Solution possible:
if config is Comodo Internet Security, apply protection Objects protect in HIPS when commandline, applications safe… running in containment.
Safe Applications is not 100% safe and exploited for malwares or applications unknown.
If self-defense is useless, then why do Kaspersky and Symantec use self-defense modules?
If you would like Trusted Files that have had their Certificates verified to have a certain set of security rules applied to them, or would like rules applied to all trusted files, then feel free to suggest it in the Wishlist section of this forum.
I did not say Self Protection modules were nonsense, I said that if you are infected you are “potentially” ■■■■■■■. Implementing a self protection module that is based on chance and hope that the technique is not going to be advanced enough to defeat it does not seem a very solid solution.
For example, malware in the Comodo Sandbox is generally speaking going to be prevented from installing on the machine and therefore has prevented the infection in the first place. A self protection module however is not going to stop malware from being installed if it has gone undetected in the first place.
This provides a false sense of security, adds bulk to the application and wastes development time that could be spent on something else.
Finally, this thread is regarding you claiming to have defeated Comodo, again, you have not demonstrated that you have been able to do it. With that said, if you manage to do so, without first reducing the security settings of the application, then feel free to post it as many of us will be very interested.
For the simple reason it makes users think they are safe; whether they are is another matter.
It all depends on the user’s attitude.
As soon as one provides something the others follow, something Comodo has never done; they only follow if something increases security, if not it is dropped.
Dennis
Now I see. But then you should also add “Comodo Client Files/Folders” and “Comodo Internet Security” to Protected files/folders → Blocked Files for the “%windir%\explorer.exe” HIPS default rule, to protect CIS from being crippled in the scenario you explained by a legitimate → gone rogue app, or alternatively by somebody that gained administrator access to your PC either remotely or physically. “Metro Apps” should also have the ‘Comodo registry’ HIPS registry access block rule, although I reckon Windows 10 should run them contained by default and they should not be able to edit the registry like non-UWP apps. Then password protect CIS.
Though it prevents deletion and being disabled via registry editor, it does not prevent being disabled via, for example, services.msc. Creating under HIPS → “HIPS Groups” a new category like “COMODO Services Keys”, then adding the below and adding the new category to “All Applications”, will keep all CIS services safe (excluding non-critical ones like CSS and ISE) from manipulation by already installed running software or a malicious user, locally or remote, as well as snake oil registry cleaner programs.
HKLM\SYSTEM\ControlSet???\Services\CmdAgent*
HKLM\SYSTEM\ControlSet???\Services\cmdboot*
HKLM\SYSTEM\ControlSet???\Services\cmderd*
HKLM\SYSTEM\ControlSet???\Services\cmdGuard*
HKLM\SYSTEM\ControlSet???\Services\cmdhlp*
HKLM\SYSTEM\ControlSet???\Services\cmdvirth*
HKLM\SYSTEM\ControlSet???\Services\inspect*
While I understand your point, no protection is 100 percent perfect in stopping malware. Then you have the situation that sometimes you would need to disable some module(s) for proper hardware driver and/or software installation. Suppose the hardware vendor f* things up and you get compromised software in your PC (think CCleaner blunder esque situation). It might be far fetched but people will rarely upload drivers and the like to Virustotal, and for proper installation of, for example, Intel GPU drivers (manufacturer drivers) you need to disable some modules temporarily. So having your a** covered without implications ain’t nothing bad and can be accomplished with some simple HIPS rules. Plus we Comodo users are kinda paranoid, ain’t we hahaha… ;D
That could be true! Therefore we have the option of HIPS paranoid mode, which I activated only once. :o
Could be it’s due to all the options/possibilities CIS allows in contrast to other programs. I read years ago that users have not installed CIS for this reason: I don’t know what to do with Comodo, apparently it’s a Comodo secret what to do with or how to handle CIS.
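A read-only check for the gap raised in the post above (service keys being disabled via services.msc), added here as an example and not code from the thread or from Comodo: it parses the output of `reg query <Services key> /s /v Start` and lists services covered by the post's key patterns whose Start value is 4 (Disabled). The sample output is constructed, the function names are hypothetical, and reading the patterns as plain case-insensitive globs is an assumption.

```python
import fnmatch
import re

# Key patterns copied from the post's "COMODO Services Keys" HIPS group.
PATTERNS = [
    r"HKLM\SYSTEM\ControlSet???\Services\CmdAgent*",
    r"HKLM\SYSTEM\ControlSet???\Services\cmdboot*",
    r"HKLM\SYSTEM\ControlSet???\Services\cmderd*",
    r"HKLM\SYSTEM\ControlSet???\Services\cmdGuard*",
    r"HKLM\SYSTEM\ControlSet???\Services\cmdhlp*",
    r"HKLM\SYSTEM\ControlSet???\Services\cmdvirth*",
    r"HKLM\SYSTEM\ControlSet???\Services\inspect*",
]
START_DISABLED = 4  # Windows service "Start" value meaning Disabled

def normalize(key):
    """Map reg.exe's long hive name to HKLM and lower-case the path."""
    key = key.strip()
    long_name = "HKEY_LOCAL_MACHINE"
    if key.upper().startswith(long_name + "\\"):
        key = "HKLM" + key[len(long_name):]
    return key.lower()

def is_protected(key):
    """True if the key is covered by one of the post's patterns (assumed glob semantics)."""
    k = normalize(key)
    return any(fnmatch.fnmatchcase(k, p.lower()) for p in PATTERNS)

def disabled_protected_services(reg_query_output):
    """Return covered service keys whose Start value is 4 (Disabled)."""
    findings, current = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()  # a key header line
            continue
        m = re.match(r"\s+Start\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", line)
        if m and current and is_protected(current):
            if int(m.group(1), 16) == START_DISABLED:
                findings.append(current)
    return findings

# Constructed sample in the layout reg.exe prints for /s /v Start.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdAgent
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdGuard
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler
    Start    REG_DWORD    0x4
"""
```

Feed it output captured from a numbered control set (for example ControlSet001), since the patterns as written name `ControlSet???` rather than `CurrentControlSet`.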
And yet it is important to find insecurities or dangerous lacks, and the staff of Comodo will be grateful for it, surely.
Well, Paranoid mode should IMO only be enabled after breaking the system in with the “Create rules for safe applications” HIPS option so you get a base to build upon. I would say CIS/CFW is as complicated as you want it to be. Putting it in Pro Active mode and not changing things unless one understands would give excellent protection and not introduce any complications for novice users. For deeper customisation Comodo provides an excellent manual for each release, and while it might take some time to grasp what you read, the information is pretty much applicable to other similar security software as future usable knowledge.
For me CIS is the Rolls Royce of protection suites. I tried all other security suites and believe it or not but CIS is the most informative and easiest to use as well as providing the best protection, and AV signatures is the least important. I could just disable the AV module and the other modules would stop 99,9% of the malware. Also due to non cluttered accessible menus and logs it feels relatively easy to use and understand while not trying to hide settings through hops of menu entries like many other security suites. And then we have the automatic sandbox feature and run-in sandbox systems… pure gold!
I agree with you. The paranoid mode in HIPS, however, requires a lot of knowledge about what to allow and what not to allow, and you need a lot of patience until it’s through, which I don’t have. Nevertheless I am protected, still, without dangerous attacks.
It’s a pity that the manual is only available in English. But who should do the translations?
Not a bug; what you really want is a wish to add Comodo keys to blocked protected registry for all applications.
Comodo service registry keys are protected even with HIPS disabled starting with CIS v12.2.0.6938 beta 1
Nice :-TU
It would be nice to see some official documentation concerning this improvement - it’s not mentioned anywhere in the Beta release notification.
It’s a tendency in most of these Beta releases, to mention the fixes, but miss the many improvements they’ve made - it’s there however and a good addition