Author Topic: A New Way of Exploiting Antivirus Scanners (Comodo was among the tested)

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
So first off, why am I posting this to Comodo Firewall instead of the antivirus or CIS section? Because I use Comodo Firewall and the question I have is related to Comodo Firewall.

So a while ago someone else posted this article from rack911labs: https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software/#1582913022163-15564610-57a3

Apparently there's a way to exploit an antivirus program by taking advantage of a brief moment between the detection of malware and the quarantining of the malware.

I configure CFW to block all unknown files and all known malware rather than sandboxing it.

So, now that the context for my question has been laid out: would malware like what is described in that article be able to run on a system protected by Comodo with the settings changed that way on Proactive Security, where all of the options for "do not show popup alerts" have been set to "block"?
ProactiveSecurity
AV: Heur to medium, auto-quarantine, Lite database
HIPS/FW: SafeMode AutoBlock on.
Container: autoblock, but sandbox Chrome&Firefox
Cloud lookup: off, removed unused entries from vendor list
VirusScope: monitor all, auto-quarantine
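The "brief moment between detection and quarantine" the article describes is a classic check-then-act race: the scanner resolves the file's path once to scan it and again to quarantine it, and an attacker who controls the directory can make the second resolution land somewhere else. The toy model below is an added example written for this thread; it is neither Rack911 Labs' proof of concept nor any Comodo code. It assumes Linux symlinks in place of the Windows directory junctions the article relies on, a constructed marker string in place of a real signature hit, and the attacker's swap is called explicitly inside the window instead of being raced on a timer, so the outcome is deterministic. The naive scanner deletes the wrong file; the hardened one pins the directory and file with handles at detection time and refuses to act if the inode changed.

```python
"""
Toy model of the detect-then-quarantine (TOCTOU) window in a file scanner.
Constructed for illustration only: the "malware" is a marker string, the
scanner is a few lines of Python, and the attacker's step runs inside the
window on demand rather than racing a real product.
"""
import os
import stat
import tempfile

MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"   # stands in for a real signature hit


def looks_malicious(data: bytes) -> bool:
    return MARKER in data


def make_layout(root: str) -> dict:
    """Build root/drop/sample.bin (detected) and root/victim/sample.bin (benign)."""
    drop = os.path.join(root, "drop")
    victim = os.path.join(root, "victim")
    os.mkdir(drop)
    os.mkdir(victim)
    with open(os.path.join(drop, "sample.bin"), "wb") as f:
        f.write(b"header " + MARKER)
    with open(os.path.join(victim, "sample.bin"), "wb") as f:
        f.write(b"important benign file")
    return {"drop": drop, "victim": victim}


def swap_directory_for_link(root: str) -> None:
    """Attacker's move in the window: replace root/drop with a symlink (a
    directory junction on Windows) to root/victim. Needs only write access
    to root, no privileges."""
    drop = os.path.join(root, "drop")
    os.rename(drop, os.path.join(root, "drop.real"))
    os.symlink(os.path.join(root, "victim"), drop)


def naive_scan_and_delete(path: str, in_window) -> bool:
    """Check by path, act by path: the path is resolved twice."""
    with open(path, "rb") as f:
        hit = looks_malicious(f.read())
    if not hit:
        return False
    in_window()                      # attacker runs here
    os.remove(path)                  # 'drop' now resolves to the victim dir
    return True


def hardened_scan_and_delete(path: str, in_window) -> bool:
    """Pin the directory and the file at detection time; act through handles."""
    parent, name = os.path.split(path)
    dir_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        try:
            ident = os.fstat(fd)                       # identity of what we scanned
            hit = looks_malicious(os.read(fd, 1 << 20))
        finally:
            os.close(fd)
        if not hit:
            return False
        in_window()                                    # attacker runs here too
        now = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if (now.st_dev, now.st_ino) != (ident.st_dev, ident.st_ino) \
                or not stat.S_ISREG(now.st_mode):
            raise RuntimeError("file changed between detection and quarantine; refusing to act")
        os.unlink(name, dir_fd=dir_fd)                 # dir_fd still points at the real dir
        return True
    finally:
        os.close(dir_fd)


def run(scanner) -> dict:
    """Run one scanner against the layout and report which file survived."""
    with tempfile.TemporaryDirectory() as root:
        p = make_layout(root)
        target = os.path.join(p["drop"], "sample.bin")
        scanner(target, lambda: swap_directory_for_link(root))
        return {
            "victim_survived": os.path.exists(os.path.join(p["victim"], "sample.bin")),
            "sample_survived": os.path.exists(os.path.join(root, "drop.real", "sample.bin")),
        }


if __name__ == "__main__":
    print("naive   :", run(naive_scan_and_delete))
    print("hardened:", run(hardened_scan_and_delete))
```

Run as-is on Linux: the naive scanner reports the benign victim file gone and the real sample untouched, while the hardened scanner removes the sample and leaves the victim alone. Real products close the window the same way, by scanning and quarantining through a handle opened once (and, on Windows, by refusing reparse points on the path), not by shrinking the time between the two steps.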

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 86


I configure CFW to block all unknown files and all known malware rather than sandboxing it.

So, now that the context for my question has been laid out: would malware like what is described in that article be able to run on a system protected by Comodo with the settings changed that way on Proactive Security, where all of the options for "do not show popup alerts" have been set to "block"?
I understand that you have changed the Containment configuration, but it is enabled, right?

You have not mentioned whether you have changed the exception folders.

Anyway, if you have enabled Containment and disabled the Containment exception folders, then this should work without problems...

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
You mean the "do not virtualize access to: _____" rules? Yes, the only folder that programs running in the container can access is my Downloads folder.

Firefox and chrome are set to be auto-sandboxed whenever anything launches them.

I browse using Firefox Developer Edition and sometimes Firefox Nightly. All of the folders with my personal files in them, as well as the folders with the user profiles of FF Dev and FF Nightly, are denied to all programs running in Comodo's container.

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 535

I configure CFW to block all unknown files and all known malware rather than sandboxing it.

Would malware like what is described in that article be able to run on a system protected by Comodo with the settings changed that way on Proactive Security, where all of the options for "do not show popup alerts" have been set to "block"?

I configured it this way too. No quarantine, but blocking.

But one folder is an exception, and I haven't had any problems so far.

Offline mmalheiros

  • Comodo's Hero
  • *****
  • Posts: 315
Firefox and chrome are set to be auto-sandboxed whenever anything launches them.

Do note that when setting Firefox or Chrome to be Auto-Contained, any Unknown coming from the Web or executed through the browser will run inside the Sandbox, instead of being blocked according to your Auto-Containment policy for Unknowns. You can find more details about this in this wish.

The only way to bypass Comodo at Blocked setting is having a file digitally signed by a Trusted Vendor or Trusted by Cloud Lookup. You can disable the Cloud and use a Customized Vendor List, as well as enable Embedded Code Detection for everything under Script Analysis list, for coverage against Fileless Malware.
« Last Edit: April 23, 2020, 05:21:25 PM by mmalheiros »

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
I run CFW alongside VoodooShield. Voodoo has great fileless malware protection. Also, I'm well aware of how the container works.

The option for privilege escalation is set to automatically run inside the container, but between the two things I use to protect against malware, CFW as a stand-alone and Voodoo as a supplement, I don't think anything can get through.

Especially since Voodoo checks everything on VirusTotal. Not even PUPs will get through.

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 86
I run CFW alongside VoodooShield. Voodoo has great fileless malware protection.

Are you running CFW with HIPS enabled or disabled? If you are running with HIPS enabled, don't you have compatibility problems with VoodooShield? Because both are doing the same thing (checking) at the same time when an unknown app starts...


Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
Are you running CFW with HIPS enabled or disabled? If you are running with HIPS enabled, don't you have compatibility problems with VoodooShield? Because both are doing the same thing (checking) at the same time when an unknown app starts...

HIPS on Comodo is enabled and set to auto-block all requests; no issues discovered in all the time I've been doing it this way.

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 535
HIPS ....... VoodooShield? Because both are doing the same thing (checking) at the same time when an unknown app starts...

I also think that VoodooShield as an additional protective shield does not increase protection. Both work with whitelists, and with CIS I can also seal off my PC (although I am not affected [yet]; here is a discussion about bypassing the Comodo firewall):

ex post #86

https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-2020-v12227036-released-t125668.75.html
« Last Edit: April 24, 2020, 11:49:48 PM by prodex »

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 86
HIPS on Comodo is enabled and set to auto-block all requests; no issues discovered in all the time I've been doing it this way.

But doing it this way, CIS probably blocks 99.9% of all unknown apps... Do you ever see VoodooShield do something? I don't think so...

But if it is working for you, I guess that is OK...

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 86
I also think that VoodooShield as an additional protective shield does not increase protection. Both work with whitelists, and with CIS I can also seal off my PC (although I am not affected [yet]; here is a discussion about bypassing the Comodo firewall):

ex post #86

https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-2020-v12227036-released-t125668.75.html
Which discussion are you talking about? Is it about the issue one user said he has with the loopback zone?

I don't see any other about bypassing the Comodo firewall...

Offline mmalheiros

  • Comodo's Hero
  • *****
  • Posts: 315
About the Rack911 Labs finding: Comodo Firewall users with Cloud Lookup disabled are unaffected, since NO detections will occur, as the problem lies when the security solution detects a file and is moving it to Quarantine. Unless they use a third-party AV alongside Comodo Firewall.

What I find strange is that only Avast and Avira are listed in their home/consumer product version; all others are listed as Endpoint/corporate product versions only. It seems Comodo Internet Security/CAV users are unaffected, or only the Enterprise edition of Comodo is affected? ...

Offline kyl

  • Comodo Loves me
  • ****
  • Posts: 186
I don't think your VoodooShield thing is needed with auto-containment set to block and cloud lookup disabled.

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
I don't think your VoodooShield thing is needed with auto-containment set to block and cloud lookup disabled.

Comodo allows most PUPs and adware, because they're never detected as malicious by the analysis they do.

Am I paranoid for using Voodoo and CFW together? Yes. Does it negatively impact the performance of my PC? No, and they don't conflict either; they use different databases and go about whitelisting applications in totally different ways.

Thank you for that tip, by the way. I shall disable cloud lookup and check every blocked file through HitmanPro and VirusTotal before I allow anything from now on.

Offline mmalheiros

  • Comodo's Hero
  • *****
  • Posts: 315
Comodo allows most PUPs and adware, because they're never detected as malicious by the analysis they do.
...
Thank you for that tip, by the way. I shall disable cloud lookup and check every blocked file through HitmanPro and VirusTotal before I allow anything from now on.

For PUP protection, as well as protection from 'whitelisted malware', besides disabling Cloud Lookup you can follow this guide by Cruelsister on how to customize the Vendor List. By deleting unneeded vendors from the list as suggested, you will notice less system resource consumption from Comodo.
