Okay, I don’t want to raise too many red flags just yet, but there’s this application that’s been bypassing my HIPS rules, and I haven’t been able to get it to trigger any HIPS popup alerts for disk access access no matter what I tried. I’m not sure, but it seems like a security bypass to me.
This application runs as a service on my computer. I’ve setup CIS6 HIPS to safe mode, all monitoring options are enabled, trusted files are disabled, cloud lookup is disabled, trusted vendors are disabled apart from Microsoft and Comodo, the sandbox is disabled, etc. Basically I set it up to show alerts for pretty much anything. I even changed the HIPS to paranoid mode, cleared out all existing application rules for FNPLicensingService64.exe, and tried to enable sandbox with various settings. In all cases except one this application was able to gain raw disk access and wrote to a single sector on my HDD at 0x3C, which is the bootloader space. The only thing that worked is when the sandbox was set to fully virtualize the executable. Don’t get me wrong, the app did trigger some popups for registry access, namely some CLSID entries, but no disk access warnings.
Normally I would not have noticed a thing, but I use another Linux OS on the same PC that hashes the first 2048 sectors of each disk, and stores the values for later comparison. I noticed at one point that the hashes of my windows disk mismatched, so I compared the current disk sectors with a backup and found out this modification. It would seem that there was some random data written to this sector. Then I booted back to windows and it took me a while before I finally caught the culprit with Process Monitor (see attached image).
Is there a way to make CIS6/HIPS display warnings for raw disk access like this ( \Device\Harddisk** )?
Possibly block all write access to the first 2048 sectors of the HDD (except for whitelisted applications i.e. a hex editor)?
Did you try rebooting after making changes to your configuration, or try stopping and restarting the service or otherwise I think it will continue to run with the old session permissions.
I did not try rebooting with the paranoid configuration because that can easily make the computer unbootable (see last post here: https://forums.comodo.com/defense-sandbox-help-cis/hips-not-detecting-vlc-installer-t100982.0.html;msg732155#msg732155). I didn’t restart the service, but I tried to kill it via Process Explorer. It exited, but the thing is that when activated by a third party program (i.e. SolidWorks 2013) the service came back up and restarted itself on its own several times in a row. Each time it was able to read the disk without triggering any alerts.
Disable the list of whitelist and check in clouds. Then check in trusted files and delete the executable FNPLicensingService64.exe and save the settings and then see what happens.
Sorry about the long delay, I’ve almost forgotten about this topic. Anyway, I’ve recently had my Windows 7 become unusable, so I had to format and reinstall everything. I’ve decided to upgrade my CIS to version 7.0, and I’ve now solved this “leak”. I activated the proactive security, but I am unsure whether it had any effect on it. The solution was to add a new group called “Physical Drives” to the protected objects in HIPS, and adding these two entries to that group:
\Device\Harddisk*\DR*
\Device\HarddiskVolume*
I’m not completely sure, if the following two entries cover the whole disk access, but the HIPS now properly asks me to allow or deny access to physical partitions and/or raw disk access. I’ve blocked the raw disk access, and my boot sectors are no longer modified. Of course it took me some trial and error to come up with the solution, and I made/restored a lot of disk backups in the process, but I managed to solve it in the end.
COMODO: Would you consider adding the “Physical Drives” group to the HIPS protected objects by default?
While I agree Comodo should take steps to resolve this issue, asking them to do something outside of the Wishlist area or Bug area rarely amounts to anything, if you believe this is a bug then please create a bug report for it, if you believe it is a wish then please create a wish for it.
Btw, under Protected Objects, do you add the entries under Protected Files/Folder or other?
Yes, thank you for the suggestion. I have a large wishlist that I am going to post soon. Right now I am still in the process of finetuning the CIS7, and I’m adding new wishes to the list. A lot of the wishes are still from my previous posts that comodo didn’t fix yet.
I think I added it under protected files/folders (sorry, I’m on linux right now). There was this problem/bug where you are not able to add file paths like \Device.… because whenever you try to add a file, a file browser dialog will open, and it refuses to accept entries such as “\Device\Harddisk*\DR*”. I had to add some random DLL file to the list, accept it and then edit the file path manually (a textbox pops up that allows you to modify the path manually.