Comodo Internet Security v11.0.0.6606 - Released

[cuser]

updated to 11.x (sorta since after cis 11 installer had uninstalled cis 10 and comp had rebooted installation didn't continue as it was supposed to (might have on admin-account but not on non-admin account) so had to make quite fresh installation (and still hate that stupid lycia theme)) and so far has worked w/o problems.

[Citizen K]

not exclusively for servers as You can see in these articles:

* https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
* https://threatpost.com/xbash-malware-packs-double-punch-destroys-data-and-mines-for-crypto-coins/137543/
* https://gbhackers.com/xbash-malware/

So, how is CIS against this new kind of malware?

If possible, please, share some samples so I can test on my real machine to solve this question for everyone. Take in mind that this is something "almost" new and will probably be updated and rebranded and forked into all-pc-target-place.. so, if its a malware CIS should block it, right?

And he we have my curiosity and fear about CIS blocking it or not:

"On Windows, the malware will execute a JavaSCript or VBScript downloader. The downloader in turn calls on  a coinminer to be executed onto the system: “Depending on Xbash’s version, this new startup item will download a malicious HTML or a Scriptlet file from Xbash’s C2 server, and to execute the JavaScript or VBScript code in the file via “mshta” or via “regsvr32″. These scripts will then invoke PowerShell to download a malicious PE executable or PE DLL file,” researchers said."

The original article states

Unit 42 researchers have found ba new malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.

Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).

It looks like it first sets foot on share on a Linux and Windows Server environments and from there it may spread locally. We don't how it spreads locally unless somebody has an example of malware that gets spread by Xbash. It all depends on what malware gets spread by a compromised server. 

From the same article:

If it believes it’s found a Windows server, Xbash will exploit the Redis vulnerability to create a Windows startup item (as shown in Figure 6), instead of a Linux cronjob. Depending on Xbash’s version, this new startup item will download a malicious HTML or a Scriptlet file from Xbash’s C2 server, and to execute the JavaScript or VBScript code in the file via “mshta” or via “regsvr32”. These scripts will then invoke PowerShell to download a malicious PE executable or PE DLL file from the same C2 server for execution as shown in Figure 8.

Further indications xBash is targeting server environments in the article on gbhackers:

Xbash author using the new unknown technique to scan the vulnerable servers in the enterprise Intranet.

I am not convinced xBash is made to spread on non Server environments. Once it has a foot on shore on a server it may be capable of spreading to normal Windows environments but such malware has not been seen in the wild as far as I know. Without a malware in the wild that gets spread from a compromised server it is impossible to speculate whether CIS is capable of catching it or not.

[iamme99]

So any updates on when v11 is going to be safe to update to and use?  Or do we just wait for v12?

[aldist]

Firewall only. With a certain configuration, the context menu in the system tray is reduced.

By changing the settings, you can not return to the normal context menu. Activation an earlier saved configuration eliminates this bug.
Similarly, with v11.0.0.6710.
Can I determine which settings break the context menu?
Ha-ha! I broke the whole head! 

I saw that the cmdagent.exe loaded the CPU >60%. The problem was solved by the DHCP rule for svchost.exe:
enable UDP out
source IP: any
source port: 68
destination IP: any
destination port: 67

Perhaps this rule helps to reduce CPU usage only if you have a dynamic IP.

[vitim]

The original article states
It looks like it first sets foot on share on a Linux and Windows Server environments and from there it may spread locally. We don't how it spreads locally unless somebody has an example of malware that gets spread by Xbash. It all depends on what malware gets spread by a compromised server. 

From the same article:

Further indications xBash is targeting server environments in the article on gbhackers:
I am not convinced xBash is made to spread on non Server environments. Once it has a foot on shore on a server it may be capable of spreading to normal Windows environments but such malware has not been seen in the wild as far as I know. Without a malware in the wild that gets spread from a compromised server it is impossible to speculate whether CIS is capable of catching it or not.

Understuud..

In that case, doesnt matter if it targets servers. Its still a malware, atleast unknow files, should be blocked and/or prompted by CIS, right?

[Citizen K]

CIS does not run on Windows Server environments. That makes the question whether CIS could block xBash a theoretical one.

Of course unknown files should be blocked or the user should be prompted by CIS but we won't be meeting xBash on our computers. It tries to get in by trying to exploit security holes in software that is specific for servers.

[vitim]

CIS does not run on Windows Server environments. That makes the question whether CIS could block xBash a theoretical one.

Of course unknown files should be blocked or the user should be prompted by CIS but we won't be meeting xBash on our computers. It tries to get in by trying to exploit security holes in software that is specific for servers.

Ok. Ill study it more.. This still doesnt convince me as a cis user..

[ubuysa]

Ok. Ill study it more.. This still doesnt convince me as a cis user..

This is the key phrase from EricJH's post above...

If it believes it’s found a Windows server, Xbash will exploit the Redis vulnerability....

REDIS is the SQL REmote Dictionary Server and it's found only on Windows Server systems.

[Viper94]

Hi All,
We are pleased to announce release of Comodo Internet Security v11.0.0.6606.

...

This is mainly a bug fix release and here is the change list:
New:
...

3.
This build is HVCI compliant, this is a feature which is going to be enabled by default in Windows 10 RS5, due in Fall-2018.

4.
When updates to older versions released, updates will be done in two steps, after you have updated, you will see another alert for 2nd update. Any update further on top of this won't require two updates. We have to go through this one time for technical reasons to be ready for next hot-fix release, which will be fully RS5 compliant.

...

-umesh

As the changelog shows v11 will bring complete compatibility for Windows 10 RS5 update. I read in some magazines windows 10 RS5 will already be released in couple of days / weeks.
So my question is, will CIS v10 work properly on RS5? Or should we update manually from v10 to v11 before RS5 release in order to get no problems when RS5 is coming out (especially while upgrade process)?

[devilbat]

Ok. Ill study it more.. This still doesnt convince me as a cis user..

Enable "Code Detection" for regsvr32.exe or mshta.exe and CIS should be able to block the Payload.

https://help.comodo.com/topic-72-1-766-11485-Miscellaneous-Settings.html#heuristic_analysis

[vitim]

Enable "Code Detection" for regsvr32.exe or mshta.exe and CIS should be able to block the Payload.

https://help.comodo.com/topic-72-1-766-11485-Miscellaneous-Settings.html#heuristic_analysis

im trying to grab the malware so I can test it on my main machine. with default configs on cis. other than that, if cis fails to block it then itll be goodbye from me.

[liosant]

im trying to grab the malware so I can test it on my main machine. with default configs on cis. other than that, if cis fails to block it then itll be goodbye from me.

Cis fail if application is safe  and used for malwares, but only if application is containment and folder in "do not virtualize" https://help.comodo.com/topic-72-1-766-9168-Sandbox-Configuration.html

or instalation corrupt

[Citizen K]

im trying to grab the malware so I can test it on my main machine. with default configs on cis. other than that, if cis fails to block it then itll be goodbye from me.

If it could bypass CIS Comodo and us are always interested to know why.

[devilbat]

im trying to grab the malware so I can test it on my main machine. with default configs on cis. other than that, if cis fails to block it then itll be goodbye from me.

You are free to use whatever you want but IMO if CIS can prevent the malware with just a simple setting change (Toggle on/off) there is no reason for leaving it. Also do note that all other security products in the market fail against some form of malware or another... With CIS you can prevent them all and if there is some alleged Bypass, you can prevent it simply by changing some settings.

[Citizen K]

Please keep in mind that xBash is a server malware. It is not made to work on a desktop computer.