Serious Discussion The updated CIS against the Exploit/POC

vitao

Level 3
Thread author
Mar 12, 2024
108
CIS version: 12.3.4.8162 (last 2025 update released so far)

Test conducted in two parts.

1) CIS with its default config against the poc;
2) CIS with cruelsisters config + tweaks of mine + loyisa recommendations against his poc.

CIS fails in both scenarios. So Comodo did not solve anything related to "some containment issue" as they stated in their poor changelog.

Here is the video:



P.S.: Description and subtitles translated into many languages. If you need more, just say it.
 

Bot

AI-powered Bot
Apr 21, 2016
4,514
Thank you for sharing your test results and the video. It seems like Comodo still has some issues to address. Your feedback is valuable and hopefully, it will help them improve their system. I'll pass this information to the relevant department.
 

rashmi

Level 12
Jan 15, 2024
577
Both Comodo defaults and custom settings tests show two files in the unrecognized files section, but nothing in the blocked applications section. Normally, files unknown to Comodo appear in both sections. If files appear in unrecognized files but not in blocked applications, it means that either Comodo already has the files as trusted in the file list or the user has ignored the files in settings. What are the Comodo "lookup" and "logs" verdicts for those two files in the unrecognized list?

Did you restart the system after applying proactive configuration? However, I don't think the PoC is running in the containment, so the test doesn't apply to the released containment fixes.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
CIS fails in both scenarios. So Comodo did not solve anything related to "some containment issue" as they stated in their poor changelog.

Your conclusion is invalid because your video has nothing to do with "some containment issue" solved by Comodo. To see that "some containment" issue was solved, you should run the @Loyisa exploit from the first video.
The Comodo staff did not announce that they solved all of Comodo's issues. The "some containment issue" was related to escape from inside the sandbox. In the current video, nothing escaped from inside the sandbox because nothing was sandboxed. The attack vector presented in the current video is another kind and should not be messed with sandbox escape.

Except for the above, it is a nice video. :)
You are also right that Comodo could improve protection by auto-containing Unrecognized DLLs loaded by Trusted EXE files (like in Windows Smart App Control). However, this would require many additional resources. The bigger vendors like Microsoft, Avast, etc. did not do it either.
 
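The condition Andy Ful describes (an Unrecognized, unsigned DLL loaded by a Trusted, signed EXE) can be audited on a running system. This PowerShell script is an added example, not code from this thread, from Comodo or from Hard_Configurator: it lists every DLL without an Authenticode signature that is mapped into a process whose host executable is validly signed. The function name and the $ProcessName parameter are my own; run it from an elevated prompt so module lists of other users' processes are readable.

```powershell
# Added example: report unsigned DLLs living inside validly signed host processes.
# $ProcessName is an assumed parameter; leave it empty to scan every process.
param(
    [string]$ProcessName = ''
)

function Get-UnsignedModulesInSignedProcesses {
    param([string]$Name)

    $procs = if ($Name) { Get-Process -Name $Name -ErrorAction SilentlyContinue } else { Get-Process }
    $sigCache = @{}   # path -> signature status, so each file is verified once

    function Get-SigStatus([string]$Path) {
        if (-not $sigCache.ContainsKey($Path)) {
            # Catalog-signed OS binaries also report 'Valid' (SignatureType = Catalog)
            $sigCache[$Path] = (Get-AuthenticodeSignature -FilePath $Path).Status
        }
        return $sigCache[$Path]
    }

    foreach ($p in $procs) {
        $exe = $p.Path
        if (-not $exe) { continue }                        # protected process, path not readable
        if ((Get-SigStatus $exe) -ne 'Valid') { continue } # only validly signed ("trusted") hosts

        try { $modules = $p.Modules } catch { continue }   # 32/64-bit mismatch or access denied
        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or $dll -eq $exe) { continue }
            if ((Get-SigStatus $dll) -eq 'NotSigned') {
                [pscustomobject]@{
                    Process = $p.ProcessName
                    PID     = $p.Id
                    HostExe = $exe
                    DLL     = $dll
                }
            }
        }
    }
}

Get-UnsignedModulesInSignedProcesses -Name $ProcessName | Format-Table -AutoSize
```

Unsigned DLLs are common in legitimate third-party software, so treat each hit as something to look up (publisher, location, file reputation) rather than as a verdict on its own.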

vitao

Level 3
Thread author
Mar 12, 2024
108
Your conclusion is invalid because your video has nothing to do with "some containment issue" solved by Comodo. To see that "some containment" issue was solved, you should run the @Loyisa exploit from the first video.
The Comodo staff did not announce that they solved all of Comodo's issues. The "some containment issue" was related to escape from inside the sandbox. In the current video, nothing escaped from inside the sandbox because nothing was sandboxed. The attack vector presented in the current video is another kind and should not be messed with sandbox escape.

Except for the above, it is a nice video. :)
You are also right that Comodo could improve protection by auto-containing Unrecognized DLLs loaded by Trusted EXE files (like in Windows Smart App Control). However, this would require many additional resources. The bigger vendors like Microsoft, Avast, etc. did not do it too.
It's the same PoC but with changes to the DLL and the EXE. CIS containment did not contain it, nor detect anything. If it's the same PoC, it's the same problem. So they didn't solve anything. In fact, the new edition has some regressions, but that's not my subject of testing, so I don't care.

Edit: from what Loyisa explained, it's the same technique but with changes to the DLL and the EXE, so there is no need to download anything and no need for the files to be in some specific place. Let's wait for the guy to talk a little more about it.
 

vitao

Level 3
Thread author
Mar 12, 2024
108
[image: pocv3.jpg]

From the official Comodo forum, in the official topic, from a member of the Comodo team. Not me saying nonsense.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
its the same poc but with changes on the dll and the exe.

It is not at the initial phase. The first POC used Unrecognized EXE (ComodoPocV2.exe) as the initial executable which was contained and next escaped from the sandbox:
https://malwaretips.com/threads/com...obliterated-by-an-exploit.133341/post-1105469

The current POC used benign Trusted EXE as the initial executable which was not contained at all. Look at your video. Is there any sign of POC's containment?

But OK. I already explained this a few times without any success. Maybe @Loyisa can explain it better. (y)
 

vitao

Level 3
Thread author
Mar 12, 2024
108
It is not at the initial phase. The first POC used Unrecognized EXE (ComodoPocV2.exe) as the initial executable which was contained and next escaped from the sandbox:
https://malwaretips.com/threads/com...obliterated-by-an-exploit.133341/post-1105469

The current POC used benign Trusted EXE as the initial executable which was not contained at all. Look at your video. Is there any sign of POC's containment?

But OK. I already explained this a few times without any success. Maybe @Loyisa can explain it better. (y)
No. I understand that. It's just nothing new, as it's the same problem. It's a flaw. Get it?
 
