Pages: 1 [2]
Author Topic: Why Usermode Hooking Sucks – Bypassing Comodo Internet Security  (Read 9359 times)
egemen (Comodo Staff)
« Reply #15 on: May 16, 2012, 10:17:59 AM »

Hi Guys,

The discussion of user-space hooks is not new. Actually, the leak tests of www.matousec.com always bypass user-space hooks while doing their intended operations. Hence almost everyone fails their tests on Windows x64 (except CIS, of course).

In the article, I don't see any bypass. The author just unhooked user-space hooks, which are used for various purposes, but failed to demonstrate what sort of security leak is caused by this. What is bypassed, i.e. what security leak did this unhooking cause? Did it allow the attacker to change a protected file? A protected key? etc. As I explained above, there are MANY counter-defenses implemented in D+ which cope with these user-space hooking issues.

The most significant of them is Enhanced mode, for example. The author, intentionally or unknowingly, didn't mention Enhanced protection mode, which is automatic when one switches to Paranoid mode. Perhaps they could not mention it, because otherwise there would be nothing left to discuss.

Architecturally, user-space hooks in CIS are used for compatibility and not for security, as much as possible. As of today, CIS, even on 64-bit operating systems, offers full kernel-based protection.


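The point egemen makes above (user-space hooks are reachable from inside the hooked process, so they are a compatibility layer rather than an enforcement boundary) is easy to show in code. The following is an added example, not code from this thread or from Comodo: an inline hook on an x64 function is only a patch to the first bytes of that function in the process's own memory, so a program that has a clean copy of those bytes can both spot the patch (the prologue no longer matches) and undo it. The prologue bytes, the base address and the hook target below are constructed for the example; on a real Windows process the clean bytes would come from a fresh mapping of the DLL on disk and writing them back would need VirtualProtect. Nothing here touches kernel-side checks, which is exactly why a product cannot rely on user-mode hooks alone.

```c
/* Added example (not from the thread or from Comodo): detect and remove an
 * x64 inline hook given a clean copy of the function prologue.
 * Works on byte buffers so it runs anywhere; sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32                      */
    HOOK_JMP_RIP_IND,  /* FF 25 disp32  (jmp [rip+disp]) */
    HOOK_MOV_RAX_JMP,  /* 48 B8 imm64 ; FF E0           */
    HOOK_PUSH_RET      /* 68 imm32 ; C3                 */
} hook_kind;

/* Constructed "clean" prologue of a typical MSVC x64 function:
 * mov [rsp+8],rbx ; push rdi ; sub rsp,20h ; mov rbx,rcx ; nop padding */
static const uint8_t CLEAN_PROLOGUE[16] = {
    0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20,
    0x48,0x8B,0xD9, 0x90,0x90,0x90 };

/* Hypothetical addresses used only to make rel32 arithmetic concrete. */
#define SAMPLE_BASE        0x00007FF800001000ULL
#define SAMPLE_HOOK_TARGET 0x00007FF800003000ULL

/* Look at the first bytes of a function for common trampoline patterns.
 * base: address the code lives at (needed to resolve rel32/rip-relative).
 * target: resolved destination (for FF 25 it is the pointer slot address,
 * since the real destination needs a memory read). */
hook_kind classify_prologue(const uint8_t *code, size_t len,
                            uint64_t base, uint64_t *target)
{
    if (target) *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel; memcpy(&rel, code + 1, 4);
        if (target) *target = base + 5 + (int64_t)rel;
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        int32_t disp; memcpy(&disp, code + 2, 4);
        if (target) *target = base + 6 + (int64_t)disp;
        return HOOK_JMP_RIP_IND;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {
        uint64_t imm; memcpy(&imm, code + 2, 8);
        if (target) *target = imm;
        return HOOK_MOV_RAX_JMP;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t imm; memcpy(&imm, code + 1, 4);
        if (target) *target = imm;
        return HOOK_PUSH_RET;
    }
    return HOOK_NONE;
}

/* Number of bytes where the live prologue differs from the clean copy. */
size_t prologue_diff(const uint8_t *live, const uint8_t *clean, size_t n)
{
    size_t d = 0;
    for (size_t i = 0; i < n; i++) d += (live[i] != clean[i]);
    return d;
}

/* "Unhook": copy the clean bytes back. Returns how many bytes changed. */
size_t restore_prologue(uint8_t *live, const uint8_t *clean, size_t n)
{
    size_t d = prologue_diff(live, clean, n);
    memcpy(live, clean, n);
    return d;
}

/* Build a hooked copy of the sample: jmp rel32 to SAMPLE_HOOK_TARGET. */
void make_hooked_sample(uint8_t out[16])
{
    memcpy(out, CLEAN_PROLOGUE, 16);
    out[0] = 0xE9;
    int32_t rel = (int32_t)(SAMPLE_HOOK_TARGET - (SAMPLE_BASE + 5));
    memcpy(out + 1, &rel, 4);
}

/* Full flow: classify, compare with clean image, restore if anything differs.
 * Returns 1 if a modification was found and removed, 0 if already clean. */
int detect_and_unhook(uint8_t live[16], uint64_t base, uint64_t *target_out)
{
    hook_kind k = classify_prologue(live, 16, base, target_out);
    if (k == HOOK_NONE && prologue_diff(live, CLEAN_PROLOGUE, 16) == 0)
        return 0;
    restore_prologue(live, CLEAN_PROLOGUE, 16);
    return 1;
}

int main(void)
{
    uint8_t live[16]; uint64_t t = 0;
    make_hooked_sample(live);
    hook_kind k = classify_prologue(live, 16, SAMPLE_BASE, &t);
    printf("hook kind %d, target 0x%llx, %zu bytes differ\n",
           (int)k, (unsigned long long)t, prologue_diff(live, CLEAN_PROLOGUE, 16));
    int removed = detect_and_unhook(live, SAMPLE_BASE, &t);
    printf("removed=%d, bytes differing after restore=%zu\n",
           removed, prologue_diff(live, CLEAN_PROLOGUE, 16));
    return 0;
}
```

The comparison against a clean image is the same check a leak test or malware performs before calling the "real" function; a product that puts its enforcement in the kernel (the D+ point above) is not affected by the restore, because the kernel-side check sees the operation regardless of what the process did to its own code pages.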
EricJH (Global Moderator)
« Reply #16 on: May 17, 2012, 10:48:59 AM »

Thank you for stepping in and explaining this in more detail.

Quote
As of today, CIS even in 64 bit operating systems offers full kernel based protection.
What does this mean for the 64 bit platform? Does it mean kernel hooking is used even though prevented by design? Or are there other techniques being used?

egemen (Comodo Staff)
« Reply #17 on: May 17, 2012, 10:59:53 AM »

Quote
Thank you for stepping in and explaining this in more detail.
What does this mean for the 64 bit platform? Does it mean kernel hooking is used even though prevented by design? Or are there other techniques being used?

It means it's almost as good as on 32-bit OSs. However, I do not want to disclose further details about this.
gjf (Comodo Family Member)
« Reply #18 on: May 17, 2012, 01:39:34 PM »

egemen, thanks for the explanation.
Could you please comment on the video also? How is it possible that a sandboxed application, blocked on every action, was able to monitor mouse and keyboard events, log them and even write them to a file? Why wasn't the obvious keylogger activity blocked?
egemen (Comodo Staff)
« Reply #19 on: May 17, 2012, 01:51:30 PM »

Quote
egemen, thanks for the explanation.
Could you please comment on the video also? How is it possible that a sandboxed application, blocked on every action, was able to monitor mouse and keyboard events, log them and even write them to a file? Why wasn't the obvious keylogger activity blocked?

Keylogging is possible within the sandbox. It is by design. It has nothing to do with a bypass. You see, CIS right now doesn't block non-infectious actions of sandboxed applications, in order to improve compatibility. Infectious actions are the ones that can change the computer permanently and let malware persist after a restart.
gjf (Comodo Family Member)
« Reply #20 on: May 17, 2012, 01:56:01 PM »

egemen, OK, thank you once again. Now it is clear.
morphiusz (Star Group)
« Reply #21 on: May 17, 2012, 01:56:20 PM »

Quote
Keylogging is possible within the sandbox. It is by design. It has nothing to do with a bypass. You see, CIS right now doesn't block non-infectious actions of sandboxed applications, in order to improve compatibility. Infectious actions are the ones that can change the computer permanently and let malware persist after a restart.

Is version 6 going to change this somehow? As far as I understand the compatibility issues, I think that keylogging allowed by default is not the best. While in previous versions the firewall came into play (blocking a keylogger's attempts to send the gained data), now it's (let's be honest) disabled by default :)
egemen (Comodo Staff)
« Reply #22 on: May 17, 2012, 02:22:00 PM »

Quote
Is version 6 going to change this somehow? As far as I understand the compatibility issues, I think that keylogging allowed by default is not the best. While in previous versions the firewall came into play (blocking a keylogger's attempts to send the gained data), now it's (let's be honest) disabled by default :)

Yes. We will not let sandboxed applications keylog in CIS 6. But CIS 6 is different from CIS 5, so let's not compare them with CIS 5 as the reference. They operate differently.
morphiusz (Star Group)
« Reply #23 on: May 17, 2012, 02:24:21 PM »

Sounds like a superior release of CIS is coming. Thanks, Egemen, for making essential improvements and not putting 'the security' away from your work plan. (thumbs up)
Tags: usermode  cis  HIPS  bypassing 