1. What actually happened or you saw:
The history goes back a number of versions of Comodo Internet Security, where certain applications were able to bypass the existing HIPS protection and gain access directly to the physical drive itself. This meant they could bypass any file system and read/write binary data at arbitrary locations anywhere on the disk, including inter-partition space and the boot sector. >:( I had a notable case a long time ago where (despite having HIPS enabled) one such program was able to write data right into my boot sector (the first 63 LBA of the disk). Since I was running a dual-boot system at the time and a hashing script on those sectors from the Linux OS, this of course triggered an alert each time the data was changed. I repeatedly had to restore the original data from a backup before I finally traced the culprit to a ■■■■■■ DRM implementation. Fortunately there wasn’t anything majorly serious, but it could easily have been some boot-sector-resident malware.
2. What you wanted to happen or see:
I was running Comodo Internet Security with HIPS enabled. It should have detected this “intrusion” into the outside-filesystem space on my disk. This could be a serious security issue if applications are allowed to access and modify critical data at arbitrary locations on the disk. Perhaps CIS should finally add an option to show HIPS alerts whenever a program attempts such access, because everyday applications generally do not need low-level disk access. The only legitimate programs I can currently think of are disk partitioning tools and maybe some hex editors.
3. Why you think it is desirable:
I am proposing an enhancement to the security of HIPS. New CIS versions should include a new group of Protected Objects by default. Specifically, a new group called “Physical Drives” should be added to Protected Files. I don’t know exactly which entries should be listed in this group, but the following two entries seem to have worked for me over the years:
- \Device\Harddisk*\DR*
- \Device\HarddiskVolume*
4. Any other information:
Windows has a list of devices, but you can’t easily view them without using some special tools. For this purpose we will use a program called “Winobj” that is part of the Microsoft Sysinternals Suite. Running this program showed a number of interesting devices to block. For local disk drives there were a number of interesting entries, which I have listed below (notice that some of them are symlinks). I do not know if it is sufficient to block only the actual devices or whether the symlinks also need to be blocked, but as I have stated above, I have reduced these entries to just two effective lines. This also begs the question of what other interesting devices are listed in here that could be added to the Protected Files list. A few devices I can think of are microphones and webcams. I’ll likely have to file a new wishlist for those after I do some more research.
\Device\Harddisk0\DR0
\Device\Harddisk0\Partition0 => \Device\DR0
\Device\Harddisk0\Partition1 => \Device\HarddiskVolume1
\Device\Harddisk0\Partition2 => \Device\HarddiskVolume2
\Device\HarddiskVolume1
\Device\HarddiskVolume2
\Device\HarddiskVolumeShadowCopy1
\Device\HarddiskVolumeShadowCopy2
\Device\HarddiskVolumeShadowCopy3
\Device\HarddiskVolumeShadowCopy4
\Device\HarddiskVolumeShadowCopy5
\Device\HarddiskVolumeShadowCopy6
etc.
\Device\HarddiskVolumeShadowCopy{SOME-UUID-HERE}
\Device\HarddiskVolumeShadowCopy{SOME-UUID-HERE}
\Device\HarddiskVolumeShadowCopy{SOME-UUID-HERE}
\Device\HarddiskVolumeShadowCopy{SOME-UUID-HERE}
etc.
Possibly related thread about removable media:
https://forums.comodo.com/install-setup-configuration-help-cis/set-removable-drives-usb-drive-as-write-protected-t30790.0.html
EDIT: Added picture.
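The sector-hashing check described in part 1 of the post, written out as an added example (this is not the poster's script and not Comodo code): it hashes the first 63 LBA of a disk one sector at a time, stores a baseline, and reports exactly which LBA changed, plus a minimal MBR decode so you can tell a touched partition table from a touched bootstrap area. It runs against a constructed in-memory disk image; the device paths in the comments (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows, which is the Win32 name for the `\Device\Harddisk0\DR0` object the post wants protected) are the ones you would substitute on a real machine and need root or Administrator.

```python
import hashlib
import json
import os
import struct

SECTOR_SIZE = 512
SECTOR_COUNT = 63          # LBA 0..62: the MBR plus the pre-partition gap from the post


def read_sectors(path, count=SECTOR_COUNT, sector_size=SECTOR_SIZE):
    r"""Read the first `count` raw sectors of a block device or disk image.

    Linux: "/dev/sda" (root).  Windows: r"\\.\PhysicalDrive0" (Administrator),
    the Win32 name that resolves to \Device\Harddisk0\DR0 in the object manager,
    i.e. the very object the post proposes adding to Protected Files.
    """
    with open(path, "rb", buffering=0) as f:
        data = f.read(count * sector_size)
    if len(data) != count * sector_size:
        raise IOError("short read: got %d bytes" % len(data))
    return data


def hash_sectors(data, sector_size=SECTOR_SIZE):
    """One SHA-256 per sector, so a diff pinpoints the LBA that changed."""
    return [hashlib.sha256(data[i:i + sector_size]).hexdigest()
            for i in range(0, len(data), sector_size)]


def changed_sectors(baseline, current):
    """LBA numbers whose hash differs from the stored baseline."""
    return [lba for lba, (old, new) in enumerate(zip(baseline, current)) if old != new]


def parse_mbr(sector0):
    """Minimal MBR decode: boot signature and the four primary partition entries."""
    sig_ok = sector0[510:512] == b"\x55\xaa"
    parts = []
    for n in range(4):
        e = sector0[446 + 16 * n: 446 + 16 * (n + 1)]
        ptype = e[4]
        start, count = struct.unpack("<II", e[8:16])
        if ptype:
            parts.append({"type": ptype, "start_lba": start, "sectors": count})
    return {"signature_ok": sig_ok, "partitions": parts}


def audit(path, baseline_file):
    """Hash the device; create the baseline on first run, else return changed LBAs."""
    current = hash_sectors(read_sectors(path))
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as f:
            json.dump(current, f)
        return None            # baseline created, nothing to compare yet
    with open(baseline_file) as f:
        baseline = json.load(f)
    return changed_sectors(baseline, current)


# --- constructed sample disk image (not a real disk) ---------------------------
def make_sample_image():
    """63 sectors: a fake MBR with one partition (type 0x07) starting at LBA 63,
    followed by zero-filled gap sectors."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"                 # fake bootstrap jump
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 1 << 20)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR_SIZE * (SECTOR_COUNT - 1))


def tamper(image, lba, offset, payload):
    """Simulate a program writing raw bytes at an absolute disk position."""
    pos = lba * SECTOR_SIZE + offset
    return image[:pos] + payload + image[pos + len(payload):]


if __name__ == "__main__":
    clean = make_sample_image()
    baseline = hash_sectors(clean)
    dirty = tamper(clean, 0, 0x40, b"DRM!")        # bootstrap code area of the MBR
    dirty = tamper(dirty, 5, 0, b"\xde\xad" * 8)   # inter-partition gap sector
    print("changed LBAs:", changed_sectors(baseline, hash_sectors(dirty)))
    print("MBR:", parse_mbr(dirty[:SECTOR_SIZE]))
```

Run `audit("/dev/sda", "/root/mbr-baseline.json")` once to record the baseline and again from a cron job or boot script; a non-empty result is the alert the post describes. Because the write in the example lands in the bootstrap area and the gap sector, the boot signature and partition table still parse cleanly, which is exactly why a per-sector hash rather than a "does the MBR look sane" check is needed to catch this kind of write.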