All Vulnerable from COMODO BO Tester for CIS V4.0.141842.828

Melih on: September 10, 2007, 12:33:18 PM:

Lets see if your security products (AV, firewall or other) protect you from a Buffer Overflow (BO) attack, which is one of the most common form of attacks for users. Especially Drive-by-Download attacks extensively utilise BO to inject malware to users's machines.

COMODO BO Tester is a testing utility which checks whether your system is vulnerable to buffer overflow attacks or not.;msg88339

I test it today, my PC CIS setting listed as following no matter it is Sandbox enalbe or not. and three of the BO Tester are all Vulnerable from COMODO Buffer Overflow Attack Test, I wonder if CIS V4 can protect buffer overflow attack?

Antivirus Security Level: Stateful
Firewall Security Level: Safe Mode
Defence + Security Level: Safe Mode
Sandbox Security Level: Enable
Advance Setting: Check for Monitoring Shellcode Injection
Configuration: Proative Mode

it actually can protect you from Buffer overflow and I tested a a lot of ( real malware) nothing bypassed !

here in this case the porgram is digitally signed by comodo, so it’s trusted and everything will be allowed ;D

which is not the case in a real malware ! :slight_smile:

All three protected, but I didn’t get three alerts. :-\

I do (CIS V3, and thus no sandbox), but it is the first time i receive a very detailed defense+ alert, suggesting the “thing” is in fact signed by Comodo, and undirectly saying a real buffer overflow maybe would not.

The BO testing applications are not signed nor safelisted. Nor that being signed/safelisted would make a difference whereas it is unclear what made you direcly say this much. ???

On the other hand Comodo BO protection is not hardware based (AFAIK) and thus it might have implementation limits.

Nevertheless it doesn’t look there is much to prevent anyone to have both MS DEP and Comodo BO protection enabled:
Exploits that bypass Microsoft DEP are possible and it wouldn’t hurt to have one additional layer of BO defense.

I disabled DEP for both botester32.exe and botester.exe and I got the same result as well:
Despite all test always get a protected result, I don’t always get an alert.

Though if I attempt to run each test more than once I get to see an alert for each of them. ???

Disabling “Detect Shellcode injections (i.e. Buffer overflow protection)” option along with MS DEP had all those test fail with a vulnerable result.
Disabling “Detect Shellcode injections (i.e. Buffer overflow protection)” option without disabling MS DEP had Ret2Libc (X32) fail with a vulnerable result (Heap and stack execution were protected)

OS Windows XP32 32bit SP3 and latest patches
CF 4.0.141842.828

I sometimes get three alerts, sometimes two, and sometimes no alert. :-\

My CPU does not support hardware DEP, and XP lacks ASLR, so Comodo is my only BO protection. Also, DEP is disabled for BO Tester (can be verified with Process Explorer), unless it is enabled for all processes, which is not the default setting in Windows.

I mentioned that step because I usually use “Turn on DEP for all programs and services except those I select” and get both DEP and Comodo BO protection enabled.

Just to amend another omission of mine I guess I’ll have to mention my CPU support also hardware DEP.

Win7 Ult x64

Currently I get a Fail for Ret2Libc, seemingly no matter what settings I change. ???

Something is amiss?


[attachment deleted by admin]

Same for me only the x32 is blocked.

Thanks for reminding me about BO attacks:

Hope this helps:

Here is how it looks on my system.

In first two tests botester64.exe just crashes, but still it says that system is protected. I guess hardware DEP kicks in, which by the way is set to protect only important programs and Windows’ services. Rel2Libc (x64) is not passed, but I think it’s intended behaviour since it was disabled on purpose for 64-bit operating systems and I think it still is.

Last three test are passed but I get random number of BO alerts from CIS or none at all.

[attachment deleted by admin]

When I run the test I have exactly the same experience as fOrTy_7.

However, why should Ret2Libc (x64) be vulnerable? Why no popup?