1. What actually happened or you saw:
I saw a few films which showed that some exploits are able to bypass CIS.
2. What you wanted to happen or see:
I would like to see CIS automatically monitor the most well-known exploited programs (for example Java, Adobe Flash Player, Adobe Reader, etc.) to make sure that even if they are exploited, any payload delivered will be uncovered and sandboxed.
3. Why you think it is desirable:
Currently it's possible for applications on a system protected by CIS to be vulnerable to exploits. Then it is possible for the exploit to deliver a payload, and for that payload to be trusted because it appears to have originated from a trusted program. This sort of protection should mitigate much of that threat.
4. Any other information:
A program which has protection similar to this, although it also has additional protections, is Malwarebytes Anti-Exploit.
A video of Malwarebytes Anti-Exploit in action can be seen here:
Actually, CIS already does have some exploit protection. However, most users are not aware of this.
Therefore, for this Wish it’s very important that you specify the type of exploit protection you would like added to CIS. Perhaps the best way of doing that is linking to tests where CIS was able to be bypassed. If possible post those links in your next reply.
Without knowing the specifics however, it’s not possible to put through a wish like this. CIS does have exploit protection. Thus, I think the best way to go about this is to actually spread the word that if anyone finds an exploit which can bypass CIS please create a bug report for it. I will then forward that bug report as a bug to Comodo. What you are really asking for is not for exploit protection to be added to CIS, but for the exploit protection already included to be improved.
EricJH, I skimmed the FAQ link, but wasn’t sure about how to differentiate between what CIS currently does and what else it could do. Do you have any thoughts for specific additions which could be made to the currently existing CIS exploit protection?
Layer 1 protection: Protection Against Operating System Security Bypasses
This is the first and foremost protection against exploits. It consists of multiple advanced memory protection techniques to detect exploit attempts which try to bypass the built-in Operating System protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
These are protections provided by the OS itself. I think when such phenomena happen the OS will intervene itself. It's not clear how MBAE adds value here.
Layer 2 protection: Memory Caller Protection
This protection layer incorporates multiple memory techniques to prevent exploit code from executing from memory.
This is the layer where CIS shellcode protection works. It is not clear what techniques MBAE is using at this layer.
CIS uses:
Detection of Buffer Overflows which occur in the STACK memory
Detection of Buffer Overflows which occur in the HEAP memory
Detection of ret2libc attacks
Full 32 bit and 64 bit Support
CIS buffer overflow protection works on all applications. MBAE Free works on a limited set of applications that get often targeted: Java and various browsers. The premium version allows a broader set of programs to be protected.
CIS protects against three sorts of buffer overflows in order to be able to protect all applications. Having more buffer overflow protection mechanisms at work makes compatibility harder, according to egemen. MBAE protects a limited set of programs, which should make it easier to have more forms of buffer overflow protection. However, it's not clear which buffer overflow protection mechanisms MBAE is using.
This protection layer is the last defense against exploit attempts. In case an exploit is able to bypass all memory protections and/or uses sandbox escape techniques such as those typically used in Acrobat Reader and Java exploits, this layer prevents the exploit payload from executing its malicious actions on the protected system.
This layer keeps an eye on whether code tries to escape from the sandboxes of protected applications. CIS does not have a layer comparable with Layer 3.
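To make the two CIS checks in EricJH's list concrete ("Detection of Buffer Overflows which occur in the STACK memory" and "... in the HEAP memory"), here is an added example that is not Comodo's or Malwarebytes' code. It models, in plain C, the mechanism such checks rely on: a canary placed after a stack buffer and checked before the function returns, and guard bytes placed around a heap allocation and checked before it is released. The "frame" and "chunk" are ordinary byte arrays so the program is well-defined C and runs anywhere; the canary value, guard size and function names are assumptions, and the ret2libc check is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Comodo or Malwarebytes code. Constants below are
 * assumptions chosen for illustration. */
#define BUF_LEN    16
#define CANARY     0x5A3C9E71u   /* assumed canary; real ones are random */
#define GUARD      8             /* assumed heap guard zone size, bytes */
#define GUARD_BYTE 0xAB

/* Model of a stack frame: a fixed buffer followed by the canary that a
 * stack protector inserts between locals and the saved return address. */
typedef struct {
    unsigned char frame[BUF_LEN + sizeof(uint32_t)];
} stack_frame;

/* Unchecked copy, as a vulnerable function would do. It is clamped to the
 * modelled frame so the simulation itself never leaves its own storage. */
static void vulnerable_copy(stack_frame *f, const unsigned char *in, size_t n)
{
    uint32_t c = CANARY;
    memcpy(f->frame + BUF_LEN, &c, sizeof c);      /* prologue: place canary */
    if (n > sizeof f->frame) n = sizeof f->frame;  /* keep the model in bounds */
    memcpy(f->frame, in, n);                       /* the unchecked copy */
}

/* Epilogue check: returns 1 if the canary was clobbered (overflow detected). */
int stack_overflow_detected(const unsigned char *in, size_t n)
{
    stack_frame f;
    uint32_t c;
    vulnerable_copy(&f, in, n);
    memcpy(&c, f.frame + BUF_LEN, sizeof c);
    return c != CANARY;
}

/* Convenience: feed n bytes of attacker-controlled 'A's (constructed input). */
int stack_overflow_for_len(size_t n)
{
    unsigned char in[64];
    if (n > sizeof in) n = sizeof in;
    memset(in, 'A', n);
    return stack_overflow_detected(in, n);
}

/* Heap side: allocate the requested size plus a guard zone on each side,
 * fill the guards with a known pattern, and verify them before release. */
typedef struct {
    unsigned char *raw;   /* layout: guard | user data | guard */
    size_t user_size;
} guarded_chunk;

static guarded_chunk guarded_alloc(size_t size)
{
    guarded_chunk ch;
    ch.user_size = size;
    ch.raw = malloc(size + 2 * GUARD);
    memset(ch.raw, GUARD_BYTE, GUARD);
    memset(ch.raw + GUARD + size, GUARD_BYTE, GUARD);
    return ch;
}

static int guards_intact(const guarded_chunk *ch)
{
    for (size_t i = 0; i < GUARD; i++) {
        if (ch->raw[i] != GUARD_BYTE) return 0;
        if (ch->raw[GUARD + ch->user_size + i] != GUARD_BYTE) return 0;
    }
    return 1;
}

/* Write n bytes into a chunk of user_size; returns 1 if a guard was hit. */
int heap_overflow_detected(size_t user_size, size_t n)
{
    guarded_chunk ch = guarded_alloc(user_size);
    if (n > user_size + GUARD) n = user_size + GUARD;  /* stay inside raw */
    memset(ch.raw + GUARD, 'A', n);                    /* the unchecked write */
    int hit = !guards_intact(&ch);
    free(ch.raw);
    return hit;
}

int main(void)
{
    printf("stack, 8 bytes into 16:  %s\n", stack_overflow_for_len(8)  ? "DETECTED" : "ok");
    printf("stack, 17 bytes into 16: %s\n", stack_overflow_for_len(17) ? "DETECTED" : "ok");
    printf("heap, 32 bytes into 32:  %s\n", heap_overflow_detected(32, 32) ? "DETECTED" : "ok");
    printf("heap, 40 bytes into 32:  %s\n", heap_overflow_detected(32, 40) ? "DETECTED" : "ok");
    return 0;
}
```

The point of the model is the one EricJH raises about compatibility: both checks only fire at a well-defined moment (function return, chunk release), so they are cheap enough to apply to every application, whereas checks that inspect every memory access or call site cost more and are easier to justify for a short list of frequently targeted programs.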
Wouldn't it be possible for Comodo to add an inclusion list to Viruscope to monitor certain trusted applications we want or need to be monitored? That way, if they are exploited, Viruscope could still help protect the system from an infection much better than if it wasn't monitoring the included application, like it currently does. I hope this makes sense. I feel this seems like a good compromise, or at least the start of one?
Monitoring applications run outside the sandbox does not equal monitoring trusted applications; it may monitor trusted applications, but it doesn't alert for it. I agree with the idea AimeeLW has.
I was not aware of that. In that case then there could be some sort of behavioral monitoring of trusted applications to ensure that an exploit through them would not be able to access the system.
I agree, with that sort of argument this does sound like a suitable wish. Perhaps this could be an enhancement of the Viruscope abilities. :-TU