Author Topic: Comodo Driver Security Level Question  (Read 823 times)

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Comodo Driver Security Level Question
« on: February 01, 2021, 09:18:41 AM »
Just out of curiosity, why are the two CIS drivers 'cmderd' and 'cmdGuard' File System level drivers, instead of Kernel?

Would there be any security advantage/disadvantage in upping it to kernel?

Thanks :P

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1007
Re: Comodo Driver Security Level Question
« Reply #1 on: February 01, 2021, 09:28:22 AM »
Aren't those two CIS drivers protected by other CIS kernel drivers to prevent tampering?
Can you stop or kill those two drivers on user level?

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Comodo Driver Security Level Question
« Reply #2 on: February 01, 2021, 09:37:28 AM »
Aren't those two CIS drivers protected by other CIS kernel drivers to prevent tampering?
Can you stop or kill those two drivers on user level?

Would love to know.

A kernel level driver launches CIS early when booted, however the ones above actually just load as File System.

Not exactly sure what the cmdGuard driver does, but you would guess that this is the driver that protects the software. Maybe the early boot driver protects the 'cmdGuard' driver that protects the rest of it. I don't know. :D

Online futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5141
Re: Comodo Driver Security Level Question
« Reply #3 on: February 01, 2021, 10:52:46 AM »
They are in fact kernel-mode drivers, just a specific type of kernel drivers.

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Comodo Driver Security Level Question
« Reply #4 on: February 01, 2021, 12:58:48 PM »
They are in fact kernel-mode drivers, just a specific type of kernel drivers.

Very interesting.

So I'm guessing the cmd driverquery command is just reporting the wrong restriction level?

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1007
Re: Comodo Driver Security Level Question
« Reply #5 on: February 01, 2021, 03:11:45 PM »
Hmmm, wondering if a user could terminate or kill those processes/drivers with ProcessExplorer or ProcessHacker or the like.

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Comodo Driver Security Level Question
« Reply #6 on: February 01, 2021, 03:22:14 PM »
Never mind, I got confused.

I was thinking File System level was User-Mode level.

https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

I learned something today. :D

Thanks futuretech!

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26536
Re: Comodo Driver Security Level Question
« Reply #7 on: February 01, 2021, 09:47:38 PM »
Hmmm, wondering if a user could terminate or kill those processes/drivers with ProcessExplorer or ProcessHacker or the like.
If you run the ProcessHacker driver in the kernel (by default the driver runs in user mode), PH is in a position to take down any driver running in kernel space. That's why with a HIPS it is of the utmost importance to know that the driver you allow to be installed in the kernel can be trusted.
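
Added example, written for this thread and not code from Comodo or from any poster: a PowerShell snippet for an elevated prompt that shows the two points discussed above, namely that `Win32_SystemDriver` reports the same "Kernel Driver" / "File System Driver" split that driverquery's "Driver Type" column shows and that both types are kernel-mode code, and that checks the Authenticode signature of every running driver, which is the check the trust point above calls for. The names cmderd and cmdguard come from the thread; whether they show up depends on what is installed on the system.

```powershell
# Both ServiceType values below are kernel-mode code; "File System Driver" is a
# file system (filter) driver, not a user-mode component.
$kernelModeTypes = @('Kernel Driver', 'File System Driver')

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        # PathName may carry NT-style prefixes; normalise to a Win32 path so the file can be opened
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name        = $_.Name
            ServiceType = $_.ServiceType
            KernelMode  = $kernelModeTypes -contains $_.ServiceType
            StartMode   = $_.StartMode
            Signature   = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path        = $path
        }
    }

# The two drivers asked about in the thread (names taken from the thread)
$report | Where-Object { $_.Name -in 'cmderd', 'cmdguard' } |
    Format-Table Name, ServiceType, KernelMode, StartMode, Signature, Signer -AutoSize

# Anything running in kernel mode whose binary is not validly signed deserves a closer look
$report | Where-Object { $_.KernelMode -and $_.Signature -ne 'Valid' } |
    Format-Table Name, ServiceType, Signature, Path -AutoSize
```

A driver listed as "File System Driver" with a valid signature is in the same position as one listed as "Kernel Driver": the type column describes what the driver does, not which privilege level it runs at.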

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1007
Re: Comodo Driver Security Level Question
« Reply #8 on: February 02, 2021, 09:17:44 AM »
If you run the ProcessHacker driver in the kernel (by default the driver runs in user mode), PH is in a position to take down any driver running in kernel space. That's why with a HIPS it is of the utmost importance to know that the driver you allow to be installed in the kernel can be trusted.

Thank you for the info.
Yes, I fully agree with you that you have to / must trust a kernel mode driver before ever using it.

I just checked PH driver-mode setting on my system, it seems to be kernel-mode by default on my end (using PH 2.39.124 portable if that makes any difference).

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26536
Re: Comodo Driver Security Level Question
« Reply #9 on: February 03, 2021, 03:12:26 PM »
I thought the kernel driver was not the default setting but I could have been wrong.

I remember a discussion that egemen had years ago with a member about Outpost Firewall. Outpost Firewall would resurrect its kernel driver after it had crashed or was taken down. Egemen argued that the system would then still be considered compromised because it is unknown what happened while the driver was down. The system could worst case be infected with malware. Egemen says once something runs in the kernel it runs with the same rights as CIS and is capable of doing anything, including unhooking other drivers.

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Comodo Driver Security Level Question
« Reply #10 on: February 03, 2021, 03:59:18 PM »
Does anyone know if Windows blue screens if a CIS kernel driver is halted?

Because for the above reasons, it seems like it probably should. And then actually undergo a pre-boot system integrity check.

Would be pretty nice.
« Last Edit: February 03, 2021, 04:02:46 PM by ReeceN »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26536
Re: Comodo Driver Security Level Question
« Reply #11 on: February 03, 2021, 10:12:12 PM »
I don't know. That's the only thing I know for sure.
