Hot Take Why Don’t Major AV Vendors Use Auto-Containment Like Comodo?

NoveyBoy

New Member
Thread author
May 11, 2025
Hi everyone,

Since I first started using antivirus software, Comodo has always been my preferred choice because it doesn’t just rely on a signature-based database but also on auto-containment. In other words, if an application isn’t recognized, it gets isolated.

Has anyone actually managed to bypass cruelsister1’s configuration with any form of malware? I personally believe that 100% security is an illusion, but this setup:
Proactive Mode + Auto-Containment (Restricted) seems practically unbreakable to me.

On several forums I also see both supporters and critics of this configuration. What I don’t fully understand is: why don’t the major antivirus companies implement this type of approach, while it seems to be very popular among many users?

What do you all think about this?
 
Since I first started using antivirus software, Comodo has always been my preferred choice
Ok, so we realise now you have attachment to Comodo, so we know how to approach.
What I don’t fully understand is: why don’t the major antivirus companies implement this type of approach, while it seems to be very popular among many users?
Containment has been implemented in many different applications.
Microsoft Defender for Business has both sandbox and Attack Surface Reduction Rules which are also containment—just different sort of it. Similar approach can be seen in McAfee/Trellix ENS with DAC (Dynamic Application Containment) where containment is actually in the name as well. Just different implementation.

Default deny was recently implemented in Microsoft Defender again through ASR rules, it has also been implemented in Trend Micro, Webroot (if configured) and so on.

Kaspersky IDS is a form of very intelligent containment + HIPS that works with 0 overhead.

So your question why others don’t implement it— they do. They do it in a more efficient and user-friendly way, that requires no decisions to be made by users who are typically not cyber security experts.

Furthermore, a lot of behavioural analysis systems can “sandbox” programmes when they detect questionable behaviour. This is done through API call redirects/hookup, which is exactly how Comodo sandbox is engineered.
Has anyone actually managed to bypass cruelsister1’s configuration with any form of malware? I personally believe that 100% security is an illusion, but this setup:
Proactive Mode + Auto-Containment (Restricted) seems practically unbreakable to me.
Bypasses have been documented times and times again.
Comodo containment is vulnerable to sandbox escape, kernel-level vulnerabilities, and social engineering (where users are lured into executing software outside of the sandbox, potentially through fake error messages and more). This is the “Problem Exists Between Keyboard and Chair” vulnerability.

Extreme and aggressive sandboxing policies also hurt the system performance.

When attacks are simulated in a realistic manner (as attackers operate and think), home-based solutions do the job well enough to not require aggressive sandboxing policies.
 
Thanks for the detailed explanation, I really appreciate it. I do understand that many vendors implement their own versions of “containment,” but from my perspective they don’t seem to operate in the same way Comodo’s auto-containment does.

If solutions like Kaspersky, Defender or SentinelOne already had equally strong containment, then why do we still see them failing in independent real-world malware tests? To me, that suggests their approach is more about reducing the impact in a user-friendly way, but not about strict isolation like Comodo applies.

One of the things I like about Comodo’s method is exactly that it doesn’t require any action or decision from the user. Unknown files are simply contained automatically. I agree with you that bypasses are always possible — which is why I also said 100% safety doesn’t exist.
 
You can try Xcitium, which is Comodo's business line. It is under active development, unlike Comodo's CIS. But I am not sure if the various bypasses for Comodo demonstrated here on MT work on Xcitium. Maybe they do.

I use WDAC's default deny. You can use WDAC Wizard to configure it, thus skipping the MS way which requires the use of PowerShell.
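For readers who want to see what the "MS way" mentioned above actually involves, here is an added example (not from this thread, and not the WDAC Wizard's or Microsoft's own code) that builds a WDAC default-deny policy with the built-in ConfigCI cmdlets; the file paths are placeholders, and the policy is created in audit mode first so nothing is blocked until the rules have been reviewed.

```powershell
# Added example: WDAC default-deny policy via the ConfigCI cmdlets.
# Assumptions: run as Administrator on Windows 10/11; the paths are
# placeholders. Everything not matched by a rule is implicitly denied,
# which is the "default deny" behaviour discussed in the thread.
$PolicyXml = 'C:\WDAC\DefaultDeny.xml'   # placeholder path
$PolicyBin = 'C:\WDAC\DefaultDeny.cip'   # compiled binary policy (placeholder)
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the installed software and allow what is present, keyed on the
#    publisher certificate, falling back to a file hash for unsigned
#    binaries. -UserPEs includes user-mode executables, not only drivers.
New-CIPolicy -FilePath $PolicyXml `
             -Level Publisher `
             -Fallback Hash `
             -ScanPath 'C:\' `
             -UserPEs

# 2. Start in audit mode (rule option 3): anything the policy would have
#    blocked is only logged, so a gap in the scan cannot brick the machine.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile to the binary form Windows loads. Deploying the .cip (Group
#    Policy, Intune, or CiTool on recent Windows 11) is a separate step.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. After running in audit mode for a while, review what would have been
#    blocked. Event ID 3076 in the CodeIntegrity log is the audit-mode
#    "allowed, but would be blocked under enforcement" record.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message

# 5. Only when the audit log shows no legitimate software being flagged,
#    remove the audit option and recompile to switch to enforcement:
#      Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#      ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

The audit-then-enforce sequence is the part that matters most: going straight to enforcement on a scan that missed an updater or a driver is how a default-deny setup ends up being switched off again.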
 
You can try Xcitium, which is Comodo's business line. It is under active development, unlike Comodo's CIS. But I am not sure if the various bypasses for Comodo demonstrated here in MT work on Xcitium. Probably they do.
Thanks for your reply. I’m aware that Xcitium is the business line of Comodo. Which bypasses are currently active and have been demonstrated on this forum?
 
@Trident Off topic, but Kaspersky had Sandbox until the 2012 version. I liked it, and to be honest, I wish it were still there today, even though now we have VMs, Sandboxie, and the Windows Restricted Area feature. Still, I would prefer to have it in AVs today, just to open suspicious websites or test suspicious applications. That's just my opinion. :)
 
Too many prompts is basically the main cause. Users (except for us, and probably including most of us) want an automated, stress-free experience.

People don't want to be bothered clicking allow every 5 seconds. WFC suffers from the same problem: great software (world class, in fact), but after a while you just get sick of the prompts.
 
Has anyone actually managed to bypass cruelsister1’s configuration with any form of malware?

Yes and No.
It can be bypassed in a targeted attack, as most of the home or small business solutions. There are some threads about it on MT.
However, such attacks on home users are so rare that Proactive Mode + Auto-Containment (Restricted) can still provide similar or higher protection than popular AVs.

What I don’t fully understand is: why don’t the major antivirus companies implement this type of approach, ...

It is a kind of default deny solution. The unknown executables are denied by default from running directly in the system.
Most users have a problem with sandboxed applications and cannot correctly recognize which application actions work as usual. This is often a problem when the Restricted Autocontainment level is used without alerts (silent mode). Otherwise, users have to make many decisions on alerts.
So Proactive Mode + Auto-Containment (Restricted) is OK for Administrators or users who are supported by "Home Administrators", especially on computers with a closed set of installed applications.
 
Yes and No.
It can be bypassed in a targeted attack, as most of the home or small business solutions. There are some threads about it on MT.
However, such attacks on home users are so rare that Proactive Mode + Auto-Containment (Restricted) can still provide similar or higher protection than popular AVs.
I couldn’t find anything on MT regarding an actual bypass. What I did come across were people claiming in videos that they were using CruelSister’s config, but in reality they didn’t even have it active—just like in the video from @vitao
 
@NoveyBoy,

On MT are many posts that explain two bypasses. Both still work with @cruelsister and even more restrictive settings. The bypass related to DLL hijacking can be prevented in Xcitium after applying a special setting (it was absent in Comodo). The second is related to weaponized WDAC. Both bypasses are well explained on MT, just do better searching.

Edit.
There are probably more bypasses possible if Comodo still does not block some legitimate tools like TDSSKiller.
Your computer most probably will not be affected by any of them, except if you are a dissident, celebrity, or another interesting target of hackers' attacks.
 
NoveyBoy,

On MT are many posts that explain two bypasses. Both still work with @cruelsister settings. The bypass related to DLL hijacking can be prevented in Xcitium after applying a special setting (absent in Comodo). The second is related to weaponized WDAC. Both bypasses are well explained on MT, just do better searching.
Can you share the links?
 
Ok, so we realise now you have attachment to Comodo, so we know how to approach.

Containment has been implemented in many different applications.
Microsoft Defender for Business has both sandbox and Attack Surface Reduction Rules which are also containment—just different sort of it. Similar approach can be seen in McAfee/Trellix ENS with DAC (Dynamic Application Containment) where containment is actually in the name as well. Just different implementation.
...

When attacks are simulated in a realistic manner (as attackers operate and think), home-based solutions do the job well enough to not require aggressive sandboxing policies.

That last sentence is spot on and really answers the topic's question. Many people think they're constantly at risk of viruses, hacker attacks, etc., but that's not true. A simple antimalware or even the default security of an operating system is enough for most people. Some individuals go overboard with extreme security programs and settings, which sometimes seems like OCD or excessive negativity. It's not about ignoring security; it's just that some people take it so far that it complicates their lives without actually improving security. Systems like Comodo's containment are an example of overkill—not meant for ordinary users, and they just make things unnecessarily complicated.
 
Can you share the links?

I do not have them. You can find them by using the search button on MT. Here is one of them for a good start:

Please read the whole thread.
 
For consumers virtualization is one of the best solutions despite its security "holes." It is the closest that anything has come to being a reliable fix for people and their behaviors within the "users want to use stuff" paradigm. It is the easiest, softest way for the average consumer to deal with issues (rollback to a known clean state or delete the virtual container) - IF they have the knowledge. Because of this fact, there's not much interest in virtual sandboxing (containment) from vendors making consumer offerings, mostly because the capability was always the domain of security software geeks.

Like HIPS and software firewalls, containment will eventually only be found in the fossil code record.

There's still a bunch of enterprise/government solutions for browser/endpoint isolation. Some use virtualization, but others use alternate methods. There's a long list of products out there but assessing the effectiveness is difficult unless one is willing to foot the bill to pentest robustly per TTP - let's say $3,000 for a robust test of each TTP. That's 500,000 Euros for coverage of all 227 techniques - IF - the security product covers all of them.

I could never have imagined that BufferZone would still be a functional company after all these years. I've heard Bromium is still out there too.