CIS Defence Plus is poor against zero day exploits

The strongest component of CIS is Defence Plus that is supposed to mitigate new malware, exploits etc etc.

I have noted a very interesting thing yesterday. Since release of CIS v 5 three windows exploits were discovered. Sadly Comodo defence plus is helpless against all these exploits. :-TD

1- .lnk explot
2- dll execution exploit
3- zero day UAC byapss exploit

Very interestingly a sandbox like sandboxie and geswall will protect against all these exploits by design( I said by design as latest geswall version has some bugs that make it impractical against .lnk explot).

Interestingly, the first two could easily be neutralized even in CIS 3.X. However monitoring of dynamic linking is fully extinct in CIS 5, what is very strange after Stuxnet’s “triumph”. Sadly, COMODO relies on Windows’ invulnerability too much, unreasonably much :frowning:

pray tell us, how did you come up with these conclusions, do you have any proof?




Hi aigle, I don’t think those are entirely accurate comments. More accurately put would be something like:

CIS 5 does not block those exploits in default configuration. However, like with any Classical HIPS, it is able to be manually configured to block just about anything you want, including all three of those exploits.

Can someone test with proactive config set along with sandbox set to untrusted in a VM…
I wanted to test the Windows exploit by myself…but don’t have a VM installed…

hi, there is no way to block first two exploits in version 5.

Oh yes, thanks for reminding me - for some reason, DLL control was taken out in version 5. However, CIS version 3 could easily block those exploits.

will DLL control be re-introduced in future 5.xx versions as to succesfully block these kind of threats/exploits??
probably Dev team/egemen could shed some info. on this…

Actualy dll control in version 3 in its current form is totally impractical.
I wish for a better intelligent dll control that is uses friendly and strong as well, with minimum pop up alerts.

probably Dev team/egemen could shed some info. on this…

or maybe the Thread Starter aigle kindly gives us some details or a technically explained proof

thanks in advance

found this

Outside of later Windows patches and detection by AV, points 1 and 2 have been largely documented in this forum (i thus don’t know what aigle is reporting, nothing new), and indeed showed the failure on the defense+ side, like in almost every software on earth.

He’s however right stating that dll control is always possible in cis3 (and probably also in cis5, i didn’t test the latest) but very impractical.