Comodo bypassed

I can’t test this myself as the OP at Wilders uses RapidShare and it’s passed the download limit. :frowning:

Reading it, it seems as if it only terminates a service, so no permanent damage. What would be interesting is if it were able to terminate cmdagent.

Try this link: http://rapidshare.com/files/258635784/test.rar.html

It can’t kill cfp.exe ;D

Theoretically possible it did bypass CIS. But let’s see practically first.

I’ll wait for a working link to test this.

Cheers,
Josh

They need to upload it somewhere other than RapidShare…
www.megaupload.com

IMO Aigle is a trusted tester. If he says it bypassed, then it was bypassed.
Only waiting on getting the POC to confirm this and pass it to the devs…

Btw: for all the new users who see this:
It’s not something to be overly worried about. A POC = Proof of Concept; it is not actual malware. This POC shows that it can terminate (not modify or delete) a process while avoiding Comodo’s detection.

Here

[attachment deleted by admin]

Not just theoretical Josh - no pop-ups, no alerts, no logs - just a hung application!

Not just CIS, either - quite a few fail to detect/stop a windows message flood.

Ewen :frowning:

Yes… A few are failing this including CIS.

I tested this on the Internet Security configuration; Notepad.exe froze for a very long time, and so did other applications.

Internet Security is the default configuration. The good news is that CIS protects itself against this (sshot-8). COMODO can add a rule to stop something like this affecting not only CIS but all other applications.

Proactive Security obviously stops this too (sshot-7) (I’m running Proactive Security/Parental Control with Firewall and Defense+ alerts suppressed).

I sent an Email to Egemen.

Cheers,
Josh

[attachment deleted by admin]

Seems all classical HIPS are being bypassed, including the almighty Malware Defender.

I ran the test within Sandboxie, and nothing happened. Can someone please give clear instructions on how to test this POC? I’m not totally sure what to do when the blank box comes up with the question marks.

Thanks for any help!

I'm not totally sure what to do when the blank box comes up with the question marks.

Open Notepad and then run Test.exe. In the dialogue box in Test.exe, type "Untitled - Notepad" and press Enter.

Just ran it sandboxed, and CIS failed to notify me of anything going on. Happily, nothing really happened except that test.exe froze. My Notepad was still fully functional. Sandboxie is not bypassed, I guess, and it is my first line of defense anyway.

So all I have to do to protect against malware potentially using this method of process termination is start using the Proactive Security configuration again? Sweet! That was easy enough to fix/avoid! ;D :-TU

For me it was the other way around.

No alert, but it was Notepad that hung. Once terminated, test.exe could be shut down via the second radio button.

Sandboxie’s sweet, eh? :slight_smile:

Unfortunately not. I was able to get test.exe to hang notepad.exe while I was running CIS in Proactive Security mode, everything checked and D+ set to Paranoid, and still no alerts or logs at all. :frowning:

Ewen :slight_smile:

The same for me :frowning:

Sorry Ewen I hit modify instead of quote, it’s old age you know!

Did you guys actually manage to execute the test in Proactive (because it stops for me)? Or did you switch to Proactive while the test was running, before you terminated Notepad?

Cheers,
Josh

Switched to Proactive, did a restart just to make sure, ran Notepad, then test.exe. Notepad terminated, and no alerts…

Switched and rebooted before running the test

Exactly the same for me.