Comodo Internet Security Vulnerabilities Exposed

For those interested, the ssts64 files have now been removed from the Comodo Whitelist and show up as unrecognized. :-TU

That’s good news. I’m surprised (in a good way). :-TU

I was able to beat both tests using some configuration tweaks without relying on the File Rating.

For the first test just add or edit the following rules and test them yourself.

In the HIPS rules => for C:\Windows\System32\taskhostex.exe => protected files/folders => modify => Blocked files/Folders => add the following files:



For => C:\Windows\System32\conhost.exe => Interprocess memory Access => Modify => Blocked Files/Folders => add C:\Windows\System32\cmd.exe

For => C:\Windows\System32\cmd.exe => Interprocess memory Access => Modify => Blocked Files/Folders => add the following files:



Now, even if Schedtest3.exe is a trusted file in the File Rating, and even if you don’t disable the boxes beside “Trust applications signed by trusted vendors” and “Trust files installed by trusted applications”, you will get a prompt from the HIPS and you can block the changes.

There is no need to change cmd.exe, conhost.exe, explorer.exe to unrecognized as well.

The second one can be easily passed if you use the following rule to protect the BITS from being used:

The results:

More info here (in Bulgarian)



This test shows what I have been saying for a long time: the default CIS settings are useless. Installing CIS with default settings or not installing it at all is the same. YOU HAVE TO CHANGE THE SETTINGS!!!
I think a configuration wizard would be a good idea; with that, the “newbies” would also be able to configure CIS properly. Most of the tests I have seen for CIS fail just because of the default settings…
Just my opinion…



The second problem, in my opinion, is the “Trusted Vendors List”. Certificates can get stolen, copied, forged and what not, and until that certificate is revoked everything signed by that vendor gets executed. Some companies even keep it a secret that their certificates got stolen… But this is not a problem that only Comodo has…