A. THE BUG/ISSUE COMODO doesn´t check invalid EXE cerfiticate (invalid digital signature) if the EXE is from a trusted vendor Can you reproduce the problem & if so how reliably?:
Yes I can, every time. If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: I installed a VALID application from a TRUSTED VENDOR.
2: I used a patch program to change the EXE file to bypass a registration installation code One or two sentences explaining what actually happened:
When I ran the application after the patch, COMODO didin’t alert me “the EXE file was changed, there is a certificate, but the digital signature is invalid, do you wanna run it anyway ?” One or two sentences explaining what you expected to happen:
It shouldn´t trust in an application (even a trusted vendor ) that has an invalid digital signature. If a software compatibility problem have you tried the advice to make programs work with CIS?:
it doesn´t apply Any software except CIS/OS involved? If so - name, & exact version:
No Any other information, eg your guess at the cause, how you tried to fix it etc:
COMODO doesn’t check if the EXE digital signature is valid or not if the vendor is a trusted one.
B. YOUR SETUP Exact CIS version & configuration:
8.2.0.5000 - default instalation (COMODO Internet Security) Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
All of them are ON.
Antivirus =stateful
Firewall =Safe Mode
Auto-sandbox =Enabled
HIPS =Safe
Viruscope =Enabled
Have you made any other changes to the default config? (egs here.):
Hips (create rules for safe applications, enabled enhanced protection mode, do heuristic command-line analysis for certain applications, detect shellcode injections) Have you updated (without uninstall) from CIS 5, 6 or 7?:
No if so, have you tried a a a clean reinstall - if not please do?:
YES Have you imported a config from a previous version of CIS:
NO if so, have you tried a standard config - if not please do:
YES OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7, 64 bits - all updates, uac disabled, administrator, real machine Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=NO b=NO
Apparently it is trusted in comodo’s cloud trusted list, otherwise if you disable cloud lookup the cracked version becomes unrecognized. Go ahead and remove the application from the file list and then disable the option to enable cloud lookup and try executing the application again, you should get either a HIPS alert or the application should be sandboxed.
I did that (the application was removed from HIPS list and I disabled cloud lookup).
HIPS alerted me that the application called another EXE (a crash sender debug application), but It didn’t complain about the wrong digital signature, after I allowed the application access the debug module, the application ran.
If I change the default configuration (COMODO Internet Security) to COMODO Proactive Security, the application ran sandboxed.
But it also don’t alert me that the application has a wrong digital signature . Imagine a browser accessing a Internet Bank with a wrong digital signature … It could be isolated only by sandbox in COMODO Proactive Security (it is not the default), but even so, it is not good because the user would use that browser to access the internet and the thief could catch some information. Sandbox could save a computer to not be damaged, but not to avoid a leak information.
This is a user bypass. An unknown executable is not allowed to change a protected executable. If you have an unknown executable that can change other executables please report it. That’s a serious bypass and needs to be fixed.
CIS is the nanny of program behaviour not of user behaviour. It means that the user can do everything (including dangerous and stupid actions) where an unknown executable cannot.
I have never seen this. The thing is I visually review/view every digital signature as a habit before I install. CIS catches all unknown or invalid signatures it comes across. At least with my configuration and installation.
Sounds like you want CIS to give a specific warning that an application has an invalid digital signatrue when it is being executed, CIS does not due this but rather states in the alert whether the application is trusted,unrecognized,or malicious. If you want CIS to warn about an invalid digital signature, I suggest creating a wish here using the required wish format. Otherwise what is happening here is not a bug, applications with invalid digital signatures will not be trusted by the “trust applications signed by trusted vendors” file rating setting, unless the application itself is trusted in comodo cloud trusted list.
Therefore moving to resolved/outdated section. Thanks
a) in default mode, COMODO when see a know valid vendor application, it doesn’t check if the EXE was changed and doesn’t alert the user.
b) even in SANDBOX , a thief could steal some information if the exe access the internet.
c) in SANDOX alert one that exeplorer.exe wants to run the EXE, just it.
I could use an installer with that EXE (pretending be a software update), the user could be alerted that someone is updating the application, then a home user would think that is legitimate (because he is updating) it would run without sandbox and a home user wouldn’t notice the bad signature (COMODO default Installation).
I am also testing other kinds of security desktop software to see their behavior in this aspect.
But I will not stress that. For a concept proof paper it is enough.
