Any update on security of 64 bit CIS?

Just wondering if there is any update on the security of 64 bit CIS. When will 64 bit CIS have the same level of protection as 32 bit?

The MS Patch Guard feature for the Kernel in Windows 7 x64 is a computer security industry wide problem and not just for Comodo alone.


Oh is it bad, could you explain in a bit more detail… have new laptop which have only just got with Windows 7 (64bit) on and never knew of such problems as it’s first time had 64…

Take it’s more MS side than Comodo’s (security vendors in general).

Thanks for reply in advance and sorry OP for asking within your thread.

Wait… What problems are there?

  • Image execution control - process manager callbacks
  • Process/thread protection - object manager callbacks
  • File protection - (mini)filter driver
  • Network protection - Windows Filtering Platform
  • ret-to-libc protection - I don’t think this should even exist :slight_smile:

Why not?

It’s the vulnerable program’s fault, not Comodo’s. If you don’t trust a program to be secure, don’t give it too many rights in D+.

Which programs would you “trust to be secure”? And doesn’t the program code change every time it updates to give potential vulnerabilities? Wouldn’t the user then need to do a lot of “computer house work” and essentially operate as a “leet hacker” to identify all the vulnerabilities?

My point was, apply the principle of least privilege - don’t give programs more rights than they should have. Return-to-libc doesn’t just apply to the C runtime library - in the broader sense it’s a way of bypassing NX by returning to any executable code that does what you want it to do (e.g. execute a program). There’s no way Comodo’s ret-to-libc protection can cover enough functions to make it useful.

EDIT: Oh, and ASLR makes it harder for ret-to-libc to succeed nowadays.

Disclaimer: I don’t have CIS installed anymore so I can’t check how the protection actually works, or what functions guard32 hooks.

Can’t Comodo come up with ways to apply protection techniques using Microsoft’s built-in APIs?

OK, I forgot something. There’s no Microsoft-approved way to hook win32k system calls in kernel-mode. That’s when people start turning to user-mode hooks, which can always be bypassed.

evil_religion asked me about Online Armor’s user-mode “anti-unhooking” feature, which apparently doesn’t exist in CIS on 64-bit. Well, here’s proof that user-mode hooking is stupid.

NOTE: This has only been tested on 64-bit Windows 7.

  1. Open up the Online Armor control panel thing by double-clicking on the shield tray icon.
  2. Run TestPh-KillOA.exe.
  3. oagui.exe and oahlp.exe will terminate.

This is just a demo; obviously malware can run this in a loop to keep trying to kill OA’s GUI, or do other bad things.

EDIT: Fixed typo in code.


Code and proof of concept removed by moderator as it “could be eventually misused for illegal purposes”. See the Forum Policy paragraph 8-6 for reference.

If I were to install the 32-bit version of CIS on a 64-bit workstation, would that be a temporary workaround until a more secure 64-bit CIS comes along?

No, you should install the correct version of CIS for your operating system.

The problem comes from the nature of the 64 bit operating system, not the coding of the 64 bit version of CIS.

So if I understand you right that means when 64 bit takes over and it is every new computer 700 dollars or more is 64 bit pretty much now. So when everyone in time has 64 bit system then we will all be less secure with our new operating system. Is that what you are saying?

64-bit support (or long mode) is optional on modern CPUs, so you can still install a 32-bit OS. If that’s what you’re asking. And this has nothing to do with the AMD64 architecture. Just Windows.

So you can install CIS 32 bit on 64bit OS? Sorry if it is offtopic.

Valentin N

isnt it a good thing that microsoft protects the kernel.?
i didnt realise that cis5 64-bit was less secure than 32-bit.
In what way is it less secure besides the patchguard.
Microsoft cant win can they.?
They try to do something positive for security and then get slammed for it.
Kernel patch guard seems a very good thing to have going if its protecting your system.

No, because 32-bit drivers don’t work on a 64-bit OS. You can install a 32-bit OS on a 64-bit (AMD64) processor.

Just in case anyone here is confused, AMD64 = x86-64 = modern AMD and Intel processors.

thanks for the answer:) I am sorry for the stupid question.

Take care

Valentin N

what about syswow64?
i have several 32-bit applications running on my 64-bit machine.