about SSS exploit, comodo can't intercept apps termination & log off PC.

it’s about the first two steps of the exploit, comodo never fixed it it seems,
and i already had this prob on my first comodo test,
that was build 3.0.18.309, now we’re at build 3.5.55810.432

the exploit intercepts the system shutdown call without any alert on step 1, then step 2 shuts down the machine without any alert, except my vista 64-bit had a lot of progs open so i had a back screen asking me if i wanted to turn off and close all things open or come back,
that’s strange that this thing is not fixed, must be something the coders forgot,
anyway, no one is able to code something better on xp and vista, and the difference is not little, there’s no prog u can compare with comodo, ok there’s this bug but it’s not enough for other progs to honestly imagine they’re better, they certainly used comodo and it was certainly a big slap,
BUT, ok people need comodo prevention cause it’s the best solution,
so if it’s the best solution, it will fix this exploit about step 1 and 2, the bug has been here for too long a time,
it must be fixed ! and it’s not the first time i post about it,
i already posted about the prob this month, but as it seems no one cares, maybe this post will be big enough so we can all see it.
can someone give infos about this prob?
and is there something about the way comodo is coded that is the reason why it can’t be fixed, or is it just some little thing easy to fix that will be done?
the best security app can’t be bypassed that easily !!! noooooooooo
pleeeeeeeeease :)

this problem has been here for very long, how come it’s not fixed?
or if there’s some setup to do with D+, which one is it?
if it exists, why isn’t it enabled by default?

Already asked here
https://forums.comodo.com/computer_firewalls/matousec_levels_110_comodo_results-t30220.0.html
Someone said he thought it was fixed ???

Have you tried to change Defense+ settings to offer better protection? Try to do it and post any results, please.

Even though, I believe D+ should offer such protection by default. Because, let’s face it, Defense+ is no security tool for the average user. The average user won’t know how to answer most of the alerts. So why not offer maximum protection by default?

I even think D+ should be recoded to offer maximum protection and be less intrusive. Why not turn it into a very smart HIPS, so that everyone can enjoy it: average users, middle advanced users and advanced users. Of course if middle and advanced users wish to use D+ as it is, they could set it for such. Otherwise, we would stick with the maximum default settings for the average user. Of course, I am talking about a totally recoded D+ that does not exist. Will it ever?

ailef please change the topic title as that PoC is not meant to test system shutdown prevention 88)

Please clarify your first post further as it is not possible to understand if you really meant the SSS PoC or only the system shutdown part.

If you were referring only to system shutdown please confirm your Pseudo COM Interfaces - Privileges settings checking for LocalSecurityAuthority.Shutdown

Previous shutdown PoCs were trapped using Pseudo COM Interfaces - Privileges settings checking for LocalSecurityAuthority.Shutdown.

In this case if I press the ‘Shutdown Computer’ button the system will not shutdown but it will logoff and go back to the welcome screen.
In this case if I press the ‘Intercept system shutdown’ button the system won’t logoff.

Anyway this SSS PoC was created primarily to simulate a particular scenario as stated on the SSS.exe dialog itself.

In reality malware could wait for the user to shutdown the computer before running a malicious payload to avoid detection.

http://www.wilderssecurity.com/attachment.php?s=f91dbd92e4667496719f8d21367dc60f&attachmentid=195968&d=1197806914

In other words the shutdown is a vulnerability that could be exploited to carry a malicious operation if a security program closes before the malicious one.

It is obvious to me you deem the shutdown by itself a malicious operation, but if that by itself was something sufficient the SSS PoC wouldn’t have featured the other tests, and in this regard you could have already noticed the 2nd reply in that topic you linked.

Bit Defender IS 2008 (firewall disabled) + Comodo (latest version). The BD icon disappears from tray. However, all tests passed successfully.

I would be far more concerned if CIS/CFP wouldn’t be able to protect against the exploitable part of the shutdown vulnerability even though as any other CIS/CFP user I gladly support the addition of new feature and trapped events.

Anyway you may concede that it would be far easier to spot a malicious program noticing that it triggered some alerts after it forced a shutdown.

Sorry, u did not understand the test. Comodo has passed it since long ago.

there’s a post about it, i think it clears the situation :

"--------------
CFP/CIS is marked as failed in the following tests: SSS.exe i.e. System Shutdown Simulation tests.

It has been scored 50% because CFP/CIS does not intercept system shutdown requests. This is the testing methodology of the tester.

System shutdown poses no real threat. The malware waits for system shutdown to perform its harmful actions. So whether you intercept or not, it can attack the user when the user manually logs out. Original System Shutdown Simulation tests do care about this fact.
So we do not plan to add this redundant protection to pass any tests."

i think my questions about those first 2 tests in SSS.EXE are explained well in this post.
and anyway if the malware is waiting for the shutdown, it means once u’re logged in u never shutdown your system, which is nonsense, everybody reboots his machine one day or another, so Egemen, the poster, is right about this exploit, yes the system shuts down but what can u do about it? never shutdown ?
now they decided not to add this protection and detect what is sending the shutdown order to the OS, we’ll see one day or another if some malware is able to use this way to break into the system and corrupt it.
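An added example (not from this thread and not Comodo code): the wish to "detect what is sending the shutdown order to the OS" can be answered from the Windows System event log, where event 1074 (source USER32) records the process that called the shutdown or restart API. The script parses constructed sample messages in that layout and flags initiators outside an assumed allowlist or running from a user-writable path:

```python
"""Triage of Windows System-log event 1074 messages (constructed samples)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample messages in the layout of event 1074; not real log data.
SAMPLE_EVENTS = [
    "The process C:\\Windows\\system32\\shutdown.exe (WKS01) has initiated the "
    "restart of computer WKS01 on behalf of user CORP\\alice for the following "
    "reason: Other (Planned)\r\n Reason Code: 0x80000000\r\n "
    "Shutdown Type: restart\r\n Comment: ",
    "The process C:\\Users\\alice\\AppData\\Local\\Temp\\unknown-tool.exe (WKS01) "
    "has initiated the shutdown of computer WKS01 on behalf of user CORP\\alice "
    "for the following reason: No title for this reason could be found\r\n "
    "Reason Code: 0x800000ff\r\n Shutdown Type: shutdown\r\n Comment: ",
]

# Assumption: binaries that legitimately initiate shutdowns on this workstation.
EXPECTED_INITIATORS = {
    "c:\\windows\\system32\\shutdown.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\explorer.exe",
}

# Path fragments a standard user can write to; an initiator there is unusual.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\")

_EVENT_RE = re.compile(
    r"The process (?P<proc>.+?) \((?P<host>[^)]+)\) has initiated the "
    r"(?P<action>.+?) of computer (?P<computer>\S+) on behalf of user "
    r"(?P<user>\S+) for the following reason: (?P<reason>[^\r\n]*)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    proc: str
    action: str
    user: str
    suspicious: bool
    why: str

def parse_event_1074(message: str) -> Optional[dict]:
    """Return the named fields of a 1074-shaped message, or None if it does not match."""
    m = _EVENT_RE.search(message)
    return m.groupdict() if m else None

def triage(messages: List[str]) -> List[Finding]:
    """Flag shutdown/restart requests whose initiator is unexpected."""
    findings = []
    for msg in messages:
        f = parse_event_1074(msg)
        if f is None:
            continue  # not a 1074-shaped message, skip it
        proc = f["proc"].lower()
        reasons = []
        if proc not in EXPECTED_INITIATORS:
            reasons.append("initiator not in allowlist")
        if any(marker in proc for marker in USER_WRITABLE_MARKERS):
            reasons.append("initiator runs from a user-writable path")
        findings.append(Finding(f["proc"], f["action"], f["user"], bool(reasons), "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for fd in triage(SAMPLE_EVENTS):
        print(("SUSPICIOUS" if fd.suspicious else "expected"), fd.proc, fd.action, fd.user, fd.why or "ok")
```

On a live box the same parser can be fed the output of Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074}.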

Hmm. Wouldn’t “Block all Unknown requests if application is closed” pretty much throw this out the window?

don’t know, but this setting is activated here :-).
anyway when u shutdown, as all processes are terminated, i’m not sure something would be able to modify anything to attack the system on restart, but with all those new malwares coming more and more all the time, no one is able to say the possibility can’t become a real thing.
anyway there’s no other security prog i would use instead of comodo, it proved enough how powerful it is.

I don’t have all the inside info here, but wouldn’t an attack be possible after the shutdown sequence has started, and not be detected by CIS?
eg. what comes to mind is the installation/configuration of programs/updates M$ sends regularly to each Windows computer online (part 2 during shutdown, part 3 during reboot).
Knowing if a malicious program is attempting to shut down the OS might be a good thing if this is the case.

That would be what SSS is about

and CIS detect the attacks. :-TU

i don’t know how to intercept this SSS.EXE part like shown in the picture link, how to configure D+ to get this result ?

update : oh well it’s not about the 2 first steps, the pic shows the 2 first steps were not intercepted,
and yes comodo is able to intercept the rest of the test.

got various results, on xp pro sp3, the first step closes all my apps except it cannot end comodo and i’m still on explorer.
the second step logs off xp and i go to the login page where i click to log in to the OS.
on the second test, it doesn’t close any app and the exploit tries to log off xp but it seems it doesn’t work at all.

now on vista 64, first step has no effect on the OS and second step logs off the system except it asks me to close SSS.EXE if i want to log off.

How come? ???

You posted about that topic yourself and that picture link is the 2nd post in that topic.

Also you posted in that topic yourself (5th post) and you never raised this objection :-X Edit My mistake :-[ ailef read that topic but never posted on wilders about it

Those alerts in the picture link are plain D+ alerts and there is no special config setting involved. :slight_smile:

That picture link post clearly states that another security software is terminated during shutdown whereas D+ is still active and will catch the PoC payloads at step 3.

http://www.wilderssecurity.com/attachment.php?attachmentid=195971&thumb=1&d=1197806957

Are you stating that on your PC D+ is unable to protect against payloads exploited during a shutdown? ???

If so please create a help topic about this in the Defense+ Help boards.

I’m sure many members will post their suggestions.

i am ailef, not aigle, i don’t know who posted this pic at the wilders forum.
but yes, i didn’t look well at the pic, and as i was talking about step 1 and 2 from the beginning, i thought the pic was about step 1 and 2, my mistake,
and it’s simple, i just want to know why i got no alert when i run step 1 and 2, that’s all.
the topic was about step 1 and 2 bypassing comodo, not about the fact that i’m protected or not when i shutdown my machine. by the way the exploit doesn’t shutdown the system but logs it off, that’s completely different about the security impact the exploit would have if it was a malware, when u log off, the system is still running except your autostart progs that are terminated, but system processes (not all) are already loaded into the ram, so maybe it’s possible to attach some dll to a system process during this time, i don’t know, it’s only thoughts,
but the topic was about step 1 and step 2
i had the answer with Egemen’s post but as people posted about the possibility to break into the system by this way,
they’re like me, thinking why some unknown app is able to order app terminations and make a log off with no alert,
if i install some prog not using comodo installation mode, i just tried with acronis that required a reboot, after i answered all the alerts (a lot) when the windows message tells me yes or no to reboot, when i click yes, it doesn’t ask me anything with D+, it reboots the machine so i guess the exploit is based on the same thing, it’s like if i was clicking on do u want to log off yes or no except the button is just yes, so adding a rule to control this would add more alert messages, and when people would click yes i want to reboot, D+ would stop it and ask for authorization from the user, maybe it would be irritating,
but acronis is digitally signed so there’s no need for D+ to alert when the signed installer wants to reboot the machine, but here we got some little prog coming from nowhere that got authorization to end all my apps, but not comodo, so it’s not like a real shutdown, comodo protected itself against this termination, but it allows all the other apps to close with the help of SSS and doesn’t even ask the user if he allows this,
if it was a real shutdown comodo would terminate like any other app on step 1, but it’s not the case. apps closed but i keep comodo and explorer, so comodo detected some app wanted to terminate it as it’s not allowed by its own protection. after, step 2 is simply a button that is a log off button and it does exactly the same as the windows log off button. but it’s not, it’s another thing than the real one doing the same thing, i think only the real way to turn off or log off should be allowed.
actually on xp when i run step 1 just after i login it ends progs in the right taskbar corner but not comodo and when i click step 2 the exploit can’t log off anymore, it works the first time then xp seems to have some trouble as icons on the desktop don’t appear as usual, some with a cube around the icons. the way to turn them back is to go to the app and choose the right icon so by changing like this u can recover all your icons.
kind of annoying,
that’s what is strange, if there’s no prob with step 1 and 2, why can’t comodo be terminated ?
means that comodo doesn’t allow itself to be terminated like that so it was attacked and protected itself, where is the D+ alert as something wrong is happening, or if it was not, comodo would have ended too, what do u think ?
once step 1 is used, it has no more effect on any app, but step 2 ends apps like step 1 did before and it can’t log off as it can’t terminate comodo.
now it seems my xp is in trouble, i can’t log off or restart anymore, but i can shutdown.
on vista 64, always same activity, step 1 no effect, step 2 log off,
i have to try on vista 32 to see how it works.
if this was a shutdown comodo would end too and as it doesn’t, the system needs to be protected by D+ then.
or do i need to put all my apps in the protected files ? i tried with k!tv, the app was terminated by step 2.
this is strange… don’t know what to think, all apps are ended except comodo so it’s not a normal shutdown but only for xp pro sp3, not for vista64…
???

ailef thanks for pointing out you didn’t post on wilders, I edited my previous post to correct my mistake. I make my excuses to you and aigle about that. :-[

Your post is very difficult to read, so please correct me again (step by step) if I misinterpret it.

I had the impression that you confirmed that this SSS PoC is unable to carry a shutdown but it does a logoff, confirming what I was able to reproduce on my machine.

But as I previously asked to edit the topic title to prevent misunderstandings, the new title still mentions a shutdown call.

As for the shutdown part I also asked you to confirm if your Pseudo COM Interfaces - Privileges settings contain LocalSecurityAuthority.Shutdown entry in case SSS.exe was able to bypass that protection (as it turned out that it was a logoff LocalSecurityAuthority.Shutdown is unrelated to this PoC scenario).

AFAIK all PoCs that focused only on the shutdown call (not logoff) are successfully trapped by LocalSecurityAuthority.Shutdown protection.

It looks like this new SSS revision’s 2nd step button triggers a logoff to the welcome screen and not a shutdown (at least on my machine and AFAIK on yours).

As for the test itself, pressing the 2nd step button is optional as SSS.exe clearly states "On the Start Menu select: Turn Off Computer > Shutdown." whereas the corresponding ‘Shutdown button’ actually triggers a logoff.

The first step of that PoC AFAIK is meant to have SSS.exe active during a shutdown or a logoff in order to carry the 3rd step, described as malicious payload (potentially unwanted malicious results). AFAIK that Intercept Shutdown Call at Step 1 doesn’t apply systemwide changes and is local to SSS.exe.

The finding that a safelisted app can obtain shutdown privileges in D+ safe mode is IMHO well within D+ operative designs since the shutdown call is not a hack but a system function provided for legitimate purposes, and AFAIK all these legitimate apps warn the user about a shutdown.

Even if it looks that you are inclined to assume that shutdown/logoff are malicious payloads, there would be plenty of space for disagreement as AFAIK the only way malware has been exploiting this function is to terminate security software in order to have full control of the machine, whereas legitimate applications will use these functions to carry maintenance operations (eg downloaders that shutdown the PC once a download task is completed).

As it is unlikely that malware will be safelisted I feel you are stretching that SSS PoC way beyond its intended purpose, inducing some readers to believe that D+ will not protect against malicious payloads (and this is not the case, as you quoted a CIS lead architect’s (Egemen) post about similar PoCs).

I don’t believe Comodo would be willing to neglect said feature ATM if it really was such a security critical function.

(CLY)

Thank you Gibran

yes i have this entry : Pseudo COM Interfaces - Privileges settings contain LocalSecurityAuthority.Shutdown

“But as I previously asked to edit the topic title to prevent misunderstandings the new title still mentions a shutdown call.”

yes i put this title as this is what is written on the sss.exe exploit
i got the exploit version 1.1.3 beta, step 1 is called intercept system shutdown call
and step 2 is named shutdown computer.
so which title can i write ? apps termination and log off computer ? is it correct ?

sorry for the post being hard to read but i’m not english at all, i learnt this language at school many many years ago.

AFAIK SSS.exe doesn’t send any app termination messages either. The termination of non security critical apps is what happens on a normal user-triggered logoff and I guess it is triggered by the OS itself…

There is not much else I could add pertaining to Leak Testing/Attacks/Vulnerability Research, anyway I would be interested to know if you think that it is SSS.exe that terminates all running applications and possibly read an explanation.

@John buchanan: You’re welcome. Even if I’m not a Comodo employee nor a security expert I attempted to do my best to clarify some aspects of that SSS PoC.

on xp pro sp3, step 1 terminates all apps except comodo, the exploit is unable to end it which is good news. prob is that D+ gives no alert, and as comodo is not terminated, it means we can’t say the exploit acts like a real OS activity or comodo would terminate too.
on vista sp1 64bit, it does nothing, not one app is terminated.

Thanks for providing your interpretation although I asked if you think that it is SSS.exe that terminates all running applications and possibly read an explanation.

But once again I have to clarify some aspects. The SSS PoC exploits pertain to step 3.

Since SSS is not a malware, Step 3 doesn’t contain actually dangerous functions (payloads).

As SSS itself states the leaktest involves a manual Reboot or a Logoff (manually or pressing step2 button).

In SSS PoC scenario Reboot and logoff are vulnerable conditions.

The vulnerability can be exploited by running a payload (step 3) only if the security software is terminated during shutdown or Logoff.

CIS is protected against the vulnerability and protects the system against exploits.

If shutdown/logoff by itself (step 2) was really regarded as a dangerous exploit then the shutdown command wouldn’t have been bundled with windows.

The termination of non security critical apps is what happens on a normal user-triggered logoff and it is not actively carried out by SSS.exe.

Step 1 of SSS.exe will modify the default outcome of the system logoff/shutdown by resisting the implied termination in order to prove the vulnerable condition in which eventual exploits could be carried (step 3).

Like Step2 even step 1 doesn’t directly attack other applications (hence triggering alerts).

Although CIS doesn’t trap the logoff AFAIK it will trap the shutdowns.

Even if it looks that you are inclined to assume that shutdown/logoff are malicious payloads, there would be plenty of space for disagreement as AFAIK the only way malware has been exploiting these functions is to terminate security software in order to have full control of the machine, whereas legitimate applications will use these functions to carry maintenance operations (eg downloaders that shutdown the PC once a download task is completed).

IMHO triggering (and then exploiting) a vulnerability doesn’t carry the same meaning of vulnerability=exploit as you implied. As for logoff by itself I find it even less concerning than a shutdown.

Regarding shutdown itself and to what extent it could be considered a PoC payload (exploit) I wish to invite you to consider also other interpretations although, in SSS context, the payloads are listed under step 3 whereas logoff pertains to step 2.