Xcitium Endpoint Security was obliterated by an exploit!

Bot

AI-powered Bot
Apr 21, 2016
4,384
Thanks for sharing the video. It's concerning to see Xcitium Client Security v13 being exploited. This definitely calls for immediate attention from the developers. Looking forward to the proper subtitles for better understanding.

Adrian Ścibor

From AVLab.pl
Verified
Well-known
Apr 9, 2018
214
Hello Vitao,

Interesting...

Let me ask you about some cases:

1. To the best of my knowledge, Xcitium is using the new 2023 security policy, "Windows Security Profile 8.1". I ask because I didn't notice that you showed the configuration of the agent, OR I missed something. It was previously a 2016 configuration, so very old and not adapted to the new versions of the Xcitium Endpoint agent. In this configuration HIPS is enabled by default, so please let me know about that:

Zrzut ekranu 2024-10-31 o 13.41.03.png

2. In our tests we always use "BLOCK REQUESTS" for the HIPS rules configuration because the setting is recommended by the vendor. I do not know why the default configuration has "allow request". Perhaps this is something that requires contact with technical support.

I wonder about the effectiveness of the exploit when HIPS is changed to Block All Requests....

Zrzut ekranu 2024-10-31 o 13.53.04.png

3. As for the EDR feature and logging in the admin dashboard: I know from experience that it takes 20-60 minutes for logs and technical information to show up there, so you have to wait with the VM still running to see anything new in the dashboard. In particular, browse the EDR Search Query tab to find interesting Indicators of Compromise:

Zrzut ekranu 2024-10-31 o 14.02.28.png

4. EDITED - added:
You didn't show the malware delivery vector. Based on my experience, delivering malware to the VM by "drag and drop" falsifies the results because the protocol is not real, so the file loses its Mark-of-the-Web metadata as well. Without this mark you bypass the Microsoft SmartScreen alert, like this:

microsoft-defender-smartscreen-komunikat-768x438.jpg

You can check the MOTW with the command:

dir file.extension /R

example:

dir file.exe /R

Alternate-Data-Streams-768x438.jpg

Which doesn't exclude your good work...

But I wanted to ask about these details only.
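The `dir file.exe /R` check above only shows whether a `Zone.Identifier` stream exists. The following script is an added example (my code, not from the post, from AVLab or from Xcitium) that goes one step further: it reads that alternate data stream, parses its `[ZoneTransfer]` contents into the zone id and referrer/host URLs, and walks a whole sample directory so files that lost their Mark-of-the-Web (for instance through drag-and-drop into the VM) are flagged before a test run. The function names, the directory scan and the `SAMPLE_STREAM` text are my own constructions; the stream name and the zone ids are the documented Windows values.

```python
"""Check and parse the Mark-of-the-Web (Zone.Identifier ADS) of files.

Added example, not code from the forum post. Windows keeps the MOTW in an
NTFS alternate data stream called "Zone.Identifier"; `dir file /R` lists
it, this script reads and parses it so a sample set can be checked in bulk.
"""
import sys
from pathlib import Path

# URL security zone ids as used by Windows (URLZONE enumeration).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser-downloaded file carries (not a real
# download; the URLs use the reserved .invalid TLD).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/sample.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns the key/value pairs of the [ZoneTransfer] section, e.g.
    {"ZoneId": "3", "ReferrerUrl": "...", "HostUrl": "..."}. Lines outside
    that section and lines without '=' are ignored.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def describe_zone(fields: dict) -> str:
    """Human-readable zone name for a parsed Zone.Identifier dict."""
    try:
        zone_id = int(fields.get("ZoneId", ""))
    except ValueError:
        return "no/invalid ZoneId"
    return ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}")


def read_motw(path: str):
    """Read and parse the Zone.Identifier stream of `path` (NTFS only).

    Returns the parsed dict, or None when the stream is absent. A file
    copied into a VM by drag-and-drop has no stream, so SmartScreen and
    other MOTW-based checks never trigger for it; that is the case the
    caller should flag. On non-Windows systems the stream name is just a
    file that does not exist, so the result is also None.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # FileNotFoundError, permission errors, non-NTFS volumes
        return None


def scan_directory(directory: str) -> list:
    """Return [(file name, zone description or 'NO MOTW')] for every file."""
    results = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            fields = read_motw(str(entry))
            results.append((entry.name, "NO MOTW" if fields is None else describe_zone(fields)))
    return results


if __name__ == "__main__":
    # Usage: python motw_check.py <sample directory>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, zone in scan_directory(target):
        print(f"{name}: {zone}")
```

Any sample that prints `NO MOTW` was not delivered through a channel that propagates the mark (browser download, Outlook attachment, etc.), so a test result obtained with it says nothing about SmartScreen or zone-aware protections.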

vitao

Level 2
Thread author
Mar 12, 2024
64
Hello Vitao,

Interesting...

Let me ask you about some cases:

1. To the best of my knowledge, Xcitium is using the new 2023 security policy, "Windows Security Profile 8.1". I ask because I didn't notice that you showed the configuration of the agent, OR I missed something. It was previously a 2016 configuration, so very old and not adapted to the new versions of the Xcitium Endpoint agent. In this configuration HIPS is enabled by default, so please let me know about that:

2. In our tests we always use "BLOCK REQUESTS" for the HIPS rules configuration because the setting is recommended by the vendor. I do not know why the default configuration has "allow request". Perhaps this is something that requires contact with technical support.

I wonder about the effectiveness of the exploit when HIPS is changed to Block All Requests....

3. As for the EDR feature and logging in the admin dashboard: I know from experience that it takes 20-60 minutes for logs and technical information to show up there, so you have to wait with the VM still running to see anything new in the dashboard. In particular, browse the EDR Search Query tab to find interesting Indicators of Compromise:

4. EDITED - added:
You didn't show the malware delivery vector. Based on my experience, delivering malware to the VM by "drag and drop" falsifies the results because the protocol is not real, so the file loses its Mark-of-the-Web metadata as well. Without this mark you bypass the Microsoft SmartScreen alert, like this:

You can check the MOTW with the command:

dir file.extension /R

example:

dir file.exe /R

Which doesn't exclude your good work...

But I wanted to ask about these details only.
hello my friend.

1. have no idea. just installed it and left it with its default configuration for the test;

2. the recommended settings will always be applied when installing the software, so if they recommend anything different from what you see in my video, it's their mistake as they don't have any kind of place to show their recommendations. but who knows... :) about hips, well, if marked to block, then hips will block, as the exploit is not for hips, it's for containment.

3. from my experience it takes seconds to propagate information regardless of what was going on in the vm used for these tests. in the video some parts had to be accelerated but even with that, when i get to the logging part it was not "rushed". one important note: when cis/xcitium is not able to classify some file, no matter how long you wait, it will not be classified in xcitium/cis nor in the xcitium edr dashboard.

4. sorry, as english is not my primary language... if i understand correctly you are talking about how i bring the malware to the vm for the tests? if so, in this video i didn't show this part so the video would not be so big, but i explained that these samples were downloaded on the same day as the video recording. in fact, all my videos testing avs use samples downloaded from the internet (downloaded from the vms). the drag n drop vm feature is always off as this could expose my host machine to the malware.

about microsoft smartscreen, it's not disabled but i tend to disable everything related to defender and security center for these tests. the goal is not to have any microsoft technologies interfering with the tests.

hope i answered you my friend.

i don't remember if this video has subtitles. if not, please let me know and i'll provide them. i know that the video showing this same poc downloading and running a ransomware has multiple subs already.

btw., the poc will work with xcitium as xcitium client security is just the same cis with a little tweaking to make it work with the dashboard for the edr part of xcitium, so any malware/payload/kit/poc/etc that can evade the cis sandbox will do the same with xcitium. in fact, if you watch closely you'll realize that the real differences between cis and xcitium are the rulesets and not the modules themselves... :)

any more information must be asked of the dev of this poc as he is the guy with the best knowledge to answer technical questions regarding his poc :) for things related to the tests, please bring them to me and if necessary i can do another test too.

EDIT.: oh! maybe i mixed everything up here... i recently posted a new video testing xcitium against 100 malwares... :p the link is this one:

sorry if i mixed up the answers provided here with the results from both videos :p

ps.: regarding the poc on the vm, i did drag n drop for the poc, then disabled the drag n drop feature and did the testing. for the video with 100 malwares it was different: all downloaded from inside the vm.

Adrian Ścibor

From AVLab.pl
Verified
Well-known
Apr 9, 2018
214
hello my friend.

1. have no idea. just installed it and left it with its default configuration for the test;

Understood. Well, worth checking for yourself.

2. the recommended settings will always be applied when installing the software, so if they recommend anything different from what you see in my video, it's their mistake as they don't have any kind of place to show their recommendations. but who knows... :) about hips, well, if marked to block, then hips will block, as the exploit is not for hips, it's for containment.
The configuration...

The configuration is extremely important. It may turn out that product X Y Z must have functions X and Y disabled for the exploit to work. I'm commenting in general.

3. from my experience it takes seconds to propagate information regardless of what was going on in the vm used for these tests. in the video some parts had to be accelerated but even with that, when i get to the logging part it was not "rushed". one important note: when cis/xcitium is not able to classify some file, no matter how long you wait, it will not be classified in xcitium/cis nor in the xcitium edr dashboard.

4. sorry, as english is not my primary language... if i understand correctly you are talking about how i bring the malware to the vm for the tests? if so, in this video i didn't show this part so the video would not be so big, but i explained that these samples were downloaded on the same day as the video recording. in fact, all my videos testing avs use samples downloaded from the internet (downloaded from the vms). the drag n drop vm feature is always off as this could expose my host machine to the malware.
ad4. Yes, I had in mind how the malware is downloaded/delivered to the Windows machine: by the browser? Local download from a shared space? SFTP protocol? Another protocol? Just how the malware files get into Windows.

about microsoft smartscreen, it's not disabled but i tend to disable everything related to defender and security center for these tests. the goal is not to have any microsoft technologies interfering with the tests.
I really understand. However, in a real environment, in business, in school or at home, Microsoft technologies are enabled by default or even hardened, even if technical staff use a security solution other than Microsoft Defender.

BUT...

If the exploit is really effective in real life, please consider contacting Xcitium support or Comodo's official forum (forum.xcitium.com). I don't know if they provide a bug bounty program, but you can check on your own or just ask them.

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,395
Hello Vitao,

Interesting...

Let me ask you about some cases:

1. To the best of my knowledge, Xcitium is using the new 2023 security policy, "Windows Security Profile 8.1". I ask because I didn't notice that you showed the configuration of the agent, OR I missed something. It was previously a 2016 configuration, so very old and not adapted to the new versions of the Xcitium Endpoint agent. In this configuration HIPS is enabled by default, so please let me know about that:

2. In our tests we always use "BLOCK REQUESTS" for the HIPS rules configuration because the setting is recommended by the vendor. I do not know why the default configuration has "allow request". Perhaps this is something that requires contact with technical support.

I wonder about the effectiveness of the exploit when HIPS is changed to Block All Requests....

3. As for the EDR feature and logging in the admin dashboard: I know from experience that it takes 20-60 minutes for logs and technical information to show up there, so you have to wait with the VM still running to see anything new in the dashboard. In particular, browse the EDR Search Query tab to find interesting Indicators of Compromise:

4. EDITED - added:
You didn't show the malware delivery vector. Based on my experience, delivering malware to the VM by "drag and drop" falsifies the results because the protocol is not real, so the file loses its Mark-of-the-Web metadata as well. Without this mark you bypass the Microsoft SmartScreen alert, like this:

You can check the MOTW with the command:

dir file.extension /R

example:

dir file.exe /R

Which doesn't exclude your good work...

But I wanted to ask about these details only.
Would be awesome if you can add
hello my friend.

1. have no idea. just installed it and left it with its default configuration for the test;

2. the recommended settings will always be applied when installing the software, so if they recommend anything different from what you see in my video, it's their mistake as they don't have any kind of place to show their recommendations. but who knows... :) about hips, well, if marked to block, then hips will block, as the exploit is not for hips, it's for containment.

3. from my experience it takes seconds to propagate information regardless of what was going on in the vm used for these tests. in the video some parts had to be accelerated but even with that, when i get to the logging part it was not "rushed". one important note: when cis/xcitium is not able to classify some file, no matter how long you wait, it will not be classified in xcitium/cis nor in the xcitium edr dashboard.

4. sorry, as english is not my primary language... if i understand correctly you are talking about how i bring the malware to the vm for the tests? if so, in this video i didn't show this part so the video would not be so big, but i explained that these samples were downloaded on the same day as the video recording. in fact, all my videos testing avs use samples downloaded from the internet (downloaded from the vms). the drag n drop vm feature is always off as this could expose my host machine to the malware.

about microsoft smartscreen, it's not disabled but i tend to disable everything related to defender and security center for these tests. the goal is not to have any microsoft technologies interfering with the tests.

hope i answered you my friend.

i don't remember if this video has subtitles. if not, please let me know and i'll provide them. i know that the video showing this same poc downloading and running a ransomware has multiple subs already.

btw., the poc will work with xcitium as xcitium client security is just the same cis with a little tweaking to make it work with the dashboard for the edr part of xcitium, so any malware/payload/kit/poc/etc that can evade the cis sandbox will do the same with xcitium. in fact, if you watch closely you'll realize that the real differences between cis and xcitium are the rulesets and not the modules themselves... :)

any more information must be asked of the dev of this poc as he is the guy with the best knowledge to answer technical questions regarding his poc :) for things related to the tests, please bring them to me and if necessary i can do another test too.

EDIT.: oh! maybe i mixed everything up here... i recently posted a new video testing xcitium against 100 malwares... :p the link is this one:

sorry if i mixed up the answers provided here with the results from both videos :p

ps.: regarding the poc on the vm, i did drag n drop for the poc, then disabled the drag n drop feature and did the testing. for the video with 100 malwares it was different: all downloaded from inside the vm.

He reported the bug and he was banned from the forum for sharing that there is a vulnerability, as they seem not to care about fixing their own product even with a severe vulnerability.

Adrian Ścibor

From AVLab.pl
Verified
Well-known
Apr 9, 2018
214
Would be awesome if you can add

He reported the bug and he was banned from the forum for sharing that there is a vulnerability, as they seem not to care about fixing their own product even with a severe vulnerability.
Oh, really???

Could you let me know some details on this matter by private message? I will try to contact somebody from the producer and ask them about the potential vulnerability.

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,395
Oh, really???

Could you let me know some details on this matter by private message? I will try to contact somebody from the producer and ask them about the potential vulnerability.
Serious Discussion - Comodo Internet Security 2025 was obliterated by an exploit! (here is the message about him being banned in the comodo forum)

hello my friend.

1. have no idea. just installed it and left it with its default configuration for the test;

2. the recommended settings will always be applied when installing the software, so if they recommend anything different from what you see in my video, it's their mistake as they don't have any kind of place to show their recommendations. but who knows... :) about hips, well, if marked to block, then hips will block, as the exploit is not for hips, it's for containment.

3. from my experience it takes seconds to propagate information regardless of what was going on in the vm used for these tests. in the video some parts had to be accelerated but even with that, when i get to the logging part it was not "rushed". one important note: when cis/xcitium is not able to classify some file, no matter how long you wait, it will not be classified in xcitium/cis nor in the xcitium edr dashboard.

4. sorry, as english is not my primary language... if i understand correctly you are talking about how i bring the malware to the vm for the tests? if so, in this video i didn't show this part so the video would not be so big, but i explained that these samples were downloaded on the same day as the video recording. in fact, all my videos testing avs use samples downloaded from the internet (downloaded from the vms). the drag n drop vm feature is always off as this could expose my host machine to the malware.

about microsoft smartscreen, it's not disabled but i tend to disable everything related to defender and security center for these tests. the goal is not to have any microsoft technologies interfering with the tests.

hope i answered you my friend.

i don't remember if this video has subtitles. if not, please let me know and i'll provide them. i know that the video showing this same poc downloading and running a ransomware has multiple subs already.

btw., the poc will work with xcitium as xcitium client security is just the same cis with a little tweaking to make it work with the dashboard for the edr part of xcitium, so any malware/payload/kit/poc/etc that can evade the cis sandbox will do the same with xcitium. in fact, if you watch closely you'll realize that the real differences between cis and xcitium are the rulesets and not the modules themselves... :)

any more information must be asked of the dev of this poc as he is the guy with the best knowledge to answer technical questions regarding his poc :) for things related to the tests, please bring them to me and if necessary i can do another test too.

EDIT.: oh! maybe i mixed everything up here... i recently posted a new video testing xcitium against 100 malwares... :p the link is this one:

sorry if i mixed up the answers provided here with the results from both videos :p

ps.: regarding the poc on the vm, i did drag n drop for the poc, then disabled the drag n drop feature and did the testing. for the video with 100 malwares it was different: all downloaded from inside the vm.

Vitao, please DM Adrian Ścibor when you're online. Pushing the vendor to patch a containment bypass could save both home and enterprise users from getting exploited, and Adrian should have contact with representatives who have higher authority in Xcitium than the forum mods.

vitao

Level 2
Thread author
Mar 12, 2024
64
hello guys. been really busy these days.

i can not provide the poc files as i'm not the dev behind it and i promised the guy i'll not share it. but even if i was allowed to do so, i don't think there is any point as comodo/xcitium really doesn't seem to care.

they banned me for reasons i don't know and i really don't care much, but the exploit is here and it tends to stay here for a looooong time as some are developing it further...

i guess it's a matter of when we will start seeing things related to it messing around in fileless and some other ways. in fact it's already happening but no one can talk about it as cis and xcitium are perfect :p

they banned me and deleted all the topics related to the exploit in the cis forum and the xcitium forum too, so...

or maybe it's something personal and they are indeed working on some fix? who knows... what i know is that they took 2 months to solve the certificate issue just to prove they have no clue, as there is one invalid cert inside cis as of now...

lets move on...?

bazang

Level 7
Jul 3, 2024
306
but even if i was allowed to do so, i don't think there is any point as comodo/xcitium really doesn't seem to care.
No. It is software with very low revenue. If users want to pay for the bug fixes, then Comodo will fix it.

Comodo has no obligation to fix its software. That is not how software works. It is sold "As Is." And if a software publisher does not want to fix bugs and problems, then they do not have to.

Microsoft has not fixed hundreds and hundreds of POC and other security problems over the decades. Many of those problems still remain.

vitao

Level 2
Thread author
Mar 12, 2024
64
No. It is software with very low revenue. If users want to pay for the bug fixes, then Comodo will fix it.

Comodo has no obligation to fix its software. That is not how software works. It is sold "As Is." And if a software publisher does not want to fix bugs and problems, then they do not have to.

Microsoft has not fixed hundreds and hundreds of POC and other security problems over the decades. Many of those problems still remain.
all this to defend one company? o_O

bazang

Level 7
Jul 3, 2024
306
all this to defend one company? o_O
There is no need to defend Comodo.

It owns the product. It can do whatever it wants or does not want to do with the product. Don't like it? Then don't use it.

Software with little to no revenue is never going to be any better than it is right now.

vitao

Level 2
Thread author
Mar 12, 2024
64
There is no need to defend Comodo.

It owns the product. It can do whatever it wants or does not want to do with the product. Don't like it? Then don't use it.

Software with little to no revenue is never going to be any better than it is right now.
that i agree with you my friend.
