Wikileak documents show Governments couldn't penetrate Comodo Internet Security

[vivid]

It refers to "Physical Memory".
I've suggested in the past how vulnerable are alerts of security products which obviously belong to the GUI module. In version 8 of CIS, it's very clear that self-defense makes use of HIPS (but it's not HIPS alone responsible ; being independent of listed protected objects to the end-user) to deny situations where user-action is denied (also known as GUI manipulation). Upon execution of a sample that attempts to manipulate the GUI, self-defense will take action & make use of HIPS to silently discard the action.

That's why I'm saying it's incorrect in my view. CIS is rather more complex.

 

[vivid]

It's a bit logic if we think of restrictions (that are independent of public protected objects) applied to the fully virtualized applications (by default ; cannot be altered by the end-user). I'd call it a behavior blocker.

 

[hjlbx]

@vivid

The point is this... when Gamma International tested CIS against FinFisher products, it was HIPS that detected the Skype buffer tampering and generated the alerts. CIS HIPS does not differentiate between Public and Hidden objects - if it detects a Hidden object it treats it the same as a Public object.

At this point the specifics as to what, and how, CIS alerted are irrelevant.

All that matters is that CIS alerted during the FinSpy and FinUSB (only a few times) infections...

 

[Deleted member 2913]

hjlbx,

I dont think HIPS generates alerts on default settings i.e HIPS disabled.
Atleast I never saw in any CIS default settings test.

 

[hjlbx]

hjlbx,

I dont think HIPS generates alerts on default settings i.e HIPS disabled.
Atleast I never saw in any CIS default settings test.

Like I said, as far as I can remember reading somewhere, even with HIPS disabled it really isn't completely disabled = it will generate alerts for specific system violations. That is my understanding... I cannot remember where I read it - and it isn't in the manual. Perhaps @Umbra can remember.

In the Gamma International tests, it was the HIPS component that generated the alerts as far as my understanding - whether they used the Internet Security or Proactive Security configuration. The test documents do not state which CIS configuration that they used. So it could have been either default (Internet Security) or Proactive.

In CIS, alerts are generated by the Defense+ (sandbox and HIPS), AV and firewall. We all know it wasn't the AV that alerted. It could have been the sandbox (You have to understand, I am inferring from what I read on various sites that Comodo did not detect the presence of FinSpy in a straight-forward way... so it wouldn't have been auto-sandboxed), but since FinSpy is purported to utilize a Skype buffer overflow attack - one can only conclude that it was HIPS that alerted... since it is HIPS that monitors and alerts to buffer overflow attacks.

Whether it was a Physical Memory or Shellcode Injection - both of these are monitored and alerted to by the HIPS module (both described in the User's Manual regarding HIPS configuration).

If it was a heuristics detection and alert - that is controlled by the AV module. Do you really think Comodo's AV module alerted to the presence of FinSpy\FinUSB - even at maximum heuristics ? I doubt it - highly - and would be flabbergasted if it did.

If it was an auto-sandbox detection, then I am completely wrong - and beat... In that case, I'm just wrong - so apologies in that case.

Who knows, maybe in the end I am completely wrong, but at least my logic makes sense based upon the infos I have been able to obtain. I'm not here to be insistent that my view is absolutely correct. Perhaps we're all right, and at the same time, wrong...

With no official statement from Comodo as to how CIS protected the systems against FinSpy... all of the debate in this thread is mere speculation. All Comodo states is "CIS protected the system against FinSpy." Which in and off itself, is only partially true if one looks at all the revealed documents...

https://blog.comodo.com/comodo_news/comodo-antivirus-conquers-weapons-grade-grade-surveillance/

Also, does it really matter which module alerted to the presence of FinSpy and FinUSB ?

To me, all that really matters, is that CIS detected and notified the user regarding FinSpy\FinUSB...

 

[Deleted member 2913]

If it was HIPS alert then could be they used Proactive config.

You said FinSpy uses buffer overflow attack.
I think defaut settings (HIPS disabled) also protects from buffer overflow attack. And buffer overflow protection alert was different than HIPS alert...atleast in the earlier CIS versions. Dont know in the later versions BO protection alert is the same as earlier or now HIPS alert is shown for BO as never saw BO alert in later versions?
For earlier CIS versions there was a BO sample to test if BO protection is working or not. Running the sample use to give red colour rectangle alert in the middle of the screen with details & options block/allow, etc...

 

[hjlbx]

Buffer Overflow protection is monitored by HIPS and alerts are generated by HIPS module. That is per Comodo's user's manual...

Who knows... I think it is a pointless to continue on with this debate.

 

[Deleted member 2913]

I got the BO alert screenshot. But no upload option in this thread?
Dont know how BO alert is shown now?

How to upload the screenshot here now?

Check reply 188 by Whoop-dee-doo for BO alert screenshot
https://forums.comodo.com/beta-corn...bug-reports-t60635.0.html;msg429356#msg429356

 

[hjlbx]

I got the BO alert screenshot. But no upload option in this thread?
Dont know how BO alert is shown now?

How to upload the screenshot here now?

Check reply 188 by Whoop-dee-doo for BO alert screenshot
https://forums.comodo.com/beta-corn...bug-reports-t60635.0.html;msg429356#msg429356

You have to upload the picture to a hosting server - at TinyPic.com for example - then insert the image link here in the thread. Use the image icon (Mountains with Sun) in toolbar at top of reply window.

You have the image from the old User's Manual ?

 

[Deleted member 2913]

I gave the link to the screenshot in the last post.
Its CIS 5 thread.

 

[hjlbx]

I gave the link to the screenshot in the last post.
Its CIS 5 thread.

Here is link to old version of buffer overflow alert: http://www.abload.de/image.php?img=spotifyerrorg6zz1.png

OK, so at the top of the alert it indicates it is a Defense+ alert.

Defense+ module is comprised of two sub-modules - sandbox and HIPS.

I would be extremely surprised if CIS sandbox generated the alert...

 

[Deleted member 2913]

Here is link to old version of buffer overflow alert: http://www.abload.de/image.php?img=spotifyerrorg6zz1.png

OK, so at the top of the alert it indicates it is a Defense+ alert.

Defense+ module is comprised of two sub-modules - sandbox and HIPS.

I would be extremely surprised if CIS sandbox generated the alert...

I think that version didn't had autosandbox.
And I dont think you will get autosandbox alert for BO attack. Either HIPS (even though HIPS disabled by default) or specific BO alert like the screenshot.

 

[Rolo]

I think it's a very useful and educational discussion, @hjlbx

Why don't you try FinFisher against various configs and see what it does? You could even YouTuber it! (assuming CIS doesn't obliterate the video recording software)

@yesnoo I use http://postimage.org/

 

[Deleted member 178]

Yes, it did. Buffer Overflow is monitored by HIPS - Physical Memory; HIPS generates all Protected Object alerts.

In CIS, HIPS is always active - even if disabled (just turns off specific alerts for Unrecognized files) - it continuously monitors Trusted applications and protected objects against policy violations (= malicious behaviors) and potentially malicious modifications. Even when disabled, HIPS will generate an alert if a major policy violation or modification is attempted - either by\to a Trusted app or protected objects.

So even at default CIS configuration = Internet Security with HIPS "disabled" - CIS will still generate HIPS alerts when certain file\object violations occur.

CIS designed this way to protect against safe file\protected object modifications (hijacks).

Like I said, as far as I can remember reading somewhere, even with HIPS disabled it really isn't completely disabled = it will generate alerts for specific system violations. That is my understanding... I cannot remember where I read it - and it isn't in the manual. Perhaps @Umbra can remember.

you are right , there is my article explaining the BB/HIPS interaction in CIS

http://malwaretips.com/threads/cis-v6-v7-bb-hips.11819/

 

[hjlbx]

you are right , there is my article explaining the BB/HIPS interaction in CIS

http://malwaretips.com/threads/cis-v6-v7-bb-hips.11819/

@Umbra

Here is thread from Comodo forum that makes mention that (paraphrase) "Developers state HIPS is never completely turned off if disabled...and BB (sandbox) is enabled...": https://forums.comodo.com/addedreje...ior-blocker-t90787.0.html;msg654553#msg654553

There is dependency between HIPS and Sandbox (used to be called Behavior Blocker); if Sandbox is enabled, then HIPS is never completely turned off even when user sets it to "Disabled."

To completely disable HIPS, Sandbox must be disabled as well.

Unless Comodo changed everything...

Thanks @Umbra. I couldn't remember...

 

[Deleted member 178]

i don't recall where i got my infos , but at that time (when v6 was released) , i spent hours to find the sources.

 

[Rolo]

Unless Comodo changed everything...

To combat polymorphic viruses, they made polymorphic settings!

 

[hjlbx]

To combat polymorphic viruses, they made polymorphic settings!

@Rolo

Hah, hah, hee, hoo... that is funny.

i don't recall where i got my infos , but at that time (when v6 was released) , i spent hours to find the sources.

Finding anything on that damn forum takes hours. What a mess... but I guess I've had similar experiences on other AV forums.

 

[hjlbx]

Why don't you try FinFisher against various configs and see what it does? You could even YouTuber it! (assuming CIS doesn't obliterate the video recording software)

I already tested it on my W8.1 system using a sample provided here at MT Malware Hub: http://malwaretips.com/threads/finfisher-2015-06-02.46623/

In default config (Internet Security) CIS generates sandbox alert.

Using Proactive Security it generates both sandbox and HIPS alerts.

It does not generate a Buffer Overflow alert.

There are a myriad of potential problems to my testing - two of which come to mind immediately:

1. malware sample could be a different variant - and not behave identically as the tested version - FinSpy v. 4.51; and
2. no Skype installed on my system.

Unfortunately without more details, I do not know if I am replicating the exact Gamma International test conditions.

In any case, CIS does detect and generate alerts during sample installation - and that is all that really matters in terms of security - not the specific type of alert.

 

[Tony Cole]

We need to contact Snowden, he can give us the answers we need. I want to know what security software he trusts and uses.

Do you all think Melih would admit Comodo had been attacked/hacked by Duqu 2.0, or tried to sweep it under the carpet?