Chris, to be honest… You’re here to discredit Comodo. You are not here to help or improve. Releasing one-sided videos about a SINGLE company is not what a professional and respectful testing organisation would do. The way you’re behaving in here and the “tone” in your posts speaks for itself.
There are a few things, by the way, as mentioned earlier by another forum moderator (panic), such as CIS being left in Clean PC Mode and actually MANUALLY sandboxing the piece of malware. Was the POC on the PC before CIS was, etc.? And yes, these are, you could say, rhetorical questions; I couldn’t care less if you answered them or not. Anyway, it all smells fishy to me! Cya later
I’m personally waiting for this thread to slowly die out.
OK, but we can anyway wonder which side MRG is on. If they are serious and honest, they should be proud of finding a security hole and help resolve it by contacting the Comodo devs. What’s the use of nagging Comodo like that? Is MRG a group of researchers against malware or a malware maker group? Chris, which side are you on, again?
On the other hand, Melih is sometimes a bit optimistic when he says “there’s no problem… nothing can break cis protection”… MRG is not the first to raise a problem (cf shaoran’s case a few weeks ago). 88)
no security is 100%…
There is no known malware that can bypass CIS in the wild today…
Theoretical PoCs will always exist.
I would further add that the NIAC guidelines I posted in this thread are what any respectable vulnerability research organisation would comply with. Why MRG hasn’t complied with NIAC is still a question mark??
There’s still the matter of how the script would get onto a CIS protected PC in the first place. I’m assuming that you had it on the PC before CIS was installed. Correct?
In my opinion, as a solution to prevent the execution of malicious Windows scripts, I set the application C:\WINDOWS\system32\wscript to always run in the Sandbox as Limited.
This is a general vulnerability in all AV products and will be a constant subject of dispute. In this case, I do not think that this PoC endangers my computer security.
DO ANY OF the COMODO staff members have the file the latest video uses?
A file of that kind could come from any torrent, for example. We all know that P2P is used A LOT all over the world for all kinds of stuff; almost anyone with internet access downloads something using this kind of program.
If it’s a simple uninstaller, why does Comodo have such weak uninstall protection?
Why didn’t it ask anything? It was simply flushed from the system without any confirmation messages?
At this moment I’ve lost my trust in Comodo.
The file is the property of MRG and they have said they will not release it.
A file of that kind could come from any torrent, for example. We all know that P2P is used A LOT all over the world for all kinds of stuff; almost anyone with internet access downloads something using this kind of program.
What, scripts? And then knowingly execute them?
If it’s a simple uninstaller, why does Comodo have such weak uninstall protection?
Why didn’t it ask anything? It was simply flushed from the system without any confirmation messages?
Because it called the standard Windows uninstaller and was running under the control of a trusted executable. Yes, it's an issue, but it is being addressed.
That’s exactly the kind of reply Chris is trying to induce haha. From my perspective, Chris and his company aren’t any better than professional malware writers at this stage - all they’ve done in this thread is create malice. Sad times really.
By the way, the lack of scripting execution protection in other products (including anti-executable software) is something I have been aware of for a while. AppGuard, for example, did not protect against command prompt execution, but I think in the latest release this has been implemented. However, I then tested it against VBScript executables and it failed to block them. Faronics Anti-Executable version 2 white-listed all scripting executables by default (and you couldn’t modify this!) and therefore allowed them all to run. In version 3, they have made things much more flexible.
Fact is, 99.99% of users out there will not need to use the likes of cmd.exe, wscript.exe, cscript.exe etc etc.
I’m not sure how helpful this is, but the following shows a list of default file types that Microsoft’s Software Restriction Policies (SRP) protect against (the only one I remove is the .LNK file type). Also remember that SRP does not just rely on the file type to block execution - it blocks any executable process instead (Microsoft have improved on this powerful mechanism with AppLocker in Windows 7 by the way). Also keep in mind that .DLL file types can be covered also with SRP/AppLocker:
Furthermore, perhaps CIS should consider denying the following executables from running by default? Or at least don’t classify them as (completely) “safe applications” - many POCs rely on them to bypass security software. The same can be said for the above list (note that .HTA file types are covered by default): http://ssj100.fullsubject.com/free-for-all-f4/ssj100-s-security-setup-t4.htm#16
To deny scripting execution: cscript.exe, wscript.exe, scrobj.dll, vbscript.dll
To deny registry access: regedit.exe, regedt32.exe
To deny command prompt execution: command.com, cmd.exe (if you’re using Sandboxie like me, make sure to read and carry out step 16 below. This is because Sandboxie relies on cmd.exe by default to delete the sandbox. You will therefore need to tell Sandboxie to use a different command instead)
To deny formatting: format.com
To deny running with elevated privileges: runas.exe
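As an added example, not code from the thread or from Comodo, here is the deny list above written out as Software Restriction Policy “Disallowed” path rules in PowerShell, the registry equivalent of building them in the Local Security Policy GUI. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, an elevated session, and a machine where the default level stays Unrestricted so only the listed paths are blocked.

```powershell
# Added example: SRP "Disallowed" path rules for the script hosts and tools
# listed in the post. Assumes the standard SRP registry layout; run elevated.
$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Safer '0\Paths'    # subkey "0" holds Disallowed rules

# The executables from the post, grouped the way the author grouped them.
$DenyList = [ordered]@{
    'scripting'  = 'cscript.exe', 'wscript.exe', 'scrobj.dll', 'vbscript.dll'
    'registry'   = 'regedit.exe', 'regedt32.exe'
    'cmd prompt' = 'command.com', 'cmd.exe'   # see the Sandboxie caveat above
    'format'     = 'format.com'
    'elevation'  = 'runas.exe'
}

function New-SrpDenyRule {
    param([string]$Path, [string]$Description)
    # Each rule lives in its own GUID-named subkey.
    $ruleKey = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # REG_EXPAND_SZ so %SystemRoot% is expanded when the rule is evaluated.
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# Policy-wide settings: DefaultLevel 262144 = Unrestricted (deny only what is listed),
# TransparentEnabled 2 = also check DLLs (needed for scrobj.dll / vbscript.dll),
# PolicyScope 0 = apply to administrators as well.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 2      -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0      -Type DWord

foreach ($group in $DenyList.Keys) {
    foreach ($file in $DenyList[$group]) {
        New-SrpDenyRule -Path "%SystemRoot%\System32\$file" -Description "Deny $group ($file)"
        # On 64-bit Windows the 32-bit copies live in SysWOW64 and need their own rule.
        if ([Environment]::Is64BitOperatingSystem) {
            New-SrpDenyRule -Path "%SystemRoot%\SysWOW64\$file" -Description "Deny $group ($file, 32-bit)"
        }
    }
}
```

SRP evaluates these rules when a new process (or, with TransparentEnabled=2, a DLL load) starts, so already-running processes are unaffected; a logoff or reboot makes sure every new session picks the policy up.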
Sad thing is that MRG stated that Comodo will no longer be part of their tests.
They could have taken any product and made a video with these exact same results.
Maybe two or three products wouldn’t be affected with this.
I think this explains why MRG is acting like this!
In the keylogger test which MRG carried out previously, MRG and Comodo failed to reach an agreement over what is a fail or a pass for the test, as there are no well-defined guidelines on how to test HIPS. Then the matter went public and Comodo ruined MRG’s reputation by stating that MRG changed methodology… and now MRG is seeking revenge.
I sincerely hope that both parties will eventually realise that they are on the same side, that is, fighting to keep users’ PCs safe, and therefore will work as a team to resolve this contention.
May good sense prevail so that ultimately end users can benefit and that it is not malware writers who will take advantage of this vulnerability!
Another example (imho) in today’s dirty fight for “supremacy” in IT Security:
Guy(s) build good security software… the guy’s/company’s product gets discrediting attempts from the competition because the product is starting to pose a threat… nothing new! (This makes me think: why does malware exist in the first place?!)
WELCOME TO THE BIG LEAGUE, MELIH!!! There is a jungle out there and I hope your product becomes the new “alpha male”!!