Bypass? Dll injected and no pop up from D+

tested on Windows 7 x64 with Comodo 5.0.163652.1142. Sandbox off, D+ with proactive profile.

RadeonPro can inject its dll “AppProfiles.dll” into other processes and there’s no pop up from Comodo regarding this.
Even if I use the process protection features, e.g. to protect firefox.exe against injections and so on, AppProfiles.dll is loaded into the memory:

Either using paranoid mode doesn’t help.

If you want to test by yourself you need a Radeon graphics card in order to run RadeonPro.
Can you reproduce it?
If yes, what do you think?

when i launched it i get the D+ alert asking for unlimited access
if i clic block i dont get nothing to happen everything is normal no dll opened or nothing

check you setting you may have turned off some D+ functions or attually clicked allow for the install so all files installed are supposed to be safe

also its looks like a safe program, even if is not signed the comodo cloud scan may find it as safe

You are seeing a pop up regarding the sandbox. The sandbox must be always disabled for such testing because it’s using Windows rights limiting and this distorts the result.
D+ should handle any code injection.

No, man…

Got those features off.

i can reproduce it, dll injection is not detected by comodo
Sandbox or not, it is injected.

Thank you very much for confirming this.
So it’s a general issue. :frowning:

That is what happens when the development of the HIPS has been stoped for a long period.

If I recall it correct Online Armor has the same problem. And I bet almost every other HIPS has too.
I’d really like to know what is different of RadeonPro’s injection technique that it seems to be fully unknown to popular HIPSes.

What is pis*ing me off more is that since Comodo 3.8 the x64 HIPS didn’t improve at all regarding usermode hooks.
I’m curious what the developer comment will be in my “Sad: No progress with the x64 HIPS of CIS” thread. :-TD

Personnaly, online armor work with my issues
i posted 1 bug :;new#new

OK, I tried Online Armor again and I was wrong, it passes:

So I guess the problem is only related to Comodo. Fail.
May I get a price now? If I’m not mistaken it’s the first real Comodo 5 HIPS bypass. ;D

cookies ;p

is the dll injection will be still possible if the program is running inside the sandbox ?

I won’t try this now because I haven’t installed CIS anymore.
But my assumption is: Yes, because RadeonPro can work with limited rights and for the rest D+ is used (and D+ fails the injection).

hmmm that explains one of the 2 failures in the last NIS 2011 vs CIS 2011 report from matousec :slight_smile:

any word from comodo ? < I think they saw it and working on it < and yes it’s time for updates :-\ < hopefully quite soon

Hi Guys,

We have tested and CIS actually does not fail it.

When RadeonPro is first executed, there is a COM alert. When this is allowed, CIS lets the rest of the allow alerts too. This is for the sake of end-user experience by default. For example, if you blocked, it would block the DLL injection. Can this be changed? Yes. When you see the popup, it is the default popup layout. You can simply click “More Options” and it will expand the popup to Advanced Layout. In this layout, CIS will be verbose and allow you to play.


Thanks for the update on this one.

MOVEAX could reproduce because he made a mistake too?

yes, checking ‘remember my answer’ in simple mode is dangerous.

I’ve tested again and it actually fails like hell.

I always use the advanced layout. If I test such an issue and even create a forum thread you can be sure that mentally ■■■■■■■■ human failures like the one you have described don’t apply to my findings.
Just for my ego I tested again (advanced pop up layout!!!) and there is no pop up regarding the injection.
If I recall it correct there’s not even a pop up for the COM interface.

@MOVEAX: Did you see a pop up regarding COM interface access?

Yes we have reproduced the issue in Windows 7 x64 today. It is a bug in x64 systems. Will be fixed with the next release.

Good. :slight_smile:

If you change something especially for x64 maybe you could also take a look at this?

I think if Comodo would score better at SSTS on x64 I’d use it.