Comodo Driver Security Level Question

Just out of curiosity, why are the two CIS Drivers ‘cmderd’ and ‘cmdGuard’ File System level drivers, instead of Kernel?

Would there be any security advantage/disadvantage in upping it to kernel?

Thanks :stuck_out_tongue:

Aren’t those two CIS Drivers protected by other CIS Kernel drivers to prevent tampering?
Can you stop or kill those two drivers on user level?

Would love to know.

A kernel level driver launches CIS early when booted, however the ones above actually just load as File System.

Not exactly sure what cmdGuard driver does, but you would guess that this is the driver that protects the software. Maybe the early boot driver protects the ‘cmdGuard’ driver that protects the rest of it. I don’t know. :smiley:

They are in fact kernel-mode drivers, just a specific type of kernel drivers.

Very interesting.

So I’m guessing the cmd driverquery command is just reporting the wrong restriction level?

Hmmm, wondering if a user could terminate or kill those processes/drivers with ProcessExplorer or ProcessHacker or alike.

Nevermind I got confused.

I was thinking File System level was User-Mode level.

I learned something today. :smiley:

Thanks futuretech!
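Added example (not from this thread or from Comodo): a PowerShell snippet that shows the point made above by listing the drivers through `Win32_SystemDriver`, where both "Kernel Driver" and "File System Driver" are kernel-mode service types (the `driverquery` "Driver Type" column reports the same distinction). It also reports start mode, state and the Authenticode signature of the driver image, which is the check a defender would want before trusting a kernel-mode driver. The driver names `cmdguard` and `cmderd` are the ones from the thread; the image-path handling is an assumption about the common forms a driver `PathName` takes.

```powershell
# Added example, not part of the forum thread or of CIS itself.
# Lists selected system drivers, shows that "File System Driver" and
# "Kernel Driver" are both kernel-mode service types, and checks the
# Authenticode signature of each driver image.

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Assumption: driver PathName is one of
    #   \??\C:\Windows\system32\drivers\x.sys
    #   \SystemRoot\System32\drivers\x.sys
    #   System32\drivers\x.sys           (relative to %SystemRoot%)
    #   C:\Windows\system32\drivers\x.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')   { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-DriverModeReport {
    [CmdletBinding()]
    param(
        # Driver service names to inspect; defaults to the two named in the thread.
        [string[]]$Name = @('cmdguard', 'cmderd')
    )

    # Win32_SystemDriver covers drivers registered as services. ServiceType is
    # "Kernel Driver" or "File System Driver"; both execute in kernel mode, the
    # difference is only which stack the driver attaches to.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $Name -contains $_.Name }

    foreach ($d in $drivers) {
        $isKernelMode = $d.ServiceType -in @('Kernel Driver', 'File System Driver')

        # An unsigned or invalidly signed kernel driver image is a finding worth
        # investigating: code at this level can tamper with any other driver.
        $path = Resolve-DriverImagePath -PathName $d.PathName
        $sigStatus = 'ImageNotFound'
        $signer    = $null
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name        = $d.Name
            ServiceType = $d.ServiceType
            KernelMode  = $isKernelMode
            StartMode   = $d.StartMode   # Boot/System = loads before any user logon
            State       = $d.State
            Path        = $path
            Signature   = $sigStatus     # Valid / NotSigned / HashMismatch / ...
            Signer      = $signer
        }
    }
}

# Usage: inspect the two CIS drivers from the thread (or pass -Name for others).
Get-DriverModeReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; `KernelMode` comes out `True` for both service types, which is what the reply above is saying, and `Signature` should read `Valid` for a vendor-signed driver.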

If you run the ProcessHacker driver in the kernel (by default the driver runs in user mode), PH is in a position to take down any driver running in kernel space. That’s why with a HIPS it is of the utmost importance to know that the driver you allow to be installed in the kernel can be trusted.

Thank you for the info.
Yes, I fully agree with you that you have to / must trust a kernel mode driver before ever using it.

I just checked the PH driver-mode setting on my system; it seems to be kernel-mode by default on my end (using PH 2.39.124 portable, if that makes any difference).

I thought the kernel driver was not the default setting but I could have been wrong.

I remember a discussion that egemen had years ago with a member about Outpost Firewall. Outpost Firewall would resurrect its kernel driver after it had crashed or been taken down. Egemen argued that the system would then still be considered compromised because it is unknown what happened while the driver was down. The system could, worst case, be infected with malware. Egemen says once something runs in the kernel it runs with the same rights as CIS and is capable of doing anything, including unhooking other drivers.

Does anyone know if Windows blue screens if a CIS kernel driver is halted?

Because for the above reasons, it seems like it probably should. And then actually undergo a pre-boot system integrity check.

Would be pretty nice.

I don’t know. That’s the only thing I know for sure.