Ability To Detect When Exploits Try To Deliver Payload And Sbox Payload [M1276]

1. What actually happened or you saw:
I saw a few films which showed that some exploits are able to bypass CIS.

2. What you wanted to happen or see:
I would like to see CIS automatically monitor the most well-known exploited programs (for example Java, Adobe Flash Player, Adobe Reader, etc.) to make sure that even if they are exploited, any payload delivered will be uncovered and sandboxed.
3. Why you think it is desirable:
Currently it’s possible for applications on a system protected by CIS to be vulnerable to exploits. Then, it is possible for the exploit to deliver a payload, and for that payload to be trusted because it appears to have originated from a trusted program. This sort of protection should mitigate much of that threat.
4. Any other information:
A program which has protection similar to this, although it also has additional protections, is Malwarebytes Anti-Exploit.

A video of Malwarebytes Anti-Exploit in action can be seen here:

Actually, CIS already does have some exploit protection. However, most users are not aware of this.

Therefore, for this Wish it’s very important that you specify the type of exploit protection you would like added to CIS. Perhaps the best way of doing that is linking to tests where CIS was able to be bypassed. If possible post those links in your next reply.

Thanks.

CIS has buffer overflow protection. It often gets forgotten as the focus of development is not with other aspects of the suite.

From what I remember, these three are the most common ones. Getting other buffer overflows covered is technically very challenging.

Like Chrion I would also be interested to learn about exploits that are able to bypass CIS.

I know :slight_smile:

Unfortunately, I do not remember where were these videos, but check this out:

http://www.pcmag.com/article2/0%2C2817%2C2414835%2C00.asp

Here is more information about the idea

Without knowing the specifics however, it’s not possible to put through a wish like this. CIS does have exploit protection. Thus, I think the best way to go about this is to actually spread the word that if anyone finds an exploit which can bypass CIS please create a bug report for it. I will then forward that bug report as a bug to Comodo. What you are really asking for is not for exploit protection to be added to CIS, but for the exploit protection already included to be improved.

How does this sound to you?

Thanks.

No, that is not what I mean. I do not mean looking for errors, just adding mechanisms such as those that MBAE uses, for example.

Out of sheer curiosity. Do you have link to an article that describes the protection of MBAE in more technical detail?

I’d like to see this as well. Currently, more information is needed in order to narrow this Wish down in order for it to be considered.

It’s not easy, because the company did not share its ideas. I’ll try to get that information.
Please wait for a response :slight_smile:

Thank you.

Hi.
Check this:


EricJH, I skimmed the FAQ link, but wasn’t sure about how to differentiate between what CIS currently does and what else it could do. Do you have any thoughts for specific additions which could be made to the currently existing CIS exploit protection?

Thanks.

Layer 1 protection: Protection Against Operating System Security Bypasses

This is the first and foremost protection against exploits. It consists of multiple advanced memory protection techniques to detect exploit attempts which try to bypass the built-in Operating System protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
These are protections provided by the OS itself. I think when such phenomena happen the OS will intervene itself. It's not clear how MBAE adds value here.

Layer 2 protection: Memory Caller Protection

This protection layer incorporates multiple memory techniques to prevent exploit code from executing from memory.
This is the layer where CIS shellcode protection works. It is not clear what techniques MBAE is using at this layer.

CIS uses:

  • Detection of Buffer Overflows which occur in the STACK memory
  • Detection of Buffer Overflows which occur in the HEAP memory
  • Detection of ret2libc attacks
  • Full 32 bit and 64 bit Support

CIS buffer overflow protection works on all applications. MBAE Free works on a limited set of applications that get often targeted: Java and various browsers. The premium version allows a broader set of programs to be protected.

CIS protects against three sorts of buffer overflows while protecting all applications. Having more buffer overflow protection mechanisms at work makes compatibility harder, according to egemen. MBAE protects a limited set of programs, which should make it easier to have more forms of buffer overflow protection. However, it’s not clear which buffer overflow protection mechanisms MBAE is using.

Layer 3 protection: Application Behavior Protection

This protection layer is the last defense against exploit attempts. In case an exploit is able to bypass all memory protections and/or uses sandbox escape techniques such as those typically used in Acrobat Reader and Java exploits, this layer prevents the exploit payload from executing its malicious actions on the protected system.

This layer keeps an eye on if code tries to escape from sandboxes of protected applications. CIS does not have a layer comparable with Layer 3.
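As an added illustration of what a Layer 3-style check could look like (example code written for this thread, not code from Comodo, CIS or MBAE), the following Python flags a child process of a commonly exploited but trusted application when the child is a script interpreter or runs from a user-writable directory. The image names, paths and sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Applications the wish names as frequently exploited (assumed image names).
MONITORED_PARENTS = {"java.exe", "javaw.exe", "acrord32.exe", "flashplayer.exe"}
# Script hosts and interpreters a document viewer or Java plugin rarely needs.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# User-writable locations where a dropped payload typically lands.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

@dataclass
class ProcessEvent:
    """One process-creation record (constructed, Sysmon-like fields)."""
    pid: int
    parent_image: str
    image: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return ('allow', '') or ('sandbox', reason) for one event.
    A trusted parent is deliberately not enough to allow the child; that is
    the gap discussed in the thread, where a payload inherits the parent's trust."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in MONITORED_PARENTS:
        return ("allow", "")
    if child in INTERPRETERS:
        return ("sandbox", f"{parent} spawned interpreter {child}")
    if any(d in ev.image.lower() for d in WRITABLE_DIRS):
        return ("sandbox", f"{parent} launched binary from a user-writable path")
    return ("allow", "")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Program Files\Java\bin\java.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(101, r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
                 r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    ProcessEvent(102, r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
                 r"C:\Program Files\Adobe\Reader\AcroRd32.exe"),  # Reader's own child
    ProcessEvent(103, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

def triage(events=SAMPLE_EVENTS):
    """Map pid -> (verdict, reason) for a batch of events."""
    return {ev.pid: classify(ev) for ev in events}
```

Event 103 is allowed only because Explorer is not on the monitored list; the point is that the decision keys on the parent's exploit exposure, not on whether the parent is trusted.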

Wouldn’t layer 3 be protected by the Auto-Sandbox and Viruscope though?

Neither of them works on trusted applications, so if an exploit breaks out of Adobe Reader’s or Java’s sandbox there is nothing to stop it.

Wouldn’t it be possible for Comodo to add an inclusion list to Viruscope to monitor certain trusted applications we want or need monitored? That way, if they are exploited, Viruscope could still help protect the system from an infection much better than if it wasn’t monitoring the included application, like it currently does. I hope this makes sense; I feel this seems like a good compromise or at least the start of one.

It’s currently possible to have Viruscope monitor applications run outside the sandbox as well. Therefore, couldn’t Viruscope still fill this role?

Monitoring applications run outside the sandbox does not equal monitoring trusted applications; it may monitor trusted applications, but it doesn’t alert for them. I agree with the idea AimeeLW has.

I was not aware of that. In that case then there could be some sort of behavioral monitoring of trusted applications to ensure that an exploit through them would not be able to access the system.

I agree, with that sort of argument this does sound like a suitable wish. Perhaps this could be an enhancement of the Viruscope abilities. :-TU

AimeeLW, what are your thoughts on this?

Actually, what is the difference between this and “Do heuristic command-line analysis for certain applications”? Isn’t it related?