A New Way of Exploiting Antivirus Scanners (comodo was among the tested)

So first off, why am I posting this to comodo firewall instead of the antivirus or CIS section? Because I use comodo firewall and the question I have is related to comodo firewall.

So a while ago someone else posted this article to rack911labs https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software/#1582913022163-15564610-57a3

Apparently there’s a way to exploit an antivirus program by taking advantage of a brief moment between the detection of malware and the quarantining of the malware.

I configure CFW to block all unknown files and all known malware rather than sandboxing it.

So, now that the context for my question has been laid out: would malware like what is described in that article be able to run on a system protected by comodo with the settings changed that way on proactive security, where all of the options for “do not show popup alerts” have been set to “block”?

I understand that you have changed the Containment configuration, but it is enabled, right?

You have not mentioned whether you have changed the exception folders.

Anyway, in case you have enabled Containment and disabled the Containment Exceptions folders, this should work without problems…

You mean the “do not virtualize access to: _____” rules? Yes, the only folder that programs running in the container can access is my downloads folder.

Firefox and chrome are set to be auto-sandboxed whenever anything launches them.

I browse using firefox developer edition and sometimes firefox nightly. All of the folders with my personal files in them as well as the folders with the user profiles of FF dev and FF nightly are denied to all programs running in comodo’s container.

I configured it this way too. No quarantine but blocking.

But one folder is an exception and I haven’t had any problems so far.

Do note that when setting Firefox or Chrome to be Auto-Contained, any Unknown coming from the Web or executed through the browser will run inside the Sandbox, instead of being blocked according to your Auto-Containment policy for Unknowns. You can find more details about this in this wish.

The only way to bypass Comodo at Blocked setting is having a file digitally signed by a Trusted Vendor or Trusted by Cloud Lookup. You can disable the Cloud and use a Customized Vendor List, as well as enable Embedded Code Detection for everything under Script Analysis list, for coverage against Fileless Malware.

I run CFW alongside voodooshield. Voodoo has great fileless malware protection. Also, I’m well aware of how the container works.

The option for privilege escalation is set to automatically run inside the container, but between the two things I use to protect against malware, CFW as a stand-alone and Voodoo as a supplement, I don’t think anything can get through.

Especially since voodoo checks everything on virus total. Not even pups will get through.

Are you running CFW with HIPS enabled or disabled? If you run with HIPS enabled, don’t you have compatibility problems with Voodooshield? Because both are doing the same thing (checking) at the same time when an unknown app starts…

HIPS on comodo is enabled and set to auto-block all requests, no issues discovered in all the time I’ve been doing it this way.

I also think that the Voodoo Shield as an additional protective shield does not increase protection. Both work with whitelists, and with cis I can also seal off my PC (although I am not affected [yet], here is a discussion about bypassing the comodo firewall):

ex post #86


But doing it this way, CIS probably blocks 99.9% of all unknown apps… Do you ever see Voodooshield do something? I don’t think so…

But if it is working for you, I guess that is ok…

Which discussion are you talking about? Is it about the issue that one user said he has with the loopback zone?

I don’t see any other about bypassing the comodo firewall…

About the Rack911labs finding, Comodo Firewall users with Disabled Cloud Lookup are unaffected, since NO detections will occur, as the problem lies when the security solution detects a file and is moving it to Quarantine. Unless they use a third-party AV alongside Comodo Firewall.

What I find strange is, only Avast and Avira are enlisted in their home/consumer product version, all others are enlisted as Endpoint/corporate product version only. Seems Comodo Internet Security/CAV users are unaffected or only the Enterprise edition of Comodo is affected? …

I don’t think your Voodoo thing is needed with auto-containment set to block and cloud lookup disabled.

Comodo allows most PUPs and adware, because they’re never detected as malicious by the analysis they do.

Am I paranoid for using voodoo and CFW together? Yes. Does it negatively impact the performance of my PC? No and they don’t conflict either, they use different databases and go about whitelisting applications in totally different ways.

Thank you for that tip by the way, I shall disable cloud lookup and check every blocked file through hitmanpro and virustotal before I allow anything from now on.

For PUP protection, as well as Protection from ‘Whitelisted Malware’, besides disabling Cloud Lookup you can follow this guide of Cruelsister on how to customize the Vendor List. By deleting unneeded Vendors from the List as suggested you will notice less system resources consumption from Comodo.

Comodo actually doesn’t use too many resources. It’s very light and it does its job very quickly when it catches something.

(Edit!) So really the only thing that’s ever been wrong with comodo is the way they (the people that make the database) go about whitelisting applications. If a digital signature exists in the cloud and malware has that same signature in that moment, the malware or pup gets allowed.

That needs to change right now. It’s like if police would allow a criminal to walk out of a prison just because they’re wearing a name tag that says they’re a warden. It’s dumb if that’s all it takes and even though comodo is for advanced users only, you can’t expect a user to make changes like that. To turn off the cloud lookup and to go through the locally stored list of vendors like that.

Comodo needs to whitelist things based on an exact match of an SHA256 hash AND a digital signature, or lack thereof if the application doesn’t have one.

Right now, all it takes for an application to be allowed by comodo is the right nametag at the right time.

(edit end)
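To make the difference between the two whitelisting policies argued about in this thread concrete, here is an added example (not code from the poster, from Comodo, or from any product in the thread). It assumes a constructed allowlist and three constructed file contents; the signer name is passed in as a string, standing in for whatever a real platform signature check would report, so signature verification itself is out of scope here.

```python
import hashlib
from typing import Optional

# Constructed sample "executables" for the demonstration (not real binaries).
GOOD_TOOL = b"MZ constructed: vendor tool v1.0"
UNSIGNED_TOOL = b"MZ constructed: unsigned in-house script host"
LOOKALIKE = b"MZ constructed: different binary carrying the same signer name"

# Constructed vendor list, as used by a signer-only policy.
TRUSTED_VENDORS = {"Example Vendor Ltd"}


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; this is the exact-match key the post asks for."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: sha256 -> expected signer name.
# None means "this exact file is expected to be unsigned".
ALLOWLIST = {
    sha256_hex(GOOD_TOOL): "Example Vendor Ltd",
    sha256_hex(UNSIGNED_TOOL): None,
}

_MISSING = object()  # sentinel, because None is a legitimate allowlist value


def signer_only_verdict(signer: Optional[str]) -> str:
    """The policy the post criticises: any file whose signer name is on the
    vendor list is allowed, regardless of what the file actually is."""
    return "allow" if signer in TRUSTED_VENDORS else "block"


def hash_and_signer_verdict(data: bytes, signer: Optional[str]) -> str:
    """The policy the post asks for: allow only when the exact hash is listed
    AND the signer matches what was recorded for that hash (including the
    case where the recorded expectation is 'unsigned')."""
    expected = ALLOWLIST.get(sha256_hex(data), _MISSING)
    if expected is _MISSING:
        return "block"  # unknown file: never allowed on signer name alone
    return "allow" if expected == signer else "block"


def compare_policies(data: bytes, signer: Optional[str]) -> dict:
    """Return both verdicts side by side for one file/signer pair."""
    return {
        "signer_only": signer_only_verdict(signer),
        "hash_and_signer": hash_and_signer_verdict(data, signer),
    }


if __name__ == "__main__":
    for label, data, signer in [
        ("known vendor tool", GOOD_TOOL, "Example Vendor Ltd"),
        ("lookalike with trusted signer name", LOOKALIKE, "Example Vendor Ltd"),
        ("known unsigned tool", UNSIGNED_TOOL, None),
        ("known tool, signature missing", GOOD_TOOL, None),
    ]:
        print(f"{label:40s} {compare_policies(data, signer)}")
```

The lookalike file is the case the post is worried about: a signer-only list allows it because the name matches, while the hash-plus-signer rule blocks it because its contents were never approved. The reverse case (a known file turning up without its expected signature) is also blocked, which catches a tampered copy of an otherwise trusted tool.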

What are the chances of this happening (more than 10%)? Of course, hackers are ingenious people. But don’t you have such or similar danger anyway? Don’t you always have such or similar danger?
Hitman Pro checks in the cloud; ESET does it too. What about blacklists? In this sense, are you safer with voodooshield + cis, using different whitelists?

EDIT: I forgot this:

Comodo needs to whitelist things based on an exact match of an SHA256 hash AND a digital signature, or lack thereof if the application doesn't have one.

Voodooshield also checks against its own M.L.A.I. and virustotal. I guess I really don’t have to worry. Testers on youtube use the defaults of comodo’s settings and I’ve never seen an honest test of comodo where it failed.

The one test I saw where the tester said it failed, they didn’t even test the protection comodo offers. They counted the fact that they were able to download malware at all as a fail, without attempting to run the malware.
Another thing occurred to me just a while ago. Yes, lots of antivirus programs check things in a cloud database. My issue is that comodo sometimes adds things to the whitelist without checking too deeply into the software vendor in question. And when a bad vendor gets added to the installation’s list of trusted vendors…as far as I’m aware…the user has to start a lookup of the vendors in the list to get rid of any of the bad ones in there.
(Edit1 End)

Comodo already checks the hash of files against the Cloud to verify if they are Trusted, Unknown or Malicious. As for Digital Signatures, digitally signed Malware will most often carry a stolen certificate from a shady and relatively unknown company and almost never a certificate from a big and trustworthy company like Adobe, Google, Apple, Microsoft and others.

For me it took less than five minutes to customize the Vendor List following the guide of Cruelsister, all the user has to do is: Select all vendors, then use the search function (magnifier icon) to search for vendors the user wants to keep, uncheck those, and then press Remove to delete all other vendors.

Customizing the vendor list is more about preventing against PUPs and controversial companies like Baidu for example. As well as those Chinese vendors with unreadable characters in the list. It’s more about user preference, but Comodo does prevent against PUPs and Whitelisted Malware if you set it up in the right way and it’s an easy thing to accomplish. Is there room for improvement regarding vendor list customization? Yes sure, and Comodo will eventually get there.

Cool, just so you know, I followed cruelsister1’s guide. I removed all signatures that aren’t from companies that make things I use and disabled cloud lookup.