Author Topic: CIS v4 - Not Bulletproof  (Read 18944 times)

Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
CIS v4 - Not Bulletproof
« on: March 04, 2010, 06:20:41 AM »
As a test, I downloaded and ran a rogue to see just how effective CIS v4 really was. Everything was set to default.

Upon execution, I was greeted with two D+ alerts, and I chose Block for both. A sandbox alert then popped up saying the rogue was placed in a sandbox, for which I clicked OK. The rogue was running in front of me, but the sandbox led me to believe that my system was safe. But I was wrong.

I used Comodo to end the rogue's process, and while everything seemed fine, I wasn't convinced. To see if it touched the startup settings, I went to run an msconfig. Didn't work. I tried running another exe. It said it couldn't find a program to run the exe.

I restarted, hoping it would all be fixed on a restart. Nope. Nothing started on startup, and I couldn't even manually run Comodo. Now I have to reinstall Windows again. Joy. Luckily this is a fairly fresh install.

So, in conclusion: the new version of Comodo is far from bulletproof. Even with me, the user, clicking block on all the popups, the rogue was able to pass right through the sandbox.
« Last Edit: March 07, 2010, 06:18:04 AM by MisterMooth »

Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletfroof
« Reply #1 on: March 04, 2010, 06:51:47 AM »
Just an update:

Turns out I won't have to reinstall Windows. I managed to run MalwareBytes by running it as administrator (the only way I could run .exe files) and it corrected the problem.

According to MalwareBytes, the only thing that was infected was this key:

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile)
(Full data in log: HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.)

It was this key change that made it so I could not run any programs at all. My PC is fine now, but I have to question... Why was that key change not protected by Comodo? It was the *only* thing that got through the sandbox/D+, yet it managed to do a lot of damage (luckily, not permanent damage).
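The damage described above came from a single value: the default of HKEY_CLASSES_ROOT\.exe pointing at a different ProgID ("secfile") instead of "exefile", so every double-clicked program was handed to whatever that ProgID launches. As an added defensive check (not from this thread or from Comodo), the PowerShell function below audits the association keys involved, reports what the current ProgID actually executes, and can restore the Windows defaults. The expected values ("exefile" and `"%1" %*`) are the stock Windows defaults; the function name and the assumption that HKCU\Software\Classes\.exe is normally absent are mine.

```powershell
# Added example, not code from the thread or from Comodo. Audits the .exe
# file association for the hijack reported above (HKCR\.exe default changed
# from "exefile" to "secfile"). HKCR is a merged view in which
# HKCU\Software\Classes overrides HKLM\Software\Classes, so a per-user
# hijack needs no admin rights; that key is therefore checked separately.
function Test-ExeAssociation {
    [CmdletBinding()]
    param([switch]$Repair)   # restore the stock Windows values on mismatch

    $expected = @{
        'Registry::HKEY_CLASSES_ROOT\.exe'                      = 'exefile'
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    }
    $findings = @()

    foreach ($path in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $expected[$path]) {
            $findings += [pscustomobject]@{ Key = $path; Actual = $actual; Expected = $expected[$path] }
            if ($Repair) { Set-ItemProperty -Path $path -Name '(default)' -Value $expected[$path] }
        }
    }

    # Per-user override: assumed absent on a clean system. If present it
    # shadows the machine-wide association for this user only.
    $userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
    if (Test-Path -Path $userExe) {
        $userVal = (Get-ItemProperty -Path $userExe).'(default)'
        $findings += [pscustomobject]@{ Key = $userExe; Actual = $userVal; Expected = '<key absent>' }
        if ($Repair) { Remove-Item -Path $userExe -Recurse }
    }

    # Show what the ProgID currently bound to .exe would run, so the
    # hijacking handler (here "secfile") can be examined and quarantined.
    $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($progId -and $progId -ne 'exefile') {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = if (Test-Path -Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '<no command key>' }
        $findings += [pscustomobject]@{ Key = $cmdKey; Actual = $cmd; Expected = '(hijacking handler, review)' }
    }

    if ($findings.Count -eq 0) { Write-Output 'OK: .exe association matches Windows defaults' }
    else { $findings }
}

Test-ExeAssociation           # audit only
# Test-ExeAssociation -Repair # needs an elevated prompt to write HKLM-backed keys
```

Run from an elevated prompt for the repair path; the audit alone needs no extra rights.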

Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletproof
« Reply #2 on: March 04, 2010, 08:21:46 AM »
Maybe a dev can explain to me how a sandboxed application was able to alter my registry and mess up my system.

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 877

Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletproof
« Reply #4 on: March 04, 2010, 08:25:59 AM »

Offline dchernyakov

  • Comodo's Hero
  • *****
  • Posts: 286
Re: CIS v4 - Not Bulletproof
« Reply #5 on: March 04, 2010, 09:14:44 AM »
Could you please attach or give link to the rogue you are writing?

Offline bequick

  • Comodo's Hero
  • *****
  • Posts: 1117
    • GooGle
Re: CIS v4 - Not Bulletproof
« Reply #6 on: March 04, 2010, 09:17:53 AM »
Could you please attach or give link to the rogue you are writing?
Take this and show me how to stop it->
Code:
<url removed by moderator and sent to dchernyakov>  It completely disables CIS 4, if the sandbox is enabled!!!

p.s. I wrote a PM to the staff about that, but no answer, so...
« Last Edit: March 04, 2010, 10:45:38 AM by EricJH »


Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletproof
« Reply #7 on: March 04, 2010, 09:22:51 AM »
I'm pretty sure it was this:

<url removed by moderator and sent to dchernyakov>

But I may be wrong. It's not like I'm going to test it to find out.
« Last Edit: March 04, 2010, 10:46:04 AM by EricJH »

Offline bequick

  • Comodo's Hero
  • *****
  • Posts: 1117
    • GooGle
Re: CIS v4 - Not Bulletproof
« Reply #8 on: March 04, 2010, 09:24:18 AM »
I'm pretty sure it was this:

<url removed by moderator and sent to dchernyakov>

But I may be wrong. It's not like I'm going to test it to find out.
Yes, it was this. Look at my post above. I have tested it and my PC went to the valley of the dead.
« Last Edit: March 04, 2010, 10:46:21 AM by EricJH »


Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletproof
« Reply #9 on: March 04, 2010, 08:54:29 PM »
Well, at least we can prove the sandbox is fatally flawed.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 18687
Re: CIS v4 - Not Bulletproof
« Reply #10 on: March 04, 2010, 09:05:26 PM »
Well, at least we can prove the sandbox is fatally flawed.
How can we make it better then? Or is that something that does not interest you?

Offline Saxuality

  • Comodo's Hero
  • *****
  • Posts: 485
  • Saxy Mood ^_^
Re: CIS v4 - Not Bulletproof
« Reply #11 on: March 04, 2010, 09:06:28 PM »
How can we make it better then? Or is that something that does not interest you?

By fixing the problem.  ;D How should we know what's causing the problem?
Mac OS X Lion 10.7.3 - For Work
Windows 7 Ultimate SP1 64 bit/No Security Software - Only For Games

"Sax-a-Go-Go"

Security software makers should be thankful for malware writers and hackers for their multi billion dollar businesses. Ironic isn't it?

Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletproof
« Reply #12 on: March 04, 2010, 09:08:09 PM »
How can we make it better then? Or is that something that does not interest you?

By fixing its flaws? I did post the rogue that was able to get through.

In its current state, the sandbox is flawed and far from safe. This is proof of that. I didn't say it couldn't be improved.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 18687
Re: CIS v4 - Not Bulletproof
« Reply #13 on: March 04, 2010, 09:18:45 PM »
By fixing the problem.  ;D How we should know what's causing the problem?
By fixing its flaws? I did post the rogue that was able to get through.

In its current state, the sandbox is flawed and far from safe. This is proof of that. I didn't say it couldn't be improved.
The two of you didn't submit it in the first place.....

Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: CIS v4 - Not Bulletproof
« Reply #14 on: March 04, 2010, 09:20:07 PM »
The two of you didn't submit it in the first place.....


Yes I did. I submitted the file in the program, then I posted it here when I was asked.

 
