“As companies continue to zero in on the silver bullet of “protection” without considering the redundancy and impotence of their security layers, the result is a porous security posture with limited capabilities.” ~Comodo
I by no means am an expert, my skill level is pretty minor, Ive just had some practice over the years refusing to accept defeat and cleaning instead of nuking.
It all started a while back, with an obsolete video divers from necessity, it turned into a keylogger, had a pile of graphical glitches affecting comodo, pornhub, website logins.
Running a full battery of hardware diagnostics ram, vram, hdd ram, l1/l2/l3 cpu cache, video card etc showed all was good.
Then google started flagging me for suspicious network activity.
There was some issues with memu (android emulator) leaking and corrupting filzilla sftp transfers, but i moved over to nox.
There was a worm that kept coming back in memu, infected nox
occasionally the sound driver wouldn’t boot properly on a cold boot.
sometimes laptop would run hot, fan going nuts, but nothing, and i mean nothing in task manager/cpu use cpu time/io etc would explain this
Then origin started acting strangely.
Putting it all together i was getting more and more sure something was there.
Not that i wasn’t checking things over time, but then the gloves really came off.
All running processes signed, clean by comodo, clean by virus total nothing suspicious cpu time/io/page faults and so on, i just didn’t go into handles and threads, never really having needed to before
All startup entries signed, clean by comodo, clean by virus total (precept for a couple of codecs in klite pack, but was expected long term issue, klite been using since forever its fine)
short of whois, no suspicious network activity
sigverif - nothing
comodo can - nothing
cce deep scan - nothing
gmer - nothing
avast deep scan - nothing
malware bytes - nothing
hyjack this - nothing
pretty sure even thew combofix etc at it
all the bootcd virus scanners i could get to work - nothing
no comodo hips alerts etc
windows services cut to the bone, only what i need and still be secure - no improvement
auto runs minimum nessary
all the service center crud, and (official and legit of course) driver detection and diagnostic crud removed - random inexplicable laptop running hot and fans going nuts, fixed.
All files “safe” with comodo upload verify thingy but it was very hard to tell because of the flickering, ECEPT one suspicious powershell script in the comodo temp directory which would error out
not upload or verify (more on that later)
All on the surface absolutely clean, i decided to attack the problem from a network security perspective.
groans sooooooo many problems, where to begin!
To add almost every specific rule, comodo needs to understand, windows random ports, 49152 - 655135 and tack that in [windows random]
First thing i tried to do was stop the vpn from leaking and block everything but dns, 22, 80, 443 and icmp eco reply, no need for arp locally a static ip, open vpn cant be static, but it figures itself out without broadcasts
After i got the basic setup done i take a look at the logs
i see “windows operating system” connecting to china, Moscow, Netherlands, Moldova, and a ton of countries i had never even heard of
Most of the rubbish was only when open vpn was connected, yes safe, clean, vt and comodo verified, wtf!
Turns because the openvpn out of date , updated
there was vasts bursts of suspicious ips yet not a peep from hips about this because its exe “safe” when it was in fact compleatley compromised from a wide variety of sources
just because you think its safe does not mean i want all defenses lowered there must be some sane rules
just because the code is signed, legitimate, secure, and safe, does not mean i want it connecting to the internet!
just because i see what its up to doesn’t mean don’t want to on occasion selectively approve or deny various changes because sometimes good things are mixed with bad things.
just because the code is signed. legitimate, secure, do-sent mean its not downright malicious as various implementations of drm have been etc
nuking off openvpn and then putting on a fresh install from openvpn.net, everything was still “windows operating system” in comodo logs
fortunately there is somewhat of a workaround being application rules show up correctly to the correct application, in the logs but it dosent cover everything.
for example port 1900 (among others) is being absolutely smashed on outbound tcp constantly (denied), even though i disable on interface and service, SOMETHING is still being annoying so yes its a place to hide from the logs
I was pretty intrigued about what were the pre defined rules rules for windows, and while yes usage cases could be a complex beast i was expecting some selective and targeted and intelligent rules to learn from… what did i find? allow all!
so i guess the “new network detected” and clicking on “i am in a public place” thinking that will tighten things up and harden the firewall, is just there to look sexy huh?
let alone asking the user some questions, like do you use file sharing, detecting if the local private ip is 10, or 192.168 and setting some rules
still a pretty horrible back door for everything not explicitly denied with application and global rules to silently leak out onto the internet due to open vpn showing as window os
the only way to fix?
well new rule c:*.* ask for all OUCH constant bing! bing! bing! bing! continuously 2 weeks later… bing! bing! bing! ffs…
for 1, adding a directory inst even in the menu!
ok so lets start with the notifications:
steam.exe wants to connect to the internet, ip 184.108.40.206 port 80
can you drag and highlight the ip? no
can you double click on the ip to select the octet? no
can you triple click on the ip to select the whole ip? no
can you mouse over whois? no
can you right-click on ip and check ip reputation databases? no
can you right click on ip and telnet on port 80 and send a http get to see the code? no
can you right click on ip and allow this connection (remember to factor in windows random ports!)
can you right click on ip and deny this connection? no
can you right click on ip / executable and show filtered logs (for only that app / ip)
can you right click on application and send to virus total? no
can you right click on application and send hash to cloud and get hips baseline, ip/port requirements? (even crowdsourced because of games etc)
can you right click on application and sandbox it? no
can you right click on application and send to various online sandboxes for 3rd party validation? no
can you right click on application and temporally monitor it at various levels of aggressive debugging and logging? no
can you right click on application and get detailed sandbox reports with various cloud based statistics and a malicious confidence score? no
can you right click on application and tell comodo to “advanced learn” i wish!
and i don’t mean scan hard drive, i found “■■■■■.exe” lets alow it! like the last time i ever let comodo learn
i mean, learn and set specific rules!
ok sure, set up a warning box to yell at me, hey stupid if this is an online game/torrent client/web browser/chat app where you will encounter an unlimited number of ips, and so make an unlimited number of rules, which will degrade performance until computer crashes.
give the user 3 options
1 modify learning, so they can for example ignore ips and focus on ports change default learning period etc and add learned ip into specific network zones / port sets as an option
2 learn more, goes off to a help me documentation page explain ips ports etc
also to be able to step back and forward though alert bubbles and pause on specific bubble if you don’t catch them in time
then we have actually adding a rule
in the drop down box for allow, deny, etc have disable so that we can use this for testing and saving of headaches for later
and yes once again, add folder
one does wonder about the timeout of state-full rules considering comodos love of trying to force allow all down your throat and as a finishing touch one may want to configure that
Because CDN’s love spamming you with huge amounts of ips its not hard to imagine a hacker simply going, well ill just sign up for said CDN and then attack you, its not exactly ev-ssl verification to get an account so no, you dont want to allow entire ip ranges, because not all gateway ips are used for all customers but using comodo for this drives you to despair!
far be it, for techs to slap on comodo on as a diagnostic layer with rolling custom rules and then see what pops up, and then are happy to leave it on there for their clients knowing it wont be in their face over everything or allowing everything and being pretty useless overall since your already forking sysinternals you may as well seamlinessly integrate it because comodo self protection module blocks allot
just blind dumb heavy duty manual labor to do anything useful because after all comodos policy of creating trust online is to trust comodo, to allow everything and its only real layer of defense is hips which don’t remind to come back on and gets compleatley nuterd, by file upload validation which do not account for vulnerabilities in said “safe” application
so after wading though the endless muck and spending months on what should of taken a day at most:
slapping down the global rules fixed the strange flickering on pornhub
a while after laying down rules thick and fast, my firewalls repeatedly got smashed by an entire botnet on port 23725 trying to reconnect haven’t found much specific on that one unfortunately
tinkering around with mass effect Andromeda (been playing though the series as de-stress from all this ip hurt) resulted in a clean install of catalyst control center and nvidia drivers resulted in the strange flickering of comodo to go, and, the sound card to fix up, and of course on reboot for open vpn to suddenly forget its login and password. its still connecting to a university ip it shouldn’t be, but ive gotten unhappy* off at its cdn ip abuse and constantly pegging ip connection requests at me, so for now, im updating manually and dealing with it later
java updater connecting to a bunch of unusual ips again i got the crud with it and just blocked it
comodo connecting to a bunch of strange ips
one would think that comodo being an root CA and a core part of our security would understand chain of trust and deliver its updates from a comodo ip! or are you saying that a root ca cant secure a server?
whitelisted a few hundred ip for comodo before i gave up and blocked the rest
now when the computer boots its a case of:
does openvpn work? or does it get stuck with openvpngui not knowing the password for openvpn service
do the the rulesets in comodo apply properly (they wont show up inside comodo anymore been to corrupted/hacked)
does the keyboard work properly? (this is not a hardware issue but affects d key and sometimes other keys as well)
usually one of the above will stuff up so its cold boot after cold boot at this point to get it working and a whole can i really be stuffed knowing full well im gonna have to nuke all eventually and fresh install and repeat the process because i cant backup the ip rules as they are
and for god sake give us a permanent opt out button for yahoo, this is not the 90’s i am not using Netscape navigator because that was the last time it was any good!
your really “creating trust onlne” by being associated with and endorsing, record breaking database breaces, and chat apps where you couldn’t be online for 10 seconds before you get an endless horde of chatbots asking for your credit card for “age verification” and so on… sure, i REALLY want to use yahoo.
when comodo detects corruption and forcibly does a clean install, export all the rules!
At the end of the day, the security model is fundamentally flawed. It takes only one vulnerable yet “safe” application to be exploited by an open network socket, and a average user with no cloud based hips baseline or ip (CDN) confidence rating, to interpret the alert and warn them not to click allow. that’s if even hips bothers asking, is highly likely going to go, well that’s legit, allow on hips, then comdos defenses start to crumble, that’s even if it asks for access rather than sit in memory and spam away.