Wikileak documents show Governments couldn't penetrate Comodo Internet Security


vivid

It refers to "Physical Memory".
I've suggested in the past how vulnerable the alerts of security products are, which obviously belong to the GUI module. In version 8 of CIS, it's very clear that self-defense makes use of HIPS (but HIPS alone isn't responsible; it is independent of the protected objects listed to the end-user) to deny situations where user-action is denied (also known as GUI manipulation). Upon execution of a sample that attempts to manipulate the GUI, self-defense will take action & make use of HIPS to silently discard the action.

That's why I'm saying it's incorrect in my view. CIS is rather more complex.
 

vivid

It's somewhat logical if we think of restrictions (that are independent of public protected objects) applied to the fully virtualized applications (by default; cannot be altered by the end-user). I'd call it a behavior blocker.
 

hjlbx

@vivid

The point is this... when Gamma International tested CIS against FinFisher products, it was HIPS that detected the Skype buffer tampering and generated the alerts. CIS HIPS does not differentiate between Public and Hidden objects - if it detects a Hidden object it treats it the same as a Public object.

At this point the specifics as to what, and how, CIS alerted are irrelevant.

All that matters is that CIS alerted during the FinSpy and FinUSB (only a few times) infections...
 

Deleted member 2913

hjlbx,

I don't think HIPS generates alerts on default settings, i.e. HIPS disabled.
At least I never saw it in any CIS default settings test.
 

hjlbx

hjlbx,

I don't think HIPS generates alerts on default settings, i.e. HIPS disabled.
At least I never saw it in any CIS default settings test.

Like I said, as far as I can remember reading somewhere, even with HIPS disabled it really isn't completely disabled = it will generate alerts for specific system violations. That is my understanding... I cannot remember where I read it - and it isn't in the manual. Perhaps @Umbra can remember.

In the Gamma International tests, it was the HIPS component that generated the alerts as far as my understanding - whether they used the Internet Security or Proactive Security configuration. The test documents do not state which CIS configuration that they used. So it could have been either default (Internet Security) or Proactive.

In CIS, alerts are generated by the Defense+ (sandbox and HIPS), AV and firewall. We all know it wasn't the AV that alerted. It could have been the sandbox (you have to understand, I am inferring from what I read on various sites that Comodo did not detect the presence of FinSpy in a straightforward way... so it wouldn't have been auto-sandboxed), but since FinSpy is purported to utilize a Skype buffer overflow attack - one can only conclude that it was HIPS that alerted... since it is HIPS that monitors and alerts to buffer overflow attacks.

Whether it was a Physical Memory or Shellcode Injection - both of these are monitored and alerted to by the HIPS module (both described in the User's Manual regarding HIPS configuration).

If it was a heuristics detection and alert - that is controlled by the AV module. Do you really think Comodo's AV module alerted to the presence of FinSpy\FinUSB - even at maximum heuristics? I doubt it - highly - and would be flabbergasted if it did.

If it was an auto-sandbox detection, then I am completely wrong - and beat... In that case, I'm just wrong - so apologies in that case.

Who knows, maybe in the end I am completely wrong, but at least my logic makes sense based upon the infos I have been able to obtain. I'm not here to be insistent that my view is absolutely correct. Perhaps we're all right, and at the same time, wrong... :confused:

With no official statement from Comodo as to how CIS protected the systems against FinSpy... all of the debate in this thread is mere speculation. All Comodo states is "CIS protected the system against FinSpy." Which in and of itself is only partially true if one looks at all the revealed documents... o_O

https://blog.comodo.com/comodo_news/comodo-antivirus-conquers-weapons-grade-grade-surveillance/

Also, does it really matter which module alerted to the presence of FinSpy and FinUSB?

To me, all that really matters, is that CIS detected and notified the user regarding FinSpy\FinUSB...
 

Deleted member 2913

If it was a HIPS alert then it could be they used the Proactive config.

You said FinSpy uses a buffer overflow attack.
I think the default settings (HIPS disabled) also protect from buffer overflow attacks. And the buffer overflow protection alert was different from the HIPS alert... at least in the earlier CIS versions. Don't know if in the later versions the BO protection alert is the same as earlier, or whether a HIPS alert is now shown for BO, as I never saw a BO alert in later versions?
For earlier CIS versions there was a BO sample to test if BO protection was working or not. Running the sample used to give a red colour rectangle alert in the middle of the screen with details & options block/allow, etc...
 

hjlbx

Buffer Overflow protection is monitored by HIPS and alerts are generated by HIPS module. That is per Comodo's user's manual...

Who knows... I think it is pointless to continue on with this debate.
 

hjlbx

I got the BO alert screenshot. But no upload option in this thread?
Don't know how the BO alert is shown now?

How to upload the screenshot here now?

Check reply 188 by Whoop-dee-doo for BO alert screenshot
https://forums.comodo.com/beta-corn...bug-reports-t60635.0.html;msg429356#msg429356

You have to upload the picture to a hosting server - at TinyPic.com for example - then insert the image link here in the thread. Use the image icon (Mountains with Sun) in toolbar at top of reply window.

You have the image from the old User's Manual?
 

Deleted member 2913

I gave the link to the screenshot in the last post.
It's a CIS 5 thread.
 

Deleted member 2913

Here is a link to the old version of the buffer overflow alert: http://www.abload.de/image.php?img=spotifyerrorg6zz1.png

OK, so at the top of the alert it indicates it is a Defense+ alert.

Defense+ module is comprised of two sub-modules - sandbox and HIPS.

I would be extremely surprised if CIS sandbox generated the alert...
I think that version didn't have autosandbox.
And I don't think you will get an autosandbox alert for a BO attack. Either HIPS (even though HIPS is disabled by default) or a specific BO alert like the screenshot.
 

Rolo

I think it's a very useful and educational discussion, @hjlbx

Why don't you try FinFisher against various configs and see what it does? You could even YouTuber it! (assuming CIS doesn't obliterate the video recording software)

@yesnoo I use http://postimage.org/
 

Deleted member 178

Yes, it did. Buffer Overflow is monitored by HIPS - Physical Memory; HIPS generates all Protected Object alerts.

In CIS, HIPS is always active - even if disabled (just turns off specific alerts for Unrecognized files) - it continuously monitors Trusted applications and protected objects against policy violations (= malicious behaviors) and potentially malicious modifications. Even when disabled, HIPS will generate an alert if a major policy violation or modification is attempted - either by\to a Trusted app or protected objects.

So even at default CIS configuration = Internet Security with HIPS "disabled" - CIS will still generate HIPS alerts when certain file\object violations occur.

CIS is designed this way to protect against safe file\protected object modifications (hijacks).


Like I said, as far as I can remember reading somewhere, even with HIPS disabled it really isn't completely disabled = it will generate alerts for specific system violations. That is my understanding... I cannot remember where I read it - and it isn't in the manual. Perhaps @Umbra can remember.

You are right, there is my article explaining the BB/HIPS interaction in CIS

http://malwaretips.com/threads/cis-v6-v7-bb-hips.11819/
 

hjlbx

You are right, there is my article explaining the BB/HIPS interaction in CIS

http://malwaretips.com/threads/cis-v6-v7-bb-hips.11819/

@Umbra

Here is thread from Comodo forum that makes mention that (paraphrase) "Developers state HIPS is never completely turned off if disabled...and BB (sandbox) is enabled...": https://forums.comodo.com/addedreje...ior-blocker-t90787.0.html;msg654553#msg654553

There is dependency between HIPS and Sandbox (used to be called Behavior Blocker); if Sandbox is enabled, then HIPS is never completely turned off even when user sets it to "Disabled."

To completely disable HIPS, Sandbox must be disabled as well.

Unless Comodo changed everything...

Thanks @Umbra. I couldn't remember...
 

Deleted member 178

I don't recall where I got my info, but at that time (when v6 was released), I spent hours finding the sources.
 

hjlbx

To combat polymorphic viruses, they made polymorphic settings! o_O

@Rolo

Hah, hah, hee, hoo... that is funny.

I don't recall where I got my info, but at that time (when v6 was released), I spent hours finding the sources.

Finding anything on that damn forum takes hours. What a mess... but I guess I've had similar experiences on other AV forums.
 

hjlbx

Why don't you try FinFisher against various configs and see what it does? You could even YouTuber it! (assuming CIS doesn't obliterate the video recording software)

I already tested it on my W8.1 system using a sample provided here at MT Malware Hub: http://malwaretips.com/threads/finfisher-2015-06-02.46623/

In default config (Internet Security) CIS generates sandbox alert.

Using Proactive Security it generates both sandbox and HIPS alerts.

It does not generate a Buffer Overflow alert.

There are a myriad of potential problems to my testing - two of which come to mind immediately:

1. malware sample could be a different variant - and not behave identically as the tested version - FinSpy v. 4.51; and
2. no Skype installed on my system.

Unfortunately without more details, I do not know if I am replicating the exact Gamma International test conditions.

In any case, CIS does detect and generate alerts during sample installation - and that is all that really matters in terms of security - not the specific type of alert.
 

Tony Cole

Thread author
We need to contact Snowden, he can give us the answers we need. I want to know what security software he trusts and uses.

Do you all think Melih would admit Comodo had been attacked/hacked by Duqu 2.0, or tried to sweep it under the carpet?
 