CIS Doesn't Prevent Buffer Overflow Attacks/Detect Shellcode Injections [M1489]

Just an update: not fixed in version 8.2.0.4591.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Any chance this will be fixed for the upcoming release or in the next beta release?

Not fixed with CIS version 8.2.0.4674 on Windows 7 or 10.

I have been looking into this further and it seems that the "Detect shellcode injections" functionality has been removed. I noticed that the user-mode hooks that Comodo installs have been reduced between CIS v3.14 and the current v8.2.0.4703, as is evident in the GMER hook scan that I performed on a Windows XP SP3 32-bit system. Here are the results:
CIS 3.14 hooks:

.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ADVAPI32.DLL!CreateServiceA 77E371E9 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ADVAPI32.DLL!CreateServiceW 77E37381 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ADVAPI32.DLL!OpenServiceA 77DF4C36 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ADVAPI32.DLL!OpenServiceW 77DE6FDD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] fltlib.dll!FilterConnectCommunicationPort 4FFE135C 5 Bytes JMP 10008210 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] fltlib.dll!FilterSendMessage 4FFE23A4 5 Bytes JMP 10008280 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CopyFileExA 7C85F2CC 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CopyFileExW 7C827B1A 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!DeleteFileA 7C831EC5 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!DeleteFileW 7C831F4B 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!GetModuleHandleA 7C80B731 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!GetModuleHandleW 7C80E4CD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!LoadModule 7C8624BE 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!MoveFileExA 7C85E3CB 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!MoveFileExW 7C835673 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!MoveFileWithProgressA 7C835EC6 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!MoveFileWithProgressW 7C81F716 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!OpenFile 7C82196A 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!OpenFile + 3 7C82196D 2 Bytes [7E, 93] {JLE 0xffffff95}
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!LdrGetProcedureAddress 7C917E88 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtDeleteFile 7C90D220 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtFreeVirtualMemory 7C90D370 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtLoadDriver 7C90D450 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtSetInformationProcess 7C90DC80 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtUnloadDriver 7C90DEA0 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] ntdll.dll!RtlAllocateHeap 7C9100A4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] OLE32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] OLE32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] SHELL32.dll!ShellExecuteA 7CA41150 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] SHELL32.dll!ShellExecuteEx 7CA40E25 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] SHELL32.dll!ShellExecuteExW 7CA02F03 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] SHELL32.dll!ShellExecuteW 7CAB5BF0 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] WS2_32.dll!WSASocketA 71AB8B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll

CIS 8.2.0.4703 hooks:
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] fltlib.dll!FilterConnectCommunicationPort 4FFE135C 6 Bytes JMP 71A1000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] fltlib.dll!FilterSendMessage 4FFE23A4 6 Bytes JMP 719E000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7195000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7192000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 718F000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!CopyFileExW 7C827B1A 6 Bytes JMP 7183000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!CreateProcessInternalW 7C81979C 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!CreateProcessInternalW + 4 7C8197A0 2 Bytes [9A, 71]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A80001
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!MoveFileWithProgressA 7C835EC6 6 Bytes JMP 7189000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!MoveFileWithProgressW 7C81F716 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!MoveFileWithProgressW + 4 7C81F71A 2 Bytes [85, 71]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A3, 71]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [76, 71] {JBE 0x73}
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [73, 71] {JAE 0x73}
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7180000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 717D000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 717A000A

Kolibri is just a simple web server that I used to test shellcode injection against, because the version of Kolibri used has a stack-based buffer overflow vulnerability. The shellcode I used makes a call to the WinExec WinAPI function to execute Windows Calculator. In v3.14, CIS was able to warn of the buffer overflow and block the attack, whereas 8.2 gave no warning and the payload succeeded, with Windows Calculator being executed.

So the question is, has the buffer overflow protection been removed intentionally, and will it ever be re-implemented in CIS? Or is Comodo not interested in protecting users from this type of attack? Yes, the sandbox and/or HIPS would protect users if the payload were to download and execute a known or unknown malware, but if the shellcode were to execute a Windows command prompt and open a reverse connection to an attacker-controlled machine, aka a Windows command reverse shell, then CIS would be useless.
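The hook comparison made by hand in the post above can be automated. The following is an added example (not from the original post or from Comodo) that parses GMER user-mode hook lines of the form quoted above, diffs the hooked exports between two scans of the same process, and reports which exports from an analyst-chosen watchlist (an assumption here, not a CIS feature list) lost their hook. The two scan excerpts are constructed from the lines quoted in the post.

```python
import re
from typing import Dict, List

# One GMER user-mode hook line: ".text <process>[pid] <module>!<Export>[ + off] <addr> <n> Bytes <detail>"
HOOK_RE = re.compile(r"^\.text\s+.+?\[\d+\]\s+(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?"
                     r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<detail>.*)$")

# Exports a defender would expect an exploit-mitigation hook on (analyst-chosen watchlist, an assumption here).
WATCHED_EXPORTS = {"kernel32.dll!WinExec", "kernel32.dll!CreateProcessA", "kernel32.dll!CreateProcessW",
                   "kernel32.dll!VirtualProtect", "ntdll.dll!NtProtectVirtualMemory",
                   "ntdll.dll!NtWriteVirtualMemory", "ntdll.dll!NtAllocateVirtualMemory", "ws2_32.dll!WSASocketW"}

def parse_hooks(scan_text: str) -> Dict[str, dict]:
    """Map 'module!Export' -> hook info; a '+ offset' line for an export already seen is the tail of a split hook."""
    hooks: Dict[str, dict] = {}
    for line in scan_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # header, blank or non-.text output
        key = f"{m['module'].lower()}!{m['export']}"
        hooks.setdefault(key, {"offset": int(m["offset"] or "0", 16), "addr": m["addr"],
                               "size": int(m["size"]), "detail": m["detail"]})
    return hooks

def compare_hooks(old_scan: str, new_scan: str) -> Dict[str, List[str]]:
    """Exports hooked in the old scan only, the new scan only, or both (same process, two CIS versions)."""
    old, new = set(parse_hooks(old_scan)), set(parse_hooks(new_scan))
    return {"removed": sorted(old - new), "added": sorted(new - old), "kept": sorted(old & new)}

def lost_watched_hooks(old_scan: str, new_scan: str) -> List[str]:
    """Watched exports that lost their hook between the two scans: the coverage gap worth reporting."""
    return [k for k in compare_hooks(old_scan, new_scan)["removed"] if k in WATCHED_EXPORTS]

# Constructed excerpts of the two GMER scans quoted above (CIS 3.14 in PID 824, CIS 8.2.0.4703 in PID 3964).
OLD_SCAN = r"""
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!CopyFileExW 7C827B1A 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!OpenFile 7C82196A 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!OpenFile + 3 7C82196D 2 Bytes [7E, 93] {JLE 0xffffff95}
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[824] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll
"""
NEW_SCAN = r"""
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7195000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!CopyFileExW 7C827B1A 6 Bytes JMP 7183000A
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A80001
.text C:\Documents and Settings\owner\Desktop\Kolibri.exe[3964] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
"""
if __name__ == "__main__":
    print("hooks lost on watched exports:", lost_watched_hooks(OLD_SCAN, NEW_SCAN))
```

Run against the full dumps from the post, the same diff shows every kernel32/ntdll process-creation and memory-protection hook from 3.14 absent in 8.2.0.4703, which matches the behaviour observed with the WinExec payload.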