Question for a Comodo insider. I have seen videos and all, but how specifically does Comodo protect from weaponized documents? Does it wait for internet contact and the possibility of a downloaded file, or does this happen via another mechanism, such as “heuristic command line monitoring”? Most documents are opened in a trusted application, are they not?
One other angle on this. I am wondering if Comodo HIPs views activity of MS Office files as unrecognized or as a trusted part of a trusted application.
Questions about memory abuse and fileless malware seem to pop up with this issue too…
If by weaponized documents you mean those with embedded macros, then if the macro tries to execute powershell or other commands, embedded-code detection will kick in and turn those commands into a script file. If a document is specially crafted to exploit a vulnerability that allows code execution, and the shellcode payload is programmed to download and execute an executable, then that executable will be dealt with like any other application, e.g. HIPS execution alert, auto-sandbox of the exe, etc.
Of the three main MS office applications (Word, Excel, PowerPoint) only PowerPoint opens presentation files on the command-line, while Word and Excel use a different method to open their respective supported files. So yes, documents are opened by trusted applications, therefore you can right-click on a document and choose run in containment if you are concerned about opening documents.
Thank you for laying out the protection schematically for me. I REALLY want to find a way to separate protection associated with documents from standard executable defenses. Clarity from the alerts, even different alerts for some types of files, would be GREAT. Could there be a special option for auto-opening common but potentially dangerous file types in the container?
So, if I run one document in the sandbox, will it be auto-sandboxed the next time? When considering, as mentioned, suggesting a provision for an option to open all documents (or of various types) in the container, unfortunately, the possibility of memory exploitation kind of complicates the issue for me. Since MS Word, etc. are trusted, I wonder if I could count on HIPs (Safe Mode) to alert when MS Office or some other documents platform or even a browser is attempting to access the memory of another application. I get stuck with this, because I do want memory protection to function even for a trusted application (or at least some/many->need to think this through), even when said application is in the sandbox. HIPs paranoid is not an option for me, as I have too much software that interacts with Windows.
Considering 3 rules:
- HIPs->globally enable HIPs monitoring of memory access (to other applications) only->all processes
- Containment->contain all applications which open files of set types (when they open same set file types)
- Some way of setting document files (or certain types of document files) to be seen as unrecognized without having to access the GUI for each file.
Could you outline how I might do this? Thx for the help. Farthest I have been able to get with this issue so far, but it seems kind of powerful to me, as in there may be other ways to use this kind of thinking (i.e.-location based etc.)
I am in deep, so please let me know if my questions become non-sensical…
Auto-containment is based on rules so you need a rule to tell it to contain files, but like I said about Word documents being opened in a different manner, creating a rule to auto-contain Word docs will not work. It would work for certain files such as rtf and powerpoint files if wordpad and PowerPoint are added to heuristic command-line analysis.
HIPS safe mode will not alert when any trusted application tries to access another application in memory; you would have to use paranoid mode or create a specific block rule for the trusted application like Word to block inter-process memory access. Applications running in containment are automatically blocked from accessing other processes in memory regardless of HIPS rules.
The only way to make documents be seen as and be controlled like executable files is to add the respective application that handles the specific document format to heuristic command-line analysis, and that application needs to open documents via its command line.
Create a new text document on your desktop and then open that text document, then use process explorer or process hacker and double click on the notepad process and view the command line section under image or general tab. That is how heuristic command line analysis works, it parses the image command line of a process if that process name is in the analysis list and is enabled.
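The check described in the two replies above (which document handlers actually receive the document path on their command line, and therefore which ones heuristic command-line analysis can parse) can be scripted rather than done one process at a time in Process Explorer. The following PowerShell is an added example written for this thread; it is not Comodo's code and does not come from the forum posts. It reads the same image command line field Process Explorer shows, from the Win32_Process WMI class. The handler process names and the list of document extensions are assumptions to adjust for your own machine, and the documents must already be open when you run it.

```powershell
# Added example (not from the thread or from Comodo): report which running
# document-handler processes were started with a document path on their
# image command line. Heuristic command-line analysis only sees that
# command line, so a handler that opens files another way (as the reply
# says Word and Excel do) will show DocumentOnCommandLine = False.

# Assumed document extensions to look for on process command lines.
$DocumentExtensions = @('.doc', '.docx', '.xls', '.xlsx',
                        '.ppt', '.pptx', '.rtf', '.pdf', '.txt')

# Assumed handler process names; edit to match what is installed.
$HandlerNames = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE',
                  'wordpad.exe', 'notepad.exe')

function Get-DocumentLaunches {
    # Returns every process whose command line contains an argument ending
    # in one of the document extensions. Win32_Process.CommandLine is the
    # same value Process Explorer shows on the Image tab.
    param([string[]]$Extensions = $DocumentExtensions)

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine } |
        ForEach-Object {
            $cmd = $_.CommandLine
            # First extension that appears as the tail of an argument
            # (followed by whitespace, a closing quote, or end of line).
            $hit = $Extensions |
                Where-Object { $cmd -match ('\S' + [regex]::Escape($_) + '(?=\s|"|$)') } |
                Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    ProcessId   = $_.ProcessId
                    Name        = $_.Name
                    Extension   = $hit
                    CommandLine = $cmd
                }
            }
        }
}

function Test-HandlerCommandLine {
    # For each assumed handler that is currently running, report whether a
    # document path is present on its command line. True means heuristic
    # command-line analysis has something to parse for that application.
    param([string[]]$Names = $HandlerNames)

    $launches = @(Get-DocumentLaunches)
    foreach ($name in $Names) {
        $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$name'"
        foreach ($p in $procs) {
            $onCmdLine = $launches | Where-Object { $_.ProcessId -eq $p.ProcessId }
            [pscustomobject]@{
                Name                  = $p.Name
                ProcessId             = $p.ProcessId
                DocumentOnCommandLine = [bool]$onCmdLine
                CommandLine           = $p.CommandLine
            }
        }
    }
}

# Usage: open a few documents with each handler first, then run:
Test-HandlerCommandLine | Format-Table -AutoSize
```

Handlers that report True are candidates for the heuristic command-line analysis list; handlers that report False despite having a document open are the ones the reply says cannot be covered that way, and for those the per-file "run in containment" choice or a HIPS rule on the application itself remains the option.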
Very helpful information. Think I will try to process all these thoughts and perhaps submit a refined idea later for a simple method for special protection of documents and applications that host them.
I’ll try the HC-L method you mention for Office applications and their documents and see if I can make that work. Sounds kind of promising and the direction I would like to go ideally.
Also, I like the idea of creating specific HIPs rules in the manner you outlined, particularly the memory access rule :-TU. I’ll try it. Thanks again.