a safe, secure and reliable service. Others may have this flaw but they will fix it quickly, Comodo won’t. God knows how other services are designed, do they use the necessary wrappers and memory integrity settings to keep operation “sanitary” and so on and so on. You wanna use hobby projects — these are your hobby projects. Always trust professionals.
 
Last edited:
  • Like
  • +Reputation
  • Hundred Points
Reactions: cryogent, Sunshine-boy, oldschool and 8 others
Fel Grossi said:
Cruelsister's config, sandbox is set to "Restricted" not "Untrusted". But I don't know if it would make any difference.
Click to expand...
Untrusted is the maximum restriction and allows very limited access rights compared to Restricted.

@Andy Ful

1. From memory, some versions of Comodo had issues in VirtualBox. I don't know about the current stable and beta builds.
2. It seems you tested on Windows 11. It would have been better to test the latest beta build, which fully supports Windows 11.
3. I don't remember if Comodo notifies, but the configuration change to Proactive requires a system restart for proper functioning. I hope you restarted the system.
 
  • Like
  • +Reputation
Reactions: kylprq, cryogent, Andy Ful and 2 others
@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I'm guessing most people would have clicked Fix to rectify the Comodo issue but useful to know that it's possible to disable the service and that Comodo doesn't pick this up with it's behaviour features. Hmm.
 
  • Like
Reactions: kylprq, cryogent, Andy Ful and 1 other person
ErzCrz said:
@Andy Ful

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?
Click to expand...

The demo video looks to be that of a user thinking they are manually installing a legitimate program/app, and they have administrative rights to elevate the malicious file I_am_nice_and_clean.dat (LOL). In this case the auto-containment is bypassed innocently by the user. Maybe there's more to the malicious chain reaction than just the dat file(??), but that was all we can see.

Btw, I'm guessing big box anti-malware products could be bypassed in similar fashion with a customized bypass manually elevated by the user, or am I wrong in this assumption?
 
  • Like
Reactions: cryogent and Andy Ful
ErzCrz said:
@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.

My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?

I'm guessing most people would have clicked Fix to rectify the Comodo issue but useful to know that it's possible to disable the service and that Comodo doesn't pick this up with it's behaviour features. Hmm.
Click to expand...
This POC is no different than Cruelsis examples as she modifies them to bypass other products claiming them to be subpar.
 
  • Like
Reactions: Trident
Pico said:
Would it have made any difference if HIPS was enabled?
Click to expand...

Yes, if HIPS is not configured to allow cmd[.]exe.

Pico said:
Would an HIPS alert be generated in this attack to alert the user that some application is tampering with the service?
Click to expand...

No application is tampering with the service. The attack is fileless after Windows restart.
 
  • Like
  • Thanks
Reactions: cryogent, Sunshine-boy and Trident
rashmi said:
1. From memory, some versions of Comodo had issues in VirtualBox. I don't know about the current stable and beta builds.
2. It seems you tested on Windows 11. It would have been better to test the latest beta build, which fully supports Windows 11.
3. I don't remember if Comodo notifies, but the configuration change to Proactive requires a system restart for proper functioning. I hope you restarted the system.
Click to expand...
  1. The attack works also on the real system.
  2. The attack works on Windows 10+.
  3. Yes. Furthermore, you can see 2 system restarts on the video.
 
  • +Reputation
  • Like
Reactions: rashmi, Sunshine-boy, simmerskool and 1 other person
ErzCrz said:
@Andy Ful Nice test of Comodo. It's impressive seeing that the Containment can be disabled by a cmd file.
Click to expand...

I used a shortcut to avoid Comodo's scripting protection.

ErzCrz said:
My thoughts on watching this are that if a unknown file executed a cmd or svchost or any other program that could execute the code to disable the virtualization that both the unknown file an any process or file launched by that unknown file would be Contained. Sure, a user can run that cmd line they create on their own but do we have an example of malware or unknown file executing that code and successfully disabling containment?
Click to expand...

I did not see this attack vector in the wild. It is probably not dangerous at home, especially for Comodo.
Comodo is still one of the strongest protections, especially in the tested settings. This attack vector does not change my opinion.
 
  • Like
  • +Reputation
Reactions: cryogent, simmerskool, Trident and 1 other person
wat0114 said:
Btw, I'm guessing big box anti-malware products could be bypassed in similar fashion with a customized bypass manually elevated by the user, or am I wrong in this assumption?
Click to expand...

I think so. But as with many such attacks, this attack vector can be stopped via behavior-based detections after the first successful campaign.:)
 
  • Like
  • +Reputation
Reactions: wat0114, cryogent, simmerskool and 1 other person
wat0114 said:
The demo video looks to be that of a user thinking they are manually installing a legitimate program/app, and they have administrative rights to elevate the malicious file I_am_nice_and_clean.dat (LOL). In this case the auto-containment is bypassed innocently by the user. Maybe there's more to the malicious chain reaction than just the dat file(??), but that was all we can see.
Click to expand...

It was not my intention to show a real attack in the video. It is also improbable that the in-te-wild attack would look like in the video.
Of course, the attacker could use social engineering methods to convince & instruct the user, similarly to the attacks via documents with macros.
But it is more probable that this attack vector could be a part of a multistage attack in the Enterprises.
 
  • Like
  • +Reputation
Reactions: wat0114, cryogent, simmerskool and 2 others
Andy Ful said:
Yes, if HIPS is not configured to allow cmd[.]exe.



No application is tampering with the service. The attack is fileless after Windows restart.
Click to expand...
Was the service stopped prior the reboot by the fileless attack (a pending service stop operation) or stopped by the fileless attack after the reboot? How would the fileless attack survive the reboot?
 
  • Like
Reactions: simmerskool, Trident, Moonhorse and 1 other person
Pico said:
Was the service stopped prior the reboot by the fileless attack (a pending service stop operation) or stopped by the fileless attack after the reboot? How would the fileless attack survive the reboot?
Click to expand...

If you watch the video carefully, I show that the service is not stopped before the Windows restart.
There are many fileless persistence methods. The most known is hiding the malicious code in the Registry (not used in the video).
 
  • Like
  • +Reputation
Reactions: vtqhtr413, wat0114, cryogent and 3 others

You may also like...