bypass defense+ (.xls file)

Someone tested Comodo with the malware.

The user double-clicked on the document file (.xls file).

The user checked the autorun entry.

The malware created an autorun entry successfully.

Environment:
Microsoft Office 2003 SP3
Virtual Machine

VirusTotal:
http://www.virustotal.com/file-scan/report.html?id=e8e3e4d41cec98a8c351c8cbd5f80994bc426ec0f567d5128ea20ebf3db594eb-1312435407

Can you please give me the full registry string of where it was created, mainly because there are multiple Run entries where this could be located?

It means “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”

Well, that registry key is part of the protected registry keys, so if it really put in an entry then it really is a bypass. Can I have a sample to test it out on my system, so I can confirm?

Can you tell me what version of Excel you are testing this on?

OP shows Office 2003 SP3.

Yeah, I just saw that. ;D I just tested on Office 2007 and no bypass; I will download 2003 and try it again.

I hardly believe it’s a bypass.
The task of a HIPS is not to detect exploit code execution, at least not with default settings.

Simply run Office sandboxed or restrict its rights, e.g. with D+ rules.

What else?

The exploit code will run in the same security context as Excel in this case, so default config and/or sandbox are likely not blocking this because Excel.exe is running ‘Trusted’.
Action takes place in memory, but what happens next?

It created a Run key and pointed it to an ‘unknown’; you reboot and the sandbox isolates it because this drop can’t be ‘Trusted’. Can the OP confirm this?

I added an unrecognized file to the startup entry.

Rebooted XP.

I viewed the active process list.

It was not partially limited by CIS.

I checked the list of unrecognized files.

It is still there.

Conclusion:

CIS cannot sandbox autostart processes which are unrecognized by CIS.

So, the autorun entry must be protected from malware.
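The test above boils down to one defender's question: which Run/RunOnce entries point at a binary nobody recognizes? The following PowerShell script is an added example, not code from the thread or from Comodo; it lists the autostart entries under the HKCU and HKLM Run keys discussed above, resolves each command to its executable, and flags entries whose target is missing, unsigned, or outside the Windows and Program Files directories. The key list, the "trusted roots" heuristic and the `Resolve-AutorunTarget` helper are this example's own assumptions.

```powershell
# Added example (not from the forum thread): report Run/RunOnce autostart
# entries and flag the ones whose target an administrator would want to
# inspect before the next reboot.

# Registry locations commonly used for per-user and per-machine autostart.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories treated as the expected home of legitimate autostart targets
# (assumption of this example; tighten or extend for your environment).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Resolve-AutorunTarget {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\App\app.exe /silent
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')  { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }

            $target = [Environment]::ExpandEnvironmentVariables(
                (Resolve-AutorunTarget $p.Value))
            $exists = Test-Path -LiteralPath $target

            $inTrustedRoot = $false
            foreach ($root in $trustedRoots) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                }
            }

            # Authenticode status is only meaningful if the file is present.
            $sig = 'n/a'
            if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $target).Status }

            # Heuristic: anything missing, unsigned, or living outside the
            # trusted roots deserves a second look.
            $suspicious = (-not $exists) -or (-not $inTrustedRoot) -or ($sig -ne 'Valid')

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Target     = $target
                Exists     = $exists
                Signature  = $sig
                Suspicious = $suspicious
            }
        }
    }
}

# Print the full report; filter on Suspicious to see only the flagged entries.
Get-AutorunReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys are readable, and treat the `Suspicious` column as a triage aid rather than a verdict: plenty of legitimate software installs unsigned binaries outside Program Files, but an entry that appeared right after opening a document is exactly the pattern the thread describes.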

That’s an important find. I hope Comodo Devs will look into it.

Can you PM me the sample?

Did you try this sample with “Block all unknown requests if the application is closed” checked?

Now it’s said to use the “block all if interface is not running” only for infected machines, because of possible unpredictable problems in normal use. But who will know when the machine is infected?

If this setting would help, it doesn’t help the majority of the users.

Any entry in the autostart should get its own question, no matter what was ticked before, when it is made. Most things don’t need to have such an entry; the few which need it would be obvious when they get asked. Everything else would seem suspect if it happens out of the blue.
It’s like with the new Firefox. You have to agree to the activation of add-ons.
Normal people would understand this question more easily than changing settings to modify Defense+ to be more protected.

It is a buffer overflow attack. It should have been detected by BO defense. However, let us analyze what is going on.

Can you please send the excel file to me?

Thanks,
Egemen

If the user enables this option, CIS will sandbox many trusted files when the system starts.

True. Last week I helped a guy to solve a problem with sandboxing many trusted files.
He had that option enabled.

Thanks, Egemen.
Waiting for next update :slight_smile:

CIS is sandboxing safe applications even without it (skypekit, CCC, Mozilla Nightly, Left 4 Dead 2 etc.).