Author Topic: bypass CIS v6.2 fully virtualized  (Read 11558 times)

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 963
bypass CIS v6.2 fully virtualized
« on: June 19, 2013, 09:54:22 PM »
1. I ran the malware.

http://camas.comodo.com/cgi-bin/submit?file=c711b000360129c9417a61a7a1af765c56dd37df1c58492b827c19563e2674f3

http://valkyrie.comodo.com/Result.html?sha1=2b9e91baa9e2c63c3c1042b25b38d61d087e42c9&&query=1&&filename=1b9a02ec0636fde0a3b3cb70ac9d5eb5.exe

https://www.virustotal.com/en/file/c711b000360129c9417a61a7a1af765c56dd37df1c58492b827c19563e2674f3/analysis/1371692982/

2. It was sandboxed as fully-virtualized.

3. I reset the sandbox.

4. I checked the autorun entry.

Please view the attached image.

5. The malware successfully created autorun entries outside the sandbox.

6. Environment:
Win XP Pro SP3 32bit


[attachment deleted by admin]
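The check in step 4 (compare the real system's autorun locations before and after running the sample and resetting the sandbox) can be scripted so it does not depend on reading a screenshot. The following is an added example, not part of the original post and not CIS code; it assumes PowerShell 2.0 or later and only looks at the standard Run/RunOnce keys and the two Startup folders, which is the scope of the step above, nothing beyond it.

```powershell
# Added example (not from the original post): snapshot the common autorun
# locations before running a sample, then diff after "Reset Sandbox".
# Assumes PowerShell 2.0+ (works on XP SP3 once PowerShell is installed).

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupFolders {
    # Per-user Startup folder from .NET, all-users folder from the
    # Explorer "Shell Folders" key (present on XP and later).
    $dirs = @([Environment]::GetFolderPath('Startup'))
    $shell = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    if (Test-Path $shell) {
        $common = (Get-ItemProperty -Path $shell).'Common Startup'
        if ($common) { $dirs += $common }
    }
    return $dirs
}

function Get-AutorunSnapshot {
    # Returns one "location|name|value" string per entry so two snapshots
    # can be compared with Compare-Object.
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -like 'PS*') { continue }
            $entries += "$key|$($p.Name)|$($p.Value)"
        }
    }
    foreach ($dir in (Get-StartupFolders)) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in (Get-ChildItem -Path $dir -Force)) {
            $entries += "$dir|$($f.Name)|$($f.Length)"
        }
    }
    return ($entries | Sort-Object)
}

function Compare-AutorunSnapshot($Before, $After) {
    # Entries present only in $After: they were written to the real
    # system's autorun locations, i.e. they survived the sandbox reset.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

# Usage:
#   $before = Get-AutorunSnapshot
#   ... run the sample (it should be sandboxed), then Reset Sandbox in CIS ...
#   $after  = Get-AutorunSnapshot
#   Compare-AutorunSnapshot $before $after
# An empty result means nothing escaped; any line printed is a persistence
# entry that landed outside the sandbox.
```

Taking the first snapshot before the sample runs matters: a single look at the Run key afterwards cannot tell a pre-existing entry from one the sample added.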

Offline Jaspion

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 287
    • Jaspion's Forum
Re: bypass CIS v6.2 fully virtualized
« Reply #1 on: June 20, 2013, 04:22:25 AM »
Hi, thanks for the report. Does this happen with Win 7 too? Have you tried? Same for http://forums.comodo.com/news-announcements-feedback-cis/bypass-cis-v62-partially-limited-limited-and-hips-t95939.0.html
Jaspion Scripts for MyDefrag
The most powerful HDD defragmenter and optimizer is now even better and easier to use.
Visit our forum: http://jaspion.boards.net

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 963
Re: bypass CIS v6.2 fully virtualized
« Reply #2 on: June 20, 2013, 04:39:13 AM »
Hi, thanks for the report. Does this happen with Win 7 too? Have you tried? Same for http://forums.comodo.com/news-announcements-feedback-cis/bypass-cis-v62-partially-limited-limited-and-hips-t95939.0.html

That issue is for 32bit system only.

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1634
  • GOD cure me epilepsy and atrophy - Sou brasileiro!
Re: bypass CIS v6.2 fully virtualized
« Reply #3 on: June 20, 2013, 09:36:12 AM »
That issue is for 32bit system only.

Could you send me the sample?
I would like to test on Windows 7, because that is what I use, and wanted to see how CIS 6.2 behaves.

========================================================
The screenlogger issue reported by Jaspion is also not fixed.
http://forums.comodo.com/news-announcements-feedback-cis/screen-capture-protection-t94921.60.html
« Last Edit: June 20, 2013, 09:40:34 AM by liosant »

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: bypass CIS v6.2 fully virtualized
« Reply #4 on: June 20, 2013, 10:25:03 AM »
This case and a few other cases reported before rely on the same technique. We fixed it but haven't issued the update yet.

Offline RealNature

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1277
  • Nothing without God
Re: bypass CIS v6.2 fully virtualized
« Reply #5 on: June 20, 2013, 10:31:24 AM »
We fixed it but haven't issued the update yet.
And when would that be? Soon or later on?

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: bypass CIS v6.2 fully virtualized
« Reply #6 on: June 20, 2013, 10:32:12 AM »
This case and a few other cases reported before rely on the same technique. We fixed it but haven't issued the update yet.
When can we expect said update to go live? You don't have to be super specific but maybe say days, weeks, months?

Edit: Damn it, too late, I really must re-enable that warning about new posts  88)
I support privacy and freedom online - eff.org

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: bypass CIS v6.2 fully virtualized
« Reply #7 on: June 20, 2013, 10:56:04 AM »
The fix is very specific and hence we need to get it tested more. We should be able to include it with the next release.


Weeks is what we are talking about.

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: bypass CIS v6.2 fully virtualized
« Reply #8 on: June 20, 2013, 11:05:38 AM »
The fix is very specific and hence we need to get it tested more. We should be able to include it with the next release.


Weeks is what we are talking about.
Alright, looking forward to the update.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: bypass CIS v6.2 fully virtualized
« Reply #9 on: June 20, 2013, 11:28:59 AM »
In the meantime, you can simply add LocalSecurityAuthority.Debug to your protected COM interfaces to address this issue.

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: bypass CIS v6.2 fully virtualized
« Reply #10 on: June 20, 2013, 11:48:50 AM »
In the meantime, you can simply add LocalSecurityAuthority.Debug to your protected COM interfaces to address this issue.
Thank you for the tip! =) I wonder, is there any similar malware/technique that you know of that can bypass CIS' full virtualization on 64-bit systems?

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: bypass CIS v6.2 fully virtualized
« Reply #11 on: July 12, 2013, 10:56:35 PM »
@a256886572008, is this fixed with CIS version 6.2.285401.2860?


Offline spywar

  • Malware Research Group
  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 9560
Re: bypass CIS v6.2 fully virtualized
« Reply #13 on: July 13, 2013, 08:28:00 AM »
@a256886572008, is this fixed with CIS version 6.2.285401.2860?
They have not released the fixes yet. Egemen said "in a few weeks" in another topic, days ago.
