CIS Defence Plus is poor against zero-day exploits

The strongest component of CIS is Defence Plus, which is supposed to mitigate new malware, exploits, etc.

I noted a very interesting thing yesterday. Since the release of CIS v5, three Windows exploits have been discovered. Sadly, Comodo Defence Plus is helpless against all of them. :-TD

1- .lnk exploit
2- DLL execution exploit
3- zero-day UAC bypass exploit

Very interestingly, a sandbox like Sandboxie or GeSWall will protect against all these exploits by design (I say by design, as the latest GeSWall version has some bugs that make it impractical against the .lnk exploit).

Interestingly, the first two could easily be neutralized even in CIS 3.x. However, monitoring of dynamic linking is entirely absent in CIS 5, which is very strange after Stuxnet’s “triumph”. Sadly, COMODO relies on Windows’ invulnerability too much, unreasonably much. :frowning:
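The "DLL execution exploit" in the list above is generally understood to be DLL preloading (binary planting): an application opened from an attacker-controlled directory loads a DLL from that directory because of the Windows DLL search order, and the "DLL control" discussed further down the thread is the HIPS check that would catch the load. The model below is an added example written for this page, not code from the thread or from COMODO. The directory layout, the DLL names, the requested-module list and the KnownDLLs subset are all constructed for illustration, and the resolution rule is a simplification of the real loader (no manifests, redirection or side-by-side assemblies).

```python
import os
import tempfile

# Constructed subset of the KnownDLLs list. These are always taken from the
# system directory, so a planted copy elsewhere does not hijack them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, system_dirs, cwd, path_dirs, safe_search=True):
    """Directories a loader probes, in order, for a DLL requested by bare name.

    SafeDllSearchMode (on by default since XP SP2) moves the current
    directory from second place to after the system directories.
    """
    if safe_search:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, order, system_dirs, known_dlls=KNOWN_DLLS):
    """Return the path the loader would pick for `name`, or None if not found."""
    name = name.lower()
    dirs = system_dirs if name in known_dlls else order
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def planted_dlls(requested, order, system_dirs, trusted_dirs, known_dlls=KNOWN_DLLS):
    """Map each requested DLL that resolves outside trusted_dirs to the path
    that would actually be loaded. This is the question a 'DLL control'
    feature asks at load time: is this module coming from somewhere other
    than the application or system directories?"""
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    hits = {}
    for name in requested:
        path = resolve_dll(name, order, system_dirs, known_dlls)
        if path is not None and os.path.realpath(os.path.dirname(path)) not in trusted:
            hits[name.lower()] = path
    return hits


def build_demo_tree():
    """Constructed layout: a viewer application, a System32, and an
    attacker-controlled share from which the victim opens a document."""
    root = tempfile.mkdtemp(prefix="dll_planting_")
    app_dir = os.path.join(root, "Program Files", "Viewer")
    system32 = os.path.join(root, "Windows", "System32")
    share = os.path.join(root, "evil_share")
    for d in (app_dir, system32, share):
        os.makedirs(d)
    # Genuine system DLLs. dwmapi.dll is deliberately absent: on older
    # Windows it is an optional DLL that many applications still try to load.
    for name in ("kernel32.dll", "user32.dll", "shell32.dll"):
        open(os.path.join(system32, name), "wb").close()
    # The attacker drops DLL copies next to the lure document.
    for name in ("kernel32.dll", "shell32.dll", "dwmapi.dll"):
        open(os.path.join(share, name), "wb").close()
    open(os.path.join(share, "report.doc"), "wb").close()
    return app_dir, [system32], share


def demo(safe_search=True):
    """Which DLLs get hijacked when Viewer opens evil_share\\report.doc?"""
    app_dir, system_dirs, cwd = build_demo_tree()
    order = search_order(app_dir, system_dirs, cwd, path_dirs=[], safe_search=safe_search)
    requested = ["kernel32.dll", "shell32.dll", "dwmapi.dll"]  # constructed import list
    return planted_dlls(requested, order, system_dirs, trusted_dirs=[app_dir, *system_dirs])


if __name__ == "__main__":
    for mode in (True, False):
        print(f"SafeDllSearchMode={'on' if mode else 'off'}:", demo(mode))
```

With SafeDllSearchMode on, only dwmapi.dll is hijacked, because it does not exist in System32 and the current directory is probed before the search gives up; with it off, the planted shell32.dll wins as well, since the current directory is probed before System32. kernel32.dll is never hijacked because KnownDLLs bypass the search. The lesson for a HIPS is that the safe search mode narrows the window but does not close it; only a per-load check of where the module actually comes from does.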

Pray tell us, how did you come up with these conclusions? Do you have any proof?

+1

+2

~Maxx~

Hi aigle, I don’t think those are entirely accurate comments. More accurately put, it would be something like:

CIS 5 does not block those exploits in its default configuration. However, like any classical HIPS, it can be manually configured to block just about anything you want, including all three of those exploits.

Can someone test with the Proactive config set, along with the sandbox set to Untrusted, in a VM?
I wanted to test the Windows exploit myself, but I don’t have a VM installed.

Hi, there is no way to block the first two exploits in version 5.

Oh yes, thanks for reminding me: for some reason, DLL control was taken out in version 5. However, CIS version 3 could easily block those exploits.

Will DLL control be re-introduced in future 5.xx versions so as to successfully block these kinds of threats/exploits?
Probably the dev team/egemen could shed some light on this…

Actually, DLL control in version 3 in its current form is totally impractical.
I wish for a more intelligent DLL control that is user-friendly and strong as well, with minimal pop-up alerts.

Probably the dev team/egemen could shed some light on this…

Or maybe the thread starter aigle could kindly give us some details or a technically explained proof.

Thanks in advance.

Found this:

https://forums.comodo.com/news-announcements-feedback-cis/zero-day-windows-exploit-bypasses-defence-plus-t65789.0.html

Outside of later Windows patches and detection by AV, points 1 and 2 have been largely documented in this forum (so I don’t know what aigle is reporting; nothing new), and indeed showed the failure on the Defense+ side, as in almost every piece of software on earth.

He’s however right in stating that DLL control is always possible in CIS 3 (and probably also in CIS 5; I didn’t test the latest) but very impractical.